
Virtumonde/Vundo


5 replies to this topic

#1 insomnicat

insomnicat

  • Members
  • 3 posts
  • OFFLINE
  • Local time:11:08 AM

Posted 03 January 2009 - 03:52 AM

Hey, I'm here because I need help with a Virtumonde/Vundo problem. I'm almost positive it came from old Java and not having "Enable Java" unchecked in Firefox. I've run all sorts of scans both in and out of safe mode and need to make sure that my system is actually clean and that this little bugger won't come back.

All this started on December 20th. I was in the middle of something when Spybot's TeaTimer began going crazy with registry changes, and every time I denied something it would keep coming back. I ran Spybot and my CA antivirus (which now I'm starting to suspect is crap); Spybot came up with some sort of windowsfirewall.bypass entry that kept coming back after cleaning and restarting. CA's real-time scanner eventually alerted me to 2 Vundo-infected files after the Spybot scan, only one of which was cleaned. When popups began coming up I immediately disconnected from the internet, and after some net searching on another computer, I thought it'd be best to restore to December 1st, clear all restore points and set a new one.

Everything seemed all great and well (clean scans on both) after I did this, but then a week later, to my disappointment, my firewall was suddenly disabled, then CA found something new, something that didn't even come up in a Google search. I sys-restored again and cleared my points, thinking it was something new contracted since the last restore point. A day or two later, Spybot found a Virtumonde process running (I told it to kill it every time it found it running).

At this point I realized this was serious and needed more thorough treatment. I did a lot of searching and found this site, as well as your self-help guide for removing Virtumonde. I also called my neighbor up (a Microsoft employee) and he recommended that I run Spybot as well as install AVG and run both in safe mode. He said that I can remove AVG or CA at the end of this fiasco or whenever I don't need to scan anymore. I've disabled CA real-time temporarily.

To date, I've run CA, AVG, Spybot, Malwarebytes' Anti-Malware and VundoFix (both the Symantec and Atribune versions) many times in safe mode and normal mode. I've let them fix and remove anything they've detected and now I APPEAR to be all clean, but I really would like to make sure before I start using this computer again.

Two additional questions besides "am I clean?": firstly, should I uninstall Java while we're still making sure everything's gone, and secondly, is it safe to clear all my restore points at this time to prevent reinfection? Some of my scans are catching things in the "System Volume Information" folder, so no restore point in there is probably clean and worth saving anyway.

Thank you for the help in advance :thumbsup:

DDS (Version 1.1.0) - NTFSx86  
Run by Alison at  3:39:52.45 on Sat 01/03/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.2045.1386 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
AV: CA Anti-Virus *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\CA\AV2007\CA Anti-Virus\ISafe.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\AV2007\CA Anti-Virus\VetMsg.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\CA\AV2007\cctray\cctray.exe
C:\Program Files\CA\AV2007\CA Anti-Virus\CAVRID.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Alison\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [cctray] "c:\program files\ca\av2007\cctray\cctray.exe"
mRun: [CAVRID] "c:\program files\ca\av2007\ca anti-virus\CAVRID.exe"
mRun: [<NO NAME>] 
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
LSP: c:\windows\system32\VetRedir.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
AppInit_DLLs: avgrsstx.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\alison\applic~1\mozilla\firefox\profiles\wgywus3d.default\
FF - component: c:\documents and settings\alison\application data\mozilla\firefox\profiles\wgywus3d.default\extensions\{6ac85730-7d0f-4de0-b3fa-21142dd85326}\platform\winnt\components\ColorZilla.dll
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll

============= SERVICES / DRIVERS ===============

R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [1980-1-1 70784]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-31 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-12-31 26824]
R1 VET-FILT;VET File System Filter;c:\windows\system32\drivers\VET-FILT.sys [2008-1-10 26640]
R1 VET-REC;VET File System Recognizer;c:\windows\system32\drivers\VET-REC.sys [2008-1-10 21392]
R1 VETEFILE;VET File Scan Engine;c:\windows\system32\drivers\VETEFILE.sys [2008-9-9 880560]
R1 VETFDDNT;VET Floppy Boot Sector Monitor;c:\windows\system32\drivers\VETFDDNT.sys [2008-1-10 21648]
R1 VETMONNT;VET File Monitor;c:\windows\system32\drivers\VETMONNT.sys [2008-1-10 32528]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-12-31 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-12-31 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-12-31 76040]
R2 CAISafe;CAISafe;c:\program files\ca\av2007\ca anti-virus\ISafe.exe [2008-1-10 144960]
R2 VETMSGNT;VET Message Service;c:\program files\ca\av2007\ca anti-virus\VetMsg.exe [2008-1-10 243216]
R3 VETEBOOT;VET Boot Scan Engine;c:\windows\system32\drivers\VETEBOOT.sys [2008-9-9 108368]

=============== Created Last 30 ================

2008-12-31 23:13	<DIR>	--d-----	C:\VundoFix Backups
2008-12-31 22:12	<DIR>	--d-----	c:\docume~1\alison\applic~1\Malwarebytes
2008-12-31 22:12	15,504	a-------	c:\windows\system32\drivers\mbam.sys
2008-12-31 22:12	38,496	a-------	c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-31 22:12	<DIR>	--d-----	c:\program files\Malwarebytes' Anti-Malware
2008-12-31 22:12	<DIR>	--d-----	c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-31 21:18	<DIR>	--d-h---	C:\$AVG8.VAULT$
2008-12-31 13:54	10,520	a-------	c:\windows\system32\avgrsstx.dll
2008-12-31 13:54	76,040	a-------	c:\windows\system32\drivers\avgtdix.sys
2008-12-31 13:53	97,928	a-------	c:\windows\system32\drivers\avgldx86.sys
2008-12-31 13:53	<DIR>	--d-----	c:\windows\system32\drivers\Avg
2008-12-31 13:53	<DIR>	--d-----	c:\program files\AVG
2008-12-31 13:53	<DIR>	--d-----	c:\docume~1\alluse~1\applic~1\avg8
2008-12-20 19:15	<DIR>	--d-----	c:\program files\Lavasoft
2008-12-20 14:10	<DIR>	--d-----	c:\program files\Nero
2008-12-20 08:33	<DIR>	--d-----	C:\WINDOWS.0
2008-12-08 13:56	54,156	a---h---	c:\windows\QTFont.qfn
2008-12-08 13:56	1,409	a-------	c:\windows\QTFont.for

==================== Find3M  ====================

2008-12-20 22:15	170,754	a-------	c:\windows\pchealth\helpctr\config\cache\Professional_32_1033.dat
2008-12-19 18:53	18,196	a-------	c:\windows\DIIUnin.dat
2008-12-12 12:27	3,067,392	a-------	c:\windows\system32\dllcache\mshtml.dll
2008-11-26 16:12	21,840	a------t	c:\windows\system32\SIntfNT.dll
2008-11-26 16:12	17,212	a------t	c:\windows\system32\SIntf32.dll
2008-11-26 16:12	12,067	a------t	c:\windows\system32\SIntf16.dll
2008-11-26 15:48	2,829	a-------	c:\windows\DIIUnin.pif
2008-11-26 15:48	94,208	a-------	c:\windows\DIIUnin.exe
2008-10-24 06:10	453,632	a-------	c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 08:01	283,648	a-------	c:\windows\system32\gdi32.dll
2008-10-23 08:01	283,648	a-------	c:\windows\system32\dllcache\gdi32.dll
2008-10-16 14:13	1,809,944	a-------	c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13	202,776	a-------	c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12	323,608	a-------	c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12	561,688	a-------	c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09	92,696	a-------	c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09	51,224	a-------	c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08	34,328	a-------	c:\windows\system32\dllcache\wups.dll
2008-10-15 11:57	332,800	a-------	c:\windows\system32\dllcache\netapi32.dll
2008-10-15 09:18	18,432	a-------	c:\windows\system32\dllcache\iedw.exe
2008-09-10 20:15	1,283,912	a-------	c:\program files\WoW-2.3.0.7561-enUS-downloader.exe

============= FINISH:  3:40:01.71 ===============

CA Logs:
CA Antivirus:
12/20/2008 19:15:44 PM File infection: C:\WINDOWS\SYSTEM32\WUGUYIBU.DLL is Win32/Vundo.BQB trojan. Deleted

12/20/2008 19:15:45 PM File infection: C:\WINDOWS\SYSTEM32\WUGUYIBU.DLL is Win32/Vundo.BQB trojan. 

12/20/2008 20:44:26 PM File infection: C:\System Volume Information\_restore{6742B4A6-3600-42DD-A01B-B908D2B25349}\RP74\A0009531.dll is Win32/Vundo.BQB trojan. Deleted

12/20/2008 20:44:26 PM File infection: C:\System Volume Information\_restore{6742B4A6-3600-42DD-A01B-B908D2B25349}\RP74\A0009531.dll is Win32/Vundo.BQB trojan.
 
12/20/2008 20:44:26 PM File infection: C:\System Volume Information\_restore{6742B4A6-3600-42DD-A01B-B908D2B25349}\RP74\A0009531.dll is Win32/Vundo.BQB trojan. 

12/20/2008 20:44:26 PM File infection: C:\System Volume Information\_restore{6742B4A6-3600-42DD-A01B-B908D2B25349}\RP74\A0009531.dll is Win32/Vundo.BQB trojan. 

12/27/2008 23:18:31 PM File infection: C:\DOCUME~1\Alison\LOCALS~1\Temp\winvsnet.tmp is Win32/Fishdown.AF trojan. Deleted

12/27/2008 23:18:31 PM File infection: C:\DOCUME~1\Alison\LOCALS~1\Temp\winvsnet.tmp is Win32/Fishdown.AF trojan.
 
12/27/2008 23:18:31 PM File infection: C:\DOCUME~1\Alison\LOCALS~1\Temp\winvsnet.tmp is Win32/Fishdown.AF trojan.
 
12/28/2008 20:53:38 PM File infection: C:\WINDOWS\system32\wpv491229768425.cpx is Win32/SillyDl.GFU trojan. Deleted

12/28/2008 20:53:38 PM File infection: C:\WINDOWS\system32\wpv491229768425.cpx is Win32/SillyDl.GFU trojan. 

12/28/2008 20:53:38 PM File infection: C:\WINDOWS\system32\wpv491229768425.cpx is Win32/SillyDl.GFU trojan. 

12/28/2008 20:53:39 PM File infection: C:\WINDOWS\system32\wvUmnnNh.dll is Win32/VundoCryptorAA!generic trojan. Deleted

12/28/2008 20:53:39 PM File infection: C:\WINDOWS\system32\wvUmnnNh.dll is Win32/VundoCryptorAA!generic trojan. 

12/28/2008 20:53:39 PM File infection: C:\WINDOWS\system32\wvUmnnNh.dll is Win32/VundoCryptorAA!generic trojan. 

12/31/2008 13:09:53 PM File infection: C:\WINDOWS\system32\tuvTmJCv.dll is Win32/VundoCryptorE trojan. Deleted

12/31/2008 13:09:53 PM File infection: C:\WINDOWS\system32\tuvTmJCv.dll is Win32/VundoCryptorE trojan. 

12/31/2008 13:09:53 PM File infection: C:\WINDOWS\system32\tuvTmJCv.dll is Win32/VundoCryptorE trojan. 

12/31/2008 13:09:53 PM File infection: C:\WINDOWS\system32\tuvTmJCv.dll is Win32/VundoCryptorE trojan. 

12/31/2008 13:09:53 PM File infection: C:\WINDOWS\system32\tuvTmJCv.dll is Win32/VundoCryptorE trojan. 

12/31/2008 13:09:53 PM File infection: C:\WINDOWS\system32\tuvTmJCv.dll is Win32/VundoCryptorE trojan. 

12/31/2008 22:08:44 PM File infection: C:\System Volume Information\_restore{6742B4A6-3600-42DD-A01B-B908D2B25349}\RP88\A0012734.dll is Win32/VundoCryptorE trojan.

MBAM logs:
Malwarebytes' Anti-Malware 1.31
Database version: 1587
Windows 5.1.2600 Service Pack 2

12/31/2008 10:26:11 PM
mbam-log-2008-12-31 (22-26-11).txt

Scan type: Quick Scan
Objects scanned: 62641
Time elapsed: 2 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\GetModule (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\wpv021229907443.cpx (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alison\Local Settings\Temporary Internet Files\Content.IE5\3ZIW1UIA\load[1].exe (Trojan.Downloader) -> Quarantined and deleted successfully.

Malwarebytes' Anti-Malware 1.31
Database version: 1587
Windows 5.1.2600 Service Pack 2

12/31/2008 10:57:39 PM
mbam-log-2008-12-31 (22-57-39).txt

Scan type: Full Scan (C:\|)
Objects scanned: 146935
Time elapsed: 31 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{6742B4A6-3600-42DD-A01B-B908D2B25349}\RP88\A0012723.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6742B4A6-3600-42DD-A01B-B908D2B25349}\RP88\A0012734.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
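The CA log above, triaged as an added example (not the poster's or BleepingComputer's own tooling): it parses CA's "File infection:" lines, collapses the repeated lines CA writes for one detection, and separates hits inside System Restore points (dead copies, which the restore-point question is about) from hits on live files. The sample lines are copied from the CA log quoted in this post; the function names are this example's own.

```python
"""Triage a CA Anti-Virus detection log like the one posted above."""
import re
from collections import defaultdict

# Lines copied from the CA log in the thread (a subset, same format).
CA_LOG = """\
12/20/2008 19:15:44 PM File infection: C:\\WINDOWS\\SYSTEM32\\WUGUYIBU.DLL is Win32/Vundo.BQB trojan. Deleted
12/20/2008 19:15:45 PM File infection: C:\\WINDOWS\\SYSTEM32\\WUGUYIBU.DLL is Win32/Vundo.BQB trojan.
12/20/2008 20:44:26 PM File infection: C:\\System Volume Information\\_restore{6742B4A6-3600-42DD-A01B-B908D2B25349}\\RP74\\A0009531.dll is Win32/Vundo.BQB trojan. Deleted
12/20/2008 20:44:26 PM File infection: C:\\System Volume Information\\_restore{6742B4A6-3600-42DD-A01B-B908D2B25349}\\RP74\\A0009531.dll is Win32/Vundo.BQB trojan.
12/27/2008 23:18:31 PM File infection: C:\\DOCUME~1\\Alison\\LOCALS~1\\Temp\\winvsnet.tmp is Win32/Fishdown.AF trojan. Deleted
12/28/2008 20:53:39 PM File infection: C:\\WINDOWS\\system32\\wvUmnnNh.dll is Win32/VundoCryptorAA!generic trojan. Deleted
12/28/2008 20:53:39 PM File infection: C:\\WINDOWS\\system32\\wvUmnnNh.dll is Win32/VundoCryptorAA!generic trojan.
12/31/2008 22:08:44 PM File infection: C:\\System Volume Information\\_restore{6742B4A6-3600-42DD-A01B-B908D2B25349}\\RP88\\A0012734.dll is Win32/VundoCryptorE trojan.
"""

# CA writes "HH:MM:SS PM" with a 24-hour clock; the AM/PM token is ignored.
# The path is greedy because it contains spaces; the detection name does not.
LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) (?:AM|PM) "
    r"File infection: (?P<path>.+) is (?P<name>\S+) trojan\.(?P<deleted> Deleted)?\s*$"
)
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-F-]+\}\\RP\d+\\", re.I
)


def classify(path):
    """Where the detected file lived: a System Restore copy, a temp file,
    a live file under the Windows directory, or somewhere else."""
    if RESTORE_RE.search(path):
        return "restore_point"
    if re.search(r"\\(temp|temporary internet files)\\", path, re.I):
        return "temp"
    if re.match(r"[A-Z]:\\WINDOWS\\", path, re.I):
        return "windows_dir"
    return "other"


def parse_ca_log(text):
    """Return one record per (date, path). CA logs the same detection two to
    six times and only one of the copies carries the 'Deleted' action, so
    the copies are merged and 'deleted' is true if any copy says so."""
    records = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank lines and the 'CA Antivirus:' header
        key = (m.group("date"), m.group("path"))
        rec = records.setdefault(key, {
            "date": m.group("date"), "path": m.group("path"),
            "name": m.group("name"), "location": classify(m.group("path")),
            "deleted": False, "lines": 0,
        })
        rec["lines"] += 1
        if m.group("deleted"):
            rec["deleted"] = True
    return list(records.values())


def summarize(text):
    """Counts per location plus the detections CA never reported as deleted;
    those are the ones to confirm against the next scanner's log (here the
    RP88 DLL, which MBAM later quarantined)."""
    recs = parse_ca_log(text)
    counts = defaultdict(int)
    for r in recs:
        counts[r["location"]] += 1
    pending = [r["path"] for r in recs if not r["deleted"]]
    return dict(counts), pending


if __name__ == "__main__":
    counts, pending = summarize(CA_LOG)
    print(counts)
    for p in pending:
        print("not confirmed deleted:", p)
```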



#2 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:06:08 PM

Posted 05 January 2009 - 05:51 AM

Hello Insomnicat and welcome to BleepingComputer,

1. * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click Delete.
  • Click Delete Files, Delete cookies and Delete history
  • Click Close below.
* Clean your Cache and Cookies in Firefox (in case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the Clear now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
2. Please download ComboFix from one of the locations below, and save it to your Desktop.

Link
Link
Link

Double-click the ComboFix icon to run it.
If ComboFix asks you to install the Recovery Console, please do so.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbsup:

If you have any questions along the way, STOP and ask them before proceeding!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#3 insomnicat

insomnicat
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:11:08 AM

Posted 05 January 2009 - 11:03 AM

Thanks Thunder, I thought I'd never get a response back on the 8th page XD. My computer still seems to be running normally.

Combofix Log:
ComboFix 09-01-05.01 - Alison 2009-01-05 10:49:10.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.2045.1593 [GMT -5:00]
Running from: c:\documents and settings\Alison\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
AV: CA Anti-Virus *On-access scanning disabled* (Updated)
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\setup.inf
c:\windows\wiaserviv.log

.
(((((((((((((((((((((((((   Files Created from 2008-12-05 to 2009-01-05  )))))))))))))))))))))))))))))))
.

2008-12-31 23:13 . 2008-12-31 23:13	<DIR>	d--------	C:\VundoFix Backups
2008-12-31 22:12 . 2008-12-31 22:12	<DIR>	d--------	c:\program files\Malwarebytes' Anti-Malware
2008-12-31 22:12 . 2008-12-31 22:12	<DIR>	d--------	c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-31 22:12 . 2008-12-31 22:12	<DIR>	d--------	c:\documents and settings\Alison\Application Data\Malwarebytes
2008-12-31 22:12 . 2008-12-03 19:52	38,496	--a------	c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-31 22:12 . 2008-12-03 19:52	15,504	--a------	c:\windows\system32\drivers\mbam.sys
2008-12-31 21:18 . 2009-01-03 00:19	<DIR>	d--h-----	C:\$AVG8.VAULT$
2008-12-31 13:54 . 2008-12-31 13:54	76,040	--a------	c:\windows\system32\drivers\avgtdix.sys
2008-12-31 13:54 . 2008-12-31 13:54	10,520	--a------	c:\windows\system32\avgrsstx.dll
2008-12-31 13:53 . 2009-01-02 23:39	<DIR>	d--------	c:\windows\system32\drivers\Avg
2008-12-31 13:53 . 2008-12-31 13:53	<DIR>	d--------	c:\program files\AVG
2008-12-31 13:53 . 2008-12-31 13:53	<DIR>	d--------	c:\documents and settings\All Users\Application Data\avg8
2008-12-31 13:53 . 2008-12-31 13:53	97,928	--a------	c:\windows\system32\drivers\avgldx86.sys
2008-12-20 19:15 . 2008-12-20 19:15	<DIR>	d--------	c:\program files\Lavasoft
2008-12-20 19:15 . 2008-12-20 20:44	<DIR>	d--------	c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-20 14:12 . 2008-12-20 14:12	<DIR>	d--------	c:\documents and settings\Alison.SYSTEMAX\Application Data\Ahead
2008-12-20 14:10 . 2008-12-20 14:10	<DIR>	d--------	c:\program files\Nero
2008-12-20 14:10 . 2008-12-20 14:11	<DIR>	d--------	c:\program files\Common Files\Ahead
2008-12-20 13:59 . 2008-12-20 13:59	<DIR>	d--------	c:\documents and settings\Alison.SYSTEMAX
2008-12-20 13:56 . 2008-12-20 13:56	<DIR>	d--hs----	c:\documents and settings\LocalService.NT AUTHORITY
2008-12-20 13:55 . 2008-12-20 13:55	<DIR>	d--hs----	c:\documents and settings\NetworkService.NT AUTHORITY
2008-12-20 13:51 . 2008-12-20 14:09	<DIR>	d--hs----	c:\documents and settings\All Users.WINDOWS.0\DRM
2008-12-20 08:39 . 2008-12-20 13:49	<DIR>	dr-------	c:\documents and settings\All Users.WINDOWS.0\Documents
2008-12-20 08:38 . 2008-12-20 13:59	<DIR>	d--h-----	c:\documents and settings\Default User.WINDOWS.0
2008-12-20 08:38 . 2008-12-20 13:51	<DIR>	d--------	c:\documents and settings\All Users.WINDOWS.0
2008-12-20 08:33 . 2008-12-20 21:20	<DIR>	d--------	C:\WINDOWS.0
2008-12-08 13:56 . 2008-12-25 00:08	54,156	--ah-----	c:\windows\QTFont.qfn
2008-12-08 13:56 . 2008-12-08 13:56	1,409	--a------	c:\windows\QTFont.for

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-28 19:50	---------	d-----w	c:\program files\World of Warcraft
2008-12-28 04:21	---------	d-----w	c:\program files\Trillian
2008-12-21 02:28	---------	d-----w	c:\program files\Diablo II
2008-12-20 19:15	---------	d-----w	c:\program files\CA
2008-12-20 19:04	---------	d-----w	c:\program files\Intel Audio Studio
2008-12-20 16:21	---------	d-----w	c:\documents and settings\Alison\Application Data\Roxio
2008-12-12 17:27	3,067,392	----a-w	c:\windows\system32\dllcache\mshtml.dll
2008-11-26 21:12	21,840	----atw	c:\windows\system32\SIntfNT.dll
2008-11-26 21:12	17,212	----atw	c:\windows\system32\SIntf32.dll
2008-11-26 21:12	12,067	----atw	c:\windows\system32\SIntf16.dll
2008-11-26 20:48	94,208	----a-w	c:\windows\DIIUnin.exe
2008-11-26 20:48	2,829	----a-w	c:\windows\DIIUnin.pif
2008-11-24 05:51	---------	d-----w	c:\documents and settings\Alison\Application Data\Apple Computer
2008-11-24 05:49	---------	d-----w	c:\program files\QuickTime
2008-11-24 05:49	---------	d-----w	c:\documents and settings\All Users\Application Data\Apple Computer
2008-11-16 01:48	---------	d-----w	c:\documents and settings\Alison\Application Data\U3
2008-11-13 18:13	---------	d-----w	c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-08 03:42	---------	d-----w	c:\program files\Spybot - Search & Destroy
2008-10-24 11:10	453,632	----a-w	c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 13:01	283,648	----a-w	c:\windows\system32\gdi32.dll
2008-10-23 13:01	283,648	----a-w	c:\windows\system32\dllcache\gdi32.dll
2008-10-16 19:13	202,776	----a-w	c:\windows\system32\wuweb.dll
2008-10-16 19:13	202,776	----a-w	c:\windows\system32\dllcache\wuweb.dll
2008-10-16 19:13	1,809,944	----a-w	c:\windows\system32\wuaueng.dll
2008-10-16 19:13	1,809,944	----a-w	c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 19:12	561,688	----a-w	c:\windows\system32\wuapi.dll
2008-10-16 19:12	561,688	----a-w	c:\windows\system32\dllcache\wuapi.dll
2008-10-16 19:12	323,608	----a-w	c:\windows\system32\wucltui.dll
2008-10-16 19:12	323,608	----a-w	c:\windows\system32\dllcache\wucltui.dll
2008-10-16 19:09	92,696	----a-w	c:\windows\system32\dllcache\cdm.dll
2008-10-16 19:09	92,696	----a-w	c:\windows\system32\cdm.dll
2008-10-16 19:09	51,224	----a-w	c:\windows\system32\wuauclt.exe
2008-10-16 19:09	51,224	----a-w	c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 19:09	43,544	----a-w	c:\windows\system32\wups2.dll
2008-10-16 19:08	34,328	----a-w	c:\windows\system32\wups.dll
2008-10-16 19:08	34,328	----a-w	c:\windows\system32\dllcache\wups.dll
2008-10-15 16:57	332,800	----a-w	c:\windows\system32\dllcache\netapi32.dll
2008-10-15 14:18	18,432	----a-w	c:\windows\system32\dllcache\iedw.exe
2008-09-11 01:15	1,283,912	----a-w	c:\program files\WoW-2.3.0.7561-enUS-downloader.exe
2008-11-13 21:17	67,696	----a-w	c:\program files\mozilla firefox\components\jar50.dll
2008-11-13 21:17	54,376	----a-w	c:\program files\mozilla firefox\components\jsd3250.dll
2008-11-13 21:17	34,952	----a-w	c:\program files\mozilla firefox\components\myspell.dll
2008-11-13 21:17	46,720	----a-w	c:\program files\mozilla firefox\components\spellchk.dll
2008-11-13 21:17	172,144	----a-w	c:\program files\mozilla firefox\components\xpinstal.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-25 8527872]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-10-25 81920]
"cctray"="c:\program files\CA\AV2007\cctray\cctray.exe" [2008-09-09 177416]
"CAVRID"="c:\program files\CA\AV2007\CA Anti-Virus\CAVRID.exe" [2007-08-07 230928]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-31 1261336]
"nwiz"="nwiz.exe" [2007-10-25 c:\windows\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"SENTINEL"= snti386.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelAudioStudio]
--a------ 2006-09-21 10:36 9138176 c:\program files\Intel Audio Studio\IntelAudioStudio.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Autodesk\\Maya2008\\bin\\maya.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"6112:TCP"= 6112:TCP:Blizzard Downloader: 6112

R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [1980-01-01 70784]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-31 97928]
R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-12-31 875288]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-31 231704]
R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-12-31 76040]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{da8920a3-ad46-11dd-a5da-0019d1e25c2a}]
\Shell\AutoRun\command - J:\LaunchU3.exe -a
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SigmatelSysTrayApp - sttray.exe


.
------- Supplementary Scan -------
.
LSP: c:\windows\system32\VetRedir.dll
FF - ProfilePath - c:\documents and settings\Alison\Application Data\Mozilla\Firefox\Profiles\wgywus3d.default\
FF - component: c:\documents and settings\Alison\Application Data\Mozilla\Firefox\Profiles\wgywus3d.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-05 10:49:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(772)
c:\windows\system32\avgrsstx.dll

- - - - - - - > 'lsass.exe'(888)
c:\windows\system32\avgrsstx.dll
c:\windows\system32\VetRedir.dll
c:\windows\system32\ISafeIf.dll
.
Completion time: 2009-01-05 10:50:14
ComboFix-quarantined-files.txt  2009-01-05 15:50:11

Pre-Run: 462,703,493,120 bytes free
Post-Run: 462,758,866,944 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS.0
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS.0="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

173	--- E O F ---	2008-12-28 07:02:08


#4 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:06:08 PM

Posted 05 January 2009 - 03:53 PM

Hello Insomnicat,

Your logs look fine now. :thumbsup:

You can remove all used tools and folders created in the process.
To remove ComboFix:
Go to Start > Run, and copy and paste the next command into the field: ComboFix /u
Make sure there's a space between ComboFix and /u.
Then press Enter.
This will uninstall ComboFix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

No more problems?

Greetings,
Thunder

#5 insomnicat

insomnicat
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:11:08 AM

Posted 06 January 2009 - 01:16 AM

Awesome, thanks. :thumbsup: I have a question: now when my computer boots up, when I get the "choose the OS you want to load" screen, I'm getting a Recovery Console option in addition to 2 XP options (I'll explain in a sec). The screen disappears too fast for me to choose the last one, the one I want to load (unless I'm fast). Can that be changed? Or can the order the OSes show up in be changed so the right one loads without me having to choose?

The reason why I have 2 XPs is because when I first got this trojan, I tried to just do a restore with the CD my manufacturer gave me. I've only been using the computer for a few months and don't have much stuff on here, so I thought it'd just be easier than trying to clean the computer. What I didn't realize was that the CD did a fresh install of XP without any drivers for my graphics card or configuration like my original install, and it didn't overwrite the original (which I'm glad for now that I see what it did). But now it's just annoying to have to choose the right one to load up. Is it easy to change this? Or should I just ignore it as a minor annoyance? Or try to get someone in person to fix this for me?

#6 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:06:08 PM

Posted 06 January 2009 - 08:39 AM

Hello Insomnicat,

I figured you ventured something like that when I saw this:
2008-12-20 08:33 . 2008-12-20 21:20 <DIR> d-------- C:\WINDOWS.0

Trying a (repair) install without naming the OS folder properly (or deleting the existing partitions)
leads to a parallel installation. :thumbsup:

As for those boot options, that's easy to fix:
From ComboFix:

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS.0
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS.0="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

In fact that's the content of your boot.ini file.
It is a plain text file that is kept in the system root, so it is usually C:\boot.ini. Because it is an essential system file, the attributes are set to hidden, system and read-only to protect it. That means that it will not appear in the file lists in My Computer or Windows Explorer unless the default Windows settings are changed to show hidden files.
You may even have to remove the read-only attribute.

Now all you have to do is open it in Notepad and:
1. increase the timeout to, say, 5 or 8 seconds (timeout=5) to keep the boot options visible for longer, or
2. change the default setting to default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS (remove the .0) to have the original version load if nothing is done.
Save and close boot.ini, and you're set to go. :)

Greetings,
Thunder
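The two boot.ini edits Thunder describes, carried out programmatically as an added example (not code from the thread or from BleepingComputer): it parses the [boot loader] and [operating systems] sections of the boot.ini quoted above, raises the timeout, swaps the default to the \WINDOWS entry, and refuses any default that is not one of the listed operating systems, which is the mistake a hand edit can make. The file content is copied from the ComboFix log in this thread; the function names are this example's own.

```python
"""Parse and adjust a Windows XP boot.ini the way the thread describes."""
import re

# boot.ini content as quoted from the ComboFix log in the thread above.
BOOT_INI = """[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS.0
[operating systems]
c:\\cmdcons\\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS.0="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
"""


def parse_boot_ini(text):
    """Return (loader, systems): loader maps [boot loader] keys to values;
    systems is a list of (arc_path, description, switches) tuples."""
    section = None
    loader = {}
    systems = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "boot loader":
            key, _, value = line.partition("=")
            loader[key.strip().lower()] = value.strip()
        elif section == "operating systems":
            # ARC path, then a quoted description, then optional switches.
            path, _, rest = line.partition("=")
            m = re.match(r'"([^"]*)"\s*(.*)', rest.strip())
            if not m:
                raise ValueError("malformed OS entry: " + line)
            systems.append((path.strip(), m.group(1), m.group(2).strip()))
    if "default" not in loader or "timeout" not in loader:
        raise ValueError("[boot loader] must contain timeout and default")
    return loader, systems


def check_default(text):
    """True if the default entry names one of the [operating systems] lines.
    Run this before saving any hand edit: a default that matches nothing
    means the entry you meant to preselect is not the one that gets picked."""
    loader, systems = parse_boot_ini(text)
    return any(path == loader["default"] for path, _, _ in systems)


def adjust_boot_ini(text, timeout=None, default=None):
    """Rewrite boot.ini with a new timeout and/or default entry, keeping every
    other line as it was. Raises if the new default is not a listed OS entry
    (Thunder's fix is to drop the '.0' so the original install is chosen)."""
    _, systems = parse_boot_ini(text)
    if default is not None and default not in {p for p, _, _ in systems}:
        raise ValueError("default %r is not an [operating systems] entry" % default)
    if timeout is not None and (not isinstance(timeout, int) or timeout < 0):
        raise ValueError("timeout must be a non-negative integer")
    out = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "boot loader":
            key = line.partition("=")[0].strip().lower()
            if key == "timeout" and timeout is not None:
                raw = "timeout=%d" % timeout
            elif key == "default" and default is not None:
                raw = "default=" + default
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    fixed = adjust_boot_ini(
        BOOT_INI, timeout=5,
        default=r"multi(0)disk(0)rdisk(0)partition(1)\WINDOWS")
    print(fixed)
```

On the real machine the file is C:\boot.ini with the hidden, system and read-only attributes set, so clear them first (attrib -r -s -h C:\boot.ini), write the result, and set them back afterwards.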



