
Trojan.Vundo Infection


This topic is locked
9 replies to this topic

#1 gallileo

Posted 12 January 2009 - 12:43 AM

Hi,

My computer got infected. I started to get popup windows out of the blue. I was running the current version of McAfee antivirus and firewall software, plus a hardware firewall. I use the Firefox browser (I don't use Internet Explorer).

I ran Malwarebytes' Anti-Malware and it detected (and quarantined) Trojan.Vundo, Trojan.Vundo.H, Trojan.Dropper, Trojan.Downloader and Malware.Trace (a total of 27 items were quarantined).

I am still having problems. The computer is sometimes very unresponsive. McAfee antivirus and firewall get turned off after some time. I don't know if it is important, but if I scan with McAfee it usually stops at the file winnt\system32\dinput8.dll and does not continue.

I also ran Spybot and SUPERAntiSpyware but they didn't manage to clean the computer.

Here is the DDS log:


DDS (Ver_09-01-07.01) - NTFSx86
Run by Administrator at 20:52:45.19 on Sun 01/11/2009
Internet Explorer: 6.0.2800.1106
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.1535.1190 [GMT -8:00]


============== Running Processes ===============

C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\quartus\bin\JTAGServer.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINNT\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\system32\desk95.exe
C:\WINNT\system32\viewport.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINNT\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Adobe\Acrobat 6.0 CE\Distillr\acrotray.exe
C:\Documents and Settings\Administrator.SPLIT\Desktop\dds.scr
C:\WINNT\System32\WBEM\WinMgmt.exe

============== Pseudo HJT Report ===============

uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\system32\blank.htm
uInternet Settings,ProxyOverride = <local>
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0 ce\acrobat\AcroIEFavClient.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0 ce\acrobat\AcroIEFavClient.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0 ce\acrobat\AcroIEFavClient.dll
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
uRun: [ATI Launchpad]
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_0_0
mRun: [Synchronization Manager] mobsync.exe /logon
mRun: [AtiPTA] atiptaxx.exe
mRun: [HydarVisionDesktopManager] desk95.exe
mRun: [HydarVisionViewport] viewport.exe
mRun: [RoxioEngineUtility] "c:\program files\common files\roxio shared\system\EngUtil.exe"
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [dla] c:\winnt\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [NeroFilterCheck] c:\winnt\system32\NeroCheck.exe
mRun: [WinampAgent] c:\program files\winamp\winampa.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
dRun: [Symantec Network Driver Update Warning] c:\progra~1\symantec\liveup~1\SNDWarn.EXE
dRun: [Symantec NetDriver Warning] c:\progra~1\symnet~1\SNDWarn.exe
dRun: [Norton SystemWorks] "c:\program files\norton systemworks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0 ce\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\pkmcdo.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: wshpfb.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1.spl\applic~1\mozilla\firefox\profiles\spdrdlfb.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\real\realone player\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprpjplug.dll

============= SERVICES / DRIVERS ===============

R0 Pnp680;SiI 680 ATA Controller;c:\winnt\system32\drivers\PnP680.sys [2008-4-26 66736]
R1 CINEMSUP;Cinemsup;c:\winnt\system32\drivers\cinemsup.sys [2003-12-19 6656]
R1 mfehidk;McAfee Inc. mfehidk;c:\winnt\system32\drivers\mfehidk.sys [2008-12-20 207656]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-22 55024]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-12-20 605512]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\winnt\system32\drivers\mfeavfk.sys [2008-12-20 79240]
R3 mfebopk;McAfee Inc. mfebopk;c:\winnt\system32\drivers\mfebopk.sys [2008-12-20 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\winnt\system32\drivers\mfesmfk.sys [2008-12-20 40488]
R3 NTSPPPOE;Efficient Networks Enternet P.P.P.o.E LAN Miniport Driver;c:\winnt\system32\drivers\ntspppoe.sys [2002-2-5 159680]
R3 openhci;Microsoft USB Open Host Controller Driver;c:\winnt\system32\drivers\openhci.sys [2006-6-25 24784]
R3 ousb2hub;OrangeWare USB 2.0 Hub Support;c:\winnt\system32\drivers\ousb2hub.sys [2006-6-25 56960]
R4 BCMNTIO;BCMNTIO;c:\progra~1\checkit\diagno~1\BCMNTIO.sys [2005-6-5 3744]
R4 MAPMEM;MAPMEM;c:\progra~1\checkit\diagno~1\MAPMEM.sys [2005-6-5 3904]
R4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-12-22 206096]
R4 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-12-20 358736]
R4 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-12-20 144704]
R4 ousbehci;OrangeWare USB Enhanced Host Controller Service;c:\winnt\system32\drivers\ousbehci.sys [2006-6-25 45696]
R4 PPPoEService;PPPoE Service;c:\progra~1\effici~1\entern~1\app\pppoeservice.exe [2002-2-5 49152]
R4 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2007-9-20 1247600]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\CCPWDSVC.EXE [2005-10-28 79472]
S3 DbgProxy;Visual Studio Debugger Proxy Service;c:\program files\microsoft visual studio .net 2003\common7\packages\debugger\dbgproxy.exe [2003-3-18 53248]
S3 mferkdk;McAfee Inc. mferkdk;c:\winnt\system32\drivers\mferkdk.sys [2008-12-20 34152]
S3 NTSTAP1;NTSTAP1;c:\progra~1\effici~1\entern~1\app\NTSTAP1.SYS [2002-2-5 170240]
S3 RAWESR;RAWESR;c:\progra~1\effici~1\entern~1\app\RAWESR.SYS [2002-2-5 9688]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-22 7408]
S3 STVqx3;Intel Play QX3 Microscope;c:\winnt\system32\drivers\STVqx3.SYS [2006-7-8 131776]
S3 TAPBIND;TAPBIND;c:\progra~1\effici~1\entern~1\app\TAPBIND1.SYS [2002-2-5 17920]
S3 usbhub20;USB 2.0 Root Hub Support;c:\winnt\system32\drivers\usbhub20.sys [2003-9-30 49776]

=============== Created Last 30 ================

2009-01-11 20:53 16,384 a------t c:\winnt\system32\Perflib_Perfdata_7ac.dat
2009-01-11 20:52 16,384 a------t c:\winnt\system32\Perflib_Perfdata_5a8.dat
2009-01-09 23:35 16,384 a------t c:\winnt\system32\Perflib_Perfdata_53c.dat
2009-01-09 21:46 16,384 a------t c:\winnt\system32\Perflib_Perfdata_4f4.dat
2009-01-07 22:41 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\SUPERAntiSpyware.com
2009-01-07 22:40 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-01-07 22:40 <DIR> --d----- c:\docume~1\admini~1.spl\applic~1\SUPERAntiSpyware.com
2009-01-07 21:12 16,384 a------t c:\winnt\system32\Perflib_Perfdata_798.dat
2009-01-06 07:00 16,384 a------t c:\winnt\system32\Perflib_Perfdata_6dc.dat
2009-01-06 00:25 16,384 a------t c:\winnt\system32\Perflib_Perfdata_77c.dat
2009-01-05 19:55 2,858 a------- c:\winnt\system32\tmp.reg
2009-01-04 12:00 <DIR> --d----- c:\docume~1\admini~1.spl\applic~1\Malwarebytes
2009-01-04 12:00 15,504 a------- c:\winnt\system32\drivers\mbam.sys
2009-01-04 12:00 38,496 a------- c:\winnt\system32\drivers\mbamswissarmy.sys
2009-01-04 12:00 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-04 12:00 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2009-01-04 00:56 16,384 a------t c:\winnt\system32\Perflib_Perfdata_528.dat
2009-01-03 22:59 16,384 a------t c:\winnt\system32\Perflib_Perfdata_534.dat
2009-01-02 08:25 16,384 a------t c:\winnt\system32\Perflib_Perfdata_510.dat
2008-12-21 13:17 16,384 a------t c:\winnt\system32\Perflib_Perfdata_280.dat
2008-12-20 19:32 16,384 a------t c:\winnt\system32\Perflib_Perfdata_344.dat
2008-12-20 19:31 5,831 a------- c:\winnt\system32\Config.MPF
2008-12-20 19:30 <DIR> --d----- c:\program files\SiteAdvisor
2008-12-20 19:24 40,488 a------- c:\winnt\system32\drivers\mfesmfk.sys
2008-12-20 19:24 35,240 a------- c:\winnt\system32\drivers\mfebopk.sys
2008-12-20 19:24 79,240 a------- c:\winnt\system32\drivers\mfeavfk.sys
2008-12-20 19:24 120,136 a------- c:\winnt\system32\drivers\Mpfp.sys
2008-12-20 19:23 <DIR> --d----- c:\program files\common files\McAfee
2008-12-20 19:23 <DIR> --d----- c:\program files\McAfee.com
2008-12-20 19:23 <DIR> --d----- c:\program files\McAfee
2008-12-20 19:22 34,152 a------- c:\winnt\system32\drivers\mferkdk.sys
2008-12-20 19:22 207,656 a------- c:\winnt\system32\drivers\mfehidk.sys

==================== Find3M ====================

2008-10-22 21:27 237,840 a------- c:\winnt\system32\GDI32.DLL
2008-10-15 13:53 575,488 a------- c:\winnt\system32\WININET.DLL
2003-09-30 21:16 21,952 ----h--- c:\program files\folder.htt
2003-09-30 21:16 271 ----h--- c:\program files\desktop.ini
2001-07-17 03:08 65,536 a------- c:\winnt\inf\copyinf.exe
1999-12-07 04:00 32,528 a------- c:\winnt\inf\wbfirdma.sys

============= FINISH: 20:54:44.84 ===============




Any suggestions on how I should proceed?


#2 Billy O'Neal

Malware Response Team

Posted 24 January 2009 - 11:39 PM

Hello, gallileo
:thumbsup: to BleepingComputer.com

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)
Please give me some time to look over your computer's log(s).
Please take note of the following:
  • In the meantime, please refrain from making any changes to your computer.
  • Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Finally, please reply using the reply button in the lower left hand corner of your screen.
We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

In your next reply, please include the following:
  • ComboFix.txt

BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#3 gallileo

Posted 25 January 2009 - 02:24 PM

Hi Billy,

Please find attached the ComboFix log file. What is the next step?

Thanks for the help,
Gallileo

ComboFix 09-01-21.04 - Administrator 01/25/2009 10:57:21.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.1535.1200 [GMT -8:00]
Running from: c:\documents and settings\Administrator.SPLIT\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\winnt\IE4 Error Log.txt
c:\winnt\system32\config\SAM.SAV
c:\winnt\system32\tmp.reg
c:\winnt\Web\default.htt
c:\winnt\wiaserviv.log

.
((((((((((((((((((((((((( Files Created from 2008-12-25 to 2009-01-25 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-11 02:02 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-01-10 07:15 --------- d-----w c:\program files\McAfee
2009-01-08 06:41 --------- d-----w c:\program files\SUPERAntiSpyware
2009-01-08 06:41 --------- d-----w c:\documents and settings\All Users.WINNT\Application Data\SUPERAntiSpyware.com
2009-01-08 06:40 --------- d-----w c:\documents and settings\Administrator.SPLIT\Application Data\SUPERAntiSpyware.com
2009-01-08 06:39 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-06 08:28 --------- d-----w c:\documents and settings\Default User.WINNT\Application Data\SACore
2009-01-05 02:38 38,496 ----a-w c:\winnt\system32\drivers\mbamswissarmy.sys
2009-01-05 02:38 15,504 ----a-w c:\winnt\system32\drivers\mbam.sys
2009-01-04 20:00 --------- d-----w c:\documents and settings\All Users.WINNT\Application Data\Malwarebytes
2009-01-04 20:00 --------- d-----w c:\documents and settings\Administrator.SPLIT\Application Data\Malwarebytes
2009-01-04 07:34 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-04 07:08 --------- d---a-w c:\documents and settings\All Users.WINNT\Application Data\Spybot - Search & Destroy
2008-12-21 03:41 --------- d-----w c:\program files\SiteAdvisor
2008-12-21 03:31 --------- d-----w c:\documents and settings\All Users.WINNT\Application Data\McAfee
2008-12-21 03:30 --------- d-----w c:\documents and settings\All Users.WINNT\Application Data\SiteAdvisor
2008-12-21 03:24 --------- d-----w c:\program files\Common Files\McAfee
2008-12-21 03:23 --------- d-----w c:\program files\McAfee.com
2008-12-21 03:02 --------- d---a-w c:\program files\Common Files\Symantec Shared
2008-12-21 02:39 --------- d-----w c:\documents and settings\All Users.WINNT\Application Data\Symantec
2008-12-21 01:22 --------- d---a-w c:\program files\Symantec
2008-11-30 22:59 --------- d-----w c:\documents and settings\Administrator.SPLIT\Application Data\Symantec
2008-11-30 22:40 --------- d-----w c:\program files\Common Files\Smith Micro Shared
2003-10-01 05:16 271 ---h--w c:\program files\desktop.ini
2003-10-01 05:16 21,952 ---h--w c:\program files\folder.htt
2001-07-17 11:08 65,536 ----a-w c:\winnt\inf\copyinf.exe
1999-12-07 12:00 32,528 ----a-w c:\winnt\inf\wbfirdma.sys
2003-07-29 07:15 307,200 ----a-w c:\program files\internet explorer\plugins\djvu0407.dll
2003-07-29 07:15 303,104 ----a-w c:\program files\internet explorer\plugins\djvu0409.dll
2003-07-29 07:15 311,296 ----a-w c:\program files\internet explorer\plugins\djvu040c.dll
2003-07-29 07:15 299,008 ----a-w c:\program files\internet explorer\plugins\djvu0411.dll
2003-07-29 07:15 299,008 ----a-w c:\program files\internet explorer\plugins\djvu0412.dll
2003-07-29 07:15 290,816 ----a-w c:\program files\internet explorer\plugins\djvu0804.dll
2003-07-29 07:15 122,880 ----a-w c:\program files\internet explorer\plugins\DjVuCntl.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [03/30/06 03:45p 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [05/01/03 06:44p 65536]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [11/02/04 08:24p 32768]
"dla"="c:\winnt\system32\dla\tfswctrl.exe" [02/25/05 04:33a 127037]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [07/27/04 03:50p 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [07/27/04 03:50p 81920]
"NeroFilterCheck"="c:\winnt\system32\NeroCheck.exe" [07/09/01 10:50a 155648]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [05/14/07 02:22p 35328]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [07/11/08 04:48p 641208]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [06/13/08 02:59a 1176808]
"Synchronization Manager"="mobsync.exe" [06/19/03 11:05a 111376 c:\winnt\system32\mobsync.exe]
"AtiPTA"="atiptaxx.exe" [01/17/01 04:28p 192512 c:\winnt\system32\atiptaxx.exe]
"HydarVisionDesktopManager"="desk95.exe" [02/06/01 11:54a 659456 c:\winnt\system32\Desk95.exe]
"HydarVisionViewport"="viewport.exe" [02/06/01 11:50a 479232 c:\winnt\system32\ViewPort.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Symantec NetDriver Warning"="c:\progra~1\SYMNET~1\SNDWarn.exe" [07/13/04 03:19p 95352]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [06/19/03 11:05a 186640]

c:\documents and settings\All Users.WINNT\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0 CE\Distillr\acrotray.exe [2003-07-17 217180]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [05/13/08 09:13a 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
12/22/08 11:05a 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wshpfb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= vvlcodec.dll
"VIDC.UYVY"= vvlcodec.dll
"aux"= mmdrv.dll
"VIDC.YUY2"= vvlcodec.dll
"SENTINEL"= snti386.dll
"vidc.yv12"= vvlcodec.dll
"msvideo3"= STVqx3tg.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"CorelDRAW Graphics Suite 11b"=c:\program files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=120704 serial=DR12WUX-0625106-WVF lang=EN
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="0x00000000"
"UpdatesDisableNotify"="0x00000000"

R0 Pnp680;SiI 680 ATA Controller;c:\winnt\system32\drivers\PnP680.sys [2008-04-26 66736]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-22 55024]
R3 NTSPPPOE;Efficient Networks Enternet P.P.P.o.E LAN Miniport Driver;c:\winnt\system32\drivers\ntspppoe.sys [2002-02-05 159680]
R3 openhci;Microsoft USB Open Host Controller Driver;c:\winnt\system32\drivers\openhci.sys [2006-06-25 24784]
R3 ousb2hub;OrangeWare USB 2.0 Hub Support;c:\winnt\system32\drivers\ousb2hub.sys [2006-06-25 56960]
R4 BCMNTIO;BCMNTIO;c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [2005-06-05 3744]
R4 MAPMEM;MAPMEM;c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [2005-06-05 3904]
R4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2008-12-22 206096]
R4 ousbehci;OrangeWare USB Enhanced Host Controller Service;c:\winnt\system32\drivers\ousbehci.sys [2006-06-25 45696]
R4 PPPoEService;PPPoE Service;c:\progra~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe [2002-02-05 49152]
S3 DbgProxy;Visual Studio Debugger Proxy Service;c:\program files\Microsoft Visual Studio .NET 2003\Common7\Packages\Debugger\dbgproxy.exe [2003-03-18 53248]
S3 NTSTAP1;NTSTAP1;c:\progra~1\EFFICI~1\ENTERN~1\app\NTSTAP1.SYS [2002-02-05 170240]
S3 RAWESR;RAWESR;c:\progra~1\EFFICI~1\ENTERN~1\app\RAWESR.SYS [2002-02-05 9688]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-22 7408]
S3 STVqx3;Intel Play QX3 Microscope;c:\winnt\system32\drivers\STVqx3.SYS [2006-07-08 131776]
S3 TAPBIND;TAPBIND;c:\progra~1\EFFICI~1\ENTERN~1\app\TAPBIND1.SYS [2002-02-05 17920]
S3 usbhub20;USB 2.0 Root Hub Support;c:\winnt\system32\drivers\usbhub20.sys [2003-09-30 49776]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBACKMONITOR
.
Contents of the 'Scheduled Tasks' folder

2009-01-01 c:\winnt\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [07/09/08 06:10p]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-ATI Launchpad - (no file)
HKU-Default-Run-Symantec Network Driver Update Warning - c:\progra~1\Symantec\LIVEUP~1\SNDWarn.EXE
HKU-Default-Run-Norton SystemWorks - c:\program files\Norton SystemWorks\cfgwiz.exe
SafeBoot-mfehidk
SafeBoot-mferkdk
SafeBoot-mfetdik
SafeBoot-mfetdik.sys


.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\system32\blank.htm
uInternet Settings,ProxyOverride = <local>
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
LSP: %SystemRoot%\system32\msafd.dll
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-25 11:02:26
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(200)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL
.
Completion time: 01/25/2009 11:07:49
ComboFix-quarantined-files.txt 2009-01-25 19:06:30

Pre-Run: 5,218,275,328 bytes free
Post-Run: 5,276,434,432 bytes free

171 --- E O F --- 2009-01-03 18:38:28

Edited by Billy O'Neal, 25 January 2009 - 04:20 PM.


#4 Billy O'Neal

Posted 25 January 2009 - 04:26 PM

Hello, gallileo
We need to re-run ComboFix with some additional directives.
  • Please disable any running anti-virus programs.

    If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:
    http://www.bleepingcomputer.com/forums/t/194505/trojanvundo-infection/
    suspect::[54]
    %SystemRoot%\system32\msafd.dll
    file::
    c:\program files\internet explorer\plugins\djvu0407.dll
    c:\program files\internet explorer\plugins\djvu0409.dll
    c:\program files\internet explorer\plugins\djvu040c.dll
    c:\program files\internet explorer\plugins\djvu0411.dll
    c:\program files\internet explorer\plugins\djvu0412.dll
    c:\program files\internet explorer\plugins\djvu0804.dll
    c:\program files\internet explorer\plugins\DjVuCntl.dll
    registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=-
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]
    driver::
    mferkdk.sys
    mfehidk.sys
    dirlook::
    c:\progra~1\CheckIt
  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Please copy and paste that report here.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

I would like us to use ESET (NOD32)'s Online Scanner
  • Please go to ESET OnlineScan (NOD32)
  • You will then see the Terms of Use, tick the check-box in front of YES, I accept the Terms of Use
  • Now click Start
  • Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
  • Click Start
    • Note: (the Onlinescanner will now prepare itself for running on your pc)
  • To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan
  • The Onlinescan will now start and scan your pc (this could take a while)
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
  • Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
  • The Scanresults will now open in Notepad
  • Click into the text area, right-click and choose "select all" (or use Ctrl+A)
  • Right-click again and choose "Copy" (or Ctrl+C)
  • Close/Exit Notepad
  • Navigate to this thread and post your log along with anything else requested from us, by right-clicking and "paste" (or ctrl+v) in the text area of the reply post you just created.
Note: For Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

In your next reply, please include the following:
  • ComboFix.txt
  • ESET OnlineScan's Log

BillyIII
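The second ComboFix script above goes after the loading points a Vundo triage centres on: it clears the AppInit_DLLs value (wshpfb.dll, a bare filename that user32.dll pulls into every GUI process), deletes two SafeBoot driver entries, and submits the Winsock LSP msafd.dll for analysis with suspect::. The earlier run had already removed an orphaned HKCU Run value with no file behind it. The script below is an added example, not part of this thread, of DDS or of ComboFix: it classifies DDS/ComboFix-style loading-point lines so that the few entries worth an analyst's time stand out from the dozens of legitimate ones. The sample lines are constructed from entries in the logs posted above, and the TRUSTED_DIRS allow-list is a hypothetical stand-in for whatever software the analyst already knows was installed deliberately (here SUPERAntiSpyware, whose Notify and ShellExecuteHook DLLs are expected).

```python
"""Triage loading-point lines from a DDS / ComboFix log for Vundo-style persistence.

Added example for this thread, not part of DDS, ComboFix or the original posts.
The sample lines are constructed from entries quoted in the logs above; the
TRUSTED_DIRS allow-list is hypothetical.
"""
import re
from dataclasses import dataclass

# Loading points that inject a DLL into many (or all) processes. Vundo abused
# AppInit_DLLs; legitimate products (SUPERAntiSpyware above) use Notify/SEH.
HIGH_RISK_KINDS = {"AppInit_DLLs", "Notify", "SEH", "LSP"}
RUN_KINDS = {"uRun", "mRun", "dRun", "dRunOnce"}

# Hypothetical allow-list: directories of software the user installed on purpose.
# A path match only lowers priority; it is not proof the file is clean.
TRUSTED_DIRS = ("c:\\program files\\superantispyware\\",)

# Constructed from lines in the DDS and ComboFix logs posted above.
SAMPLE_LOG = r"""
uRun: [ATI Launchpad]
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_0_0
mRun: [AtiPTA] atiptaxx.exe
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: wshpfb.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSP: %SystemRoot%\system32\msafd.dll
"""


@dataclass(frozen=True)
class Finding:
    kind: str       # DDS/ComboFix line prefix, e.g. "AppInit_DLLs"
    target: str     # value name or file path the entry points at
    severity: str   # "high", "orphan" or "info"
    reason: str


LINE_RE = re.compile(r"^(?P<kind>[A-Za-z_]+):\s*(?P<rest>.*)$")
RUN_RE = re.compile(r"^\[(?P<name>[^\]]*)\]\s*(?P<target>.*)$")


def _split_target(rest):
    """Split 'name - path' into (name, path); a line without ' - ' is all path."""
    if " - " in rest:
        name, path = rest.rsplit(" - ", 1)
        return name.strip(), path.strip()
    return "", rest.strip()


def classify(line):
    """Return a Finding for one log line, or None if it needs no attention."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, rest = m.group("kind"), m.group("rest")

    if kind in RUN_KINDS:
        # Run values with no command are dead keys (ComboFix lists them as orphans).
        rm = RUN_RE.match(rest)
        if rm and not rm.group("target"):
            return Finding(kind, rm.group("name"), "orphan",
                           "autostart value with no command; safe to delete")
        return None

    name, path = _split_target(rest)
    if not path or path.lower() == "no file":
        return Finding(kind, name or rest, "orphan",
                       "entry points at a file that is gone; delete the stale key")

    if kind not in HIGH_RISK_KINDS:
        return None
    low = path.lower()
    if "\\" not in low:
        # No directory: the loader resolves it through the DLL search path.
        return Finding(kind, path, "high",
                       f"{kind} loads a bare filename resolved via the DLL search path")
    if low.startswith(TRUSTED_DIRS):
        return Finding(kind, path, "info",
                       f"{kind} DLL under a known vendor directory; confirm its signature")
    return Finding(kind, path, "high",
                   f"{kind} loads {path}; confirm it is the vendor/OS copy before trusting it")


def triage(log_text):
    """Classify every line; return findings ordered high, orphan, info."""
    order = {"high": 0, "orphan": 1, "info": 2}
    findings = [f for f in map(classify, log_text.splitlines()) if f]
    return sorted(findings, key=lambda f: order[f.severity])


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.kind}: {f.target} -- {f.reason}")
```

On the sample input the two "high" findings are the AppInit_DLLs value and the LSP, which is what the script in the post above removes and submits respectively; the orphaned Run value and the toolbar with "No File" are cleanup, and the two SUPERAntiSpyware DLLs fall to "info" only because of the allow-list, so a real triage would still check their signatures.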

#5 gallileo

Posted 26 January 2009 - 02:16 AM

Hi Billy,

Thanks for the fast reply. Please find attached log of the new scan.

I didn't run ESET yet because I have a concern about running it online. Namely, my firewall gets automatically shut down by the virus (or whatever it is), so I am afraid that if I run ESET online my computer will become vulnerable to all sorts of new attacks. (I am not online anymore with the infected computer; I am writing this from another computer.) What is your suggestion?

One more thing: for ESET, do I need to disable my McAfee virus protection?

Regards,
Gallileo

Attached File: log1.txt (27.43KB)


#6 Billy O'Neal

Posted 26 January 2009 - 03:58 PM

I believe that the infection is, at this point, disabled. I want to run ESET simply to ensure I have not missed anything :thumbsup:

Billy3

#7 gallileo

Posted 27 January 2009 - 01:04 AM

Hi Billy,

Thanks for the help. I will run ESET tomorrow. I am planning to leave the computer on for one day before connecting it back to the internet, just to be sure that the firewall is not being turned off again, and then I'll run ESET.

One question: after checking that everything is fine, do I need to reinstall the McAfee software? I am wondering if the trojan (or whatever it was) did some permanent damage to it. I was unable to find any option to check the "health", i.e. the integrity, of McAfee itself.

One more thing: do I need to disable McAfee (only the antivirus, not the firewall) while running ESET?

Neven

#8 Billy O'Neal

Posted 27 January 2009 - 07:44 PM

Reinstalling McAfee should not be needed, but of course no harm can come of it.

It need not be disabled while running ESET.

Billy3

#9 Billy O'Neal

Posted 01 February 2009 - 03:13 PM

Hello, gallileo
Are you still here?

BillyIII

#10 Billy O'Neal

Posted 03 February 2009 - 08:23 PM

Hello, gallileo
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please send me or another moderator a PM.

Everyone else please begin a new topic.

BillyIII