
Infected With Vundo And God Knows What Else. Help!


  • This topic is locked
7 replies to this topic

#1 Hydrology

Hydrology

  • Members
  • 4 posts
  • OFFLINE
  • Local time:05:10 AM

Posted 26 April 2008 - 09:13 PM

Running Vista Ultimate.
Out of the blue I started getting threat detection errors from AVG. I move them to the Vault, but when I do a scan, about 80% of the way through AVG encounters an error and stops working. I uninstalled and redownloaded it, but the same problem occurs. I am using Safari now for web browsing. Trying to open Control Panel takes forever. IE7 automatically opens on its own every few minutes with the homepage set to some spyware software. I have used the VundoFix software but it keeps coming back.
Any ideas?



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:07:22 AM, on 27/04/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Safari\Safari.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dtvforum.info/index.php?act=idx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {C3F37ECA-A8D9-4633-92C6-FE24C7D16ABA} - C:\Windows\system32\khfFwWNd.dll
O2 - BHO: (no name) - {F9D12DF8-F831-4CD6-8493-13F216B10298} - C:\Windows\system32\fccaATkI.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\khfFwWNd.dll,#1
O4 - HKLM\..\Run: [BMc709d1e3] Rundll32.exe "C:\Windows\system32\hqqpnkiu.dll",s
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Facebo...Uploader4_5.cab
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: pggbrnyp - pggbrnyp.dll (file missing)
O20 - Winlogon Notify: __c0059C14 - __c0059C14.dat (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe

--
End of file - 5454 bytes
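The HijackThis log above carries the classic Vundo pattern that helpers in these threads look for by eye: BHOs registered with no name pointing at DLLs in system32 with 8-letter random names, Run entries that use rundll32 to load those DLLs by ordinal, and Winlogon Notify entries whose file is missing. The following script, an added example that is not BleepingComputer's or Trend Micro's code, encodes those checks as a small triage pass over HJT lines. The sample log is constructed from entries in the post above; the random-name heuristic (eight letters, few vowels or interior capitals) is an assumption of this example, not an HJT rule.

```python
"""Triage pass over HijackThis v2 log lines (added example, not HJT's own code)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: entries taken from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {C3F37ECA-A8D9-4633-92C6-FE24C7D16ABA} - C:\Windows\system32\khfFwWNd.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\khfFwWNd.dll,#1
O4 - HKLM\..\Run: [BMc709d1e3] Rundll32.exe "C:\Windows\system32\hqqpnkiu.dll",s
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: pggbrnyp - pggbrnyp.dll (file missing)
""".strip()

# rundll32 loading a DLL, optionally quoted, followed by an export name or ordinal.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?\s*,', re.IGNORECASE)
SYSTEM32_RE = re.compile(r'\\system32\\', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def looks_random(filename: str) -> bool:
    """Heuristic (this example's assumption): an 8-letter stem with at most two
    vowels or capitals in the middle is the shape of the Vundo DLL names above."""
    stem = re.sub(r'\.[A-Za-z0-9]+$', '', filename.rsplit('\\', 1)[-1])
    if not (stem.isalpha() and len(stem) == 8):
        return False
    vowels = sum(c in 'aeiou' for c in stem.lower())
    interior_upper = any(c.isupper() for c in stem[1:])
    return vowels <= 2 or interior_upper


def _annotate(reason: str, path: str) -> str:
    name = path.rsplit('\\', 1)[-1]
    return f"{reason}; random-looking name {name}" if looks_random(name) else reason


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one HJT line if it matches a Vundo-style indicator."""
    code, _, rest = line.partition(' - ')
    code = code.strip()
    if code == 'O2' and rest.startswith('BHO: (no name)'):
        path = rest.rsplit(' - ', 1)[-1]
        if path == '(no file)':
            return Finding(line, 'orphaned BHO registration (no name, no file)')
        if SYSTEM32_RE.search(path):
            return Finding(line, _annotate('unnamed BHO loaded from system32', path))
    if code == 'O4':
        m = RUNDLL_RE.search(rest)
        if m and SYSTEM32_RE.search(m.group(1)):
            return Finding(line, _annotate('Run entry uses rundll32 to load a system32 DLL', m.group(1)))
    if code == 'O20' and rest.endswith('(file missing)'):
        dll = rest.split(' - ', 1)[-1].replace(' (file missing)', '')
        return Finding(line, _annotate('Winlogon Notify entry whose file is missing', dll))
    return None


def triage(log: str) -> List[Finding]:
    """Run triage_line over every non-empty line of an HJT log."""
    return [f for f in (triage_line(l.strip()) for l in log.splitlines() if l.strip()) if f]


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

The legitimate entries (Adobe, AVG, the oobefldr.dll welcome-center stub) pass through untouched; only the structural indicators produce findings, and the name heuristic is attached to a finding rather than raising one on its own, which keeps vowel-poor but legitimate names such as avgwlntf.dll out of the output.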


#2 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:11:10 PM

Posted 30 April 2008 - 08:54 AM

Hello Hydrology and welcome to BleepingComputer,

1. * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click Delete.
  • Click Delete Files, Delete cookies and Delete history
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the Clear now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
2. Please download Malwarebytes' Anti-Malware from Here or Here

Doubleclick mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

3. Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.

In the event you already have Combofix, delete your current version and download the latest version as described in the tutorial.
It must be saved directly to your desktop.


Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbsup:

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#3 Hydrology

Hydrology
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:05:10 AM

Posted 30 April 2008 - 06:18 PM

Thanks Thunder will report back later!

#4 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:11:10 PM

Posted 30 April 2008 - 06:30 PM

Take your time, Hydrology,

but don't wait too long, as these infections tend to grow worse over time. :thumbsup:

I'll be looking forward to your logs.

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#5 Hydrology

Hydrology
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:05:10 AM

Posted 01 May 2008 - 09:07 AM

OK, here is the Combo log, followed by the HT log:

ComboFix 08-04-29.5 - Mark Hyland 2008-05-01 19:27:54.1 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6000.0.1252.1.1033.18.474 [GMT 8:00]
Running from: C:\Users\Mark Hyland\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Users\Mark Hyland\AppData\Roaming\inst.exe
C:\Windows\system32\eqahhkvo.ini
C:\Windows\system32\iqhkcewu.ini
C:\Windows\system32\mcrh.tmp
C:\Windows\system32\nowtibpn.dll
C:\Windows\system32\rqrOHAPf.dll
C:\Windows\System32\tksibjyq.ini

.
((((((((((((((((((((((((( Files Created from 2008-04-01 to 2008-05-01 )))))))))))))))))))))))))))))))
.

2008-05-01 18:34 . 2008-05-01 18:34 <DIR> d-------- C:\Users\Mark Hyland\AppData\Roaming\Malwarebytes
2008-05-01 18:34 . 2008-05-01 18:34 <DIR> d-------- C:\Users\All Users\Malwarebytes
2008-05-01 18:34 . 2008-05-01 18:34 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-05-01 18:34 . 2008-05-01 18:34 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-30 09:32 . 2008-04-30 09:32 <DIR> d-------- C:\Program Files\WinAVI Video Converter
2008-04-27 16:06 . 2008-04-27 16:06 <DIR> d-------- C:\Program Files\Kerkythea Rendering System
2008-04-27 16:05 . 2004-03-05 01:13 644,400 --a------ C:\Windows\System32\MSCOMCT2.OCX
2008-04-27 10:06 . 2008-04-27 10:06 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-25 18:42 . 2008-04-25 18:42 <DIR> d-------- C:\Deckard
2008-04-25 18:09 . 2008-04-25 18:09 24,576 --a------ C:\Windows\System32\VundoFixSVC.exe
2008-04-23 20:22 . 2008-05-01 18:53 <DIR> dr-h----- C:\$VAULT$.AVG
2008-04-23 19:47 . 2008-04-25 18:09 <DIR> d-------- C:\VundoFix Backups
2008-04-23 18:23 . 2008-04-23 18:23 524,288 --ahs---- C:\Users\Mcx1\NTUSER.DAT{95d74d37-111a-11dd-8368-001060a36941}.TMContainer00000000000000000002.regtrans-ms
2008-04-23 18:23 . 2008-04-23 18:23 524,288 --ahs---- C:\Users\Mcx1\NTUSER.DAT{95d74d37-111a-11dd-8368-001060a36941}.TMContainer00000000000000000001.regtrans-ms
2008-04-23 18:23 . 2008-04-23 18:23 524,288 --ahs---- C:\Users\Guest\NTUSER.DAT{95d74d39-111a-11dd-8368-001060a36941}.TMContainer00000000000000000002.regtrans-ms
2008-04-23 18:23 . 2008-04-23 18:23 524,288 --ahs---- C:\Users\Guest\NTUSER.DAT{95d74d39-111a-11dd-8368-001060a36941}.TMContainer00000000000000000001.regtrans-ms
2008-04-23 18:23 . 2008-04-23 18:23 524,288 --ahs---- C:\Users\Deanne Hyland\NTUSER.DAT{95d74d35-111a-11dd-8368-001060a36941}.TMContainer00000000000000000002.regtrans-ms
2008-04-23 18:23 . 2008-04-23 18:23 524,288 --ahs---- C:\Users\Deanne Hyland\NTUSER.DAT{95d74d35-111a-11dd-8368-001060a36941}.TMContainer00000000000000000001.regtrans-ms
2008-04-23 18:23 . 2008-04-23 18:23 65,536 --ahs---- C:\Users\Mcx1\NTUSER.DAT{95d74d37-111a-11dd-8368-001060a36941}.TM.blf
2008-04-23 18:23 . 2008-04-23 18:23 65,536 --ahs---- C:\Users\Guest\NTUSER.DAT{95d74d39-111a-11dd-8368-001060a36941}.TM.blf
2008-04-23 18:23 . 2008-04-23 18:23 65,536 --ahs---- C:\Users\Deanne Hyland\NTUSER.DAT{95d74d35-111a-11dd-8368-001060a36941}.TM.blf
2008-04-23 17:52 . 2008-04-23 17:52 <DIR> d-------- C:\Users\All Users\Grisoft
2008-04-23 17:52 . 2008-04-23 17:52 <DIR> d-------- C:\ProgramData\Grisoft
2008-04-23 17:52 . 2008-04-23 17:52 9,216 --a------ C:\Windows\System32\avgwlntf.dll
2008-04-23 17:51 . 2008-04-23 17:52 524,288 --ahs---- C:\Users\Guest\NTUSER.DAT{95d74d26-111a-11dd-8368-001060a36941}.TMContainer00000000000000000002.regtrans-ms
2008-04-23 17:51 . 2008-04-23 17:52 524,288 --ahs---- C:\Users\Guest\NTUSER.DAT{95d74d26-111a-11dd-8368-001060a36941}.TMContainer00000000000000000001.regtrans-ms
2008-04-23 17:51 . 2008-04-23 17:52 524,288 --ahs---- C:\Users\Deanne Hyland\NTUSER.DAT{95d74d1f-111a-11dd-8368-001060a36941}.TMContainer00000000000000000002.regtrans-ms
2008-04-23 17:51 . 2008-04-23 17:52 524,288 --ahs---- C:\Users\Deanne Hyland\NTUSER.DAT{95d74d1f-111a-11dd-8368-001060a36941}.TMContainer00000000000000000001.regtrans-ms
2008-04-23 17:51 . 2008-04-23 17:52 65,536 --ahs---- C:\Users\Guest\NTUSER.DAT{95d74d26-111a-11dd-8368-001060a36941}.TM.blf
2008-04-23 17:51 . 2008-04-23 17:52 65,536 --ahs---- C:\Users\Deanne Hyland\NTUSER.DAT{95d74d1f-111a-11dd-8368-001060a36941}.TM.blf
2008-04-23 17:48 . 2008-04-23 17:48 524,288 --ahs---- C:\Users\Mcx1\NTUSER.DAT{3163c059-1111-11dd-904f-001060a36941}.TMContainer00000000000000000002.regtrans-ms
2008-04-23 17:48 . 2008-04-23 17:48 524,288 --ahs---- C:\Users\Mcx1\NTUSER.DAT{3163c059-1111-11dd-904f-001060a36941}.TMContainer00000000000000000001.regtrans-ms
2008-04-23 17:48 . 2008-04-23 17:48 524,288 --ahs---- C:\Users\Guest\NTUSER.DAT{3163c05b-1111-11dd-904f-001060a36941}.TMContainer00000000000000000002.regtrans-ms
2008-04-23 17:48 . 2008-04-23 17:48 524,288 --ahs---- C:\Users\Guest\NTUSER.DAT{3163c05b-1111-11dd-904f-001060a36941}.TMContainer00000000000000000001.regtrans-ms
2008-04-23 17:48 . 2008-04-23 17:48 524,288 --ahs---- C:\Users\Deanne Hyland\NTUSER.DAT{3163c057-1111-11dd-904f-001060a36941}.TMContainer00000000000000000002.regtrans-ms
2008-04-23 17:48 . 2008-04-23 17:48 524,288 --ahs---- C:\Users\Deanne Hyland\NTUSER.DAT{3163c057-1111-11dd-904f-001060a36941}.TMContainer00000000000000000001.regtrans-ms
2008-04-23 17:48 . 2008-04-23 17:48 65,536 --ahs---- C:\Users\Mcx1\NTUSER.DAT{3163c059-1111-11dd-904f-001060a36941}.TM.blf
2008-04-23 17:48 . 2008-04-23 17:48 65,536 --ahs---- C:\Users\Guest\NTUSER.DAT{3163c05b-1111-11dd-904f-001060a36941}.TM.blf
2008-04-23 17:48 . 2008-04-23 17:48 65,536 --ahs---- C:\Users\Deanne Hyland\NTUSER.DAT{3163c057-1111-11dd-904f-001060a36941}.TM.blf
2008-04-23 17:36 . 2008-04-23 17:36 170,224 --ah----- C:\Windows\System32\mlfcache.dat
2008-04-23 08:29 . 2008-04-23 08:29 <DIR> d-------- C:\Program Files\Safari
2008-04-23 08:27 . 2008-04-23 08:27 <DIR> d-------- C:\Program Files\Bonjour
2008-04-23 08:27 . 2008-04-23 08:27 <DIR> d-------- C:\Program Files\Apple Software Update
2008-04-21 22:20 . 2008-04-21 22:22 <DIR> d-------- C:\Users\Mark Hyland\AppData\Roaming\Vso
2008-04-21 22:20 . 2008-04-21 22:22 <DIR> d-------- C:\Program Files\DVDFab Platinum 4
2008-04-21 22:20 . 2008-04-21 22:20 47,360 --a------ C:\Windows\System32\drivers\pcouffin.sys
2008-04-21 22:20 . 2008-04-21 22:20 47,360 --a------ C:\Users\Mark Hyland\AppData\Roaming\pcouffin.sys
2008-04-20 18:14 . 2008-04-20 20:03 <DIR> d-------- C:\Program Files\mkv2vob
2008-04-20 18:14 . 2008-04-20 18:14 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-09 14:01 . 2008-02-15 07:19 944,184 --a------ C:\Windows\System32\winload.exe
2008-04-09 14:01 . 2008-02-19 13:10 620,088 --a------ C:\Windows\System32\ci.dll
2008-04-09 14:01 . 2008-02-29 14:39 371,712 --a------ C:\Windows\System32\srcore.dll
2008-04-09 14:01 . 2008-02-29 14:38 313,856 --a------ C:\Windows\System32\rstrui.exe
2008-04-09 14:01 . 2008-02-29 14:39 40,960 --a------ C:\Windows\System32\srclient.dll
2008-04-09 14:01 . 2008-02-29 14:51 19,000 --a------ C:\Windows\System32\kd1394.dll
2008-04-09 14:01 . 2008-02-29 14:38 16,384 --a------ C:\Windows\System32\srdelayed.exe
2008-04-09 14:01 . 2008-02-29 14:34 7,168 --a------ C:\Windows\System32\f3ahvoas.dll
2008-04-09 14:01 . 2008-02-29 14:35 6,656 --a------ C:\Windows\System32\kbd106n.dll
2008-04-09 13:56 . 2008-02-21 12:43 296,448 --a------ C:\Windows\System32\gdi32.dll
2008-04-09 13:56 . 2007-12-16 19:42 83,968 --a------ C:\Windows\System32\dnsrslvr.dll
2008-04-09 13:56 . 2007-12-16 19:41 24,576 --a------ C:\Windows\System32\dnscacheugc.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-01 10:18 --------- d-----w C:\Users\Mark Hyland\AppData\Roaming\AVG7
2008-04-30 04:22 --------- d-----w C:\Users\Mark Hyland\AppData\Roaming\uTorrent
2008-04-27 14:04 --------- d-----w C:\Users\Deanne Hyland\AppData\Roaming\AVG7
2008-04-27 08:04 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-27 08:03 --------- d-----w C:\Program Files\Google
2008-04-27 08:02 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-23 10:24 --------- d-----w C:\ProgramData\avg7
2008-04-23 09:47 --------- d-----w C:\Users\Guest\AppData\Roaming\AVG7
2008-04-23 09:08 --------- d-----w C:\Users\Mark Hyland\AppData\Roaming\Move Networks
2008-04-23 00:31 --------- d-----w C:\Users\Mark Hyland\AppData\Roaming\Apple Computer
2008-04-20 01:02 --------- d-----w C:\Program Files\AviSynth 2.5
2008-04-09 06:52 --------- d-----w C:\Program Files\Windows Mail
2008-03-29 16:27 --------- d-----w C:\Program Files\Mediafour
2008-03-21 08:53 --------- d-----w C:\Users\Guest\AppData\Roaming\vlc
2008-03-10 11:33 --------- d-----w C:\Program Files\Multimedia Mouse Driver
2008-03-10 03:04 --------- d-----w C:\Program Files\Red Kawa
2008-02-29 04:16 2,027,008 ----a-w C:\Windows\System32\win32k.sys
2008-02-21 04:43 826,368 ----a-w C:\Windows\System32\wininet.dll
2008-02-21 04:43 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-02-21 04:43 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-02-21 04:43 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-02-13 07:51 194,560 ----a-w C:\Windows\System32\WebClnt.dll
2008-02-13 07:47 3,504,696 ----a-w C:\Windows\System32\ntkrnlpa.exe
2008-02-13 07:47 3,470,392 ----a-w C:\Windows\System32\ntoskrnl.exe
2008-02-13 07:47 24,064 ----a-w C:\Windows\System32\netcfg.exe
2008-02-13 07:47 22,016 ----a-w C:\Windows\System32\netiougc.exe
2008-02-13 07:47 167,424 ----a-w C:\Windows\System32\tcpipcfg.dll
2008-02-13 07:46 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-02-13 07:46 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-02-13 07:46 4,247,552 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll
2008-02-13 07:46 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2008-02-13 07:46 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-02-13 07:46 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-02-13 07:46 1,686,528 ----a-w C:\Windows\System32\gameux.dll
2007-11-04 23:15 174 --sha-w C:\Program Files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 20:34 125440]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-11-08 07:11 171448]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-25 17:51 579584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-04-23 17:52 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2008-04-23 17:52 9216 C:\Windows\System32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pggbrnyp]
pggbrnyp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c0059C14]
__c0059C14.dat

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\Windows\pss\Adobe Gamma Loader.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMc709d1e3]
C:\Windows\system32\ekwlutcv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
--a------ 2006-09-29 03:21 57344 C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 12:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Line Speed Meter]
--a------ 2006-11-04 14:09 2990080 C:\Program Files\tcpIQ\Line Speed Meter\LineSpeedMeter.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSServer]
C:\Windows\system32\jkkiFvus.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 22:13 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
--a------ 2008-01-11 02:03 1232896 C:\Program Files\Windows Sidebar\sidebar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-11-08 07:11 171448 C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2007-11-05 07:23 1006264 C:\Program Files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsWelcomeCenter]
--a------ 2006-11-02 20:32 2159104 C:\Windows\System32\oobefldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WireLessMouse]
--a------ 2005-11-30 11:48 94208 C:\Program Files\Multimedia Mouse Driver\StartAutorun.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1571062509-1077538053-46358308-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{CABF09DC-5DEB-461D-9A2B-E4E49A173B27}C:\\program files\\utorrent\\utorrent.exe"= UDP:C:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{2EA531A2-E86C-435C-8AFF-844ACD460B21}C:\\program files\\utorrent\\utorrent.exe"= TCP:C:\program files\utorrent\utorrent.exe:uTorrent
"TCP Query User{D7F38F40-4DD3-42AF-A74D-65941DB24234}C:\\program files\\azureus\\azureus.exe"= UDP:C:\program files\azureus\azureus.exe:Azureus
"UDP Query User{AFFB732D-F114-4C08-B0F9-108E7F5FC495}C:\\program files\\azureus\\azureus.exe"= TCP:C:\program files\azureus\azureus.exe:Azureus
"{C7B3C3ED-68FE-4999-A79B-D5FB5BEE4A3A}"= C:\Program Files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)
"{F5C9EAFE-24E6-411B-B1C8-2EB67B030907}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{EBA0E0A9-DE23-48D3-9CD2-F37B2E8FF321}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{6DED463F-0160-453F-8368-1B9242C898B2}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{51AAFE0B-7142-4EDC-8BEE-BE7DC06E30B4}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{15F57EA5-DD41-4431-941B-A29D5A28BD9C}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{9E1FBFB1-3E5A-45C3-B724-702A9CBD5EF1}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{6877F69B-2BEB-4AD6-95A1-52A0E6C58287}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{DC158DEA-A605-4F68-B28D-C1560E7A0813}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{199897E1-F3F9-42A3-BA18-5C3FBB8E0953}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\Windows\system32\DRIVERS\fetnd5bv.sys [2006-12-20 06:00]
S3 UMPass;Microsoft UMPass Driver;C:\Windows\system32\DRIVERS\umpass.sys [2006-11-02 16:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ

.
Contents of the 'Scheduled Tasks' folder
"2008-05-01 13:00:00 C:\Windows\Tasks\User_Feed_Synchronization-{F4E6127F-2551-425F-9889-22352CB248D6}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-01 21:00:00
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\System32\audiodg.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\conime.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\dllhost.exe
.
**************************************************************************
.
Completion time: 2008-05-01 21:02:35 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-01 13:02:22

Pre-Run: 36,227,948,544 bytes free
Post-Run: 36,581,072,896 bytes free

233 --- E O F --- 2008-04-23 08:49:14


HIJACK THIS LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:07:26 PM, on 1/05/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\conime.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\Explorer.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Safari\Safari.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dtvforum.info/index.php?act=idx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Facebo...Uploader4_5.cab
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: pggbrnyp - pggbrnyp.dll (file missing)
O20 - Winlogon Notify: __c0059C14 - __c0059C14.dat (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe

--
End of file - 4682 bytes

#6 Thunder

Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 01 May 2008 - 02:52 PM

Hello Hydrology,

That cleaned up nicely. :thumbsup:

Some leftovers :
Open Notepad and copy and paste the bold, blue text below in it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pggbrnyp]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c0059C14]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMc709d1e3]

Save this as fix.reg Choose to save as "all files" and place it on your Desktop.
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click Yes/OK.
(In case you are unsure how to create a reg file, take a look here with screenshots.)

You can remove all used tools and folders created in the process.
To remove ComboFix :
Go to Start > Run, and copy and paste the next command in the field:

ComboFix /u
Make sure there's a space between Combofix and /u
Then press Enter.
This will uninstall Combofix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

No more problems ?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference
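As an added example (not code from the thread or from its helper): a small Python script that pulls the Winlogon Notify entries HijackThis flags as "(file missing)" out of O20 log lines (the sample below is constructed from the log posted above) and renders the same kind of REGEDIT4 deletion file Thunder supplied, so the fix can be checked against the log before it is merged.

```python
import re

# Constructed sample: O20 lines copied from the HijackThis log posted in this thread,
# plus the legitimate AVG notify entry whose DLL is present and must not be deleted.
SAMPLE_LOG = """\
O20 - Winlogon Notify: avgwlntf - C:\\Windows\\SYSTEM32\\avgwlntf.dll
O20 - Winlogon Notify: pggbrnyp - pggbrnyp.dll (file missing)
O20 - Winlogon Notify: __c0059C14 - __c0059C14.dat (file missing)
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\\Windows\\SYSTEM32\\VundoFixSVC.exe
"""

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify"

O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)

def orphaned_notify_entries(log_text):
    """Return the names of Winlogon Notify packages whose DLL HijackThis reports missing.

    A Notify entry pointing at a file that no longer exists is a typical leftover of a
    Vundo-style infection once the DLL itself has been removed: the key is still read
    at logon and should be deleted, which is what the fix.reg in this thread does.
    """
    orphans = []
    for line in log_text.splitlines():
        m = O20_RE.match(line.strip())
        if m and m.group("missing"):
            orphans.append(m.group("name"))
    return orphans

def build_fix_reg(names):
    """Render a REGEDIT4 file that deletes each orphaned Notify subkey.

    A leading '-' inside the brackets tells regedit to delete the whole key
    instead of creating it, exactly as in the fix.reg posted above.
    """
    lines = ["REGEDIT4", ""]
    for name in names:
        lines.append(f"[-{NOTIFY_KEY}\\{name}]")
        lines.append("")
    return "\n".join(lines)

if __name__ == "__main__":
    print(build_fix_reg(orphaned_notify_entries(SAMPLE_LOG)))
```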

#7 Hydrology

Hydrology
  • Topic Starter

  • Members
  • 4 posts

Posted 01 May 2008 - 06:12 PM

Looks like it worked a treat, Thunder. Thanks a million - you're a star!

#8 Thunder

Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 02 May 2008 - 02:37 AM

Glad we could help, Hydrology :thumbsup:

Please read this Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks.
To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Please also read Tony Klein's excellent article: How I got Infected in the First Place
and/or Grinler's tutorial on how malware is hidden and installed.

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
