Hello.
My niece's PC is severely infected with what I believe is the Vundo Trojan, along with a rootkit and some other stuff. My brother and I both took stabs at deleting this infection with Malwarebytes, HJT, and CCleaner, and nothing has worked; the same .dll files keep reappearing, so they're obviously embedded somewhere and hidden very well in the system32 folder. Lag isn't so much of an issue since the PC only has about half a gig of RAM, but the hijacked browser and other annoyances are getting to me. My niece said she downloaded a copy of HTMLpad 2009 2 days ago on the computer from a torrent site, and that's when the computer decided to go bonkers... I've since uninstalled the program, but I see the install files still there (could be the source of the problem). So instead of ripping my hair out in trying to get rid of these backdoor exploits and rootkit trojans, we're throwing in the towel and looking for additional help.
I could not get a Panda Scan because of my browser being compromised by this, and it keeps getting redirected to another site for protectionrunscanner.com. And even if I try to disable the pop-up, Panda's site is blocked and I keep getting a connection error for the site even though my net is OK. So hopefully the Kaspersky Scan that I was able to get is an OK substitution until I can do a Panda scan...
I ran MBAM/HJT and have posted the logs below as well.
Any and all help is greatly appreciated.
Thanks!
HJT:
Logfile of random's system information tool 1.04 (written by random/random)
Run by Administrator at 2008-12-14 18:42:30
Microsoft Windows XP Professional Service Pack 3
System drive C: has 10 GB (27%) free of 36 GB
Total RAM: 510 MB (43% free)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:42:33, on 12/14/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Administrator.exe
O2 - BHO: (no name) - {104bccc5-2e40-48f1-a94c-aee61e529351} - C:\WINDOWS\system32\gifepujo.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [kufafufumo] Rundll32.exe "C:\WINDOWS\system32\zigomobo.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [kufafufumo] Rundll32.exe "C:\WINDOWS\system32\zigomobo.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [kufafufumo] Rundll32.exe "C:\WINDOWS\system32\zigomobo.dll",s (User 'NETWORK SERVICE')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1179849197859
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1179849190859
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} - http://www-307.ibm.c...rt/IbmEgath.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\pegatijo.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 4255 bytes
======Scheduled tasks folder======
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\GoogleUpdateTaskUser.job
C:\WINDOWS\tasks\hiyfhxtr.job
======Registry dump======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{104bccc5-2e40-48f1-a94c-aee61e529351}]
C:\WINDOWS\system32\gifepujo.dll []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe [2008-11-26 81000]
"kufafufumo"=C:\WINDOWS\system32\zigomobo.dll []
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2007-10-10 39792]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
C:\Documents and Settings\Nora\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-12 133104]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe [2005-06-21 126976]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ibmmessages]
C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe [2004-08-06 442368]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe [2005-06-21 155648]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe [2008-11-20 290088]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSetup]
C:\DOCUME~1\Nora\LOCALS~1\Temp\QuickCam_11.80.1065\setup.exe /skip_all_checks /p /start /restart /l:enu []
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mouse Suite 98 Daemon]
C:\WINDOWS\system32\ICO.EXE [2005-04-13 49152]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe [2007-10-18 5724184]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orb]
C:\Program Files\Winamp Remote\bin\OrbTray.exe [2008-01-07 495616]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask.exe [2008-11-04 413696]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2008-07-07 2156368]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre6\bin\jusched.exe [2008-11-23 136600]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2008-11-25 185872]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe [2008-08-03 36352]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE [2007-08-20 4670704]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
C:\PROGRA~1\LimeWire\LimeWire.exe [2008-08-21 147456]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LaunchU3.exe.lnk]
C:\WINDOWS\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_294823.exe [2008-10-11 22486]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
C:\PROGRA~1\WI459E~1\WINDOW~1.EXE [2008-05-26 123904]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Nora^Start Menu^Programs^Startup^Logitech . Product Registration.lnk]
C:\PROGRA~1\Logitech\QuickCam\eReg.exe [2008-02-13 493832]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ioloDMV"=2
"CCALib8"=2
"iPod Service"=3
"Bonjour Service"=2
"Apple Mobile Device"=2
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="C:\WINDOWS\system32\pegatijo.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2005-06-21 348160]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LBTWlgn]
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll [2008-11-07 72208]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2008-09-05 241704]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"=C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2008-05-26 304128]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=scecli
C:\WINDOWS\system32\pegatijo.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WdfLoadGroup]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=
"NoDrives"=
"NoDriveAutoRun"=
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\Program Files\AIM6\AIM6.EXE"="C:\Program Files\AIM6\AIM6.EXE:*:Enabled:AIM"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\Program Files\MSN Messenger\MSNMSGR.EXE"="C:\Program Files\MSN Messenger\MSNMSGR.EXE:*:Enabled:Messenger"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\uTorrent\uTorrent.exe"="C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:uTorrent"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Winamp Remote\bin\Orb.exe"="C:\Program Files\Winamp Remote\bin\Orb.exe:*:Enabled:Orb"
"C:\Program Files\Winamp Remote\bin\OrbTray.exe"="C:\Program Files\Winamp Remote\bin\OrbTray.exe:*:Enabled:OrbTray"
"C:\Program Files\Winamp Remote\bin\OrbStreamerClient.exe"="C:\Program Files\Winamp Remote\bin\OrbStreamerClient.exe:*:Enabled:Orb Stream Client"
"C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox"
"C:\Program Files\ICQ6\ICQ.exe"="C:\Program Files\ICQ6\ICQ.exe:*:Enabled:ICQ6"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\WINDOWS\EXPLORER.EXE"="C:\WINDOWS\EXPLORER.EXE:*:Enabled:Explorer"
"C:\WINDOWS\System32\logonui.exe"="C:\WINDOWS\System32\logonui.exe:*:Enabled:logonui"
"C:\WINDOWS\system32\winlogon.exe"="C:\WINDOWS\system32\winlogon.exe:*:Enabled:winlogon"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
======File associations======
.bat - edit -
.cmd - edit -
.inf - open -
.ini - open -
.js - edit -
.js - open - NOTEPAD.EXE %1
.reg - edit -
.reg - open - NOTEPAD.EXE %1
.scr - open - NOTEPAD.EXE %1
.txt - open -
.vbs - edit -
.vbs - open - NOTEPAD.EXE %1
======List of files/folders created in the last 1 months======
2008-12-14 18:01:11 ----D---- C:\Program Files\Panda Security
2008-12-14 13:50:35 ----HD---- C:\WINDOWS\$NtUninstallKB956803$
2008-12-14 13:30:50 ----D---- C:\Program Files\CCleaner
2008-12-14 13:16:04 ----A---- C:\WINDOWS\system32\Incinerator.dll
2008-12-14 13:15:58 ----A---- C:\WINDOWS\system32\smrgdf.exe
2008-12-14 13:15:58 ----A---- C:\WINDOWS\system32\iolobtdfg.exe
2008-12-14 13:15:52 ----D---- C:\Program Files\iolo
2008-12-14 13:13:16 ----D---- C:\Documents and Settings\Administrator\Application Data\iolo
2008-12-13 19:48:48 ----D---- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-12-13 19:44:54 ----D---- C:\Documents and Settings\Administrator\Application Data\Logitech
2008-12-13 19:23:00 ----A---- C:\rapport2.txt
2008-12-13 19:18:12 ----A---- C:\WINDOWS\system32\tmp.txt
2008-12-13 19:17:57 ----A---- C:\rapport.txt
2008-12-13 19:17:31 ----A---- C:\WINDOWS\system32\WS2Fix.exe
2008-12-13 19:17:31 ----A---- C:\WINDOWS\system32\VCCLSID.exe
2008-12-13 19:17:31 ----A---- C:\WINDOWS\system32\VACFix.exe
2008-12-13 19:17:31 ----A---- C:\WINDOWS\system32\swxcacls.exe
2008-12-13 19:17:31 ----A---- C:\WINDOWS\system32\swsc.exe
2008-12-13 19:17:31 ----A---- C:\WINDOWS\system32\swreg.exe
2008-12-13 19:17:31 ----A---- C:\WINDOWS\system32\SrchSTS.exe
2008-12-13 19:17:31 ----A---- C:\WINDOWS\system32\Process.exe
2008-12-13 19:17:31 ----A---- C:\WINDOWS\system32\o4Patch.exe
2008-12-13 19:17:31 ----A---- C:\WINDOWS\system32\IEDFix.exe
2008-12-13 19:17:31 ----A---- C:\WINDOWS\system32\IEDFix.C.exe
2008-12-13 19:17:31 ----A---- C:\WINDOWS\system32\dumphive.exe
2008-12-13 19:17:31 ----A---- C:\WINDOWS\system32\Agent.OMZ.Fix.exe
2008-12-13 19:17:31 ----A---- C:\WINDOWS\system32\404Fix.exe
2008-12-13 19:16:04 ----D---- C:\WINDOWS\CSC
2008-12-13 18:50:56 ----SHD---- C:\FOUND.005
2008-12-13 16:27:14 ----D---- C:\Documents and Settings\Administrator\Application Data\Windows Search
2008-12-13 16:12:09 ----D---- C:\Documents and Settings\Administrator\Application Data\OpenOffice.org
2008-12-13 15:59:13 ----D---- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-12-13 15:50:39 ----A---- C:\gqstsqym.exe
2008-12-13 15:48:51 ----A---- C:\WINDOWS\system32\geBrOhFy.dll
2008-12-13 15:48:19 ----A---- C:\WINDOWS\system32\nokye.exe
2008-12-13 08:28:47 ----HD---- C:\WINDOWS\$NtUninstallWdf01005$
2008-12-13 08:27:29 ----A---- C:\WINDOWS\system32\BtCoreIf.dll
2008-12-13 08:27:24 ----A---- C:\WINDOWS\system32\KemXML.dll
2008-12-13 08:27:24 ----A---- C:\WINDOWS\system32\KemWnd.dll
2008-12-13 08:27:24 ----A---- C:\WINDOWS\system32\KemUtil.dll
2008-12-13 08:27:24 ----A---- C:\WINDOWS\system32\kemutb.dll
2008-12-12 04:03:30 ----HD---- C:\WINDOWS\$NtUninstallKB955839$
2008-12-12 04:00:43 ----HD---- C:\WINDOWS\$NtUninstallKB952069_WM9$
2008-12-12 04:00:38 ----HD---- C:\WINDOWS\$NtUninstallKB954600$
2008-12-12 04:00:25 ----HD---- C:\WINDOWS\$NtUninstallKB956802$
2008-12-02 23:45:10 ----D---- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2008-12-02 23:05:58 ----D---- C:\Program Files\Messenger Plus! Live
2008-11-28 17:56:11 ----D---- C:\Program Files\iPod
2008-11-28 17:55:58 ----D---- C:\Program Files\iTunes
2008-11-28 17:55:58 ----D---- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-28 17:54:39 ----D---- C:\Program Files\Bonjour
2008-11-28 17:53:08 ----D---- C:\Program Files\QuickTime
2008-11-26 07:32:34 ----D---- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-11-26 07:32:31 ----D---- C:\Program Files\Viewpoint
2008-11-26 07:32:31 ----D---- C:\Documents and Settings\All Users\Application Data\acccore
2008-11-25 10:13:19 ----D---- C:\Program Files\Common Files\xing shared
2008-11-25 10:13:12 ----A---- C:\WINDOWS\system32\rmoc3260.dll
2008-11-25 10:13:03 ----A---- C:\WINDOWS\system32\pndx5032.dll
2008-11-25 10:13:03 ----A---- C:\WINDOWS\system32\pndx5016.dll
2008-11-25 10:13:02 ----D---- C:\Program Files\Real
2008-11-25 10:13:02 ----A---- C:\WINDOWS\system32\pncrt.dll
2008-11-25 10:12:59 ----D---- C:\Program Files\Common Files\Real
2008-11-25 08:23:42 ----D---- C:\Program Files\Creative
2008-11-25 08:23:42 ----A---- C:\WINDOWS\system32\eax.dll
2008-11-25 08:13:05 ----D---- C:\Program Files\Eidos Interactive
2008-11-24 20:28:12 ----D---- C:\Program Files\Common Files\Download Manager
2008-11-23 10:44:23 ----A---- C:\WINDOWS\system32\javaws.exe
2008-11-23 10:44:23 ----A---- C:\WINDOWS\system32\javaw.exe
2008-11-23 10:44:23 ----A---- C:\WINDOWS\system32\java.exe
2008-11-23 10:44:23 ----A---- C:\WINDOWS\system32\deploytk.dll
2008-11-22 11:34:14 ----D---- C:\Program Files\JRE
2008-11-22 11:34:07 ----D---- C:\Program Files\OpenOffice.org 3
2008-11-16 13:21:24 ----HD---- C:\Program Files\InstallShield Installation Information
2008-11-16 12:43:23 ----D---- C:\Program Files\ICQ6
2008-11-16 11:27:14 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
======List of files/folders modified in the last 1 months======
2008-12-14 18:31:50 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-12-13 19:44:24 ----A---- C:\WINDOWS\OEWABLog.txt
2008-12-13 19:17:04 ----A---- C:\WINDOWS\ntbtlog.txt
2008-12-13 18:44:26 ----RASH---- C:\BOOT.INI
2008-12-13 18:44:26 ----A---- C:\WINDOWS\win.ini
2008-12-13 18:44:26 ----A---- C:\WINDOWS\system.ini
2008-12-13 08:28:56 ----A---- C:\WINDOWS\imsins.BAK
2008-11-26 12:21:30 ----A---- C:\WINDOWS\system32\aswBoot.exe
2008-11-24 20:30:28 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R1 Aavmker4;avast! Asynchronous Virus Monitor; C:\WINDOWS\system32\drivers\Aavmker4.sys [2008-11-26 26944]
R1 aswSP;avast! Self Protection; C:\WINDOWS\system32\drivers\aswSP.sys [2008-11-26 111184]
R1 aswTdi;avast! Network Shield Support; C:\WINDOWS\system32\drivers\aswTdi.sys [2008-11-26 50864]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 pelmouse;Mouse Suite Driver; C:\WINDOWS\system32\DRIVERS\pelmouse.sys [2003-01-10 16384]
R2 aswFsBlk;aswFsBlk; C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-11-26 20560]
R2 aswMon2;avast! Standard Shield Support; C:\WINDOWS\system32\drivers\aswMon2.sys [2008-11-26 94032]
R2 LBeepKE;LBeepKE; C:\WINDOWS\System32\Drivers\LBeepKE.sys [2008-09-26 10384]
R3 aeaudio;aeaudio; C:\WINDOWS\system32\drivers\aeaudio.sys [2003-10-23 100384]
R3 aswRdr;aswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [2008-11-26 23152]
R3 E100B;Intel® PRO Network Connection Driver; C:\WINDOWS\System32\DRIVERS\e100b325.sys [2007-11-16 165496]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2008-04-17 15464]
R3 ialm;ialm; C:\WINDOWS\System32\DRIVERS\ialmnt5.sys [2005-06-21 807998]
R3 L8042Kbd;Logitech SetPoint Keyboard Driver; C:\WINDOWS\system32\DRIVERS\L8042Kbd.sys [2008-09-26 20240]
R3 lvpopflt;Logitech POP Suppression Filter; C:\WINDOWS\system32\DRIVERS\lvpopflt.sys [2008-07-26 95384]
R3 LVPr2Mon;Logitech LVPr2Mon Driver; C:\WINDOWS\system32\DRIVERS\LVPr2Mon.sys [2008-07-26 25624]
R3 LVRS;Logitech RightSound Filter Driver; C:\WINDOWS\system32\DRIVERS\lvrs.sys [2008-07-26 627864]
R3 LVUSBSta;Logitech USB Monitor Filter; C:\WINDOWS\system32\drivers\LVUSBSta.sys [2008-07-26 41752]
R3 LVUVC;Logitech QuickCam Pro 5000(UVC); C:\WINDOWS\system32\DRIVERS\lvuvc.sys [2008-07-26 4658584]
R3 pelps2m;PS/2 Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\pelps2m.sys [2003-01-20 18048]
R3 psadd;Lenovo Parties Service Access Device Driver; C:\WINDOWS\system32\DRIVERS\psadd.sys [2006-09-12 28224]
R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2003-10-27 578432]
R3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-13 60032]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S1 {6080A529-897E-4629-A488-ABA0C29B635E};Intel® Graphics Platform (SoftBIOS) Driver; C:\WINDOWS\system32\drivers\ialmsbw.sys [2002-10-16 91678]
S3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91};Intel® Graphics Chipset (KCH) Driver; C:\WINDOWS\system32\drivers\ialmkchw.sys [2002-10-16 71514]
S3 ac97intc;Intel® 82801 Audio Driver Install Service (WDM); C:\WINDOWS\system32\drivers\ac97intc.sys [2001-08-17 96256]
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2004-07-09 16384]
S3 EGATHDRV;IBM Access Support; \??\C:\WINDOWS\Downloaded Program Files\EGATHDRV.SYS []
S3 FilterService;UVC Filter Service; C:\WINDOWS\system32\DRIVERS\lvuvcflt.sys [2008-07-26 23832]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 LHidFilt;Logitech SetPoint KMDF HID Filter Driver; C:\WINDOWS\system32\DRIVERS\LHidFilt.Sys [2008-09-26 35472]
S3 LMouFilt;Logitech SetPoint KMDF Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\LMouFilt.Sys [2008-09-26 37392]
S3 LUsbFilt;Logitech SetPoint KMDF USB Filter; C:\WINDOWS\System32\Drivers\LUsbFilt.Sys [2008-09-26 28816]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2002-12-12 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2004-07-09 83968]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2004-07-09 10112]
S3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2004-08-03 1897408]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]
S3 StillCam;Still Serial Digital Camera Driver; C:\WINDOWS\system32\DRIVERS\serscan.sys [2001-08-17 6784]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2004-07-09 14976]
S3 usbbus;LGE CDMA Composite USB Device; C:\WINDOWS\system32\DRIVERS\lgusbbus.sys [2005-05-26 21344]
S3 UsbDiag;LGE CDMA USB Serial Port; C:\WINDOWS\system32\DRIVERS\lgusbdiag.sys [2005-05-26 38144]
S3 USBModem;LGE CDMA USB Modem; C:\WINDOWS\system32\DRIVERS\lgusbmodem.sys [2005-06-24 39036]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 Wdf01000;Wdf01000; C:\WINDOWS\system32\DRIVERS\Wdf01000.sys [2006-11-02 492000]
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2004-07-09 18688]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R2 aswUpdSv;avast! iAVS4 Control Service; C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe [2008-11-26 18752]
R2 avast! Antivirus;avast! Antivirus; C:\Program Files\Alwil Software\Avast4\ashServ.exe [2008-11-26 155160]
R2 ioloFileInfoList;iolo FileInfoList Service; C:\Program Files\iolo\common\lib\ioloServiceManager.exe [2008-12-04 596336]
R2 ioloSystemService;iolo System Service; C:\Program Files\iolo\common\lib\ioloServiceManager.exe [2008-12-04 596336]
R2 LVPrcSrv;Process Monitor; C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe [2008-07-26 150040]
R2 Viewpoint Manager Service;Viewpoint Manager Service; C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
R3 avast! Mail Scanner;avast! Mail Scanner; C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [2008-11-26 254040]
R3 avast! Web Scanner;avast! Web Scanner; C:\Program Files\Alwil Software\Avast4\ashWebSv.exe [2008-11-26 352920]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [2007-10-09 36864]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2007-10-11 864256]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S4 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-11-07 132424]
S4 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
S4 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-11-20 536872]
S4 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2008-11-23 152984]
S4 LBTServ;Logitech Bluetooth Service; C:\Program Files\Common Files\LogiShrd\Bluetooth\LBTServ.exe [2008-11-07 121360]
S4 LVCOMSer;LVCOMSer; C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe [2008-07-26 186904]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2007-10-11 122880]
S4 ProtexisLicensing;ProtexisLicensing; C:\WINDOWS\system32\PSIService.exe [2007-06-05 177704]
S4 WSearch;Windows Search; C:\WINDOWS\system32\SearchIndexer.exe [2008-05-26 439808]
-----------------EOF-----------------
MBAM:
Malwarebytes' Anti-Malware 1.30
Database version: 1402
Windows 5.1.2600 Service Pack 3
12/15/2008 7:33:06 AM
mbam-log-2008-12-15 (07-33-00).txt
Scan type: Quick Scan
Objects scanned: 60432
Time elapsed: 4 minute(s), 16 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 3
Registry Values Infected: 5
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 5
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\system32\webogori.dll (Trojan.Vundo.H) -> No action taken.
c:\WINDOWS\system32\vonineye.dll (Trojan.BHO) -> No action taken.
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> No action taken.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\34401059 (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm377323c5 (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kufafufumo (Trojan.Agent) -> No action taken.
Registry Data Items Infected:
HKEY_CLASSES_ROOT\scrfile\shell\open\command\ (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) -> No action taken.
HKEY_CLASSES_ROOT\regfile\shell\open\command\ (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe "%1") -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.BHO) -> Data: c:\windows\system32\vonineye.dll -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.BHO) -> Data: system32\vonineye.dll -> No action taken.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\ganafihe.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\ehifanag.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\webogori.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\irogobew.ini (Trojan.Vundo.H) -> No action taken.
c:\WINDOWS\system32\vonineye.dll (Trojan.BHO) -> No action taken.
Kaspersky:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, December 14, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, December 14, 2008 20:58:20
Records in database: 1461208
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - Folder:
C:\
Scan statistics:
Files scanned: 85009
Threat name: 8
Infected objects: 8
Suspicious objects: 0
Duration of the scan: 01:48:43
File name / Threat name / Threats count
C:\IBMWORK\2GXSM0A\PLSREM~1.EXE Infected: not-a-virus:RemoteAdmin.Win32.PLSRemot 1
C:\WINDOWS\system32\drivers\80024307.sys Infected: Rootkit.Win32.Agent.fkl 1
C:\WINDOWS\system32\geBrOhFy.dll Infected: Trojan-Downloader.Win32.Agent.aubk 1
C:\Documents and Settings\Nora\My Documents\Incomplete\T-3545425-wave of mutilation.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Documents and Settings\Nora\My Documents\Downloads\Blumentals.HTMLPad.2008.Pro.v9.3.0.101.WinAll.Retail-CRD\BLUMENT.HTMPAD.2008.PRO.9.3.0.101.CRD\htmlpad9_full.exe Infected: Backdoor.Win32.Bifrose.agas 1
C:\System Volume Information\_restore{E7276E57-4F79-409F-B1A4-3D382C476E72}\RP61\A0014954.sys Infected: Backdoor.Win32.TDSS.bkw 1
C:\System Volume Information\_restore{E7276E57-4F79-409F-B1A4-3D382C476E72}\RP61\A0014956.dll Infected: Trojan.Win32.Agent.arvz 1
C:\System Volume Information\_restore{E7276E57-4F79-409F-B1A4-3D382C476E72}\RP61\A0014981.sys Infected: Rootkit.Win32.Protector.bd 1
The selected area was scanned.
#1
Posted 15 December 2008 - 12:43 PM
#2
Posted 15 December 2008 - 12:47 PM
Oh, and with the Panda scan: I was able to get to the website on another browser, but once I start the scan it stops and freezes after 2 or 3 minutes, and then nothing happens whatsoever after waiting for another 10 mins or so...
#3
Posted 15 December 2008 - 08:47 PM
Please close this thread. I managed to resolve my issue and removed Vundo and other traces of malware from my system, myself.
Malwarebytes' Anti-Malware 1.31
Database version: 1456
Windows 5.1.2600 Service Pack 3
12/15/2008 3:40:32 PM
mbam-log-2008-12-15 (15-40-32).txt
Scan type: Quick Scan
Objects scanned: 58821
Time elapsed: 3 minute(s), 2 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)