Trojan.Vundo threats in SAV won't go away


This topic is locked
1 reply to this topic

#1 ACN-Security-Man


Posted 15 January 2009 - 05:51 AM

I am working on a customer's work laptop and has been receiving SAV threats for some time now and ignoring it. I have done some diagnostics and repair based on the topics I have read here but would like to be sure this thing is gone. Here is a current DDS log. Any help would be appreciated.

DDS (Ver_09-01-07.01) - NTFSx86
Run by mpdwzjx at 5:44:29.81 on 2009-01-15
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.5.0_16
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2039.1427 [GMT -5:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Connected\AgentSrv.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Neoteris\Installer Service\NeoterisSetupService.exe
D:\oracle\ora92\bin\omtsreco.exe
C:\WINDOWS\system32\Prot_srv.exe
C:\WINDOWS\system32\pstartSr.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\system32\AccelerometerSt.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Java\jre1.5.0_16\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ComcastUI\Universal Installer\uinstaller.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Connected\CBSysTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\internet explorer\iexplore.exe
D:\Documents and Settings\mpdwzjx\Desktop\SPyware Stuff\DDS\dds.com

============== Pseudo HJT Report ===============

uStart Page = about:blank
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_16\bin\ssv.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Universal Installer] "c:\program files\comcastui\universal installer\uinstaller.exe" /fromrun /starthidden
uRun: [EasyLinkAdvisor] "c:\program files\linksys easylink advisor\LinksysAgent.exe" /startup
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [AccelerometerSysTrayApplet] c:\windows\system32\AccelerometerSt.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [Pointsec Tray] c:\program files\pointsec\pointsec for pc\P95Tray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.5.0_16\bin\jusched.exe"
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\connec~1.lnk - c:\program files\connected\CBSysTray.exe
uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
mPolicies-system: LogonType = 0 (0x0)
mPolicies-system: SynchronousMachineGroupPolicy = 0 (0x0)
mPolicies-system: SynchronousUserGroupPolicy = 0 (0x0)
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Edit with &XML Spy - c:\program files\altova\xmlspy\spy.htm
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: accenture.com
Trusted Zone: accenture.com\mylearning
Trusted Zone: bls.com
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - d:\docume~1\mpdwzjx\applic~1\mozilla\firefox\profiles\5tl7re02.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: network.proxy.type - 2

============= SERVICES / DRIVERS ===============

R0 prot_2k;prot_2k;c:\windows\system32\drivers\prot_2k.sys [2007-2-6 238496]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2008-5-15 193840]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2007-6-4 9049]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-1-13 99376]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2008-5-8 36608]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090114.017\naveng.sys [2009-1-14 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090114.017\navex15.sys [2009-1-14 876112]
R4 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-11-21 192104]
R4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-11-21 169576]
R4 Pointsec;Pointsec;c:\windows\system32\Prot_srv.exe [2007-2-6 146720]
R4 Pointsec_start;Pointsec Service Start;c:\windows\system32\pstartSr.exe [2007-2-6 109856]
R4 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2007-3-14 116416]
R4 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2007-3-14 1816768]
R4 WDHLLKNL;WDHLLKNL;c:\windows\system32\drivers\WDHLLKNL.SYS [2004-8-4 4784]
S3 COAX;COAX;c:\windows\system32\drivers\coax.sys [2004-8-4 18424]
S3 RMBS;RMBS;c:\windows\system32\drivers\rmbs.sys [2004-8-4 17828]
S4 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2002-10-11 115008]

=============== Created Last 30 ================

2009-01-15 05:28 388,608 -------- c:\windows\system32\CF21333.exe
2009-01-15 05:10 <DIR> a-dshr-- C:\cmdcons
2009-01-15 03:07 250 a------- c:\windows\gmer.ini
2009-01-13 20:56 <DIR> --d----- d:\docume~1\mpdwzjx\applic~1\Malwarebytes
2009-01-13 20:56 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-13 20:56 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-13 20:56 <DIR> --d----- d:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-13 20:56 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-13 20:36 <DIR> --d----- c:\program files\trend micro
2009-01-13 18:22 2,713 ---sh--- c:\windows\system32\metibahe.exe
2009-01-08 13:00 <DIR> --d----- C:\POINTSEC REGLIST
2009-01-06 20:26 <DIR> --d----- c:\program files\wincmp1
2009-01-05 09:46 2,713 ---sh--- c:\windows\system32\tuweseje.exe
2008-12-28 19:18 459,264 -------- c:\windows\system32\dllcache\msfeeds.dll
2008-12-28 19:18 267,776 -------- c:\windows\system32\dllcache\iertutil.dll
2008-12-28 19:18 63,488 -------- c:\windows\system32\dllcache\icardie.dll
2008-12-28 19:18 52,224 -------- c:\windows\system32\dllcache\msfeedsbs.dll
2008-12-28 19:18 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-12-28 19:18 2,455,488 -------- c:\windows\system32\dllcache\ieapfltr.dat
2008-12-28 19:18 991,232 -------- c:\windows\system32\dllcache\ieframe.dll.mui
2008-12-28 19:18 383,488 -------- c:\windows\system32\dllcache\ieapfltr.dll
2008-12-28 19:18 6,066,176 -------- c:\windows\system32\dllcache\ieframe.dll
2008-12-21 19:45 <DIR> --d----- c:\windows\system32\Adobe

==================== Find3M ====================

2008-12-13 01:40 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll
2008-10-24 06:10 453,632 a------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 07:51 284,160 a------- c:\windows\system32\gdi32.dll
2008-10-23 07:51 284,160 a------- c:\windows\system32\dllcache\gdi32.dll
2007-11-02 12:11 45,056 a------- c:\program files\common files\Period20.dll
2007-11-02 12:11 24,576 a------- c:\program files\common files\Artes32X.dll
2007-11-02 12:11 24,576 a------- c:\program files\common files\ACTripsLog.dll
2006-09-12 09:21 319 a------- c:\program files\VersionMarker.dat
0000-00-00 00:00 5,120 a--sh--- c:\windows\system32\tenugizu.dll

============= FINISH: 5:44:48.12 ===============

Edited by ACN-Security-Man, 15 January 2009 - 06:36 AM.

#2 teacup61

  • Malware Response Team
Posted 15 January 2009 - 05:14 PM

Hello ACN-Security-Man,

We offer our services for free to home/personal computer users. We're not here to make money for you, or to do your job for you for free.

Regards,
tea
