
Hijackthis Log, Vundo Virus, Among Others...


  • Please log in to reply
7 replies to this topic

#1 barrett101

Posted 09 September 2006 - 07:23 AM

Hi, I talked with some other people and they suggested I post this in here. I have Adaware on my computer and have done a scan with no results, the latest scan anyway. I have also downloaded Stinger and scanned my system, found 1 virus which has been deleted. I also have Antivir which has detected the file fccab.dll, which it recognises as the trojan virus avundo, which I can't delete.

Here is my hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:00:42 PM, on 9/09/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\D-Link\DSL-200\dslstat.exe
C:\Program Files\D-Link\DSL-200\dslagent.exe
E:\Program Files\antivir\AntiVir PersonalEdition Classic\sched.exe
E:\Program Files\antivir\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
c:\program files\mcafee.com\agent\mcdetect.exe
E:\Program Files\antivir\AntiVir PersonalEdition Classic\avgnt.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://apcstart.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;0;<local>
R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\D-Link\DSL-200\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\D-Link\DSL-200\dslagent.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\wcwpwc.exe reg_run
O4 - HKLM\..\Run: [MediaGateway] C:\Program Files\MediaGateway\MediaGateway.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrde_5.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [avgnt] "E:\Program Files\antivir\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\Office\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://apcstart.com/
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2646205B-878C-11D1-B07C-0000C040BCDB} (NSIEMisc Class) - file://D:\autorun\x86\bin\nskey.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1148593956136
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - E:\Program Files\antivir\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - E:\Program Files\antivir\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: dopewars server (dopewars-server) - Unknown owner - C:\Program Files\dopewars-1.5.10\dopewars.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Microsoft Windows Spooler Service (Windows Spooler Service) - Unknown owner - C:\WINDOWS\services.exe (file missing)

I hope someone can make sense of this...


Thanks...
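A small triage pass over the posted log, as an added example that is not part of the thread: it parses HijackThis R3/O4/O15/O23 lines and flags the patterns a helper looks for first (autostarts launched straight from a drive root, Trusted Zone additions, services whose binary is missing or has no publisher, and services named like Windows components but living outside system32). The heuristics and the choice of sample lines are mine; the lines themselves are copied from the log above.

```python
import re

# Lines copied from the HijackThis v1.99.1 log posted above (selection is mine).
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\wcwpwc.exe reg_run
O4 - HKLM\..\Run: [keyboard] C:\\kybrde_5.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O15 - Trusted Zone: *.elitemediagroup.net
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Microsoft Windows Spooler Service (Windows Spooler Service) - Unknown owner - C:\WINDOWS\services.exe (file missing)
"""

ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")          # "O4 - <body>"
EXE_RE = re.compile(r"[A-Za-z]:\\+.*?\.exe", re.IGNORECASE)

def triage_entry(line):
    """Reasons one HijackThis line deserves a closer look ([] if none). Heuristics are mine."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    section, body = m.groups()
    reasons = []
    if section == "R3" and "(no file)" in body:
        reasons.append("URLSearchHook registered with no backing file")
    elif section == "O4":
        exe = EXE_RE.search(body)
        # Collapse doubled backslashes; a single separator left means the drive root.
        if exe and re.sub(r"\\+", r"\\", exe.group(0)).count("\\") == 1:
            reasons.append("autostart runs an executable straight from the drive root")
    elif section == "O15":
        reasons.append("Trusted Zone entry relaxes IE security for this domain")
    elif section == "O23":
        parts = body.rsplit(" - ", 2)            # name - owner - path
        if len(parts) == 3:
            name, owner, path = parts
            if "(file missing)" in path:
                reasons.append("service binary is missing from disk")
            if owner == "Unknown owner":
                reasons.append("service has no recorded publisher")
            if re.search(r"microsoft|windows", name, re.I) and "system32" not in path.lower():
                reasons.append("named like a Windows component but not in system32")
    return reasons

def triage_log(text):
    """Map each flagged log line to its reasons; clean lines are omitted."""
    return {l.strip(): r for l in text.splitlines() if (r := triage_entry(l))}
```

Running `triage_log(SAMPLE_LOG)` flags five of the eight sample lines and leaves the Symantec autostart, the System32 autostart and the Lexmark service alone, which matches what a helper would single out by eye.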

#2 Mr_JAk3 (HJT Team Member)

Posted 09 September 2006 - 09:47 AM

Hi barrett101 and welcome to Bleeping Computer :thumbsup:

You got infections there...

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and Download and Execute files

If this system is used for online banking or has credit card information on it, all passwords should be changed immediately by using a different computer (not the infected one!) to make the changes. Banking and credit card institutions, if any, should be notified of the possible security breach.

I suggest that you read this article too.

Before we can start the cleaning I need you to do something important.

Please download and install Windows XP Service Pack 1A -> Windows XP SP1a
NOTE! Do NOT install Service Pack 2 yet. We'll have to get you cleaned first

When you're ready, please rename HijackThis.exe to Scanner.exe
Then post a fresh HijackThis (scanner.exe) log to here :flowers:

#3 barrett101 (Topic Starter)

Posted 09 September 2006 - 04:24 PM

Hi, thanks for the suggestions. I think I neglected to mention my system configuration. Looking at the Microsoft site for the SP1 update, it says the system requirements are 148MB, and up to 454MB during installation. Unfortunately this is on a laptop, and the hard drive has been partitioned; starting with only 5.8GB, the Windows partition now only has 168MB remaining empty. I have deleted as much as I can without going into Windows and deleting files from there. So I'm not sure I can successfully install the updates. I might need to roll back the OS to the original Windows ME (I've read that it's not too easy to re-configure the partition, and so am hesitant to do anything there).
Lately my system seems to have a mind of its own when it comes to available space: I can check it and it will tell me there is low free space, with about 60MB, and then I will re-check it 2 seconds later and it will be up to 120MB, and it will keep jumping around.

Thanks for the help..

#4 Mr_JAk3 (HJT Team Member)

Posted 10 September 2006 - 03:45 AM

Hi again barrett101.

Ok, the reason why I would have wanted you to update your system before the cleaning is that without the updates, re-infection is highly likely. So there is no point in cleaning because you would probably get infected again. Even with a proper firewall and antivirus you get infected since the system is vulnerable...

So what is the whole size of your hard disk, is it 5.8GB or is that just the Windows partition?
In the latter case, a reformat and repartitioning would be the best option since then you could stay clean too....

I'm sure that you have some unnecessary files that you can remove in order to make more space.

So install SP1a, when you're ready, please rename HijackThis.exe to Scanner.exe
Then post a fresh HijackThis (scanner.exe) log to here

Edited by Mr_JAk3, 10 September 2006 - 03:54 AM.


#5 barrett101 (Topic Starter)

Posted 10 September 2006 - 04:10 AM

Hi,
Yes, my hard disk is 5.8GB in total. The Windows partition is a whopping 1.99GB (don't ask me why it is that way, I don't know).. I'm pretty much figuring that I need to reformat the whole disk and re-install Windows with no partition.

#6 Mr_JAk3 (HJT Team Member)

Posted 10 September 2006 - 04:28 AM

Hi again, that would be the best option.

Please make sure that you know what to do before beginning the operation.

Here are a few links that will probably help.

When should I re-format? How should I reinstall?
Windows XP Clean install

Then there are a couple of things you should do immediately after installing Windows and before surfing the net...
  • Install an antivirus and firewall (you should download and have those on a CD or USB drive, all ready to be installed).

    These are good (free) firewalls:
    - Kerio
    - Sygate
    - Outpost

    These are good (free) antiviruses:
    - Antivir
    - Avast
    - AVG
  • Get all Windows updates installed!
Please ask me if you have any questions :thumbsup:

Then here are a few things that you can do in order to make your fresh computer more secure:

#7 barrett101 (Topic Starter)

Posted 10 September 2006 - 06:13 AM

Ok, looks like a lot of good info. I will follow your suggestion and do the clean install, and install the protection software prior to connecting to the net. I guess while I'm at it it might be a good idea to upgrade the hard disk too.

Thanks for the help..

#8 Mr_JAk3 (HJT Team Member)

Posted 10 September 2006 - 12:31 PM

I guess while i'm at it it might be a good idea to upgrade the hard disk too.

Good idea :thumbsup:

You're welcome, it is always nice to help :flowers: