
Had Vundo infection



#1 compclock

compclock

  • Members
  • 1 posts

Posted 09 April 2009 - 10:14 AM

Hello
I recently had a Vundo virus infection on my son's PC running Win XP Pro. I believe I removed it using AVG and Spybot. I ran ComboFix (using all precautions). Can anyone take a look at the resulting log to confirm the PC is free from the infection?

Thank you in advance.


ComboFix 09-04-04.01 - Andrew 2009-04-09 10:36:21.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.250 [GMT -4:00]
Running from: c:\documents and settings\Andrew\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Andrew\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\test.txt
c:\windows\system32\desogole.dll.vir
c:\windows\system32\huguhalu.dll.vir
c:\windows\system32\usayibed.ini

.
((((((((((((((((((((((((( Files Created from 2009-03-09 to 2009-04-09 )))))))))))))))))))))))))))))))
.

2009-04-08 19:41 . 2009-04-09 10:02 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-04-08 19:41 . 2009-04-08 19:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-04-08 19:41 . 2009-04-08 19:41 325,640 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-04-08 19:41 . 2009-04-08 19:41 108,552 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-04-08 19:41 . 2009-04-08 19:41 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-04-08 09:06 . 2009-04-08 09:06 <DIR> d-------- C:\VundoFix Backups
2009-04-07 23:12 . 2009-04-08 09:04 <DIR> d-------- C:\Downloads
2009-04-07 22:41 . 2009-04-08 10:59 <DIR> d-------- c:\windows\SxsCaPendDel
2009-04-07 21:55 . 2009-04-07 21:55 552 --a------ c:\windows\system32\d3d8caps.dat
2009-04-07 21:32 . 2009-04-09 10:03 1,420 --a------ c:\windows\Wnuvexuyodegexin.dat
2009-04-07 21:32 . 2009-04-09 10:27 16 --a------ c:\windows\Ucagowubucud.bin
2009-04-07 18:05 . 2009-04-07 18:05 27,136 --a------ C:\jurj.exe
2009-04-03 22:12 . 2009-04-05 22:19 43,520 --a------ c:\windows\system32\CmdLineExt03.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-08 14:57 --------- d-----w c:\program files\Railand
2009-04-08 02:37 --------- d-----w c:\program files\BrainBombers
2009-04-08 02:37 --------- d-----w c:\program files\ArcRail 3.0
2009-03-28 17:44 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-12 22:41 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-23 23:45 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-22 18:00 --------- d-----w c:\program files\googolChooChoo3D
2008-08-22 22:23 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082220080823\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"Fxelayewiduc"="c:\windows\uxesigegobe.dll" [2008-04-13 158208]
"nwiz"="nwiz.exe" [2006-10-22 c:\windows\system32\nwiz.exe]

c:\documents and settings\Andrew\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2007-05-22 256000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1997-07-11 51984]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-08 19:41 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli lpinms.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
--a------ 2009-04-08 19:41 1932568 c:\progra~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-05-03 17:29 77824 c:\program files\QuickTime\qttask.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"=
"c:\\Program Files\\Railroad Tycoon 3\\RT3.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\Microsoft Games\\Zoo Tycoon 2 Endangered Species Trial Version\\zt.exe"=
"c:\\Program Files\\Atari\\Locomotion\\Loco.exe"=
"c:\\Program Files\\Ubi Soft\\Chessmaster 9000\\Chessmaster.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-04-08 325640]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-04-08 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-04-08 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-08 298264]
R3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [2007-03-24 144768]
R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [2007-03-24 545088]
S3 efipsk;efipsk;\??\c:\docume~1\Andrew\LOCALS~1\Temp\efipsk.sys --> c:\docume~1\Andrew\LOCALS~1\Temp\efipsk.sys [?]
S3 vtdg46xx;vtdg46xx;c:\progra~1\TURTLE~1\SANTAC~1\CONTRO~1\vtdg46xx.sys [2007-03-24 19232]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5
.
- - - - ORPHANS REMOVED - - - -

BHO-{73d0647e-c9e6-477a-ac37-ec7cb3ad33aa} - c:\windows\system32\puvutabo.dll
MSConfigStartUp-DSS - c:\windows\BBSTORE\DSS\DSSAGENT.EXE


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-09 10:40:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(572)
c:\windows\lpinms.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-04-09 10:44:57 - machine was rebooted [Andrew]
ComboFix-quarantined-files.txt 2009-04-09 14:44:54

Pre-Run: 46,787,239,936 bytes free
Post-Run: 46,754,979,840 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

139 --- E O F --- 2009-03-15 03:34:15


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,773 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 09 April 2009 - 01:30 PM

Hello compclock

Please note the message text in blue at the top of the Am I infected? What do I do? forum.

ComboFix logs should not be posted outside the HijackThis forums, and then only when requested by a HJT Team member. It is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Please read ComboFix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system, such as preventing it from ever starting again.

Please create a new topic explaining the nature of your problem in the Am I infected? What do I do? forum. Describe pop-ups and system tray or desktop icons that have appeared. Explain what is "going wrong" with your computer. Note any tools you have used and their respective results.

If needed, we will direct you to our HJT Preparation Guide.

Thank you for using BleepingComputer as your malware removal source.

This topic is now closed. If you have any questions, please PM me or another Moderator.
The BC Staff
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.
