
Vundo and other maladies


16 replies to this topic

#16 helpimstuck (Topic Starter, Members, 8 posts)

Posted 29 December 2008 - 08:48 PM

Tell me about it :thumbsup: I warned my mom not to open attachments; I guess this is what she gets. Here is the SDFix log. I ran it in safe mode, but when it rebooted and continued in regular mode the registry editing was disabled, so I'm not sure if I should F8 on the reboot and let it finish in safe mode?

Thanks.


SDFix: Version 1.240
Run by Administrator on Mon 12/29/2008 at 01:10 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\x.exe - Deleted
C:\WINDOWS\system32\.exe - Deleted
C:\WINDOWS\system32\hs.exe - Deleted
C:\WINDOWS\system32\i - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-29 18:10:12
Windows 5.1.2600 Service Pack 1 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSDDLL\0000]
"Service"="msddll"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000020
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="msddll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETSTATS\0000]
"Service"="netstats"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000020
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="netstats"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MSDDLL\0000]
"Service"="msddll"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000020
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="msddll"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_NETSTATS\0000]
"Service"="netstats"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000020
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="netstats"

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"="C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe:*:Enabled:SmartFTP Client 2.0"
"\\??\\C:\\WINDOWS\\system32\\winlogon.exe"="\\??\\C:\\WINDOWS\\system32\\winlogon.exe:*:enabled:@shell32.dll,-1"
"C:\\Program Files\\mspaint.exe"="C:\\Program Files\\mspaint.exe:*:Enabled:MSPaint Bonus Pack"
"C:\\WINDOWS\\system32\\eg.exe"="C:\\WINDOWS\\system32\\eg.exe:*:Enabled:Net Status"
"wmsncs.exe"="wmsncs.exe:*:Enabled:SYSTEM"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 29 Dec 2008 659,968 ..SHR --- "C:\Program Files\SYSTMEM.EXE"
Sat 20 Dec 2008 1,264,640 ..SHR --- "C:\WINDOWS\SYSTEM\VMwareService.exe"
Mon 15 Dec 2003 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 6 Dec 2004 200,704 A..H. --- "C:\Program Files\MTV Networks\VOpt\libcurl.dll"
Mon 6 Dec 2004 604,160 A..H. --- "C:\Program Files\MTV Networks\VOpt\libxml2.dll"
Tue 18 Mar 2003 499,712 A..H. --- "C:\Program Files\MTV Networks\VOpt\msvcp71.dll"
Fri 21 Feb 2003 348,160 A..H. --- "C:\Program Files\MTV Networks\VOpt\msvcr71.dll"
Tue 18 Mar 2003 544,768 A..H. --- "C:\Program Files\MTV Networks\VOpt\msvcr71d.dll"
Wed 17 Dec 2008 169,472 ..SHR --- "C:\WINDOWS\SYSTEM32\DRIVERS\SYSTMON.EXE"
Tue 6 Jan 2004 44,032 ...H. --- "C:\Documents and Settings\Nisha Bella Patel\My Documents\Nisha Bella Patel\~WRL0046.tmp"
Sun 30 Nov 2003 38,400 ...H. --- "C:\Documents and Settings\Nisha Bella Patel\My Documents\Nisha Bella Patel\~WRL0535.tmp"
Mon 15 Dec 2003 44,032 ...H. --- "C:\Documents and Settings\Nisha Bella Patel\My Documents\Nisha Bella Patel\~WRL1445.tmp"
Tue 6 Jan 2004 48,128 ...H. --- "C:\Documents and Settings\Nisha Bella Patel\My Documents\Nisha Bella Patel\~WRL2223.tmp"
Tue 6 Jan 2004 45,056 ...H. --- "C:\Documents and Settings\Nisha Bella Patel\My Documents\Nisha Bella Patel\~WRL2576.tmp"
Sun 30 May 2004 374,784 ...H. --- "C:\Documents and Settings\Nisha Bella Patel\My Documents\RaasGarba\~WRL0772.tmp"
Fri 12 Nov 2004 45,912 A..H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
Sun 4 Jan 2004 28,672 ...H. --- "C:\Documents and Settings\Nisha Bella Patel\Application Data\Microsoft\Word\~WRL0809.tmp"
Sun 4 Jan 2004 162,304 ...H. --- "C:\Documents and Settings\Nisha Bella Patel\Application Data\Microsoft\Word\~WRL1021.tmp"
Sun 4 Jan 2004 36,864 ...H. --- "C:\Documents and Settings\Nisha Bella Patel\Application Data\Microsoft\Word\~WRL1045.tmp"
Sun 4 Jan 2004 61,440 ...H. --- "C:\Documents and Settings\Nisha Bella Patel\Application Data\Microsoft\Word\~WRL2437.tmp"
Sun 4 Jan 2004 107,520 ...H. --- "C:\Documents and Settings\Nisha Bella Patel\Application Data\Microsoft\Word\~WRL3102.tmp"
Sun 4 Jan 2004 35,328 ...H. --- "C:\Documents and Settings\Nisha Bella Patel\Application Data\Microsoft\Word\~WRL3651.tmp"
Mon 12 Dec 2005 24,064 A..H. --- "C:\Documents and Settings\Nisha Bella Patel\My Documents\Nisha Bella Patel\COMS Project\~WRL2260.tmp"
Mon 20 Sep 2004 23,552 ...H. --- "C:\Documents and Settings\Nisha Bella Patel\My Documents\Nisha Bella Patel\Envy - October 2, 2004\~WRL1778.tmp"
Mon 20 Sep 2004 23,552 ...H. --- "C:\Documents and Settings\Nisha Bella Patel\My Documents\Nisha Bella Patel\Envy - October 2, 2004\~WRL2384.tmp"

Finished!


#17 boopme ("To Insanity and Beyond"; Global Moderator, 73,492 posts; Gender: Male; Location: NJ USA)

Posted 29 December 2008 - 09:11 PM

Hello again. I see the malware here is going to keep regenerating itself. It is deeply rooted and protected. We will need to run other tools and repair the registry, but not here. You now have to follow these instructions, Preparation Guide For Use Before Using Hijackthis, to complete the removal safely.



