
Infected with Trojan Vundo


  • This topic is locked
131 replies to this topic

#1 GSBJoe


Posted 20 November 2009 - 01:46 PM

The first sign that something was wrong was when I clicked on a link provided by a friend regarding the Miss California sex tape scandal (I know...). A bunch of ads popped up, my hard drive started buzzing and I immediately hit ctrl-alt-del to shut down the window (I didn't want to touch the window, and right-clicking on the bottom task bar was futile). I got a message saying "Task manager has been disabled by the administrator".

I shut the computer off manually and when I started up again, some icons were missing from the bottom right of the task bar. I opened Norton Corporate and my computer claimed to be "installing" and "searching" for Norton, however the Norton program opened up just fine in the background. A completed scan revealed "Trojan Vundo", which I attempted to learn more about by clicking on, however the virus has disabled some websites, Symantec included (I learned that the task manager and website problem is common with this virus when I went to wikipedia). I used another computer and printed out instructions on removal at the Symantec website. I went through all the steps, including manual, and it didn't work. I then looked for other tools online and came across this site. I went through all the steps utilizing the rkill, MBAM, vundofix, & VirtumundoBegone programs. Afterwards, I stopped getting messages that random .dll programs could not be found at start up (ex. "giweweno"), however I cannot navigate to some websites (Google searches are useless) and I have no access to MBAM, Superantispyware, and I continue to receive messages that Norton Corporate is missing some pieces (even though it opens in the background). I was able to manually fix the task manager problem, but that's it. I then tried Combofix. As you will see, I had to rename it (aaah111.exe) to get it on my computer, because I couldn't get through the installation process until I changed the name. I ran that and have a log saved if you need it. I have followed the tutorial for posting and I am including the other logs here as instructed:



DDS (Ver_09-10-26.01) - NTFSx86
Run by Joe at 13:06:10.39 on Fri 11/20/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2559.1956 [GMT -5:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Joe\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Kxuyuqim] "c:\documents and settings\joe\application data\?dobe\n?tepad.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dRun: [ALUAlert] c:\program files\symantec\liveupdate\ALUNotify.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\corece~1.lnk - c:\program files\msi\core center\CoreCenter.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: principal.com\www
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.clarkcolor.com/ClarkActivia.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38184.9602662037
DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E7C44C86-0CD3-11D2-9311-00A0247A4E65} - hxxp://65.246.89.22/JWALKC10/JWalkXS/ais40.cab
TCP: {A119825C-0782-4C8E-A037-BAADCDC4292D} = 77.74.48.113
TCP: {CF51FC7F-C0A7-4DEA-98AE-425C977D5921} = 77.74.48.113
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys [2006-5-9 16384]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-22 55024]
R3 dalwdmservice;dal service;c:\windows\system32\drivers\Dalwdm.sys [2006-5-9 105472]
R3 EraserUtilDrvI9;EraserUtilDrvI9;c:\program files\common files\symantec shared\eengine\EraserUtilDrvI9.sys [2009-11-19 102448]
R3 MBX2DFU;MBX2DFU;c:\windows\system32\drivers\mbx2dfu.sys [2006-5-9 15488]
R3 MBX2MIDK;Digidesign Mbox 2 Midi Driver;c:\windows\system32\drivers\mbx2midk.sys [2006-5-9 15232]
S3 EraserUtilDrv10920;EraserUtilDrv10920;\??\c:\program files\common files\symantec shared\eengine\eraserutildrv10920.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilDrv10920.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-22 7408]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2005-4-17 124608]

=============== Created Last 30 ================

2009-11-19 20:06:53 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-11-19 20:06:53 50176 ----a-w- c:\windows\system32\proquota.exe
2009-11-19 19:55:02 0 d-sha-r- C:\cmdcons
2009-11-19 19:53:36 77312 ----a-w- c:\windows\MBR.exe
2009-11-19 19:53:35 98816 ----a-w- c:\windows\sed.exe
2009-11-19 19:53:35 260608 ----a-w- c:\windows\PEV.exe
2009-11-19 19:53:35 161792 ----a-w- c:\windows\SWREG.exe
2009-11-19 19:53:23 0 d-----w- C:\aaah111
2009-11-19 19:38:41 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-19 18:54:39 0 d-----w- C:\VundoFix Backups
2009-11-19 01:40:57 0 d-----w- c:\docume~1\joe\applic~1\Malwarebytes
2009-11-19 01:40:50 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-19 00:22:58 1162 --sha-r- c:\documents and settings\joe\ntuser.pol
2009-11-19 00:20:55 0 d--h--w- c:\windows\system32\GroupPolicy
2009-11-17 04:55:33 41632 ----a-w- C:\vuou.exe
2009-11-17 04:55:31 32256 ----a-w- C:\aruxss.exe
2009-11-17 04:55:30 6656 ----a-w- C:\excbx.exe
2009-11-17 04:55:30 37888 ----a-w- C:\kewwr.exe
2009-11-17 04:55:29 67388 ----a-w- c:\windows\system32\winupdate86.exe.delme1932

==================== Find3M ====================

2009-10-09 19:36:12 4056 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2009-10-08 17:38:43 18983 ----a-w- c:\docume~1\joe\applic~1\ucica.bin
2009-10-08 17:38:43 18045 ----a-w- c:\program files\common files\xipafo.pif
2009-10-08 17:38:43 17832 ----a-w- c:\program files\common files\nalekuf.pif
2009-10-08 17:38:43 13890 ----a-w- c:\docume~1\alluse~1\applic~1\bobopovix.com
2009-10-08 17:38:43 11745 ----a-w- c:\program files\common files\gude.lib
2009-10-08 17:38:43 11034 ----a-w- c:\docume~1\alluse~1\applic~1\ituvuzeso.sys
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08:21 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-17 04:56:09 1208891 --sha-w- c:\windows\system32\kudebeze.exe

============= FINISH: 13:06:26.90 ===============


#2 Raktor


Posted 20 November 2009 - 06:20 PM

Hi, welcome to the BC Forums. My username is Raktor, and I would be glad to help you with your malware issues. I'd be grateful if you would note the following:
  • Absence of symptoms does not always mean the computer is clean
  • Please do not run any scans or fixes without my direction.
  • Finally, stay with this topic until I give you the final 'All clear' post.
I will be back to you shortly with instructions.
Graduate from the WTT Malware Classroom
If you feel I have helped you, please consider a donation.
Topics will be closed after three days if there is no response.
Please do not PM me for malware removal assistance.

#3 GSBJoe


Posted 21 November 2009 - 01:52 PM

Thanks!

I thought you should know that today, when I turned on my monitor, I saw that Norton autoprotect found three of these:

http://securityresponse.symantec.com/secur...-082718-3007-99

#4 Raktor


Posted 23 November 2009 - 06:31 PM

GSBJoe,

Sorry for the delay.

Why we don't ask you to run ComboFix from the onset

As stated by the author of ComboFix:

ComboFix is a very powerful tool which when improperly used may render your machine to a doorstop.

We first need to verify whether there are any rootkits present and how they could affect our tools. DDS & GMER are preliminary scans. We use their logs to map our strategy for attack.

With these logs we can determine the infections present & decide whether to deploy ComboFix.


You got lucky this time though. Please post the contents of your Combofix log (located at C:\Combofix.txt).

#5 GSBJoe


Posted 23 November 2009 - 10:03 PM

I have been lucky so far, I suppose; I won my football pool twice so far this year. Here is the ComboFix log:


ComboFix 09-11-19.02 - Joe 11/19/2009 14:58.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2559.2137 [GMT -5:00]
Running from: c:\documents and settings\Joe\Desktop\aaah111.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\370.tmp
C:\376.tmp
C:\383.tmp
C:\38A.tmp
C:\38B.tmp
c:\documents and settings\All Users\Documents\ralyco.bat
c:\documents and settings\Joe\Application Data\iniasd.txt
c:\documents and settings\Joe\Application Data\jisihyjisi.inf
c:\documents and settings\Joe\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk
c:\documents and settings\Joe\Cookies\ijatulajam.db
c:\documents and settings\Joe\Cookies\oluj.dl
c:\documents and settings\Joe\Cookies\poro.com
c:\documents and settings\Joe\Cookies\utapexuho.bin
c:\documents and settings\Joe\Local Settings\Temporary Internet Files\hekomexo.vbs
c:\documents and settings\Joe\Local Settings\Temporary Internet Files\ucypiv.inf
c:\documents and settings\Joe\Local Settings\Temporary Internet Files\yxywacawo.bat
c:\documents and settings\Joe\Local Settings\Temporary Internet Files\zeqoxy.scr
c:\documents and settings\Joe\My Documents\ZbThumbnail.info
c:\documents and settings\Joe\ntuser.dll
c:\documents and settings\Joe\Start Menu\Programs\Startup\scandisk.dll
c:\documents and settings\Joe\Start Menu\Programs\Startup\scandisk.lnk
C:\dvglbk.exe
c:\recycler\NPROTECT
c:\windows\calafeqe.scr
c:\windows\come.dll
c:\windows\COUPON~1.OCX
c:\windows\CouponPrinter.ocx
c:\windows\odadaji.scr
c:\windows\ovutekydyw.inf
c:\windows\system32\__c00BDAB0.exe
c:\windows\system32\anumerun.ini
c:\windows\system32\anumerun.ini2
c:\windows\system32\anumerun.tmp
c:\windows\system32\bidubiti.dll.tmp
c:\windows\system32\ctfmon .exe
c:\windows\system32\fizejuje.dll
c:\windows\system32\foriwiho.dll
c:\windows\system32\ganotida.dll
c:\windows\system32\gegupota.dll
c:\windows\system32\husowipe.dll
c:\windows\system32\itaweyey.ini
c:\windows\system32\kazuvuye.exe
c:\windows\system32\kejowigi.dll
c:\windows\system32\kufuyinu.dll
c:\windows\system32\lipoyiya.dll
c:\windows\system32\naliboye.dll
c:\windows\system32\nerocheck .exe
c:\windows\system32\oruvadaw.ini
c:\windows\system32\owufogar.ini
c:\windows\system32\qiru.bat
c:\windows\system32\reripaga.dll
c:\windows\system32\rundll32 .exe
c:\windows\system32\usolutas.ini
c:\windows\system32\utogozas.ini
c:\windows\system32\vetahadu.dll.tmp
c:\windows\system32\wbem\proquota.exe
c:\windows\system32\wezevuku.dll
c:\windows\system32\winhelper86.dll
c:\windows\Tasks\cckwpiyu.job
c:\windows\vsnpstd .exe
C:\wridiint.exe

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((( Files Created from 2009-10-19 to 2009-11-19 )))))))))))))))))))))))))))))))
.

2009-11-19 20:06 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-11-19 20:06 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-11-19 19:53 . 2009-11-19 19:55 -------- d-----w- C:\aaah111
2009-11-19 19:38 . 2009-11-19 19:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-19 18:54 . 2009-11-19 18:54 -------- d-----w- C:\VundoFix Backups
2009-11-19 01:40 . 2009-11-19 01:40 -------- d-----w- c:\documents and settings\Joe\Application Data\Malwarebytes
2009-11-19 01:40 . 2009-11-19 01:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-19 00:20 . 2009-11-19 00:20 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-11-18 03:36 . 2009-11-18 03:36 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
2009-11-18 02:24 . 2009-11-18 02:24 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-18 02:24 . 2009-11-18 02:24 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-11-17 04:55 . 2009-11-17 04:55 41632 ----a-w- C:\vuou.exe
2009-11-17 04:55 . 2009-11-17 04:55 32256 ----a-w- C:\aruxss.exe
2009-11-17 04:55 . 2009-11-17 04:55 37888 ----a-w- C:\kewwr.exe
2009-11-17 04:55 . 2009-11-17 04:55 6656 ----a-w- C:\excbx.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-19 20:10 . 2007-03-19 23:33 -------- d-----w- c:\program files\Symantec AntiVirus
2009-11-18 04:35 . 2005-02-08 07:54 -------- d-----w- c:\program files\QuickTime
2009-11-18 04:33 . 2009-01-12 01:35 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-18 04:33 . 2004-07-17 14:59 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-11-18 03:47 . 2009-03-13 21:44 117760 ----a-w- c:\documents and settings\Joe\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-18 03:08 . 2007-03-10 19:34 -------- d-----w- c:\documents and settings\Joe\Application Data\ZoomBrowser EX
2009-11-18 02:58 . 2007-03-10 19:30 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2009-11-16 03:12 . 2007-01-16 02:41 -------- d-----w- c:\documents and settings\Joe\Application Data\uTorrent
2009-10-09 20:25 . 2009-10-09 20:25 -------- d-----w- c:\program files\Microsoft Silverlight
2009-10-09 19:48 . 2009-10-09 04:44 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-10-09 19:45 . 2009-10-09 04:45 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-10-09 19:36 . 2009-10-09 19:31 4056 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2009-10-09 04:44 . 2009-10-09 04:44 -------- d-----w- c:\program files\Common Files\iS3
2009-10-09 03:43 . 2004-11-22 19:29 -------- d-----w- c:\documents and settings\Joe\Application Data\AdobeUM
2009-10-08 17:38 . 2009-10-08 17:38 18983 ----a-w- c:\documents and settings\Joe\Application Data\ucica.bin
2009-10-08 17:38 . 2009-10-08 17:38 18045 ----a-w- c:\program files\Common Files\xipafo.pif
2009-10-08 17:38 . 2009-10-08 17:38 17832 ----a-w- c:\program files\Common Files\nalekuf.pif
2009-10-08 17:38 . 2009-10-08 17:38 14526 ----a-w- c:\documents and settings\Joe\Local Settings\Application Data\milu.dat
2009-10-08 17:38 . 2009-10-08 17:38 13890 ----a-w- c:\documents and settings\All Users\Application Data\bobopovix.com
2009-10-08 17:38 . 2009-10-08 17:38 13890 ----a-w- c:\documents and settings\All Users\Application Data\bobopovix.com
2009-10-08 17:38 . 2009-10-08 17:38 13153 ----a-w- c:\documents and settings\Joe\Local Settings\Application Data\logeheqa.sys
2009-10-08 17:38 . 2009-10-08 17:38 11745 ----a-w- c:\program files\Common Files\gude.lib
2009-10-08 17:38 . 2009-10-08 17:38 11034 ----a-w- c:\documents and settings\All Users\Application Data\ituvuzeso.sys
2009-10-08 17:38 . 2009-10-08 17:38 11034 ----a-w- c:\documents and settings\All Users\Application Data\ituvuzeso.sys
2009-09-13 03:06 . 2009-09-13 03:06 152576 ----a-w- c:\documents and settings\Joe\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-09-11 14:18 . 2001-08-23 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2001-08-23 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2004-02-06 22:05 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2004-07-17 06:09 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-17 04:56 . 2009-08-17 04:56 1208891 --sha-w- c:\windows\system32\kudebeze.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kxuyuqim"="c:\documents and settings\Joe\Application Data\?dobe\n?tepad.exe" [?]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="c:\program files\Symantec\LiveUpdate\ALUNotify.exe" [2009-11-18 78432]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
CoreCenter.lnk - c:\program files\MSI\Core Center\CoreCenter.exe [2004-7-17 812544]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MIDI1"=diomidi.dll
"wave1"=Digi32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Documents and Settings\\Joe\\Desktop\\utorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSI\\Core Center\\CoreCenter.exe"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccSetMgr.exe"=

R0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys [5/9/2006 4:54 PM 16384]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [12/22/2008 11:06 AM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/22/2008 11:05 AM 55024]
R3 dalwdmservice;dal service;c:\windows\system32\drivers\Dalwdm.sys [5/9/2006 4:54 PM 105472]
R3 EraserUtilDrvI9;EraserUtilDrvI9;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI9.sys [11/17/2009 10:17 PM 102448]
R3 MBX2DFU;MBX2DFU;c:\windows\system32\drivers\mbx2dfu.sys [5/9/2006 4:54 PM 15488]
R3 MBX2MIDK;Digidesign Mbox 2 Midi Driver;c:\windows\system32\drivers\mbx2midk.sys [5/9/2006 4:54 PM 15232]
S3 EraserUtilDrv10920;EraserUtilDrv10920;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10920.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10920.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/22/2008 11:06 AM 7408]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [4/17/2005 11:30 AM 124608]
.
Contents of the 'Scheduled Tasks' folder

2009-11-19 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2007-03-19 21:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: principal.com\www
TCP: {A119825C-0782-4C8E-A037-BAADCDC4292D} = 77.74.48.113
TCP: {CF51FC7F-C0A7-4DEA-98AE-425C977D5921} = 77.74.48.113
DPF: {E7C44C86-0CD3-11D2-9311-00A0247A4E65} - hxxp://65.246.89.22/JWALKC10/JWalkXS/ais40.cab
.
- - - - ORPHANS REMOVED - - - -

BHO-{40c11fc6-2f57-4655-8ab7-87f75b93753a} - gegupota.dll
Toolbar-SITEguard - (no file)
HKLM-Run-guduvofeka - kufuyinu.dll
SharedTaskScheduler-{3a41e3cd-53b0-475f-996d-aef3c9d68aac} - c:\windows\system32\giwewona.dll
SSODL-lomamilem-{3a41e3cd-53b0-475f-996d-aef3c9d68aac} - c:\windows\system32\giwewona.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-19 15:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1b,48,40,3a,ec,84,52,48,84,01,d5,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1b,48,40,3a,ec,84,52,48,84,01,d5,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{1ED6A320-8AF3-4f06-868A-9BA95585712E}\Implemented Categories\{00021493-0000-0000-C000-000000000046}]
@DACL=(02 0000)
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(900)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2404)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-11-19 15:16 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-19 20:16
ComboFix2.txt 2007-10-25 04:11

Pre-Run: 64,721,510,400 bytes free
Post-Run: 65,882,812,416 bytes free

Current=4 Default=4 Failed=2 LastKnownGood=3 Sets=1,2,3,4
- - End Of File - - 181D1430513CE00FF30E5C518013DECF

#6 GSBJoe


Posted 23 November 2009 - 10:11 PM

BTW, forgot to mention that Symantec continues to report that it has quarantined multiple "Trojan Dropper"s, and just now it also reported "infostealer" & "downloader", file names aruxss.exe & excbx.exe respectively. Thanks for your response!

#7 Raktor


Posted 24 November 2009 - 07:13 PM

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad and copy/paste the text in the quote box below into it:

http://www.bleepingcomputer.com/forums/t/272799/infected-with-trojan-vundo/

Collect::
C:\vuou.exe
C:\aruxss.exe
C:\kewwr.exe
C:\excbx.exe
c:\windows\system32\drivers\kgpcpy.cfg
c:\documents and settings\Joe\Application Data\ucica.bin
c:\program files\Common Files\xipafo.pif
c:\program files\Common Files\nalekuf.pif
c:\documents and settings\Joe\Local Settings\Application Data\milu.dat
c:\documents and settings\All Users\Application Data\bobopovix.com
c:\documents and settings\All Users\Application Data\bobopovix.com
c:\documents and settings\Joe\Local Settings\Application Data\logeheqa.sys
c:\program files\Common Files\gude.lib
c:\documents and settings\All Users\Application Data\ituvuzeso.sys
c:\windows\system32\kudebeze.exe

Folder::
C:\VundoFix Backups

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kxuyuqim"=-

FixCSet::

DDS::
TCP: {A119825C-0782-4C8E-A037-BAADCDC4292D} = 77.74.48.113
TCP: {CF51FC7F-C0A7-4DEA-98AE-425C977D5921} = 77.74.48.113


Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as aaah111.exe


[image: CFScript.txt being dragged onto aaah111.exe]

Please make sure you are online, to get the latest updates, then, referring to the picture above, drag CFScript into aaah111.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
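The Collect::, Registry:: and DDS:: sections of the script above are built from a handful of tell-tale entries in the DDS report posted in #1. As an added illustration of that triage (example code written for this page, not part of DDS, ComboFix or the thread), the Python below scans constructed DDS-style lines modelled on that report and flags the same four kinds of entry the script targets: a Run value whose path prints with "?" characters (Kxuyuqim), TCP: nameserver entries pointing at a public address (77.74.48.113), executables dropped in the drive root (vuou.exe and friends), and a hidden+system executable under system32 (kudebeze.exe). The rule names, the Finding type and the reading of the DDS attribute flags (s = system, h = hidden) are my assumptions, as is the explanation of the "?" characters.

```python
"""Triage helper for DDS-style log lines.

Added example for this thread; not code from DDS, ComboFix or BleepingComputer.
It flags the kinds of entries a helper would act on in a Vundo-era DDS report.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List

# Constructed sample, modelled on lines from the DDS report posted in this thread.
SAMPLE_LOG = r"""
uRun: [Kxuyuqim] "c:\documents and settings\joe\application data\?dobe\n?tepad.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dRun: [ALUAlert] c:\program files\symantec\liveupdate\ALUNotify.exe
TCP: {A119825C-0782-4C8E-A037-BAADCDC4292D} = 77.74.48.113
TCP: {CF51FC7F-C0A7-4DEA-98AE-425C977D5921} = 192.168.1.1
2009-11-17 04:55:33 41632 ----a-w- C:\vuou.exe
2009-11-19 19:53:36 77312 ----a-w- c:\windows\MBR.exe
2009-11-19 19:55:02 0 d-sha-r- C:\cmdcons
2009-08-17 04:56:09 1208891 --sha-w- c:\windows\system32\kudebeze.exe
"""


@dataclass
class Finding:
    rule: str    # assumed rule name, e.g. "public-dns"
    detail: str  # the value that triggered the rule
    line: str    # the original log line


# uRun/dRun autorun entries: "uRun: [Name] path" with the path optionally quoted.
RUN_RE = re.compile(r'^[ud]Run:\s*\[(?P<name>[^\]]+)\]\s*"?(?P<path>.+?)"?\s*$')
# Per-adapter nameserver entries: "TCP: {GUID} = server".
TCP_RE = re.compile(r'^TCP:\s*\{[0-9A-Fa-f-]+\}\s*=\s*(?P<server>\S+)')
# "Created Last 30" / Find3M rows: date time size attrs path.
FILE_RE = re.compile(
    r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\d+\s+(?P<attrs>[-\w]{8})\s+(?P<path>.+)$')
# An executable sitting directly in the root of a drive, e.g. C:\vuou.exe.
ROOT_EXE_RE = re.compile(r'^[a-z]:\\[^\\]+\.(exe|scr|com|pif|bat)$', re.IGNORECASE)
EXEC_EXT = ('.exe', '.dll', '.scr', '.com', '.pif')


def triage(log_text: str) -> List[Finding]:
    """Return findings for the suspicious entries in a DDS-style log, in line order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = RUN_RE.match(line)
        if m:
            # Assumption: DDS prints '?' where a path character falls outside the
            # log's code page; a lookalike directory such as "?dobe" is a classic
            # sign of a hijacked autorun rather than a real Adobe component.
            if '?' in m['path']:
                findings.append(Finding('odd-char-autorun', m['name'], line))
            continue

        m = TCP_RE.match(line)
        if m:
            try:
                server = ipaddress.ip_address(m['server'])
            except ValueError:
                continue  # hostname or garbage; not handled here
            # A home machine normally resolves through its router (private range);
            # a public nameserver pushed into the adapter config explains
            # "Google searches are useless" and blocked security sites.
            if server.is_global:
                findings.append(Finding('public-dns', str(server), line))
            continue

        m = FILE_RE.match(line)
        if m:
            path, attrs = m['path'], m['attrs']
            if attrs.startswith('d'):
                continue  # directory row
            if ROOT_EXE_RE.match(path):
                findings.append(Finding('root-executable', path, line))
            # Assumption: in the DDS attribute string 's' = system and 'h' = hidden.
            if 's' in attrs and 'h' in attrs and path.lower().endswith(EXEC_EXT):
                findings.append(Finding('hidden-system-executable', path, line))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.rule:26} {f.detail}')
```

On the sample above the script reports the Kxuyuqim autorun, the 77.74.48.113 nameserver, C:\vuou.exe and kudebeze.exe, and stays silent on ctfmon.exe, ALUAlert, the router address, MBR.exe and the cmdcons directory. It is a reading aid for a log you already have, not a cleaner: it touches nothing on disk.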

#8 GSBJoe


Posted 25 November 2009 - 05:37 PM

Thanks for your patience. Before I post the combofix log, I have to report the following:
My computer automatically restarted overnight, and when I attempted to log on, I got the following two messages -

"Windows cannot load the locally stored profile. Possible causes of this error include insufficient security rights or a corrupt local profile. If this problem persists, contact your network administrator."

"Windows is logging you onto a temporary profile. All changes you make to this profile will be lost when you log off. (paraphrasing this one as it was gone before I could write it down)"

All of my files, favorites, and programs are still on the C drive, but I have to search for them. However, my desktop only has some programs available, and I cannot use my email (program will not start, claims to need a disc), nor can I use Internet Explorer (program starts, but I cannot connect, despite apparently having my normal wireless connection, as indicated on the bottom task bar). I had to use another computer to get your instructions and then I had to type in the CFScript manually on my computer. When I followed your instructions, ComboFix started up with no problems. Also, when the machine rebooted and the ComboFix log popped up, an EULA window popped up with the following message:


"SYSINTERNALS SOFTWARE LICENSE TERMS
These license terms are an agreement between Sysinternals (a wholly owned subsidiary of Microsoft Corporation) and you. Please read them. They apply to the software you are downloading from Sysinternals.com, which includes the media on which you received it, if any. The terms also apply to any Sysinternals
updates,
supplements,
Internet-based services, and
support services
for this software, unless other terms accompany those items. If so, those terms apply.
etc..."

Since I have no idea what this is, I am not clicking on any of the options until I hear back from you. Combofix log copied below as requested. I have a question though... at the bottom of the log it says that one of the running processes is Symantec real time virus scan, which I had turned off at the beginning of the scan. I hope this is not a problem...

ComboFix 09-11-19.02 - Joe 11/25/2009 16:20.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2559.2154 [GMT -5:00]
Running from: c:\documents and settings\Joe\Desktop\aaah111.exe
Command switches used :: c:\documents and settings\Joe\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

file zipped: c:\documents and settings\All Users\Application Data\ituvuzeso.sys
file zipped: c:\documents and settings\Joe\Application Data\ucica.bin
file zipped: c:\documents and settings\Joe\Local Settings\Application Data\milu.dat
file zipped: c:\program files\Common Files\gude.lib
file zipped: c:\program files\Common Files\nalekuf.pif
file zipped: c:\program files\Common Files\xipafo.pif
file zipped: c:\windows\system32\drivers\kgpcpy.cfg
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\ituvuzeso.sys
c:\documents and settings\Joe\Application Data\ucica.bin
c:\documents and settings\Joe\Local Settings\Application Data\milu.dat
c:\program files\Common Files\gude.lib
c:\program files\Common Files\nalekuf.pif
c:\program files\Common Files\xipafo.pif
C:\VundoFix Backups
c:\windows\system32\drivers\kgpcpy.cfg

.
((((((((((((((((((((((((( Files Created from 2009-10-25 to 2009-11-25 )))))))))))))))))))))))))))))))
.

2009-11-25 21:32 . 2009-11-25 21:32 -------- d-----w- c:\documents and settings\TEMP
2009-11-25 20:04 . 2009-11-25 20:04 -------- d-sh--w- c:\documents and settings\Sue\IETldCache
2009-11-21 18:48 . 2009-11-21 18:48 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2009-11-19 20:06 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-11-19 20:06 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-11-19 19:53 . 2009-11-19 19:55 -------- d-----w- C:\aaah111
2009-11-19 19:38 . 2009-11-19 19:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-19 01:40 . 2009-11-19 01:40 -------- d-----w- c:\documents and settings\Joe\Application Data\Malwarebytes
2009-11-19 01:40 . 2009-11-19 01:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-19 00:20 . 2009-11-19 00:20 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-11-18 03:36 . 2009-11-18 03:36 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
2009-11-18 02:24 . 2009-11-18 02:24 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-18 02:24 . 2009-11-18 02:24 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-25 21:32 . 2007-03-19 23:33 -------- d-----w- c:\program files\Symantec AntiVirus
2009-11-25 08:18 . 2004-07-17 14:59 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-11-18 04:35 . 2005-02-08 07:54 -------- d-----w- c:\program files\QuickTime
2009-11-18 04:33 . 2009-01-12 01:35 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-18 03:47 . 2009-03-13 21:44 117760 ----a-w- c:\documents and settings\Joe\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-18 03:08 . 2007-03-10 19:34 -------- d-----w- c:\documents and settings\Joe\Application Data\ZoomBrowser EX
2009-11-18 02:58 . 2007-03-10 19:30 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2009-11-16 03:12 . 2007-01-16 02:41 -------- d-----w- c:\documents and settings\Joe\Application Data\uTorrent
2009-10-09 20:25 . 2009-10-09 20:25 -------- d-----w- c:\program files\Microsoft Silverlight
2009-10-09 19:48 . 2009-10-09 04:44 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-10-09 19:45 . 2009-10-09 04:45 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-10-09 04:44 . 2009-10-09 04:44 -------- d-----w- c:\program files\Common Files\iS3
2009-10-09 03:43 . 2004-11-22 19:29 -------- d-----w- c:\documents and settings\Joe\Application Data\AdobeUM
2009-10-08 17:38 . 2009-10-08 17:38 13890 ----a-w- c:\documents and settings\All Users\Application Data\bobopovix.com
2009-10-08 17:38 . 2009-10-08 17:38 13890 ----a-w- c:\documents and settings\All Users\Application Data\bobopovix.com
2009-10-08 17:38 . 2009-10-08 17:38 13153 ----a-w- c:\documents and settings\Joe\Local Settings\Application Data\logeheqa.sys
2009-09-13 03:06 . 2009-09-13 03:06 152576 ----a-w- c:\documents and settings\Joe\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-09-11 14:18 . 2001-08-23 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2001-08-23 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2004-02-06 22:05 916480 ------w- c:\windows\system32\wininet.dll
2009-08-17 04:56 . 2009-08-17 04:56 1208891 --sha-w- c:\windows\system32\kudebeze.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-11-19_20.11.07 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-25 21:31 . 2009-11-25 21:31 16384 c:\windows\TEMP\Perflib_Perfdata_144.dat
- 2007-01-29 08:58 . 2009-07-14 11:03 46080 c:\windows\system32\tzchange.exe
+ 2007-01-29 08:58 . 2009-10-28 15:07 46080 c:\windows\system32\tzchange.exe
- 2007-03-19 23:34 . 2007-03-19 23:34 40960 c:\windows\Installer\{5A633ED0-E5D7-4D65-AB8D-53ED43510284}\NewShortcut1.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
+ 2007-03-19 23:34 . 2009-11-19 20:55 40960 c:\windows\Installer\{5A633ED0-E5D7-4D65-AB8D-53ED43510284}\NewShortcut1.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
+ 2007-03-19 23:34 . 2009-11-19 20:55 25214 c:\windows\Installer\{5A633ED0-E5D7-4D65-AB8D-53ED43510284}\ARPPRODUCTICON.exe
- 2007-03-19 23:34 . 2007-03-19 23:34 25214 c:\windows\Installer\{5A633ED0-E5D7-4D65-AB8D-53ED43510284}\ARPPRODUCTICON.exe
+ 2008-08-30 00:57 . 2009-07-31 15:05 1372672 c:\windows\system32\msxml6.dll
+ 2004-07-17 06:08 . 2009-07-31 04:35 1172480 c:\windows\system32\msxml3.dll
+ 2008-08-30 00:57 . 2009-07-31 15:05 1372672 c:\windows\system32\dllcache\msxml6.dll
+ 2008-11-15 02:17 . 2009-07-31 04:35 1172480 c:\windows\system32\dllcache\msxml3.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
CoreCenter.lnk - c:\program files\MSI\Core Center\CoreCenter.exe [2004-7-17 812544]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MIDI1"=diomidi.dll
"wave1"=Digi32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Documents and Settings\\Joe\\Desktop\\utorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSI\\Core Center\\CoreCenter.exe"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccSetMgr.exe"=

R0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys [5/9/2006 4:54 PM 16384]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [12/22/2008 11:06 AM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/22/2008 11:05 AM 55024]
R3 dalwdmservice;dal service;c:\windows\system32\drivers\Dalwdm.sys [5/9/2006 4:54 PM 105472]
R3 MBX2DFU;MBX2DFU;c:\windows\system32\drivers\mbx2dfu.sys [5/9/2006 4:54 PM 15488]
R3 MBX2MIDK;Digidesign Mbox 2 Midi Driver;c:\windows\system32\drivers\mbx2midk.sys [5/9/2006 4:54 PM 15232]
R3 PCAlertDriver;PCAlertDriver;c:\program files\MSI\Core Center\NTGLM7X.SYS [7/17/2004 12:57 PM 22503]
S3 EraserUtilDrv10920;EraserUtilDrv10920;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10920.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10920.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/22/2008 11:06 AM 7408]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [4/17/2005 11:30 AM 124608]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - PCALERTDRIVER
*NewlyCreated* - RUSHTOPDEVICE
*Deregistered* - EraserUtilDrvI9
.
Contents of the 'Scheduled Tasks' folder

2009-11-25 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2007-03-19 21:32]
.
.
------- Supplementary Scan -------
.
TCP: {A119825C-0782-4C8E-A037-BAADCDC4292D} = 77.74.48.113
DPF: {E7C44C86-0CD3-11D2-9311-00A0247A4E65} - hxxp://65.246.89.22/JWALKC10/JWalkXS/ais40.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-25 16:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1b,48,40,3a,ec,84,52,48,84,01,d5,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1b,48,40,3a,ec,84,52,48,84,01,d5,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{1ED6A320-8AF3-4f06-868A-9BA95585712E}\Implemented Categories\{00021493-0000-0000-C000-000000000046}]
@DACL=(02 0000)
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(900)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3676)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\msiexec.exe
.
**************************************************************************
.
Completion time: 2009-11-25 16:38 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-25 21:38
ComboFix2.txt 2009-11-19 20:16
ComboFix3.txt 2007-10-25 04:11

Pre-Run: 65,714,794,496 bytes free
Post-Run: 65,680,191,488 bytes free

Current=4 Default=4 Failed=2 LastKnownGood=3 Sets=1,2,3,4
- - End Of File - - 6758728CB2FC3D2652A740697E757FE0
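Added example (not part of the thread, and not ComboFix's own code): a small Python triage helper that parses file lines in the layout of the log above and flags the entries a responder would look at first, namely executables carrying the hidden+system attribute combination and executables sitting in user-writable data directories. The flag rules, the directory list and the sample excerpt are constructed for this example; the sample lines mirror entries from the log above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed excerpt in the layout of ComboFix's "Files Created" / "Find3M"
# sections (mtime . ctime size attributes path); the lines mirror the log above.
SAMPLE_LOG = r"""
.
2009-11-25 21:32 . 2009-11-25 21:32 -------- d-----w- c:\documents and settings\TEMP
2009-11-19 20:06 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-10-08 17:38 . 2009-10-08 17:38 13153 ----a-w- c:\documents and settings\Joe\Local Settings\Application Data\logeheqa.sys
2009-09-11 14:18 . 2001-08-23 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-08-17 04:56 . 2009-08-17 04:56 1208891 --sha-w- c:\windows\system32\kudebeze.exe
"""

LINE_RE = re.compile(
    r"^(?P<mtime>\d{4}-\d\d-\d\d \d\d:\d\d) \. (?P<ctime>\d{4}-\d\d-\d\d \d\d:\d\d) "
    r"(?P<size>\S+) (?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)
EXEC_EXT = (".exe", ".dll", ".sys", ".pif", ".scr", ".com")
# Locations ordinary users can write to (constructed list); executables dropped there deserve a second look
USER_DATA_DIRS = ("\\application data\\", "\\common files\\", "\\local settings\\")


@dataclass
class Entry:
    mtime: str
    ctime: str
    size: Optional[int]  # None for directories, whose size column is "--------"
    attrs: str           # 8 flags, e.g. "--sha-w-": d=dir c=compressed s=system h=hidden a=archive r=read-only w=writable
    path: str

    @property
    def is_executable(self) -> bool:
        return self.attrs[0] != "d" and self.path.lower().endswith(EXEC_EXT)


def parse_line(line: str) -> Optional[Entry]:
    """Parse one file line; section headers, lone dots and blanks return None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    size = None if m["size"].startswith("-") else int(m["size"])
    return Entry(m["mtime"], m["ctime"], size, m["attrs"], m["path"])


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (path, reason) pairs for entries a responder should inspect first."""
    findings = []
    for entry in filter(None, map(parse_line, log_text.splitlines())):
        if not entry.is_executable:
            continue
        if "s" in entry.attrs and "h" in entry.attrs:
            findings.append((entry.path, "hidden+system executable"))
        elif any(d in entry.path.lower() for d in USER_DATA_DIRS):
            findings.append((entry.path, "executable in user-writable data directory"))
    return findings
```

Feed the full "Files Created", "Find3M" and "SnapShot" sections of a real log to `triage` to get a short list to research before trusting the machine again.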

#9 Raktor

Raktor

  • Members
  • 68 posts
  • OFFLINE
  • Local time:12:26 PM

Posted 26 November 2009 - 03:25 AM

We need to use System Restore to restore your computer back to a previous state - hopefully fixing your profile corruption issues.

Open System Restore from the Start Menu -> Programs -> Accessories.
Select Restore my computer to an earlier time
Pick the most recent restore point closest to the current date, and restore to that.
After rebooting the computer once the restore has taken place, please advise me if you are still experiencing profile issues.

There is a more detailed guide to restoring from a system restore point here, if you need help.

#10 GSBJoe

GSBJoe
  • Topic Starter

  • Members
  • 85 posts
  • OFFLINE
  • Local time:09:26 PM

Posted 26 November 2009 - 12:57 PM

I followed instructions for System Restore. When I attempted to log in, I got the same messages about my profile that I posted last time. I also got this message:

Your computer cannot be restored to:

Tuesday, November 24, 2009
System Checkpoint

No changes have been made to your computer. To choose another restore point, restart System Restore.

Also, about an hour after I last ran combofix, my personal desktop background changed back to my photo instead of the windows default photo. However, that was the only change I noticed. The default photo is back up now, after the attempt at System Restore.

#11 Raktor

Raktor

  • Members
  • 68 posts
  • OFFLINE
  • Local time:12:26 PM

Posted 26 November 2009 - 06:15 PM

See if there's a restore point about the 19th - I believe Combofix should have made one.

#12 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:26 PM

Posted 27 November 2009 - 09:43 AM

Hi GSBJoe,
My colleague Raktor is going to be temporarily unavailable so I am going to continue assisting you. Go ahead and please follow his last step and we will proceed from there.
Kind regards,
~ t
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#13 GSBJoe

GSBJoe
  • Topic Starter

  • Members
  • 85 posts
  • OFFLINE
  • Local time:09:26 PM

Posted 27 November 2009 - 11:39 AM

OK, done. Nothing has changed and I got the same message. I don't have any other restore points either, prior to the 19th. Must have been turned off.

#14 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:26 PM

Posted 27 November 2009 - 06:44 PM

Alright. Thanks for the detailed feedback. :(

Please proceed as I have outlined below. If it is ineffective just stop and tell me about it. I have sequential steps for you to perform if necessary.

Please do this...........

Please save the following instructions into Notepad and print it out as this webpage would not be available when you're carrying out the process.

Restart your computer
Before Windows loads, you will be prompted to choose which Operating System to start.
Use the up and down arrow key to select Microsoft Windows Recovery Console.
You must enter which Windows installation to log onto. Type 1 or whatever number it takes to get you to C:\Windows. Then press enter.

At the C:\Windows prompt, type the following bolded text, and press Enter:

cd erdnt\hiv-backup

At the next prompt, type the following bolded text, and press Enter:

batch erdnt.con

The erunt backups will begin copying.
At the next prompt, type the following bolded text, and press Enter:

exit

Windows will now begin loading.
Success?

#15 GSBJoe

GSBJoe
  • Topic Starter

  • Members
  • 85 posts
  • OFFLINE
  • Local time:09:26 PM

Posted 27 November 2009 - 08:29 PM

Before I carry out this step, I have to say that "Windows Recovery" sounds a little ominous. Should I try to move my family photos and documents onto an external HD before I do anything else? I have two externals hooked up but I shut them off when the virus hit...



