
Trojan Vundo Infection


This topic is locked
12 replies to this topic

#1 brneyegirl01

brneyegirl01

  • Members
  • 6 posts
  • OFFLINE
  • Local time:10:26 AM

Posted 12 March 2010 - 02:15 PM

I have tried Malwarebytes, Vundofix and the Microsoft Malicious software tool, none of these were able to remove the Vundo Trojan. The Vundofix detected the Vundo Trojan, but was not successful in removing it. I ran the Combofix application after reading info on another site. However I did not act on anything and the virus appears to be gone, as I do not have any more of the annoying popups. I just wanted to be sure.

After reviewing the information on your site it appears as though maybe I should not have run Combofix on my own. Hope I did the right thing. I am posting my DDS log and attaching my GMER log for your review as per your instructions. Thanks in advance for your advice and for sharing this wonderful resource for those of us less familiar with these bugs!

Theresa


DDS (Ver_09-12-01.01) - NTFSx86
Run by Theresa at 10:25:57.68 on Fri 03/12/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2559.2103 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Theresa\My Documents\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZJxdm025YYUS&fl=0&ptb=.JR_FG9OB5l._1KX2Dg4ag&url=http://edits.mywebsearch.com/toolbaredits/barsearch.jhtml&st=sb&searchfor={searchTerms}
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~1.EXE -Update -1100465 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; eMusic DLM/4; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www.workshoplive.com/lesson_interface/play_lesson/play_sample_lesson.cfm?ci_id=2144"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
DPF: {62789780-B744-11D0-986B-00609731A21D} - hxxp://www.maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1219027624654
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1219027613560
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-29-0.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-9-25 54752]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-21 135664]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2008-9-12 16512]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]

=============== Created Last 30 ================

2010-03-12 16:03:48 98816 ----a-w- c:\windows\sed.exe
2010-03-12 16:03:48 77312 ----a-w- c:\windows\MBR.exe
2010-03-12 16:03:48 261632 ----a-w- c:\windows\PEV.exe
2010-03-12 16:03:48 161792 ----a-w- c:\windows\SWREG.exe
2010-03-11 19:18:07 0 d-----w- c:\program files\Trend Micro
2010-03-11 18:53:11 0 dc----w- C:\VundoFix Backups
2010-03-11 18:32:59 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2010-03-11 18:32:59 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2010-03-11 15:59:38 0 d-----w- c:\docume~1\theresa\applic~1\Malwarebytes
2010-03-11 15:59:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-11 15:59:30 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-03-11 15:59:29 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-11 15:59:29 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-02 03:54:36 0 d-----w- c:\documents and settings\theresa\.SunDownloadManager
2010-02-15 22:11:13 70648 ---ha-w- c:\windows\system32\mlfcache.dat
2010-02-12 20:56:26 0 d-----w- c:\program files\iPod
2010-02-12 20:56:17 0 d-----w- c:\program files\iTunes
2010-02-12 20:56:17 0 d-----w- c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}

==================== Find3M ====================

2010-03-11 03:36:34 110560 ----a-w- c:\docume~1\theresa\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 10:26:25.84 ===============

Attached Files: ark.log (371 bytes, 10 downloads)



#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:05:26 PM

Posted 12 March 2010 - 04:20 PM

Good evening.

You should find a copy of the log that ComboFix produced at the root of your primary hard drive - C:\ComboFix.txt. Please post the contents of it in your next reply.

So long, and thanks for all the fish.

 

 


#3 brneyegirl01

brneyegirl01
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:10:26 AM

Posted 12 March 2010 - 04:23 PM

Here is the ComboFix txt file. Sorry, I thought that was all included in the info I copied over in the above message. Thanks for your quick response! Theresa

ComboFix 10-03-11.06 - Theresa 03/12/2010 9:06.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2559.2128 [GMT -7:00]
Running from: D:\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Theresa\Local Settings\Application Data\av.exe
c:\windows\Downloaded Program Files\CpnMgr.dll
c:\windows\Downloaded Program Files\f3initialsetup1.0.1.0.inf

.
((((((((((((((((((((((((( Files Created from 2010-02-12 to 2010-03-12 )))))))))))))))))))))))))))))))
.

2010-03-11 19:18 . 2010-03-11 19:18 -------- d-----w- c:\program files\Trend Micro
2010-03-11 18:53 . 2010-03-11 18:53 -------- dc----w- C:\VundoFix Backups
2010-03-11 18:32 . 2008-04-13 18:45 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2010-03-11 18:32 . 2008-04-13 18:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2010-03-11 16:13 . 2010-03-11 16:13 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-03-11 15:59 . 2010-03-11 15:59 -------- d-----w- c:\documents and settings\Theresa\Application Data\Malwarebytes
2010-03-11 15:59 . 2009-12-30 21:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-11 15:59 . 2010-03-11 15:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-11 15:59 . 2010-03-11 16:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-11 15:59 . 2009-12-30 21:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-11 15:53 . 2010-03-11 16:31 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-03-08 14:20 . 2010-03-08 14:20 -------- d-----w- c:\documents and settings\Lauren\Local Settings\Application Data\Google
2010-03-02 03:54 . 2010-03-02 04:09 -------- d-----w- c:\documents and settings\Theresa\.SunDownloadManager
2010-02-15 22:11 . 2010-02-15 22:11 70648 ---ha-w- c:\windows\system32\mlfcache.dat
2010-02-12 20:56 . 2010-02-12 20:56 -------- d-----w- c:\program files\iPod
2010-02-12 20:56 . 2010-02-12 20:57 -------- d-----w- c:\program files\iTunes
2010-02-12 20:56 . 2010-02-12 20:57 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-02-12 20:54 . 2010-02-12 20:55 -------- d-----w- c:\program files\QuickTime
2010-02-12 20:49 . 2010-02-12 20:49 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-10 14:18 . 2009-11-10 13:56 79488 ----a-w- c:\documents and settings\Theresa\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-03-08 14:25 . 2009-11-11 15:07 79488 ----a-w- c:\documents and settings\Lauren\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-03-08 01:55 . 2009-11-20 02:33 79488 ----a-w- c:\documents and settings\Rick\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-02-12 21:21 . 2008-09-16 02:11 -------- d-----w- c:\documents and settings\Theresa\Application Data\Apple Computer
2010-02-12 20:56 . 2008-09-16 02:09 -------- d-----w- c:\program files\Common Files\Apple
2010-02-12 20:53 . 2008-09-16 02:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-02-11 23:19 . 2008-08-18 14:24 110560 ----a-w- c:\documents and settings\Theresa\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-06 14:14 . 2008-08-18 20:42 -------- d-----w- c:\program files\Google
2010-01-30 22:08 . 2010-01-30 22:08 -------- d-----w- c:\program files\OverDrive Media Console
2010-01-30 20:40 . 2010-01-13 03:30 34 ----a-w- c:\windows\system32\BD5250DN.DAT
2010-01-30 06:19 . 2008-08-25 02:11 -------- d-----w- c:\program files\Common Files\Skyscape
2010-01-30 06:18 . 2010-01-30 06:18 -------- d-----w- c:\program files\Microsoft.NET
2010-01-30 06:14 . 2008-08-23 16:24 111344 ----a-w- c:\documents and settings\Rick\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-30 06:03 . 2010-01-30 05:33 2272 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-01-30 05:15 . 2008-08-16 23:08 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-01-24 17:05 . 2009-06-30 23:35 -------- d-----w- c:\program files\OpenOffice.org 3
2010-01-24 17:01 . 2008-09-22 22:23 -------- d-----w- c:\program files\ahead
2010-01-24 17:01 . 2008-08-16 22:46 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-24 17:01 . 2009-06-04 20:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Napster
2010-01-24 16:54 . 2008-08-24 19:14 -------- d-----w- c:\program files\Coupons
2010-01-24 16:52 . 2008-10-31 16:18 -------- d-----w- c:\program files\IHMC CmapTools
2010-01-21 14:25 . 2008-10-09 21:42 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-17 19:36 . 2010-01-16 20:34 -------- d-----w- c:\program files\Craft ROBO Controller
2010-01-17 19:35 . 2009-12-19 04:05 -------- d-----w- c:\program files\ROBO Master
2010-01-16 19:40 . 2008-09-29 14:53 -------- d-----w- c:\program files\Thomson
2010-01-16 19:35 . 2009-08-09 21:24 -------- d-----w- c:\program files\eMachineShop
2010-01-16 19:35 . 2009-05-29 01:01 -------- d-----w- c:\program files\eMusic Download Manager
2010-01-16 19:35 . 2009-05-29 01:01 -------- d-----w- c:\documents and settings\Theresa\Application Data\eMusic
2010-01-13 15:45 . 2010-01-13 15:45 -------- d-----r- c:\documents and settings\Theresa\Application Data\Brother
2010-01-13 03:30 . 2010-01-13 03:30 -------- d-----w- c:\program files\Brownie
2010-01-13 03:30 . 2010-01-13 03:30 -------- d-----w- c:\program files\Brother
2010-01-13 03:30 . 2008-08-16 22:46 -------- d-----w- c:\program files\Common Files\InstallShield
2010-01-13 03:13 . 2008-08-17 14:27 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-01-13 03:07 . 2010-01-13 03:07 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-01-13 03:05 . 2010-01-13 03:05 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-12-31 16:50 . 2001-08-18 12:00 353792 ------w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2001-08-18 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2008-08-16 22:02 343040 ------w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2001-08-18 12:00 33280 ------w- c:\windows\system32\csrsrv.dll
.

------- Sigcheck -------

[7] 2004-08-04 . 49911DD39E023BB6C45E4E436CFBD297 . 13824 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\wscntfy.exe

[7] 2008-04-14 . 5F1D5F88303D4A4DBC8E5F97BA967CC3 . 15360 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ctfmon.exe
[7] 2004-08-04 . 24232996A38C0B0CF151C2140AE29FC8 . 15360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ctfmon.exe

c:\windows\System32\wscntfy.exe ... is missing !!
c:\windows\System32\ctfmon.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microtek Scanner Finder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microtek Scanner Finder.lnk
backup=c:\windows\pss\Microtek Scanner Finder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Theresa^Start Menu^Programs^Startup^Skyscape SmartUpdate.lnk]
path=c:\documents and settings\Theresa\Start Menu\Programs\Startup\Skyscape SmartUpdate.lnk
backup=c:\windows\pss\Skyscape SmartUpdate.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 08:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
2003-08-29 11:59 122880 -c--a-w- c:\windows\BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-01-23 02:16 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2003-07-28 22:19 4841472 ------w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2003-07-28 22:19 49152 -c----w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2003-07-28 22:19 323584 -c----w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 06:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\K-Lite Codec Pack\\Media Player Classic\\mplayerc.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\cygwin\\bin\\rsync.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/21/2010 1:05 PM 135664]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [9/12/2008 7:31 PM 16512]
.
Contents of the 'Scheduled Tasks' folder

2010-03-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-03-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-21 20:05]

2010-03-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-21 20:05]

2010-03-12 c:\windows\Tasks\User_Feed_Synchronization-{02F2906D-154A-4787-A518-ED7FBF0EBFFF}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZJxdm025YYUS&fl=0&ptb=.JR_FG9OB5l._1KX2Dg4ag&url=http://edits.mywebsearch.com/toolbaredits/barsearch.jhtml&st=sb&searchfor={searchTerms}
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe
MSConfigStartUp-NeroCheck - c:\windows\system32\NeroCheck.exe
MSConfigStartUp-SelectRebates - c:\program files\SelectRebates\SelectRebates.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-12 09:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-03-12 09:19:05
ComboFix-quarantined-files.txt 2010-03-12 16:18

Pre-Run: 21,460,897,792 bytes free
Post-Run: 22,691,495,936 bytes free

- - End Of File - - E97491876D48F64B17E6CAB9E526D3D6


Edited by Noviciate, 12 March 2010 - 04:42 PM.


#4 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:05:26 PM

Posted 12 March 2010 - 04:43 PM

I edited the log into your last post as it is easier for me to review.

We'll start with a little scan and see where that gets us. Pay a visit to the ESET Online Scanner.
  • Click the ESET Online Scanner button, read the info in the new window, check the appropriate box and click Start.
  • Accept the ActiveX download, and allow it to install.
  • Once this has been completed, you will see the Computer Scan settings page - ensure that you uncheck the "Remove found threats" box and then click Start.
  • The virus signature database will now need to be downloaded, so don't forget to instruct your firewall to permit it if it asks.
  • The above will take a little time, so now is a good time to fire up the kettle and open the biccies.
  • Once the scan has completed you will be shown the results - assuming that the scanner has found anything.
  • Click List of found threats and then Export to text file... and save the log somewhere convenient.
  • You can then close out the scanner - don't bother uninstalling it as you may need to use it again.
  • Please post the contents of this file in your next reply, or let me know that nothing was identified.

So long, and thanks for all the fish.

 

 


#5 brneyegirl01

brneyegirl01
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:10:26 AM

Posted 12 March 2010 - 05:33 PM

I ran the ESET application and it found this. Do you have any suggestions? Thanks again! Theresa


C:\Qoobox\Quarantine\C\Documents and Settings\Theresa\Local Settings\Application Data\av.exe.vir a variant of Win32/Kryptik.CZA trojan


#6 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:05:26 PM

Posted 13 March 2010 - 03:08 PM

Good evening.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    CODE
    :filefind
    wscntfy.exe
    ctfmon.exe

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

So long, and thanks for all the fish.

 

 


#7 brneyegirl01

brneyegirl01
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:10:26 AM

Posted 13 March 2010 - 04:22 PM

Here are the results of my System Look Log. Thanks again!


SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 14:18 on 13/03/2010 by Theresa (Administrator - Elevation successful)

========== filefind ==========

Searching for "wscntfy.exe"
C:\WINDOWS\$NtServicePackUninstall$\wscntfy.exe -----c 13824 bytes [03:23 05/09/2008] [07:56 04/08/2004] 49911DD39E023BB6C45E4E436CFBD297

Searching for "ctfmon.exe"
C:\WINDOWS\$NtServicePackUninstall$\ctfmon.exe -----c 15360 bytes [03:23 05/09/2008] [07:56 04/08/2004] 24232996A38C0B0CF151C2140AE29FC8
C:\WINDOWS\ServicePackFiles\i386\ctfmon.exe -----c 15360 bytes [07:56 04/08/2004] [00:12 14/04/2008] 5F1D5F88303D4A4DBC8E5F97BA967CC3

-=End Of File=-



#8 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:05:26 PM

Posted 13 March 2010 - 07:10 PM

For some reason your PC is missing two files from their default location and you are short of one up-to-date backup.

Copy the following file: C:\WINDOWS\ServicePackFiles\i386\ctfmon.exe and paste it to the following location: C:\WINDOWS\system32\ctfmon.exe.

The second file is a little more tricky as the one you do have is an old version and I don't know how your system will react to it. Do you have access to another PC with your Operating System on that is as up-to-date as yours?

So long, and thanks for all the fish.
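An added example, not from this thread or from SystemLook's author, that automates the check Noviciate makes by hand above: it parses a filefind log in the layout posted in #7 and reports, for each searched name, whether a copy sits in its expected directory (assumed here to be C:\WINDOWS\system32) and how many distinct versions by MD5 were found anywhere on the disk. The wscntfy.exe and ctfmon.exe hits are copied from the log above; the notepad.exe line and its hash are constructed.

```python
import re

# Constructed sample in SystemLook's "filefind" layout: the wscntfy.exe and ctfmon.exe hits
# are copied from the log posted above; the notepad.exe line and its hash are made up here
# to show what a file that is in its expected place looks like.
SAMPLE_LOG = r"""SystemLook v1.0 by jpshortstuff (11.01.10)
========== filefind ==========
Searching for "wscntfy.exe"
C:\WINDOWS\$NtServicePackUninstall$\wscntfy.exe -----c 13824 bytes [03:23 05/09/2008] [07:56 04/08/2004] 49911DD39E023BB6C45E4E436CFBD297
Searching for "ctfmon.exe"
C:\WINDOWS\$NtServicePackUninstall$\ctfmon.exe -----c 15360 bytes [03:23 05/09/2008] [07:56 04/08/2004] 24232996A38C0B0CF151C2140AE29FC8
C:\WINDOWS\ServicePackFiles\i386\ctfmon.exe -----c 15360 bytes [07:56 04/08/2004] [00:12 14/04/2008] 5F1D5F88303D4A4DBC8E5F97BA967CC3
Searching for "notepad.exe"
C:\WINDOWS\system32\notepad.exe ----a- 69120 bytes [07:56 04/08/2004] [00:12 14/04/2008] 0123456789ABCDEF0123456789ABCDEF
-=End Of File=-
"""

SEARCH_RE = re.compile(r'^Searching for "(?P<name>[^"]+)"$')
HIT_RE = re.compile(
    r'^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-a-z]+)\s+(?P<size>\d+) bytes'
    r'\s+\[(?P<stamp1>[^\]]+)\]\s+\[(?P<stamp2>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$')

def parse_filefind(text):
    """Return {searched name: [hit dicts]}; a name with no hits gets an empty list."""
    hits, current = {}, None
    for line in text.splitlines():
        m = SEARCH_RE.match(line)
        if m:
            current = m.group("name")
            hits[current] = []
            continue
        m = HIT_RE.match(line)
        if m and current is not None:
            d = m.groupdict()
            d["size"], d["md5"] = int(d["size"]), d["md5"].upper()
            hits[current].append(d)
    return hits

def assess(hits, expected_dir=r"C:\WINDOWS\system32"):
    """Per searched name: is a copy in expected_dir, how many copies were found anywhere,
    and how many distinct versions (by MD5) those copies represent."""
    report = {}
    for name, found in hits.items():
        wanted = (expected_dir + "\\" + name).lower()
        report[name] = {
            "in_expected_dir": any(h["path"].lower() == wanted for h in found),
            "copies": len(found),
            "versions": len({h["md5"] for h in found}),
        }
    return report
```

Two distinct MD5s for the same name means the backup copies are different builds, which is exactly why a copy from a known-good, equally patched machine was preferred over the older one on disk.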

#9 brneyegirl01

brneyegirl01
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:26 AM

Posted 15 March 2010 - 12:12 AM

Hello,

I do have access to another computer in my home running XP Pro and it is as up to date as mine.

Thank you again for your help!



#10 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:05:26 PM

Posted 15 March 2010 - 03:22 PM

Good evening.

Excellent news. I could supply you with a copy from my machine, but I prefer you to obtain one from a source you know is 100% safe. Not that I'd give you a dodgy copy, but this way there isn't any issue, or question of one.

The file you want from your second system is C:\WINDOWS\system32\wscntfy.exe. Copy it to the same location on the PC that you are having the issues with and that should be that problem dealt with.

Let me know how you get on, not that I'm expecting any issues of course.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

With regard to the detection that you mentioned in a previous post that I didn't address: C:\Qoobox\Quarantine\C\Documents and Settings\Theresa\Local Settings\Application Data\av.exe.vir a variant of Win32/Kryptik.CZA trojan
This is a file that ComboFix has removed and disabled by adding another file extension (.vir) to it and as such poses no threat to your PC. ESET detected it as the file is still basically malicious even though it has been deactivated by CF.


So long, and thanks for all the fish.

#11 brneyegirl01

brneyegirl01
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:26 AM

Posted 15 March 2010 - 10:31 PM

Thank you so much for all of your help! My computer is running great. I am so grateful that there are people like you out there willing to help those of us who are not so computer savvy!!!! Theresa

#12 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:05:26 PM

Posted 16 March 2010 - 03:35 PM

Good evening.

What I didn't notice before, and what I should have seen, is a complete lack of any security programs on your machine that run in real time. If I had, I would have recommended that you back up any important data and then reformat and reinstall the operating system.
The possibility that legitimate files may have been infected or corrupted by the malware present on your PC, and also that security settings may have been lowered, making your computer more liable to infection in the future, means that starting over is the easiest and safest course of action.
You also need to be aware of the risk of identity theft if you have accessed bank accounts with this computer or shopped online. Keylogging software could have recorded details of these actions, and a lack of an effective firewall means that there is nothing to stop this information being sent home. If this does apply to you, I'd monitor your accounts and perhaps consider getting credit/debit cards, passwords etc... changed - obviously not using this PC!

While I cannot make you follow the above advice with regard to the reformat, it is what I would do if this was my system and I strongly recommend you do the same.
Whether you reformat or not, you need one of each of the following:

Anti-Virus.
There are a few free ones available:

AVG Free Edition: Available here.
avast! 4 Home Edition: Available here
AntiVir PersonalEdition Classic: Available here

While you can try each in turn if you wish, only install one at a time, as two or more running together can result in conflicts giving less, not more, protection.

Firewall.
There are a few free firewalls available, although the following isn't a complete list:

Comodo Firewall Pro, available here. This download has both a firewall and anti-virus in the same package, so be sure that you uncheck the AV option if you choose to install this one.
PC Tools Firewall Plus, available here.
Online Armor Free, available here.

Again, while you can download them all to see which one you prefer, only install one at a time - running two or more firewalls simultaneously can cause conflicts resulting in less, not more, protection.

Understand that installing an anti-virus and firewall without a reformat is rather like shutting the stable door after the horse has bolted and should in no way guarantee a clean machine.

So long, and thanks for all the fish.

#13 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:05:26 PM

Posted 22 March 2010 - 03:39 PM

As this issue appears to have been resolved, this thread is now closed.

So long, and thanks for all the fish.
