
Vundo Infection?


This topic is locked
15 replies to this topic

#1 too-much-rc


Posted 10 December 2009 - 12:20 AM

Dear Bleeping Computer folks,

On 11/18, I downloaded a couple of programs from the internet that I suspect may have infected my PC with some malware. The programs that were downloaded were DVDFab, DVD Shrink, and MagicDisc.

A couple days later Avast found and allegedly removed several trojans, worms, and/or viruses. It has since been uninstalled, so I can't find the logs.

I then downloaded Microsoft Security Essentials to try to clean my system. I booted to Safe Mode and ran a full disk scan. The first time through, 11 instances of Vundo were found and allegedly removed. The next day another full scan was performed and nothing was found. On day three, 3 more instances of Vundo files were found (Vundo.B, Vundo.FA, and Vundo.gen!G). Also a copy of Aegrus was found. Since this point, 2 more full system scans have been run, but nothing was found. Unfortunately, I am getting random popup ads, etc. These are definitely not caused by clicking on advertisements in web pages.

Can you please help?

Thank you very much,
too-much-rc




DDS (Ver_09-12-01.01) - NTFSx86
Run by David at 21:48:24.73 on Wed 12/09/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1526.691 [GMT -6:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\Program Files\Slacker\USB Station Refresher\slacker.portable.service.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\java.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\My Lockbox\flockbox.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\VWS\vws.exe
C:\Program Files\Slacker\USB Station Refresher\slacker.tray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\My Lockbox\flockbox.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Picture It! Premium 10\Pod.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\David\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com
uWindow Title = Windows Internet Explorer provided by Yahoo!
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearch Bar = hxxp://bfc.myway.com/search/de_srchlft.html
uInternet Connection Wizard,ShellNext = hxxp://shell.windows.com/fileassoc/0409/xml/redir.asp?Ext=THM
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: N/A: {4d25f926-b9fe-4682-bf72-8ab8210d6d75} - c:\program files\mywaysa\srchasde\1.bin\deSrcAs.dll
uURLSearchHooks: Yahoo! uC: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn1\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn1\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Gamevance: {0ed403e8-470a-4a8a-85a4-d7688cfe39a3} - c:\program files\gamevance\gamevancelib32.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Yahoo! uC: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn1\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {5BED3930-2E9E-76D8-BACC-80DF2188D455} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: Easy-WebPrint: {03c1c47f-0538-4645-8372-d3109b9fc636} - c:\program files\canon\easy-webprint\Toolband.dll
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [vws]
mRun: [flockbox] c:\program files\my lockbox\flockbox.exe /a
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [LELA] "c:\program files\linksys\linksys easylink advisor\Linksys EasyLink Advisor.exe" /minimized
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide
mRun: [veruvemeb] Rundll32.exe "c:\windows\system32\sesifigu.dll",a
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\david\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\david\startm~1\programs\startup\virtua~1.lnk - c:\program files\vws\vws.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: taxactonline.com\www
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {08D390AE-5101-4701-A89F-6C6DADCCC402} - hxxp://photos.msn.com/resources/neutral/controls/MsnPPick.cab?10,0,910,0
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/betapit/PCPitStop.CAB
DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - hxxp://w4s2.work4sure.com/c/ge/w4sgeen9.exe
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/WebfettiInitialSetup1.0.1.1.cab
DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - hxxp://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} - hxxp://apps.corel.com/nos_dl_manager_dev/plugin/IEGetPlugin.ocx
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238553860875
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - hxxp://download.yahoo.com/dl/mail/ymmapi.cab
DPF: {A8683C98-5341-421B-B23C-8514C05354F1} - hxxp://www.samsphotoclub.com/upload/FujifilmUploadClient.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D44C75D8-C827-473E-8F68-A77E42500782} - hxxp://ms.digitalcameradeveloping.com/mupload/WebUploadClient.cab
DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
DPF: {E6BB2089-163F-466B-812A-748096614DFD} - hxxp://cainternetsecurity.net/scanner/cascanner.cab
DPF: {FE5B9F54-7764-4C01-89F0-4862601EE954} - hxxp://photos.msn.com/resources/neutral/controls/DigWebX2.cab?10,0,910,0
DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/Optimize3/pcpitstop2.dll
TCP: {3E24581C-507A-4C38-99B5-DB022A49A00A} = 199.184.119.1,199.2.252.10
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp3.dll
Notify: igfxcui - igfxdev.dll
Notify: WRNotifier - WRLogonNTF.dll
AppInit_DLLs: pepuvago.dll mururere.dll c:\windows\system32\sesifigu.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: bagubinoz - {e2671bd8-de30-4064-afc3-b4109b25f8ea} - c:\windows\system32\sesifigu.dll
STS: {042736f9-736c-4c81-b552-dcf2b4291edb} - No File
STS: tokatiluy: {e2671bd8-de30-4064-afc3-b4109b25f8ea} - c:\windows\system32\sesifigu.dll
LSA: Notification Packages = scecli hujotoge.dll naduhege.dll

============= SERVICES / DRIVERS ===============

R0 MPRIFL;MPRIFL;c:\windows\system32\drivers\mprifl.sys [2008-7-17 17264]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 142832]
R2 io.sys;IO.DLL Driver;c:\windows\system32\drivers\io.sys [2007-3-4 5152]
R2 LinksysUpdater;Linksys Updater;c:\program files\linksys\linksys updater\bin\LinksysUpdater.exe [2008-4-18 204800]
R2 Slacker Portable Service;Slacker Portable Service;c:\program files\slacker\usb station refresher\slacker.portable.service.exe [2008-10-31 234176]
S2 mrtRate;mrtRate; [x]
S3 SLACKERDRV;Slacker Portable USB Driver;c:\windows\system32\drivers\SlackerUSB.sys [2008-10-31 20480]

=============== Created Last 30 ================

2009-12-05 04:40:28 30784 ----a-w- c:\windows\system32\drivers\dkucztyt.sys
2009-12-05 04:26:51 30784 ----a-w- c:\windows\system32\drivers\myojtjgy.sys
2009-12-05 04:13:23 30784 ----a-w- c:\windows\system32\drivers\jjxcmgny.sys
2009-12-05 04:03:09 30784 ----a-w- c:\windows\system32\drivers\rcabuwax.sys
2009-12-05 03:49:32 30784 ----a-w- c:\windows\system32\drivers\owxnmkvj.sys
2009-12-05 03:41:12 30784 ----a-w- c:\windows\system32\drivers\ddhezhca.sys
2009-12-04 06:37:34 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-12-04 06:27:48 0 d-----w- c:\program files\Microsoft Security Essentials
2009-12-04 05:41:40 0 d-----w- c:\docume~1\alluse~1\applic~1\CA
2009-12-02 05:42:28 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-11-22 21:59:46 0 d-----w- c:\docume~1\alluse~1\applic~1\Linksys
2009-11-22 21:58:55 23992 ----a-w- c:\windows\system32\drivers\pnarp.sys
2009-11-22 21:58:44 25272 ----a-w- c:\windows\system32\drivers\purendis.sys
2009-11-22 21:58:36 0 d-----w- c:\program files\common files\Pure Networks Shared
2009-11-22 21:58:17 0 d-----w- c:\docume~1\alluse~1\applic~1\Pure Networks
2009-11-22 21:56:56 0 d-----w- c:\program files\Linksys
2009-11-19 03:17:19 116736 ----a-w- c:\windows\system32\drivers\mcdbus.sys
2009-11-19 03:17:18 0 d-----w- c:\program files\MagicDisc
2009-11-19 00:51:34 0 d-----w- c:\program files\DVD Shrink
2009-11-19 00:49:43 87608 ----a-w- c:\docume~1\david\applic~1\inst.exe
2009-11-19 00:49:43 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-11-19 00:49:43 47360 ----a-w- c:\docume~1\david\applic~1\pcouffin.sys
2009-11-19 00:49:28 0 d-----w- c:\program files\DVDFab 6

==================== Find3M ====================

2009-10-21 04:08:54 3598336 ----a-w- c:\windows\system32\dllcache\mshtml.dll
2009-09-11 14:33:52 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:33:52 133632 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-09 18:01:17 38400 --sha-w- c:\windows\system32\befuguye.dll
2009-09-09 17:01:05 51712 --sha-w- c:\windows\system32\gorikava.dll
2009-09-09 04:00:24 92672 --sha-w- c:\windows\system32\jowuvize.dll
2009-09-09 17:01:05 51712 --sha-w- c:\windows\system32\mururere.dll
2009-09-09 17:01:05 51712 --sha-w- c:\windows\system32\naduhege.dll
2009-09-09 05:00:33 38400 --sha-w- c:\windows\system32\pawadeze.dll
2009-09-09 17:00:59 51712 --sha-w- c:\windows\system32\ratobelu.dll
2009-09-09 18:01:17 91648 --sha-w- c:\windows\system32\sesifigu.dll
2009-09-09 17:00:59 61440 --sha-w- c:\windows\system32\tehenupo.dll
2009-09-09 04:00:24 38912 --sha-w- c:\windows\system32\teyodalu.dll
2009-09-09 04:00:24 52736 --sha-w- c:\windows\system32\witafika.dll
2009-09-09 17:00:59 92672 --sha-w- c:\windows\system32\wofarola.dll
2009-09-09 17:00:59 38912 --sha-w- c:\windows\system32\yavawabo.dll
2009-09-09 05:00:33 52736 --sha-w- c:\windows\system32\yegisafe.dll
2009-09-09 05:00:33 92160 --sha-w- c:\windows\system32\yupajedu.dll
2009-09-09 04:00:24 61952 --sha-w- c:\windows\system32\zopirozu.dll
2009-05-22 22:08:37 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009052220090523\index.dat

============= FINISH: 21:48:48.89 ===============

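The DDS log above shows every load point this Vundo variant used: AppInit_DLLs populated with three DLLs, SSODL and SharedTaskScheduler (STS) entries pointing at the same sesifigu.dll, an LSA Notification Packages value padded beyond the default scecli, an mRun value that launches a system32 DLL through Rundll32.exe, a family of hidden+system DLLs with eight random lowercase letters for names, and six identically sized (30784-byte) drivers dropped minutes apart on 12/05. The script below is an added example for this thread; it is not part of the original post and is not DDS, ComboFix or BleepingComputer code. It parses DDS-format lines (not the ComboFix "date . date size attrs path" variant), flags those indicators, and builds a Collect:: list in the shape the helper uses later in the thread. The sample log is constructed from line shapes in the thread rather than the full log, and the eight-letter name rule, the burst thresholds and the Collect:: layout are triage assumptions, not anything DDS or ComboFix specify.

```python
"""Flag Vundo-style persistence indicators in DDS-format log lines.

Added example for this thread, not DDS, ComboFix or BleepingComputer code.
Heuristics (assumed): Vundo payloads here use eight random lowercase letters,
and a run of same-size random-named drivers minutes apart is a dropper re-running.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the shapes DDS prints (autostart lines, then file listings).
SAMPLE_LOG = r"""
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide
mRun: [veruvemeb] Rundll32.exe "c:\windows\system32\sesifigu.dll",a
AppInit_DLLs: pepuvago.dll mururere.dll c:\windows\system32\sesifigu.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: bagubinoz - {e2671bd8-de30-4064-afc3-b4109b25f8ea} - c:\windows\system32\sesifigu.dll
STS: tokatiluy: {e2671bd8-de30-4064-afc3-b4109b25f8ea} - c:\windows\system32\sesifigu.dll
LSA: Notification Packages = scecli hujotoge.dll naduhege.dll
2009-12-05 04:40:28 30784 ----a-w- c:\windows\system32\drivers\dkucztyt.sys
2009-12-05 04:26:51 30784 ----a-w- c:\windows\system32\drivers\myojtjgy.sys
2009-12-05 04:13:23 30784 ----a-w- c:\windows\system32\drivers\jjxcmgny.sys
2009-11-22 21:58:55 23992 ----a-w- c:\windows\system32\drivers\pnarp.sys
2009-09-11 14:33:52 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-09 18:01:17 38400 --sha-w- c:\windows\system32\befuguye.dll
2009-09-09 18:01:17 91648 --sha-w- c:\windows\system32\sesifigu.dll
"""

# Eight lowercase letters plus .dll/.sys, not preceded by another name character.
# Legitimate names of that shape exist, so this is a triage signal that the
# attribute flags or the load point below must confirm.
RANDOM_NAME = re.compile(r"(?<![a-z0-9_])[a-z]{8}\.(?:dll|sys)\b")
# DDS file listing: "YYYY-MM-DD HH:MM:SS size attrs path" (attrs like ----a-w- or --sha-w-).
FILE_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+([-a-z]{8})\s+(.+)$")
# Autostart locations DDS reports that this log shows Vundo using.
LOAD_POINTS = ("uRun:", "mRun:", "SSODL:", "STS:", "BHO:", "uURLSearchHooks:")


def basename(path):
    return path.strip().replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(text, burst_min=3, burst_window_hours=2):
    findings = defaultdict(list)
    drivers = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line.startswith("AppInit_DLLs:"):
            # Empty on a clean XP install; every entry is mapped into each user32 process.
            findings["appinit_dlls"].extend(line.split(":", 1)[1].split())
        elif line.startswith("LSA: Notification Packages"):
            # Default is scecli alone; extra packages are called on password changes.
            pkgs = line.split("=", 1)[1].split()
            findings["lsa_packages"].extend(p for p in pkgs if p.lower() != "scecli")
        elif line.startswith(LOAD_POINTS):
            # Load points referencing a random-named DLL, or any rundll32 launcher.
            lowered = line.lower()
            if RANDOM_NAME.search(lowered) or "rundll32" in lowered:
                findings["load_points"].append(line)
        else:
            m = FILE_LINE.match(line)
            if not m:
                continue
            ts, size, attrs, path = m.groups()
            name = basename(path)
            if not RANDOM_NAME.fullmatch(name):
                continue
            if "s" in attrs and "h" in attrs:
                # system+hidden flags on a random-named file: the payload DLL pattern.
                findings["hidden_random_files"].append(path.strip())
            if name.endswith(".sys"):
                stamp = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
                drivers.append((stamp, int(size), path.strip()))
    # Burst: >= burst_min same-size random-named drivers inside one short window.
    by_size = defaultdict(list)
    for stamp, size, path in drivers:
        by_size[size].append((stamp, path))
    for size, items in by_size.items():
        items.sort()
        span = (items[-1][0] - items[0][0]).total_seconds()
        if len(items) >= burst_min and span <= burst_window_hours * 3600:
            findings["driver_bursts"].append({"size": size, "paths": [p for _, p in items]})
    return dict(findings)


def collect_script(findings, thread_url):
    """Collect:: section in the layout used later in this thread (URL, blank line,
    Collect::, one path per line). The layout is copied from the post, not a spec."""
    paths = list(findings.get("hidden_random_files", []))
    for burst in findings.get("driver_bursts", []):
        paths.extend(burst["paths"])
    return "\n".join([thread_url, "", "Collect::", *paths]) + "\n"


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for key, items in result.items():
        print(f"{key}: {len(items)}")
    print(collect_script(result, "http://www.bleepingcomputer.com/forums/t/277714/vundo-infection/"))
```

Point it at a saved DDS.txt with analyze(open("DDS.txt").read()) and expect some noise from the name rule; a hit only means something when the same DLL also carries the system+hidden flags or sits in AppInit_DLLs, SSODL, STS or LSA Notification Packages, which is exactly the combination the log above shows for sesifigu.dll.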

#2 Raktor


Posted 10 December 2009 - 05:48 AM

Hi, welcome to the BC Forums. My username is Raktor, and I would be glad to help you with your malware issues. I'd be grateful if you would note the following:
  • Absence of symptoms does not always mean the computer is clean
  • Please do not run any scans or fixes without my direction.
  • Finally, stay with this topic until I give you the final 'All clear' post.
Download Combofix from any of the links below.

Link 1
Link 2


==================================

Disable all antivirus and antispyware applications, then double-click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.


#3 too-much-rc


Posted 10 December 2009 - 09:49 AM

Raktor,

Thank you for your assistance.

Attached is the Combofix report:

-- too-much-rc



ComboFix 09-12-09.04 - David 12/10/2009 8:17.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1526.773 [GMT -6:00]
Running from: c:\documents and settings\David\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *On-access scanning disabled* (Outdated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\David\Application Data\inst.exe
c:\documents and settings\David\My Documents\ZbThumbnail.info
c:\windows\system32\befuguye.dll
c:\windows\system32\feheyabo.dll.tmp
c:\windows\system32\gorikava.dll
c:\windows\system32\jowuvize.dll
c:\windows\system32\jujivane.dll
c:\windows\system32\luhizadu.dll.tmp
c:\windows\system32\mururere.dll
c:\windows\system32\naduhege.dll
c:\windows\system32\nemirapu.dll.tmp
c:\windows\system32\pawadeze.dll
c:\windows\system32\peyusuze.dll
c:\windows\system32\ratobelu.dll
c:\windows\system32\rubapate.dll.tmp
c:\windows\system32\sesifigu.dll
c:\windows\system32\tehenupo.dll
c:\windows\system32\teyodalu.dll
c:\windows\system32\witafika.dll
c:\windows\system32\yaniyeve.dll.tmp
c:\windows\system32\yavawabo.dll
c:\windows\system32\yegisafe.dll
c:\windows\system32\yupajedu.dll
c:\windows\system32\zopirozu.dll
c:\windows\system32\zorinafo.dll.tmp
c:\windows\Tasks\leoerzlc.job
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat . . . . failed to delete
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat . . . . failed to delete

----- BITS: Possible infected sites -----

hxxp://77.74.48.111
.
((((((((((((((((((((((((( Files Created from 2009-11-10 to 2009-12-10 )))))))))))))))))))))))))))))))
.

2009-12-10 08:29 . 2009-12-10 08:29 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2009-12-05 04:40 . 2009-12-05 04:40 30784 ----a-w- c:\windows\system32\drivers\dkucztyt.sys
2009-12-05 04:26 . 2009-12-05 04:26 30784 ----a-w- c:\windows\system32\drivers\myojtjgy.sys
2009-12-05 04:13 . 2009-12-05 04:13 30784 ----a-w- c:\windows\system32\drivers\jjxcmgny.sys
2009-12-05 04:03 . 2009-12-05 04:03 30784 ----a-w- c:\windows\system32\drivers\rcabuwax.sys
2009-12-05 03:49 . 2009-12-05 03:49 30784 ----a-w- c:\windows\system32\drivers\owxnmkvj.sys
2009-12-05 03:41 . 2009-12-05 03:41 30784 ----a-w- c:\windows\system32\drivers\ddhezhca.sys
2009-12-04 06:37 . 2009-11-03 02:42 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-12-04 06:27 . 2009-12-05 03:20 -------- d-----w- c:\program files\Microsoft Security Essentials
2009-12-04 05:41 . 2009-12-04 05:41 -------- d-----w- c:\documents and settings\All Users\Application Data\CA
2009-12-02 05:42 . 2009-12-10 13:59 4876 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-02 03:43 . 2009-12-04 05:33 209208 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-11-22 22:03 . 2009-11-22 22:03 -------- d-----w- c:\documents and settings\David\Local Settings\Application Data\Linksys_LLC_-_A_Division_
2009-11-22 21:59 . 2009-11-22 22:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Linksys
2009-11-22 21:58 . 2008-04-09 06:14 23992 ----a-w- c:\windows\system32\drivers\pnarp.sys
2009-11-22 21:58 . 2009-11-22 21:58 -------- dc----w- c:\windows\system32\DRVSTORE
2009-11-22 21:58 . 2008-04-09 06:14 25272 ----a-w- c:\windows\system32\drivers\purendis.sys
2009-11-22 21:58 . 2009-11-22 21:58 -------- d-----w- c:\program files\Common Files\Pure Networks Shared
2009-11-22 21:58 . 2009-11-22 21:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Pure Networks
2009-11-22 21:56 . 2009-11-22 21:57 -------- d-----w- c:\program files\Linksys
2009-11-19 03:17 . 2009-02-25 00:42 116736 ----a-w- c:\windows\system32\drivers\mcdbus.sys
2009-11-19 03:17 . 2009-11-19 03:17 -------- d-----w- c:\program files\MagicDisc
2009-11-19 00:51 . 2009-11-19 03:02 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2009-11-19 00:51 . 2009-11-19 00:51 -------- d-----w- c:\program files\DVD Shrink
2009-11-19 00:49 . 2009-11-19 00:49 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-11-19 00:49 . 2009-11-19 00:50 -------- d-----w- c:\documents and settings\David\Application Data\Vso
2009-11-19 00:49 . 2009-11-19 00:49 -------- d-----w- c:\program files\DVDFab 6
2009-11-11 03:35 . 2009-11-11 03:35 -------- d-----w- c:\documents and settings\Becky\Application Data\Sony

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-09 03:19 . 2006-09-16 19:26 104616 ----a-w- c:\documents and settings\Becky\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-06 21:10 . 2008-05-18 05:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-12-06 21:10 . 2005-04-22 02:12 -------- d-----w- c:\documents and settings\David\Application Data\Yahoo!
2009-12-06 21:04 . 2009-08-07 04:37 -------- d-----w- c:\program files\Ace Utilities
2009-12-04 05:49 . 2008-10-09 15:40 -------- d-----w- c:\program files\Coupons
2009-11-22 22:41 . 2005-04-14 00:28 104616 ----a-w- c:\documents and settings\David\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-22 21:57 . 2005-04-08 11:24 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-19 00:49 . 2009-11-19 00:49 47360 ----a-w- c:\documents and settings\David\Application Data\pcouffin.sys
2009-11-19 00:49 . 2009-11-19 00:49 47360 ----a-w- c:\documents and settings\David\Application Data\pcouffin.sys
2009-11-14 04:29 . 2009-08-07 04:38 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-09 17:00 . 2009-09-09 17:00 92672 --sha-w- c:\windows\SYSTEM32\wofarola.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9 -reboot 1" [X]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe -atboottime" [X]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe -hide" [X]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"flockbox"="c:\program files\My Lockbox\flockbox.exe" [2007-12-14 1071472]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"LELA"="c:\program files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe" [2008-05-01 131072]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-04-09 648504]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe -t" [X]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 53760]

c:\documents and settings\David\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
Virtual Weather Station.lnk - c:\program files\VWS\vws.exe [2006-12-28 1786368]

c:\documents and settings\Becky\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
Event Reminder.lnk - c:\program files\Mindscape\PrintMaster\PMREMIND.EXE [1998-6-6 325632]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1996-12-3 51984]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^David^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\David\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^David^Start Menu^Programs^Startup^Office Startup.lnk]
backup=c:\windows\pss\Office Startup.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe"
"igfxpers"=c:\windows\system32\igfxpers.exe
"igfxhkcmd"=c:\windows\system32\hkcmd.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\SYSTEM32\\MMC.EXE"=
"c:\\WINDOWS\\SYSTEM32\\FXSCLNT.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Slacker\\USB Station Refresher\\slacker.tray.exe"=
"c:\\Program Files\\Slacker\\USB Station Refresher\\slacker.jukebox.exe"=
"c:\\Program Files\\Slacker\\USB Station Refresher\\slacker.jukebox.launch.exe"=
"c:\\Program Files\\VWS\\vws.exe"=
"c:\\Program Files\\My Lockbox\\flockbox.exe"=

R0 MPRIFL;MPRIFL;c:\windows\SYSTEM32\DRIVERS\mprifl.sys [7/17/2008 10:29 PM 17264]
R2 io.sys;IO.DLL Driver;c:\windows\SYSTEM32\DRIVERS\io.sys [3/4/2007 5:04 PM 5152]
R2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [4/18/2008 3:30 AM 204800]
R2 Slacker Portable Service;Slacker Portable Service;c:\program files\Slacker\USB Station Refresher\slacker.portable.service.exe [10/31/2008 3:03 PM 234176]
S2 mrtRate;mrtRate; [x]
S3 SLACKERDRV;Slacker Portable USB Driver;c:\windows\SYSTEM32\DRIVERS\SlackerUSB.sys [10/31/2008 2:12 PM 20480]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://shell.windows.com/fileassoc/0409/xml/redir.asp?Ext=THM
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
Trusted Zone: taxactonline.com\www
TCP: {3E24581C-507A-4C38-99B5-DB022A49A00A} = 199.184.119.1,199.2.252.10
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {E6BB2089-163F-466B-812A-748096614DFD} - hxxp://cainternetsecurity.net/scanner/cascanner.cab
.
- - - - ORPHANS REMOVED - - - -

BHO-{e936dd60-9827-4a88-a3d4-9fae0bb3871d} - gorikava.dll
HKLM-Run-vws - (no file)
HKLM-Run-veruvemeb - c:\windows\system32\jujivane.dll
HKLM-Run-bonoregete - naduhege.dll
SharedTaskScheduler-{042736f9-736c-4c81-b552-dcf2b4291edb} - (no file)
SharedTaskScheduler-{8ad1cb93-92e5-4a1f-a855-71add5999388} - c:\windows\system32\jujivane.dll
SSODL-kenuvugok-{8ad1cb93-92e5-4a1f-a855-71add5999388} - c:\windows\system32\jujivane.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-10 08:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3998951219-955322500-3148731311-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2736)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\windows\system32\java.exe
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wscntfy.exe
c:\program files\Microsoft Security Essentials\msseces.exe
.
**************************************************************************
.
Completion time: 2009-12-10 08:40:58 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-10 14:40

Pre-Run: 9,283,080,192 bytes free
Post-Run: 9,588,301,824 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 2E56AD70B0AAD9E02A805B4888F2DEEA

#4 Raktor

Raktor

  • Members
  • 68 posts
  • OFFLINE
  •  
  • Local time:05:51 AM

Posted 11 December 2009 - 12:16 AM

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

http://www.bleepingcomputer.com/forums/t/277714/vundo-infection/

Collect::
c:\windows\system32\drivers\dkucztyt.sys
2009-12-05 04:26 . 2009-12-05 04:26 30784 ----a-w- c:\windows\system32\drivers\myojtjgy.sys
2009-12-05 04:13 . 2009-12-05 04:13 30784 ----a-w- c:\windows\system32\drivers\jjxcmgny.sys
2009-12-05 04:03 . 2009-12-05 04:03 30784 ----a-w- c:\windows\system32\drivers\rcabuwax.sys
2009-12-05 03:49 . 2009-12-05 03:49 30784 ----a-w- c:\windows\system32\drivers\owxnmkvj.sys
2009-12-05 03:41 . 2009-12-05 03:41 30784 ----a-w- c:\windows\system32\drivers\ddhezhca.sys
c:\windows\SYSTEM32\wofarola.dll

Registry::
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,00,00


Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe


[screenshot: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
Graduate from the WTT Malware Classroom
If you feel I have helped you, please consider a donation.
Topics will be closed after three days if there is no response.
Please do not PM me for malware removal assistance.
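The Registry:: block in the script above rewrites BootExecute as a hex(7) value, which is how a .reg file stores a REG_MULTI_SZ. As an added example (not ComboFix's own code and not from the post), the Python below decodes a REGEDIT4 hex(7) entry into its list of strings and checks whether the result is the stock Windows value "autocheck autochk *", or whether anything else has been appended to it. The function names, the constructed sample lines and the EXPECTED_BOOTEXECUTE constant are this example's own assumptions.

```python
"""Decode a REGEDIT4 hex(7) (REG_MULTI_SZ) value and compare it with the
Windows default.  Added example for this thread; not part of ComboFix."""

# Copied from the CFScript in the post above.
REG_LINE = (
    '"BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,'
    '61,75,74,6f,63,68,6b,20,2a,00,00'
)

# The value a stock Windows XP install carries (assumption: documented default).
EXPECTED_BOOTEXECUTE = ["autocheck autochk *"]


def parse_reg_value_line(line):
    """Split a .reg 'name=type:data' line into (name, type, data).

    Quoted string values come back with type 'string'; everything else
    ('dword', 'hex', 'hex(7)', ...) keeps the type token from the file."""
    name, _, rest = line.partition("=")
    name = name.strip().strip('"')
    if rest.startswith('"'):
        return name, "string", rest.strip().strip('"')
    kind, _, data = rest.partition(":")
    return name, kind.strip(), data.strip()


def decode_hex7(data, encoding="latin-1"):
    """hex(7) is a REG_MULTI_SZ: NUL-separated strings, double-NUL terminated.

    REGEDIT4 files store one byte per character (ANSI); files headed
    'Windows Registry Editor Version 5.00' use UTF-16LE, so pass
    encoding='utf-16-le' for those.  Backslash line continuations are
    joined before decoding."""
    raw = bytes(int(b, 16) for b in data.replace("\\\n", "").split(",") if b.strip())
    parts = raw.decode(encoding).split("\x00")
    # Drop the empty strings produced by the terminating NULs.
    while parts and parts[-1] == "":
        parts.pop()
    return parts


def bootexecute_entries(line):
    """Return the decoded BootExecute list, or None if the line is not one."""
    name, kind, data = parse_reg_value_line(line)
    if name != "BootExecute" or kind != "hex(7)":
        return None
    return decode_hex7(data)


def extra_bootexecute_entries(line):
    """Entries beyond the default.  Anything here runs before the shell at
    boot, so a non-empty result is worth a closer look."""
    entries = bootexecute_entries(line)
    if entries is None:
        return []
    return [e for e in entries if e not in EXPECTED_BOOTEXECUTE]


if __name__ == "__main__":
    print("decoded:", bootexecute_entries(REG_LINE))
    print("extra entries:", extra_bootexecute_entries(REG_LINE))
```

Running the script on the line from the post decodes to the single default entry and reports no extras; the script value therefore restores the default rather than adding anything.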

#5 too-much-rc

too-much-rc
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:12:51 PM

Posted 11 December 2009 - 08:39 AM

Combofix.txt pasted in below:


ComboFix 09-12-09.04 - David 12/11/2009 7:19.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1526.974 [GMT -6:00]
Running from: c:\documents and settings\David\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\David\Desktop\CFScript.txt
AV: Microsoft Security Essentials *On-access scanning disabled* (Outdated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

file zipped: c:\windows\system32\drivers\dkucztyt.sys
file zipped: c:\windows\SYSTEM32\wofarola.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\dkucztyt.sys
c:\windows\SYSTEM32\wofarola.dll

.
((((((((((((((((((((((((( Files Created from 2009-11-11 to 2009-12-11 )))))))))))))))))))))))))))))))
.

2009-12-10 14:38 . 2009-12-10 14:38 -------- d-----w- c:\windows\LastGood
2009-12-10 08:29 . 2009-12-10 08:29 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2009-12-05 04:26 . 2009-12-05 04:26 30784 ----a-w- c:\windows\system32\drivers\myojtjgy.sys
2009-12-05 04:13 . 2009-12-05 04:13 30784 ----a-w- c:\windows\system32\drivers\jjxcmgny.sys
2009-12-05 04:03 . 2009-12-05 04:03 30784 ----a-w- c:\windows\system32\drivers\rcabuwax.sys
2009-12-05 03:49 . 2009-12-05 03:49 30784 ----a-w- c:\windows\system32\drivers\owxnmkvj.sys
2009-12-05 03:41 . 2009-12-05 03:41 30784 ----a-w- c:\windows\system32\drivers\ddhezhca.sys
2009-12-04 06:37 . 2009-11-03 02:42 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-12-04 06:27 . 2009-12-05 03:20 -------- d-----w- c:\program files\Microsoft Security Essentials
2009-12-04 05:41 . 2009-12-04 05:41 -------- d-----w- c:\documents and settings\All Users\Application Data\CA
2009-12-02 05:42 . 2009-12-11 13:10 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-02 03:43 . 2009-12-04 05:33 209208 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-11-22 22:03 . 2009-11-22 22:03 -------- d-----w- c:\documents and settings\David\Local Settings\Application Data\Linksys_LLC_-_A_Division_
2009-11-22 21:59 . 2009-11-22 22:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Linksys
2009-11-22 21:58 . 2008-04-09 06:14 23992 ----a-w- c:\windows\system32\drivers\pnarp.sys
2009-11-22 21:58 . 2009-11-22 21:58 -------- dc----w- c:\windows\system32\DRVSTORE
2009-11-22 21:58 . 2008-04-09 06:14 25272 ----a-w- c:\windows\system32\drivers\purendis.sys
2009-11-22 21:58 . 2009-11-22 21:58 -------- d-----w- c:\program files\Common Files\Pure Networks Shared
2009-11-22 21:58 . 2009-11-22 21:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Pure Networks
2009-11-22 21:56 . 2009-11-22 21:57 -------- d-----w- c:\program files\Linksys
2009-11-19 03:17 . 2009-02-25 00:42 116736 ----a-w- c:\windows\system32\drivers\mcdbus.sys
2009-11-19 03:17 . 2009-11-19 03:17 -------- d-----w- c:\program files\MagicDisc
2009-11-19 00:51 . 2009-11-19 03:02 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2009-11-19 00:51 . 2009-11-19 00:51 -------- d-----w- c:\program files\DVD Shrink
2009-11-19 00:49 . 2009-11-19 00:49 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-11-19 00:49 . 2009-11-19 00:49 47360 ----a-w- c:\documents and settings\David\Application Data\pcouffin.sys
2009-11-19 00:49 . 2009-11-19 00:50 -------- d-----w- c:\documents and settings\David\Application Data\Vso
2009-11-19 00:49 . 2009-11-19 00:49 -------- d-----w- c:\program files\DVDFab 6

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-09 03:19 . 2006-09-16 19:26 104616 ----a-w- c:\documents and settings\Becky\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-06 21:10 . 2008-05-18 05:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-12-06 21:10 . 2005-04-22 02:12 -------- d-----w- c:\documents and settings\David\Application Data\Yahoo!
2009-12-06 21:04 . 2009-08-07 04:37 -------- d-----w- c:\program files\Ace Utilities
2009-12-04 05:49 . 2008-10-09 15:40 -------- d-----w- c:\program files\Coupons
2009-11-22 22:41 . 2005-04-14 00:28 104616 ----a-w- c:\documents and settings\David\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-22 21:57 . 2005-04-08 11:24 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-14 04:29 . 2009-08-07 04:38 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-11 03:35 . 2009-11-11 03:35 -------- d-----w- c:\documents and settings\Becky\Application Data\Sony
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9 -reboot 1" [X]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe -atboottime" [X]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe -hide" [X]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"flockbox"="c:\program files\My Lockbox\flockbox.exe" [2007-12-14 1071472]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"LELA"="c:\program files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe" [2008-05-01 131072]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-04-09 648504]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe -t" [X]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 53760]

c:\documents and settings\David\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
Virtual Weather Station.lnk - c:\program files\VWS\vws.exe [2006-12-28 1786368]

c:\documents and settings\Becky\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
Event Reminder.lnk - c:\program files\Mindscape\PrintMaster\PMREMIND.EXE [1998-6-6 325632]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1996-12-3 51984]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^David^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\David\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^David^Start Menu^Programs^Startup^Office Startup.lnk]
backup=c:\windows\pss\Office Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe"
"igfxpers"=c:\windows\system32\igfxpers.exe
"igfxhkcmd"=c:\windows\system32\hkcmd.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\SYSTEM32\\MMC.EXE"=
"c:\\WINDOWS\\SYSTEM32\\FXSCLNT.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Slacker\\USB Station Refresher\\slacker.tray.exe"=
"c:\\Program Files\\Slacker\\USB Station Refresher\\slacker.jukebox.exe"=
"c:\\Program Files\\Slacker\\USB Station Refresher\\slacker.jukebox.launch.exe"=
"c:\\Program Files\\VWS\\vws.exe"=
"c:\\Program Files\\My Lockbox\\flockbox.exe"=

R0 MPRIFL;MPRIFL;c:\windows\SYSTEM32\DRIVERS\mprifl.sys [7/17/2008 10:29 PM 17264]
R2 io.sys;IO.DLL Driver;c:\windows\SYSTEM32\DRIVERS\io.sys [3/4/2007 5:04 PM 5152]
R2 Slacker Portable Service;Slacker Portable Service;c:\program files\Slacker\USB Station Refresher\slacker.portable.service.exe [10/31/2008 3:03 PM 234176]
S2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [4/18/2008 3:30 AM 204800]
S2 mrtRate;mrtRate; [x]
S3 SLACKERDRV;Slacker Portable USB Driver;c:\windows\SYSTEM32\DRIVERS\SlackerUSB.sys [10/31/2008 2:12 PM 20480]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://shell.windows.com/fileassoc/0409/xml/redir.asp?Ext=THM
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
Trusted Zone: taxactonline.com\www
TCP: {3E24581C-507A-4C38-99B5-DB022A49A00A} = 199.184.119.1,199.2.252.10
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {E6BB2089-163F-466B-812A-748096614DFD} - hxxp://cainternetsecurity.net/scanner/cascanner.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-11 07:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3998951219-955322500-3148731311-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(640)
c:\windows\system32\igfxdev.dll
.
Completion time: 2009-12-11 07:28:40
ComboFix-quarantined-files.txt 2009-12-11 13:28
ComboFix2.txt 2009-12-10 14:40

Pre-Run: 9,615,601,664 bytes free
Post-Run: 9,620,611,072 bytes free

- - End Of File - - F43EF8B90F82EFC4C5702BDEF7E4057F
Upload was successful
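The Files Created section of the log above lists five drivers of identical size (30784 bytes) with eight-letter random names, created minutes apart in system32\drivers, which is exactly the set the helper asks to collect in the next reply. As an added example (not part of the thread and not ComboFix's own logic), the Python below parses lines in that listing format and flags such clusters while leaving a single random-looking file such as pcouffin.sys alone. The sample lines are copied from the log with a few benign entries mixed in, and the thresholds (at least three files of one size within two hours) are this example's own choice.

```python
"""Flag clusters of same-size, random-named driver files in a ComboFix /
DDS 'Files Created' listing.  Added example for this thread."""
import re
from collections import defaultdict
from datetime import datetime

# Listing lines look like:  created . modified size attrs path
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) +"
    r"(\d+|-+) +(\S+) +(.+)$"
)

# Basenames of eight lowercase letters with a driver/library extension.
RANDOM_NAME = re.compile(r"^[a-z]{8}\.(sys|dll)$")

# Constructed sample: lines taken from the log in this thread plus benign ones.
SAMPLE_LOG = r"""
2009-12-10 14:38 . 2009-12-10 14:38 -------- d-----w- c:\windows\LastGood
2009-12-05 04:26 . 2009-12-05 04:26 30784 ----a-w- c:\windows\system32\drivers\myojtjgy.sys
2009-12-05 04:13 . 2009-12-05 04:13 30784 ----a-w- c:\windows\system32\drivers\jjxcmgny.sys
2009-12-05 04:03 . 2009-12-05 04:03 30784 ----a-w- c:\windows\system32\drivers\rcabuwax.sys
2009-12-05 03:49 . 2009-12-05 03:49 30784 ----a-w- c:\windows\system32\drivers\owxnmkvj.sys
2009-12-05 03:41 . 2009-12-05 03:41 30784 ----a-w- c:\windows\system32\drivers\ddhezhca.sys
2009-12-04 06:37 . 2009-11-03 02:42 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-12-02 05:42 . 2009-12-11 13:10 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-11-22 21:58 . 2008-04-09 06:14 23992 ----a-w- c:\windows\system32\drivers\pnarp.sys
2009-11-22 21:58 . 2008-04-09 06:14 25272 ----a-w- c:\windows\system32\drivers\purendis.sys
2009-11-19 03:17 . 2009-02-25 00:42 116736 ----a-w- c:\windows\system32\drivers\mcdbus.sys
2009-11-19 00:49 . 2009-11-19 00:49 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-11-19 00:49 . 2009-11-19 00:49 47360 ----a-w- c:\documents and settings\David\Application Data\pcouffin.sys
"""


def parse_listing(text):
    """Turn listing lines into dicts; directories get size None."""
    entries = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headers, separators and blank lines are skipped
        created, _modified, size, attrs, path = m.groups()
        entries.append({
            "created": datetime.strptime(created, "%Y-%m-%d %H:%M"),
            "size": None if size.startswith("-") else int(size),
            "attrs": attrs,
            "path": path,
        })
    return entries


def find_driver_clusters(entries, min_members=3, window_minutes=120):
    """Group random-named files by (directory, size) and return the groups
    with at least min_members files created within window_minutes."""
    groups = defaultdict(list)
    for e in entries:
        if e["size"] is None:
            continue
        directory, _, name = e["path"].lower().rpartition("\\")
        if not RANDOM_NAME.match(name):
            continue
        groups[(directory, e["size"])].append(e)

    clusters = []
    for (directory, size), members in groups.items():
        if len(members) < min_members:
            continue
        times = [m["created"] for m in members]
        span = (max(times) - min(times)).total_seconds() / 60
        if span <= window_minutes:
            clusters.append({
                "directory": directory,
                "size": size,
                "span_minutes": span,
                "paths": sorted(m["path"] for m in members),
            })
    return clusters


if __name__ == "__main__":
    for c in find_driver_clusters(parse_listing(SAMPLE_LOG)):
        print(f"{len(c['paths'])} files of {c['size']} bytes in {c['directory']} "
              f"within {c['span_minutes']:.0f} minutes:")
        for p in c["paths"]:
            print("   ", p)
```

Size plus timing is what makes the group stand out, not the odd names on their own: pcouffin.sys and purendis.sys also have eight-letter names but appear once per directory and are not reported. The same parser accepts the Find3M section of the log, since it uses the identical line layout.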

#6 Raktor

Raktor

  • Members
  • 68 posts
  • OFFLINE
  •  
  • Local time:05:51 AM

Posted 11 December 2009 - 08:28 PM

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

http://www.bleepingcomputer.com/forums/t/277714/vundo-infection/

Collect::
c:\windows\system32\drivers\myojtjgy.sys
c:\windows\system32\drivers\jjxcmgny.sys
c:\windows\system32\drivers\rcabuwax.sys
c:\windows\system32\drivers\owxnmkvj.sys
c:\windows\system32\drivers\ddhezhca.sys


Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe


[screenshot: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

#7 too-much-rc

too-much-rc
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:12:51 PM

Posted 12 December 2009 - 12:03 AM

Raktor,

I've attached the most recent version of ComboFix.txt. I hope that's ok, rather than pasting. Maybe the file was too big to paste?

Thanks,
too-much-rc

Attached Files



#8 Raktor

Raktor

  • Members
  • 68 posts
  • OFFLINE
  •  
  • Local time:05:51 AM

Posted 12 December 2009 - 03:14 AM

1) MBAM
Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected .
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
2) ESET
You can use either Internet Explorer or Mozilla FireFox for this scan.
  • Please go here then click on: [image]

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use then click on: [image]
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: [image]
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: [image]
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
3) What You Will Need To Post:
  • MBAM log
  • ESET log


#9 too-much-rc

too-much-rc
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:12:51 PM

Posted 12 December 2009 - 06:17 PM

Raktor,

Attached are the MBAM and ESET logs.

Thanks,
too-much-rc

Attached Files



#10 Raktor

Raktor

  • Members
  • 68 posts
  • OFFLINE
  •  
  • Local time:05:51 AM

Posted 14 December 2009 - 06:19 AM

Good job, looking all clean. :(

The following will implement some cleanup procedures as well as reset System Restore points:
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
You may remove all programs and resulting logs from our cleanup, except MBAM. Keep that and scan/update weekly.

How to reduce your chances of infection in the future

Web Browsers
Internet Explorer does come pre-installed with all Windows machines - but this doesn't necessarily mean you have to use it! Because it is the most widely used browser, it is targeted by more malware writers, making you more susceptible to infection. There are many other free alternatives out there that offer better security, take one of these for a spin and see if it takes your fancy.
Mozilla Firefox
Google Chrome
Opera

WOT - Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
Green to go
Yellow for caution
Red to stop
WOT has an addon available for Firefox, Google Chrome and Internet Explorer.

If you would prefer to keep using Internet Explorer, follow these additional steps to make the browser more secure.
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab.
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt.
    • Change the Download unsigned ActiveX controls to Disable.
    • Change the Initialise and script ActiveX controls not marked as safe to Disable.
    • Change the Installation of desktop items to Prompt.
    • Change the Launching programs and files in an IFRAME to Prompt.
    • Change the Navigate sub-frames across different domains to Prompt.
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
Additional Security Measures
Keep your software up-to-date - You should be manually performing updates of your software once a week to ensure that you are current with anti-virus definitions and patched for any security vulnerabilities. This does not just apply to your anti-virus/anti-malware software; malware authors rely on exploiting commonly used software such as Java and Adobe Reader, which need to be kept up to date as well.

Keep Windows up-to-date - Use Windows Update regularly to stay current with security patches and service packs.

MVPS Hosts File - This custom hosts file effectively blocks a wide range of unwanted ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.

Firewalls - Without a firewall your computer is susceptible to being hacked and taken over. If you use the Windows Firewall you might think that's sufficient - but it only controls one way of the traffic (inbound). Simply using a Firewall in its default configuration can lower your risk greatly.

What Not To Do
The Perils of P2P File Sharing - Even if a P2P application is on the 'safe' list, malware can still be downloaded through infected files - executables, zip files and even MP3s. It is just not worth the risk.

Fake Security/Optimization Software - Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

Additional Reading
How to prevent Malware - I strongly recommend that you read Miekiemoses' good advice

Please reply to this thread once more if you are satisfied so that we can mark the problem as resolved.

#11 too-much-rc

too-much-rc
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:12:51 PM

Posted 14 December 2009 - 08:35 AM

Raktor,

In the last run of ESET, it found infected entries in the registry, but we didn't have it remove them. Don't those still need to be dealt with?

I'd also like to know if the original programs that I installed that likely infected my machine are safe to run? (DVDFab and MagicDisc) Are the viruses attached to the download, or do they start when running the program?

Thanks very much again for your help.

too-much-rc

#12 Raktor

Raktor

  • Members
  • 68 posts
  • OFFLINE
  •  
  • Local time:05:51 AM

Posted 15 December 2009 - 06:32 AM

We removed those infections by running the Combofix uninstall.

Regarding your downloaded software, check the executables with a virus scanner, or a site like VirusTotal.

#13 too-much-rc

too-much-rc
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:12:51 PM

Posted 15 December 2009 - 11:39 PM

Raktor,

I ran the online ESET one more time, after uninstalling Combofix. It found and reportedly cleaned 13 more files. I attached the log file if you're interested.

I ran Malwarebytes again (with updated virus definition) - nothing found.

I updated Microsoft Security Essentials and ran a quick scan with it - nothing found.

I also uploaded many of the exe's and dll's from the suspect programs to www.virustotal.com . Nothing especially suspect. A couple of the files had 1 or 2 virus scanners that showed "suspect", but the other 39 or so found nothing suspicious.

One last thing I noticed is a program that shows up on the "Alt-tab" list as 'Alert Popup'. Although if I bring up Task Manager, no such program is listed under applications. If I try to stop on it to bring it up as active, nothing happens. Is this related to anything that we've done or installed?

Thanks again for your help,
too-much-rc

Attached Files



#14 Raktor

Raktor

  • Members
  • 68 posts
  • OFFLINE
  •  
  • Local time:05:51 AM

Posted 17 December 2009 - 05:55 PM

Nothing that you mentioned is anything to worry about. :(

#15 too-much-rc

too-much-rc
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:12:51 PM

Posted 18 December 2009 - 08:48 AM

Raktor,

Thanks for your help. All appears to be OK. :(

I sent you a small gift via Paypal to say 'thanks' and Merry Christmas.

Thanks again,
too-much-rc
