Virtumonde Infection


  • This topic is locked
2 replies to this topic

#1 robsha

robsha

  • Members
  • 25 posts

Posted 06 March 2008 - 12:31 AM

Virtumonde infection in wvuvs.exe
ran VundoFix and VirtumundoBeGone
now ran ComboFix -- ComboFix log and HijackThis log attached
Thanx much

combofix

ComboFix 08-03-05.1 - Rob 2008-03-05 21:03:14.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.162 [GMT -8:00]
Running from: C:\Documents and Settings\Rob\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\QdrDrive
C:\Program Files\QdrDrive\QdrDrive10.dll
C:\Program Files\QdrDrive\qdrloader.exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\BMff4443bc.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\bedrykjw.dll
C:\WINDOWS\system32\enmochhs.dll
C:\WINDOWS\SYSTEM32\guafrqfj.ini
C:\WINDOWS\SYSTEM32\mhoveqos.ini
C:\WINDOWS\system32\ovrnyafn.dll
C:\WINDOWS\SYSTEM32\pgkbsjay.ini
C:\WINDOWS\system32\slseofpo.dll
C:\WINDOWS\system32\soqevohm.dll
C:\WINDOWS\SYSTEM32\svuvw.ini
C:\WINDOWS\SYSTEM32\svuvw.ini2
C:\WINDOWS\system32\vhvwcmdb.dll
C:\WINDOWS\system32\wvuvs.dll
C:\WINDOWS\system32\wvuvs.exe

.
((((((((((((((((((((((((( Files Created from 2008-02-06 to 2008-03-06 )))))))))))))))))))))))))))))))
.

2008-03-05 21:15 . 2008-03-05 21:15 318 --ahs---- C:\WINDOWS\SYSTEM32\svuvw.ini
2008-03-05 21:14 . 2008-03-05 21:14 338,944 --a------ C:\WINDOWS\SYSTEM32\wvuvs.dll
2008-03-05 19:39 . 2008-03-05 19:39 342,528 --a------ C:\WINDOWS\SYSTEM32\RCX81.tmp
2008-03-04 08:10 . 2008-03-05 19:46 1,303,140 ---hs---- C:\WINDOWS\SYSTEM32\ebvapxpl.ini
2008-03-03 08:08 . 2008-03-04 08:08 1,302,960 ---hs---- C:\WINDOWS\SYSTEM32\jweaxfih.ini
2008-03-03 07:59 . 2008-03-03 08:05 354 ---hs---- C:\WINDOWS\SYSTEM32\xmewauln.ini
2008-03-02 21:53 . 2008-03-02 21:53 342,528 --a------ C:\WINDOWS\SYSTEM32\RCX8E.tmp
2008-03-02 15:38 . 2008-03-02 15:38 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-01 14:49 . 2008-03-03 08:00 <DIR> d-------- C:\VundoFix Backups
2008-03-01 08:51 . 2008-03-01 08:51 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-03-01 08:51 . 2008-01-04 20:34 163,696 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ssidrv.sys
2008-03-01 08:51 . 2008-01-04 20:34 23,920 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\sskbfd.sys
2008-03-01 08:51 . 2008-01-04 20:34 21,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\sshrmd.sys
2008-03-01 08:51 . 2008-01-04 20:34 20,336 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SSFS0BB9.sys
2008-03-01 08:50 . 2008-03-01 08:50 <DIR> d-------- C:\Program Files\Webroot
2008-03-01 08:50 . 2008-03-01 08:50 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\Webroot
2008-03-01 08:50 . 2008-03-01 08:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-03-01 08:50 . 2008-01-04 20:56 1,526,640 --a------ C:\WINDOWS\WRSetup.dll
2008-02-18 20:56 . 2008-03-01 08:42 294 ---hs---- C:\WINDOWS\SYSTEM32\isobeqjo.ini
2008-02-18 20:46 . 2008-03-01 12:20 249,856 --a------ C:\WINDOWS\SYSTEM32\keyhook .exe
2008-02-18 20:46 . 2008-03-01 12:20 28,672 --a------ C:\WINDOWS\SYSTEM32\DSentry .exe
2008-02-16 00:19 . 2008-03-01 10:04 380,416 --a------ C:\WINDOWS\mrofinu72.exe.tmp
2008-02-16 00:18 . 2008-02-16 00:18 270,698 --a------ C:\WINDOWS\SYSTEM32\LD07.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-06 05:10 --------- d-----w C:\Program Files\QuickTime
2008-03-06 05:10 --------- d-----w C:\Program Files\Apoint
2008-03-06 03:39 490,496 ----a-w C:\WINDOWS\PCHealth\HelpCtr\Binaries\msconfig.exe.tmp
2008-03-03 00:46 --------- d-----w C:\Program Files\Common Files\aolshare
2008-03-03 00:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-03-01 20:23 --------- d-----w C:\Documents and Settings\Rob\Application Data\AdobeUM
2008-03-01 18:07 --------- d-----w C:\Program Files\McAfee.com
.
<pre>
----a-w		   742,400 2008-03-01 22:43:03  C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager	  .exe
----a-w		   742,400 2008-03-01 20:21:02  C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager	 .exe
----a-w		   742,400 2008-03-01 20:08:47  C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager	.exe
----a-w		   742,400 2008-03-01 19:18:54  C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager   .exe
----a-w		   742,400 2008-03-01 18:02:16  C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager  .exe
----a-w		   307,200 2008-03-01 18:20:56  C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe
----a-w		   155,648 2008-03-06 04:24:05  C:\Program Files\Apoint\Apoint .exe
----a-w			50,760 2008-03-06 04:25:00  C:\Program Files\Common Files\AOL\1163393549\ee\AOLSoftware .exe
----a-w		   124,520 2008-03-06 04:24:17  C:\Program Files\Common Files\AOL\IPHSend\IPHSend .exe
----a-w		   110,592 2008-03-01 20:21:27  C:\Program Files\Common Files\Sonic\Update Manager\sgtray .exe
----a-w		   217,088 2008-03-06 04:24:08  C:\Program Files\Dell\Media Experience\PCMService .exe
----a-w			49,152 2008-03-01 20:21:43  C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2 .exe
----a-w		   188,416 2008-03-01 20:21:43  C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp .exe
----a-w			61,440 2008-03-06 04:24:14  C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient .exe
----a-w			32,881 2008-03-06 04:24:04  C:\Program Files\Java\j2re1.4.2_03\bin\jusched .exe
----a-w		   110,592 2008-03-01 18:35:26  C:\Program Files\McAfee\SpamKiller\MskAgent .exe
----a-w		   483,840 2008-03-01 18:03:43  C:\Program Files\McAfee\SpamKiller\MSKAGE~1 .EXE
----a-w		   483,840 2008-03-01 18:19:40  C:\Program Files\McAfee\SpamKiller\MSKAGE~2 .EXE
----a-w		 1,121,280 2008-03-01 20:22:10  C:\Program Files\McAfee\SpamKiller\MSKDetct .exe
----a-w		   303,104 2008-03-06 04:24:29  C:\Program Files\McAfee.com\Agent\mcagent .exe
----a-w		   578,560 2008-03-06 05:03:54  C:\Program Files\McAfee.com\Agent\mcupdate .exe
----a-w		   578,560 2008-03-06 05:16:22  C:\Program Files\McAfee.com\Agent\MCUPDA~1 .EXE
----a-w		   151,552 2008-03-02 23:48:09  C:\Program Files\McAfee.com\VSO\mcmnhdlr .exe
----a-w		   163,840 2008-03-02 23:47:47  C:\Program Files\McAfee.com\VSO\mcvsshld .exe
----a-w			53,248 2008-03-02 23:47:32  C:\Program Files\McAfee.com\VSO\oasclnt .exe
----a-w		 1,511,453 2008-03-01 17:15:01  C:\Program Files\Messenger\msmsgs .exe
----a-w			53,248 2008-03-06 04:24:11  C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask .exe
----a-w		   118,784 2008-03-06 04:24:13  C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray .exe
----a-w		   430,592 2008-03-06 03:46:04  C:\Program Files\QuickTime\qttask				   .exe
----a-w		   430,592 2008-03-06 03:38:44  C:\Program Files\QuickTime\qttask				  .exe
----a-w		   430,592 2008-03-03 05:58:39  C:\Program Files\QuickTime\qttask				 .exe
----a-w		   430,592 2008-03-03 05:52:46  C:\Program Files\QuickTime\qttask				.exe
----a-w		   430,592 2008-03-03 05:19:43  C:\Program Files\QuickTime\qttask			   .exe
----a-w		   430,592 2008-03-03 04:17:30  C:\Program Files\QuickTime\qttask			  .exe
----a-w		   430,592 2008-03-03 00:16:48  C:\Program Files\QuickTime\qttask			 .exe
----a-w		   430,592 2008-03-02 23:47:17  C:\Program Files\QuickTime\qttask			.exe
----a-w		   430,592 2008-03-02 01:13:40  C:\Program Files\QuickTime\qttask		   .exe
----a-w		   430,592 2008-03-02 01:02:34  C:\Program Files\QuickTime\qttask		  .exe
----a-w		   430,592 2008-03-02 00:18:48  C:\Program Files\QuickTime\qttask		 .exe
----a-w		   430,592 2008-03-02 00:04:56  C:\Program Files\QuickTime\qttask		.exe
----a-w		   430,592 2008-03-01 23:26:21  C:\Program Files\QuickTime\qttask	   .exe
----a-w		   430,592 2008-03-01 23:21:35  C:\Program Files\QuickTime\qttask	  .exe
----a-w		   430,592 2008-03-01 20:10:38  C:\Program Files\QuickTime\qttask	 .exe
----a-w		   430,592 2008-03-01 20:02:57  C:\Program Files\QuickTime\qttask	.exe
----a-w		   430,592 2008-03-01 19:10:13  C:\Program Files\QuickTime\qttask   .exe
----a-w		   430,592 2008-03-01 18:02:47  C:\Program Files\QuickTime\qttask  .exe
----a-w		   430,592 2008-03-01 17:11:18  C:\Program Files\QuickTime\qttask .exe
----a-w			26,112 2008-03-06 04:24:18  C:\Program Files\Real\RealPlayer\RealPlay .exe
----a-w		   111,816 2008-03-06 04:24:19  C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr .exe
----a-w		 5,367,664 2008-03-01 18:06:09  C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI .exe
----a-w			28,672 2008-03-01 20:20:21  C:\WINDOWS\SYSTEM32\DSentry .exe
----a-w		   249,856 2008-03-01 20:20:21  C:\WINDOWS\SYSTEM32\keyhook .exe
----a-w		   114,741 2008-03-01 20:20:22  C:\WINDOWS\SYSTEM32\dla\tfswctrl .exe
----a-w		   188,416 2008-03-01 20:21:15  C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\hpztsb09 .exe
</pre>


-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D0542E4E-6C7A-4190-85DA-CE70FCA61342}]
2008-03-05 21:14 338944 --a------ C:\WINDOWS\System32\wvuvs.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [ ]
"AGRSMMSG"="AGRSMMSG.exe" [2003-11-19 12:41 88363 C:\WINDOWS\AGRSMMSG.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [ ]
"SiS Windows KeyHook"="C:\WINDOWS\System32\keyhook.exe" [ ]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [ ]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [ ]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [ ]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [ ]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [ ]
"StatusClient 2.6"="C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [ ]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [ ]
"ViewMgr"="C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe" [ ]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\MCUPDA~2.EXE" [2008-03-05 21:16 578560]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\McAgent.exe" [ ]
"McRegWiz"="c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe" [ ]
"BMff4443bc"="C:\WINDOWS\System32\jliectpp.dll" [2008-03-05 21:17 91712]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 12:05:56 65588]
Utility Tray.lnk - C:\WINDOWS\SYSTEM32\sistray.exe [2004-05-24 15:45:07 335872]
Wireless-G Notebook Adapter.lnk - C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe [2006-01-06 22:00:10 36864]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\System32\wvuvs.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\System32\wvuvs

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMff4443bc]
--a------ 2002-08-29 02:00 31744 C:\WINDOWS\SYSTEM32\RUNDLL32.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2008-03-01 12:03 419840 C:\Program Files\Common Files\AOL\1163393549\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2008-03-01 12:03 393216 C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
--a------ 2008-03-05 21:16 342528 C:\WINDOWS\System32\wvuvs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\PROGRA~1\mcafee.com\agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
--a------ 2008-03-05 21:03 578560 c:\PROGRA~1\mcafee.com\agent\MCUPDA~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
--a------ 2008-03-01 14:44 1490432 C:\Program Files\McAfee\SpamKiller\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]
--a------ 2008-03-01 10:03 396800 C:\Program Files\McAfee.com\VSO\oasclnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrModule12]
C:\Program Files\QdrModule\QdrModule12.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrPack13]
C:\Program Files\QdrPack\QdrPack13.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomcatStartup 2.5]
--a------ 2008-03-01 14:43 531968 C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2008-03-01 14:43 453632 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
--a------ 2008-03-01 14:43 742400 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
--a------ 2008-03-01 10:03 532992 C:\Program Files\McAfee.com\VSO\mcvsshld.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
--a------ 2008-03-01 14:43 521216 C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe

R2 NICSer_WPC54G;NICSer_WPC54G;C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe [2003-11-13 13:29]
R3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;C:\WINDOWS\System32\CBTNDIS5.SYS [2003-07-16 22:28]
R3 odysseyIM4;Odyssey Network Agent Miniport;C:\WINDOWS\System32\DRIVERS\odysseyIM4.sys [2004-09-24 23:36]
S3 PNDIS5;PNDIS5 NDIS Protocol Driver;D:\PNDIS5.SYS []

*Newly Created Service* - ALG
*Newly Created Service* - IPNAT
.
Contents of the 'Scheduled Tasks' folder
"2004-08-09 10:54:43 C:\WINDOWS\Tasks\ISP signup reminder 1.job"
- C:\WINDOWS\System32\OOBE\OOBEBALN.EXE
"2008-03-01 16:51:25 C:\WINDOWS\Tasks\wrSpySweeperTrialSweep.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe&/ScheduleSweep=wrSpySweeperTrialSweep
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
- C:\
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-05 21:15:26
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\svuvw.ini2 318 bytes
C:\WINDOWS\system32\wvuvs.exe 342528 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe [6.00.2800.1106]
-> C:\WINDOWS\System32\wvuvs.dll
-> C:\WINDOWS\System32\jliectpp.dll
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
.
**************************************************************************
.
Completion time: 2008-03-05 21:19:17 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-06 05:19:09

hijackthis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:21:11 PM, on 3/5/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SYSTEM32\sistray.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
F3 - REG:win.ini: load=C:\WINDOWS\System32\wvuvs.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint\Apoint.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [mmtask] "c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [StatusClient 2.6] "C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" /auto
O4 - HKLM\..\Run: [IPHSend] "C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe"
O4 - HKLM\..\Run: [ViewMgr] "C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe"
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\MCUPDA~2.EXE
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [McRegWiz] c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [BMff4443bc] Rundll32.exe "C:\WINDOWS\System32\jliectpp.dll",s
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\SYSTEM32\sistray.exe
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - http://download.mcafee.com/molbin/Shared/C...22/ComCtl32.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 5573 bytes


#2 ken545

ken545



  • Malware Response Team
  • 1,685 posts
  • Gender:Male
  • Location:The Space Coast of Florida

Posted 09 March 2008 - 09:20 AM

Hello robsha

Welcome to the Bleeping Computer Malware Removal Forum. The variant of Vundo that you're infected with includes a file infector. All the files and folders inside the Blue Code Box have been infected by this Trojan. We are going to attempt to clean those files; the ones that cannot be cleaned, I am afraid, you're going to have to uninstall and reinstall.

First go to your Add Remove Programs in the Control Panel and uninstall Viewpoint
C:\Program Files\Viewpoint <-- Delete this folder.


Drag the copy of ComboFix to the trash and download a fresh copy, as it's updated on a regular basis. Make sure you save it to your desktop.

Download Combofix from any of the links below, and save it to your desktop. <-- Important
Link 1
Link 2
Link 3



Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before and above Killall::

Killall::

RenV::
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager	  .exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager	 .exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager	.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager   .exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager  .exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe
C:\Program Files\Apoint\Apoint .exe
C:\Program Files\Common Files\AOL\1163393549\ee\AOLSoftware .exe
C:\Program Files\Common Files\AOL\IPHSend\IPHSend .exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray .exe
C:\Program Files\Dell\Media Experience\PCMService .exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2 .exe
C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp .exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient .exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched .exe
C:\Program Files\McAfee\SpamKiller\MskAgent .exe
C:\Program Files\McAfee\SpamKiller\MSKAGE~1 .EXE
C:\Program Files\McAfee\SpamKiller\MSKAGE~2 .EXE
C:\Program Files\McAfee\SpamKiller\MSKDetct .exe
C:\Program Files\McAfee.com\Agent\mcagent .exe
C:\Program Files\McAfee.com\Agent\mcupdate .exe
C:\Program Files\McAfee.com\Agent\MCUPDA~1 .EXE
C:\Program Files\McAfee.com\VSO\mcmnhdlr .exe
C:\Program Files\McAfee.com\VSO\mcvsshld .exe
C:\Program Files\McAfee.com\VSO\oasclnt .exe
C:\Program Files\Messenger\msmsgs .exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask .exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray .exe
C:\Program Files\QuickTime\qttask				   .exe
C:\Program Files\QuickTime\qttask				  .exe
C:\Program Files\QuickTime\qttask				 .exe
C:\Program Files\QuickTime\qttask				.exe
C:\Program Files\QuickTime\qttask			   .exe
C:\Program Files\QuickTime\qttask			  .exe
C:\Program Files\QuickTime\qttask			 .exe
C:\Program Files\QuickTime\qttask			.exe
C:\Program Files\QuickTime\qttask		   .exe
C:\Program Files\QuickTime\qttask		  .exe
C:\Program Files\QuickTime\qttask		 .exe
C:\Program Files\QuickTime\qttask		.exe
C:\Program Files\QuickTime\qttask	   .exe
C:\Program Files\QuickTime\qttask	  .exe
C:\Program Files\QuickTime\qttask	 .exe
C:\Program Files\QuickTime\qttask	.exe
C:\Program Files\QuickTime\qttask   .exe
C:\Program Files\QuickTime\qttask  .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\Real\RealPlayer\RealPlay .exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI .exe
C:\WINDOWS\SYSTEM32\DSentry .exe
C:\WINDOWS\SYSTEM32\keyhook .exe
C:\WINDOWS\SYSTEM32\dla\tfswctrl .exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\hpztsb09 .exe

File::
C:\WINDOWS\SYSTEM32\svuvw.ini
C:\WINDOWS\SYSTEM32\wvuvs.dll
C:\WINDOWS\SYSTEM32\ebvapxpl.ini
C:\WINDOWS\SYSTEM32\jweaxfih.ini
C:\WINDOWS\System32\jliectpp.dll
C:\WINDOWS\SYSTEM32\xmewauln.ini
C:\WINDOWS\mrofinu72.exe.tmp
C:\WINDOWS\SYSTEM32\LD07.tmp

Folder::
C:\VundoFix Backups

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D0542E4E-6C7A-4190-85DA-CE70FCA61342}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BMff4443bc"=-

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrModule12]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrPack13]

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Edited by ken545, 09 March 2008 - 10:03 AM.

Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014



Please consider a donation to help me keep up my fight against malware.

 

Just a reminder that threads will be closed if no response in 3 days
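A defender's check for the two artefacts in the logs above, added here as an example and not part of ken545's post, ComboFix or any BleepingComputer tool: it parses file entries in the layout of the code box (attributes, size, timestamp, path), flags executables whose names have whitespace wedged in front of the extension (the renaming this file infector leaves behind), and decodes the hex(7) REG_MULTI_SZ that the CFScript writes back to LSA Authentication Packages to confirm it restores only msv1_0. The sample lines are constructed from entries in this thread; the UTF-16 versus single-byte detection is a heuristic.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample in the layout of the ComboFix code box above:
# attributes, size, timestamp, path. The first three paths copy padded names
# from the log; the last one is a normal entry used as a control.
SAMPLE_SNAPSHOT = r"""
----a-w      430,592 2008-03-01 17:11:18  C:\Program Files\QuickTime\qttask .exe
----a-w      430,592 2008-03-01 18:02:47  C:\Program Files\QuickTime\qttask  .exe
----a-w       28,672 2008-03-01 20:20:21  C:\WINDOWS\SYSTEM32\DSentry .exe
----a-w       88,363 2003-11-19 12:41:00  C:\WINDOWS\AGRSMMSG.exe
"""

SNAPSHOT_LINE = re.compile(
    r"^(?P<attrs>[-a-zA-Z]+)\s+(?P<size>[\d,]+)\s+"
    r"(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<path>.+?)\s*$"
)
# Spaces or tabs sitting between the base name and the extension.
PADDED_EXT = re.compile(r"(\S)[ \t]+(\.[A-Za-z0-9]{1,4})$")

# Stock contents of HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages.
EXPECTED_AUTH_PACKAGES = {"msv1_0"}


def parse_snapshot_line(line: str) -> Optional[dict]:
    """Split one code-box line into attrs/size/stamp/path; None if it is not one."""
    m = SNAPSHOT_LINE.match(line.lstrip())
    if not m:
        return None
    entry = m.groupdict()
    entry["size"] = int(entry["size"].replace(",", ""))
    return entry


def is_padded_executable(path: str) -> bool:
    """True when whitespace separates the base name from its extension."""
    return PADDED_EXT.search(path) is not None


def restored_name(path: str) -> str:
    """Drop the injected whitespace to recover the file's original name."""
    return PADDED_EXT.sub(r"\1\2", path)


def find_padded_executables(snapshot: str) -> List[Tuple[str, str, int]]:
    """Return (padded path, restored path, size) for every padded entry."""
    hits = []
    for line in snapshot.splitlines():
        entry = parse_snapshot_line(line)
        if entry and is_padded_executable(entry["path"]):
            hits.append((entry["path"], restored_name(entry["path"]), entry["size"]))
    return hits


def decode_reg_multi_sz(value: str) -> List[str]:
    """Decode a .reg-style hex(7) REG_MULTI_SZ into its list of strings.

    Regedit exports these as UTF-16LE; the CFScript in this thread uses one byte
    per character. Heuristic: if every odd byte is zero, treat it as UTF-16LE.
    """
    if not value.lower().startswith("hex(7):"):
        raise ValueError("not a hex(7) value")
    raw = bytes(int(b, 16) for b in value[len("hex(7):"):].split(",") if b.strip())
    if len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        text = raw.decode("utf-16-le")
    else:
        text = raw.decode("latin-1")
    return [s for s in text.split("\x00") if s]


def parse_combofix_auth_line(line: str) -> List[str]:
    """Split ComboFix's 'Authentication Packages REG_MULTI_SZ ...' line into entries
    (whitespace-separated, which matches the log line in this thread)."""
    prefix = "Authentication Packages REG_MULTI_SZ"
    if not line.startswith(prefix):
        raise ValueError("unexpected line")
    return line[len(prefix):].split()


def unexpected_auth_packages(packages: List[str]) -> List[str]:
    """Entries beyond the stock msv1_0: each is a DLL lsass.exe loads at boot."""
    return [p for p in packages if p.lower() not in EXPECTED_AUTH_PACKAGES]


if __name__ == "__main__":
    for padded, fixed, size in find_padded_executables(SAMPLE_SNAPSHOT):
        print(f"{size:>8}  {padded!r} -> {fixed}")
    print("CFScript restores:", decode_reg_multi_sz("hex(7):6d,73,76,31,5f,30,00,00"))
    current = parse_combofix_auth_line(
        r"Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\System32\wvuvs")
    print("extra LSA packages in log:", unexpected_auth_packages(current))
```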


#3 ken545

ken545



  • Malware Response Team
  • 1,685 posts
  • Gender:Male
  • Location:The Space Coast of Florida

Posted 28 March 2008 - 05:39 PM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a Staff member. Include the address of this thread in your request. This applies only to the original topic starter. Should you have a new issue, please start a New Topic.





