Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

:( Trojan Infection - Somebody Help Me Please :(


  • Please log in to reply
22 replies to this topic

#1 phil1066

phil1066

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:06:20 PM

Posted 19 July 2008 - 04:31 AM

[EDIT - A work colleague of mine said I should come and seek your help following excellent results he got here too :-)]

A few weeks back I decided not to renew my Nortons Antivirus subscription and instead opted for AVG free, and all was looking fine until I downloaded a file which although was scanned by AVG, when installing the app it unleashed some trojans (I believe). Anyway, I could not really seem to find out what was attacking as AVG wasnt really reporting much, and I just started getting windows errors relating to rundll32s and web browsers opening up by themselves and browsing to pages.

So after running spybot and ad-aware didnt really find much. I then decided to buy Nortons again, so installed that and had a bit of difficulty getting it up and fully running scans. Had a few random automatic restarts along the way too. Eventually I saw a nortons message say something about vundo and virtumonde or something. A few scans later didnt really find anything so downloaded symantec tools for both. Ran spybot S&D which eventually did detect virtumonde, so I got it to 'fix' the items, reran several times, plus ran the removal tools - nothing further found.

Since then the PC has been running very slow with a process called ccSvcHst.exe consumng much of the CPU time, which I understood to be a known issue with NOrtons. I downloaded eusing free registry repair and ran that, getting rid of a whole bunch of rubbish.

Anyway, thought I would uninstall [EDIT - I actually ran the symantec removal tool here to uninstall] and reinstall the product to see if it got improvement, also I vetted the startup processes in msconfig and got unticked a few that I didnt need. Upon restart I got a userinit.exe error plus a run32dll error and could not get standard login to work at all. tried degub mode, no joy, then tried safe mode which did eventually work.

When trying to uninstall nortons again (which I couldnt) I noticed some new and unfamiliar products in the add/remove program list, such as "deewoo network manager removal", "enhancement browser tools gooochi" and "Mysidesearch search assistant bfinding", plus the browser not functioning and random pages coming up.

All this over a week with hours and hours spent trying different things - thought I had resolved it :thumbsup:

Help me before I BIFF the PC :-)

Edited by phil1066, 19 July 2008 - 04:26 PM.


BC AdBot (Login to Remove)

 


m

#2 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:02:20 AM

Posted 19 July 2008 - 05:56 AM

1. download and run the norton's removal tool, then reboot
http://service1.symantec.com/Support/tsgen...005033108162039
save your key

2. if this is XP not vista

Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.exe

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

IMPORTANT: Do NOT run any other options until you are asked to do so!

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

Note all I want is option 1 run from normal mode

3. Do a scan and fix with MBAM

http://www.bleepingcomputer.com/forums/ind...st&p=876163

Don't make any other changes for now, part of your problem is changing horses/av programs in mid stream/removing an infection

Make sure spybot's teatimer is completely disabled from resident protection

It may be too late
Chewy

No. Try not. Do... or do not. There is no try.

#3 phil1066

phil1066
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:06:20 PM

Posted 19 July 2008 - 04:33 PM

Thanks Chewy, sorry, note a couple of EDITS in the first post, one may be important. Am on XP home btw.

Secondly, I guess I should have waited for a response before doing anything else - apologies, but here is what I have done since:

1) Got safe mode running, ran S&D Spybot, found Virtumonde - fixed (although I dont believe this based on last time)

2) Ran Nortons Antivirus, found Vundo trojan plus a few other unwanted bits - nortons reported partial fix on vundo

3) uninstalled those rogue entries from the add/remove programs list

4) currently running symantec vundo removal program scan tool

Once no.4 has finished I wont do anything else till I have heard back from you, as I do not want to compound issues further.


A couple of questions:

a) should I still follow your instructions?

:thumbsup: Also, note that I have wireless and cannot access net via safe mode with networking, so should I fire up normal logon or get a long ethernet cable and try and download direct via the modem?

(im writing this on my work laptop which wont let me download exe apps)

Thanks for your help and sorry if I have worsened things by not waiting.

Edited by phil1066, 19 July 2008 - 04:35 PM.


#4 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:02:20 AM

Posted 19 July 2008 - 05:25 PM

OK let's put off norton's and still do 2 and 3

2 after a normal reboot and 3 after 2
Chewy

No. Try not. Do... or do not. There is no try.

#5 phil1066

phil1066
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:06:20 PM

Posted 19 July 2008 - 08:14 PM

thanks will respond with results.

#6 phil1066

phil1066
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:06:20 PM

Posted 20 July 2008 - 03:33 AM

Here are the results from the apps:

SmitFraudFix v2.329

Scan done at 16:06:41.81, Sun 20/07/2008
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\Apple\Mobile Device
Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\TP-LINK\TWCU\TWCU.exe
C:\Documents and Settings\Owner\winlogon.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

hosts file corrupted !

127.0.0.1 www.legal-at-spybot.info
127.0.0.1 legal-at-spybot.info

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet
Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

[HKEY_CURRENT_USER\Software\Microsoft\Internet
Explorer\Desktop\Components\1]
"Source"="7db39a0d-580f-4be9-9195-8bfcd226f6c2"
"SubscribedURL"=""
"FriendlyName"="Aqua Real"
[HKEY_CURRENT_USER\Software\Microsoft\Internet
Explorer\Desktop\Components\2]
"Source"="http://gamercard.xbox.com/Pacmannz.card"
"SubscribedURL"="http://gamercard.xbox.com/Pacmannz.card"
"FriendlyName"=""

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=dword:00000001


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="c:\\windows\\system32\\userinit.exe"
"OldUserinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet
Scheduler Miniport
DNS Server Search Order: 202.27.158.40
DNS Server Search Order: 202.27.156.72

HKLM\SYSTEM\CCS\Services\Tcpip\..\{77665C23-15CA-4E31-B26A-48B15A887821}:
NameServer=202.27.158.40,202.27.156.72
HKLM\SYSTEM\CCS\Services\Tcpip\..\{D580E4E4-0CE4-4C04-9796-D90449C163A8}:
NameServer=202.27.158.40,202.27.156.72
HKLM\SYSTEM\CS3\Services\Tcpip\..\{77665C23-15CA-4E31-B26A-48B15A887821}:
NameServer=202.27.158.40,202.27.156.72
HKLM\SYSTEM\CS3\Services\Tcpip\..\{D580E4E4-0CE4-4C04-9796-D90449C163A8}:
NameServer=202.27.158.40,202.27.156.72


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End



Malwarebytes' Anti-Malware 1.20
Database version: 930
Windows 5.1.2600 Service Pack 2

8:24:28 p.m. 20/07/2008
mbam-log-7-20-2008 (20-24-20).txt

Scan type: Full Scan (C:\|D:\|G:\|)
Objects scanned: 152255
Time elapsed: 2 hour(s), 24 minute(s), 45 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 27
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 2
Files Infected: 20

Memory Processes Infected:
C:\Documents and Settings\Owner\winlogon.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.

Memory Modules Infected:
C:\WINDOWS\system32\pmnoNDTl.dll (Trojan.Vundo) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0f79228e-8b9a-40e5-b3f6-70f17b0c4da9} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{0f79228e-8b9a-40e5-b3f6-70f17b0c4da9} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\AppID\{8d71eeb8-a1a7-4733-8fa2-1cac015c967d} (Adware.BHO) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{1e404d48-670a-4085-a6a0-d195793ddd33} (Adware.BHO) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{9f593aac-ca4c-4a41-a7ff-a00812192d61} (Adware.BHO) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{749ec66f-a838-4b38-b8e5-e65d905fff74} (Adware.BHO) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{1e404d48-670a-4085-a6a0-d195793ddd33} (Adware.BHO) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{1ecc44fb-970d-4bc8-90e3-002da4dd21b8} (Spyware.Banker) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{63bd4ee4-660b-434d-a54b-7c1f53e2fedd} (Spyware.Banker) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{6d2c09c4-ec95-4251-81fd-1cd01fd8ae44} (Spyware.Banker) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{d622e87a-35f9-4fb2-afee-4f5bf8407c7a} (Spyware.Banker) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{ff14b02b-6ee4-400f-a729-b0ea35f921c2} (Spyware.Banker) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{69620165-77dd-44ee-995c-3632e525a22b} (Spyware.Banker) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{f8d07b72-b4b4-46a0-acc0-c771d4614b82} (Spyware.Banker) -> No action taken.
HKEY_CLASSES_ROOT\aosmtp.mail (Spyware.Banker) -> No action taken.
HKEY_CLASSES_ROOT\aosmtp.mail.1 (Spyware.Banker) -> No action taken.
HKEY_CLASSES_ROOT\aosmtp.fastsender (Spyware.Banker) -> No action taken.
HKEY_CLASSES_ROOT\aosmtp.fastsender.1 (Spyware.Banker) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{1d4db7d3-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{093f9cf8-0de1-491c-95d5-5ec257bd4ca3} (Adware.EGDAccess) -> No action taken.
HKEY_CLASSES_ROOT\AppID\Sidebar.DLL (Adware.BHO) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\RX ToolBar (Adware.RXToolbar) -> No action taken.
HKEY_CLASSES_ROOT\WR (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsoft works portfolio (Backdoor.Bot) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows logon applicationedc (Backdoor.Bot) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\pmnondtl -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\pmnondtl -> No action taken.

Folders Infected:
C:\WINDOWS\system32\win1 (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\All Users\Application Data\VideoEgg (Adware.VideoEgg) -> No action taken.

Files Infected:
C:\WINDOWS\system32\pmnoNDTl.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\lTDNonmp.ini (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\lTDNonmp.ini2 (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\xsprjngq.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\qgnjrpsx.ini (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\AOSMTP.dll (Spyware.Banker) -> No action taken.
C:\WINDOWS\cookies.ini (Malware.Trace) -> No action taken.
C:\WINDOWS\system32\winpfz33.sys (Malware.Trace) -> No action taken.
C:\Documents and Settings\Owner\winlogon.exe (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\pac.txt (Malware.Trace) -> No action taken.
C:\WINDOWS\system32\rqRhGWpp.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\rqRLdBtT.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\pmnnKCTj.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\efcAssSi.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\khfCstUn.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\khfFUMCu.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\vtUopqqO.dll (Trojan.vundo) -> No action taken.
C:\WINDOWS\Downloaded Program Files\dtc32.inf (Adware.EGDAccess) -> No action taken.
C:\WINDOWS\tmlpcert2005 (Adware.EGDAccess) -> No action taken.
C:\WINDOWS\system32\mseggrpid.dll (Adware.EGDAccess) -> No action taken.


Malwarebytes' Anti-Malware 1.20
Database version: 930
Windows 5.1.2600 Service Pack 2

8:27:41 p.m. 20/07/2008
mbam-log-7-20-2008 (20-27-41).txt

Scan type: Full Scan (C:\|D:\|G:\|)
Objects scanned: 152255
Time elapsed: 2 hour(s), 24 minute(s), 45 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 27
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 2
Files Infected: 20

Memory Processes Infected:
C:\Documents and Settings\Owner\winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\pmnoNDTl.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0f79228e-8b9a-40e5-b3f6-70f17b0c4da9} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{0f79228e-8b9a-40e5-b3f6-70f17b0c4da9} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\AppID\{8d71eeb8-a1a7-4733-8fa2-1cac015c967d} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1e404d48-670a-4085-a6a0-d195793ddd33} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{9f593aac-ca4c-4a41-a7ff-a00812192d61} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{749ec66f-a838-4b38-b8e5-e65d905fff74} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1e404d48-670a-4085-a6a0-d195793ddd33} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1ecc44fb-970d-4bc8-90e3-002da4dd21b8} (Spyware.Banker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{63bd4ee4-660b-434d-a54b-7c1f53e2fedd} (Spyware.Banker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6d2c09c4-ec95-4251-81fd-1cd01fd8ae44} (Spyware.Banker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d622e87a-35f9-4fb2-afee-4f5bf8407c7a} (Spyware.Banker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{ff14b02b-6ee4-400f-a729-b0ea35f921c2} (Spyware.Banker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{69620165-77dd-44ee-995c-3632e525a22b} (Spyware.Banker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f8d07b72-b4b4-46a0-acc0-c771d4614b82} (Spyware.Banker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\aosmtp.mail (Spyware.Banker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\aosmtp.mail.1 (Spyware.Banker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\aosmtp.fastsender (Spyware.Banker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\aosmtp.fastsender.1 (Spyware.Banker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1d4db7d3-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{093f9cf8-0de1-491c-95d5-5ec257bd4ca3} (Adware.EGDAccess) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\Sidebar.DLL (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\RX ToolBar (Adware.RXToolbar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsoft works portfolio (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows logon applicationedc (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\pmnondtl -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\pmnondtl -> Delete on reboot.

Folders Infected:
C:\WINDOWS\system32\win1 (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\VideoEgg (Adware.VideoEgg) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\pmnoNDTl.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\lTDNonmp.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lTDNonmp.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xsprjngq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qgnjrpsx.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\AOSMTP.dll (Spyware.Banker) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winpfz33.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\winlogon.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rqRhGWpp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rqRLdBtT.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pmnnKCTj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\efcAssSi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\khfCstUn.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\khfFUMCu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vtUopqqO.dll (Trojan.vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\dtc32.inf (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\WINDOWS\tmlpcert2005 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mseggrpid.dll (Adware.EGDAccess) -> Quarantined and deleted successfully.





Malwarebytes' Anti-Malware 1.20
Database version: 930
Windows 5.1.2600 Service Pack 2

8:27:41 p.m. 20/07/2008
mbam-log-7-20-2008 (20-27-41).txt

Scan type: Full Scan (C:\|D:\|G:\|)
Objects scanned: 152255
Time elapsed: 2 hour(s), 24 minute(s), 45 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 27
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 2
Files Infected: 20

Memory Processes Infected:
C:\Documents and Settings\Owner\winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\pmnoNDTl.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0f79228e-8b9a-40e5-b3f6-70f17b0c4da9} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{0f79228e-8b9a-40e5-b3f6-70f17b0c4da9} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\AppID\{8d71eeb8-a1a7-4733-8fa2-1cac015c967d} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1e404d48-670a-4085-a6a0-d195793ddd33} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{9f593aac-ca4c-4a41-a7ff-a00812192d61} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{749ec66f-a838-4b38-b8e5-e65d905fff74} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1e404d48-670a-4085-a6a0-d195793ddd33} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1ecc44fb-970d-4bc8-90e3-002da4dd21b8} (Spyware.Banker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{63bd4ee4-660b-434d-a54b-7c1f53e2fedd} (Spyware.Banker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6d2c09c4-ec95-4251-81fd-1cd01fd8ae44} (Spyware.Banker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d622e87a-35f9-4fb2-afee-4f5bf8407c7a} (Spyware.Banker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{ff14b02b-6ee4-400f-a729-b0ea35f921c2} (Spyware.Banker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{69620165-77dd-44ee-995c-3632e525a22b} (Spyware.Banker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f8d07b72-b4b4-46a0-acc0-c771d4614b82} (Spyware.Banker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\aosmtp.mail (Spyware.Banker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\aosmtp.mail.1 (Spyware.Banker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\aosmtp.fastsender (Spyware.Banker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\aosmtp.fastsender.1 (Spyware.Banker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1d4db7d3-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{093f9cf8-0de1-491c-95d5-5ec257bd4ca3} (Adware.EGDAccess) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\Sidebar.DLL (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\RX ToolBar (Adware.RXToolbar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsoft works portfolio (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows logon applicationedc (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\pmnondtl -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\pmnondtl -> Delete on reboot.

Folders Infected:
C:\WINDOWS\system32\win1 (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\VideoEgg (Adware.VideoEgg) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\pmnoNDTl.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\lTDNonmp.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lTDNonmp.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xsprjngq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qgnjrpsx.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\AOSMTP.dll (Spyware.Banker) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winpfz33.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\winlogon.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rqRhGWpp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rqRLdBtT.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pmnnKCTj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\efcAssSi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\khfCstUn.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\khfFUMCu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vtUopqqO.dll (Trojan.vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\dtc32.inf (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\WINDOWS\tmlpcert2005 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mseggrpid.dll (Adware.EGDAccess) -> Quarantined and deleted successfully.

#7 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:02:20 AM

Posted 20 July 2008 - 03:59 AM

http://www.bleepingcomputer.com/forums/ind...mp;#entry634693

Please follow the directions in this link for the ATF cleaner and SAS from safe mode

Before we go any further please read this article on computer security, if you want to continue so advise

http://technet.microsoft.com/en-us/library/cc512587.aspx
Chewy

No. Try not. Do... or do not. There is no try.

#8 phil1066

phil1066
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:06:20 PM

Posted 20 July 2008 - 04:10 PM

just double checking here :-) you want me to download and run the ATF and SAS program as per the instructions? Or just download them?

Also, the other link mentions patching - as far as I know all my MS updates had been applied.

Also note that I do not have the original install CDs for the PC for windows, though I do have a copy of vista on CD but Im not sure my PC would cut it :-)

Edited by phil1066, 20 July 2008 - 04:12 PM.


#9 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:02:20 AM

Posted 20 July 2008 - 06:35 PM

I would give atf and SAS a try, your manufacturer is responsible for providing you the opportunity to reload

Your infection showed signs of malware designed to steal your confidental financial information, even after we think it's clean it may still be infected.
Chewy

No. Try not. Do... or do not. There is no try.

#10 phil1066

phil1066
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:06:20 PM

Posted 21 July 2008 - 06:21 AM

hi chewy - well got atf and sas done, with the latter reporting 3 infections, vundo being amongst them. did the fix and restarted.

btw the instructions also mentioned running one of the three online antivirus programs - assumed I needed to ignore that?

Anyway, two things:

1. I have a portable hard-drive that was not connected during the sas scan, which I doubt would have been detected in safe mode anyway, given it uses a usb port driver. Do I need to get this scanned?

2. Xp starts up but is now missing a whole bunch of services (shown in msconfig as not started), and using the services tool I have tried to restart them but without success. ive noticed the services that are running in the ctrl-alt-del task list no longer have 'owner' marked against them either.

all a bit strange and I need your advice on what to do next :-)

cheers

#11 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:02:20 AM

Posted 21 July 2008 - 07:59 AM

http://www.bleepingcomputer.com/forums/t/131299/how-to-use-sdfix/

Please print these directions for running SDFix, this a very powerful program, your infection may not be curable with selfhelp tools, many aren't even curable with advanced tools

Repeating any of the reccomended steps and those online virus scans might be the trick that saves your computer, the one thing I have learned is there's no set formula for any of this
Chewy

No. Try not. Do... or do not. There is no try.

#12 phil1066

phil1066
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:06:20 PM

Posted 22 July 2008 - 01:31 AM

hi chewy - just ran sdfix and here are the results:


SDFix: Version 1.207
Run by Owner on Tue 22/07/2008 at 14:26

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\sdfix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\Temp\1cb\syscheck.log - Deleted
C:\WINDOWS\hpeg.dll - Deleted



Folder C:\Temp\1cb - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-22 14:56:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000a3a510f9c]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000a3a510f9c]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:fb,07,9d,7a,9e,89,0c,5e,bf,37,bd,23,0e,a0,0f,4a,48,e1,a4,43,0f,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\BTHPORT\Parameters\Keys\000a3a510f9c]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:fb,07,9d,7a,9e,89,0c,5e,bf,37,bd,23,0e,a0,0f,4a,48,e1,a4,43,0f,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Real\\RealOne Player\\realplay.exe"="C:\\Program Files\\Real\\RealOne Player\\realplay.exe:*:Disabled:RealPlayer"
"C:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"="C:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe:*:Enabled:Age of Empires 3"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"="C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe:*:Disabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:ęTorrent"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"="C:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe:*:Enabled:Nokia Service Layer Host Process "
"C:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"="C:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe:*:Enabled:Nokia Software Updater"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Atari\\Deer Hunter 2005\\DH2005.exe"="C:\\Program Files\\Atari\\Deer Hunter 2005\\DH2005.exe:*:Enabled:DH2005"
"C:\\Program Files\\GameSpy Arcade\\Aphex.exe"="C:\\Program Files\\GameSpy Arcade\\Aphex.exe:*:Enabled:GameSpy Arcade"
"C:\\Program Files\\GameSpy Arcade\\Services\\_common\\RWVoice.exe"="C:\\Program Files\\GameSpy Arcade\\Services\\_common\\RWVoice.exe:*:Enabled:RogerWilco Lite for GameSpy Arcade"
"C:\\Program Files\\Microsoft Games\\Halo\\halo.exe"="C:\\Program Files\\Microsoft Games\\Halo\\halo.exe:*:Enabled:Halo"
"G:\\Family\\Programs\\GameSpy Arcade\\Aphex.exe"="G:\\Family\\Programs\\GameSpy Arcade\\Aphex.exe:*:Enabled:GameSpy Arcade"
"G:\\Family\\Programs\\LimeWire\\LimeWire.exe"="G:\\Family\\Programs\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Fri 8 Nov 2002 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 8 Nov 2002 401 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv10.bak"
Sun 21 Nov 2004 400 A.SH. --- "C:\Documents and Settings\All Users\DRM\v2ks.bla.bak"
Sun 21 Nov 2004 48 A.SH. --- "C:\Documents and Settings\All Users\DRM\v2ks.sec.bak"
Fri 18 Jan 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Sat 19 Jan 2008 400 A..H. --- "C:\Program Files\Common Files\Symantec Shared\COH\COH32LU.reg"
Sat 19 Jan 2008 403 A..H. --- "C:\Program Files\Common Files\Symantec Shared\COH\COHDLU.reg"
Wed 4 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4844df1d57a292079101da42a26d7d72\BIT6.tmp"
Tue 3 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\523d056929e13eacf8392044f602e53e\BIT251.tmp"
Fri 18 Jan 2008 23,510,720 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\7be05330969a5a501b6e6caeca8ba779\BIT27A.tmp"
Tue 3 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\afa5528a2269b5106016bdbc1ea3037f\BIT250.tmp"
Wed 4 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\bc066f3f60df1b38218903dd0d40ce98\BIT7.tmp"

Finished!


What next? Lots of services are still not running, including internet connections :-(

thanks for your help so far mate :-)

#13 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:02:20 AM

Posted 22 July 2008 - 05:34 AM

Transfer the latest MBAM installer with manual updater to the infected computer and run another scan

You really do need the windows disk to at least have the option to run as a repair

Edited by DaChew, 22 July 2008 - 05:37 AM.

Chewy

No. Try not. Do... or do not. There is no try.

#14 phil1066

phil1066
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:06:20 PM

Posted 22 July 2008 - 03:12 PM

thanks will try that too - also have ordered another XP CD from HP, so should have that in a few days :-)

#15 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:02:20 AM

Posted 22 July 2008 - 03:51 PM

Even if you reload after formating your C drive, be real careful with anything saved from limewire or another P2P program,
most of the infections like yours seem to come from installers seeded there. All they have to do is embed a 20KB trojan downloader.
Chewy

No. Try not. Do... or do not. There is no try.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users