
Author Topic: Very bad Vundo-variant attack!  (Read 15391 times)


saltydogs

    Topic Starter


    Rookie

    Very bad Vundo-variant attack!
    « on: May 28, 2008, 12:47:37 AM »
    PC has been infected. Antivir picked up a Trojan. The computer is not working right.
    Task Manager has been disabled. The C: drive has disappeared from the My Computer folder.
    "VIRUS ALERT" and strange icons have invaded the taskbar.


    Running Windows XP SP2. 
    Required logs attached.

    Thank you for your time.

    Malwarebytes' Anti-Malware 1.12                 
    Database version: 793 
     
    Scan type: Full Scan (C:\|) 
    Objects scanned: 141742 
    Time elapsed: 1 hour(s), 0 minute(s), 45 second(s) 
     
    Memory Processes Infected: 0 
    Memory Modules Infected: 1 
    Registry Keys Infected: 16 
    Registry Values Infected: 3 
    Registry Data Items Infected: 0 
    Folders Infected: 0 
    Files Infected: 5 
     
    Memory Processes Infected: 
    (No malicious items detected) 
     
    Memory Modules Infected: 
    C:\WINDOWS\SYSTEM32\ktadwdxj.dll (Trojan.Vundo) -> Unloaded module successfully. 
     
    Registry Keys Infected: 
    HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully. 
    HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully. 
    HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully. 
    HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully. 
    HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully. 
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully. 
    HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully. 
    HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully. 
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully. 
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully. 
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully. 
    HKEY_CLASSES_ROOT\CLSID\{1d66eeba-b182-4fc3-b219-c20ccdc81df7} (Trojan.FakeAlert) -> Quarantined and deleted successfully. 
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1d66eeba-b182-4fc3-b219-c20ccdc81df7} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\atfxqogp.bore (Trojan.FakeAlert) -> Quarantined and deleted successfully. 
    HKEY_CLASSES_ROOT\atfxqogp.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully. 
    HKEY_CURRENT_USER\Software\MediaLoads (Adware.Medload) -> Quarantined and deleted successfully. 
     
    Registry Values Infected: 
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\49523b3e (Trojan.Vundo) -> Quarantined and deleted successfully. 
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\vltdfabw (Trojan.FakeAlert) -> Quarantined and deleted successfully. 
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\vregfwlx (Trojan.FakeAlert) -> Quarantined and deleted successfully. 
     
    Registry Data Items Infected: 
    (No malicious items detected) 
     
    Folders Infected: 
    (No malicious items detected) 
     
    Files Infected: 
    C:\WINDOWS\SYSTEM32\ktadwdxj.dll (Trojan.Vundo) -> Delete on reboot. 
    C:\WINDOWS\SYSTEM32\jxdwdatk.ini (Trojan.Vundo) -> Quarantined and deleted successfully. 
    C:\WINDOWS\xmpstean.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully. 
    C:\WINDOWS\boqnrwdmxak.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully. 
    C:\WINDOWS\tmlpcert2005 (Adware.EGDAccess) -> Quarantined and deleted successfully. 


    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 05/27/2008 at 06:13 PM

    Application Version : 3.9.1008

    Core Rules Database Version : 3468
    Trace Rules Database Version: 1459

    Scan type       : Complete Scan
    Total Scan Time : 06:05:17

    Memory items scanned      : 380
    Memory threats detected   : 3
    Registry items scanned    : 5901
    Registry threats detected : 29
    File items scanned        : 28380
    File threats detected     : 8

    Adware.Vundo Variant/Resident
       C:\WINDOWS\SYSTEM32\SSQPGHBB.DLL
       C:\WINDOWS\SYSTEM32\SSQPGHBB.DLL

    Adware.VideoAccessCodec/Gen
       C:\WINDOWS\VREGFWLX.DLL
       C:\WINDOWS\VREGFWLX.DLL

    Adware.Vundo-Variant/J
       C:\WINDOWS\VLTDFABW.DLL
       C:\WINDOWS\VLTDFABW.DLL

    Trojan.Vundo-Variant/Small
       HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{09ADE64C-F03B-46E8-8142-C4BE50F289EB}
       HKCR\CLSID\{09ADE64C-F03B-46E8-8142-C4BE50F289EB}
       HKCR\CLSID\{09ADE64C-F03B-46E8-8142-C4BE50F289EB}\InprocServer32
       HKCR\CLSID\{09ADE64C-F03B-46E8-8142-C4BE50F289EB}\InprocServer32#ThreadingModel

    Trojan.Unclassified/GTS
       HKLM\Software\Microsoft\Internet Explorer\Toolbar#{5BAD7AAD-2121-49AB-8C4B-E175BD23E820}
       HKCR\CLSID\{5BAD7AAD-2121-49AB-8C4B-E175BD23E820}
       HKCR\CLSID\{5BAD7AAD-2121-49AB-8C4B-E175BD23E820}
       HKCR\CLSID\{5BAD7AAD-2121-49AB-8C4B-E175BD23E820}\InprocServer32
       HKCR\CLSID\{5BAD7AAD-2121-49AB-8C4B-E175BD23E820}\InprocServer32#ThreadingModel
       HKCR\CLSID\{5BAD7AAD-2121-49AB-8C4B-E175BD23E820}\ProgID
       HKCR\CLSID\{5BAD7AAD-2121-49AB-8C4B-E175BD23E820}\Programmable
       HKCR\CLSID\{5BAD7AAD-2121-49AB-8C4B-E175BD23E820}\TypeLib
       HKCR\CLSID\{5BAD7AAD-2121-49AB-8C4B-E175BD23E820}\VersionIndependentProgID
       HKCR\atfxqogp.1
       HKCR\atfxqogp
       HKCR\TypeLib\{17E301A6-F80F-4856-9243-A80AFD2DE075}
       HKCR\TypeLib\{17E301A6-F80F-4856-9243-A80AFD2DE075}\1.0
       HKCR\TypeLib\{17E301A6-F80F-4856-9243-A80AFD2DE075}\1.0\0
       HKCR\TypeLib\{17E301A6-F80F-4856-9243-A80AFD2DE075}\1.0\0\win32
       HKCR\TypeLib\{17E301A6-F80F-4856-9243-A80AFD2DE075}\1.0\FLAGS
       HKCR\TypeLib\{17E301A6-F80F-4856-9243-A80AFD2DE075}\1.0\HELPDIR
       C:\WINDOWS\ATFXQOGP.DLL

    Adware.IWantSearchBar
       HKU\S-1-5-21-796845957-573735546-1801674531-1004\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser#{0E1230F8-EA50-42A9-983C-D22ABC2EED3B}

    Adware.Tracking Cookie
       C:\Documents and Settings\The Hoaglands\Cookies\[email protected][1].txt

    Browser Hijacker.Internet Explorer Settings Hijack
       HKU\S-1-5-21-796845957-573735546-1801674531-1004\Software\Microsoft\Internet Explorer\Main#Start Page [ http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2 ]

    Desktop Hijacker.AboutYourPrivacy
       C:\Documents and Settings\The Hoaglands\Favorites\Error Cleaner.url
       C:\Documents and Settings\The Hoaglands\Favorites\Privacy Protector.url
       C:\Documents and Settings\The Hoaglands\Favorites\Spyware&Malware Protection.url

    Trojan.Net-MU/Gen
       HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebVideo
       HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebVideo#DisplayName
       HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebVideo#uninstallString

    Adware.Vundo Variant/Rel
       HKLM\SOFTWARE\Microsoft\aoprndtws
       HKLM\SOFTWARE\Microsoft\RemoveRP
       HKU\S-1-5-21-796845957-573735546-1801674531-1004\Software\Microsoft\rdfa


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 02:23: VIRUS ALERT!, on 5/28/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
    C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\WgaTray.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [Auto EPSON Stylus CX3800 Series on DISH] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P39 "Auto EPSON Stylus CX3800 Series on DISH" /O15 "\\DISH\EPSONSty" /M "Stylus CX3800"
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O13 - DefaultPrefix:
    O15 - Trusted Zone: *.fnismls.com
    O15 - Trusted Zone: *.getmedianow.com
    O15 - Trusted Zone: *.live.com
    O15 - Trusted Zone: *.showingtime.com
    O15 - Trusted Zone: *.sitexdata.com
    O15 - Trusted Zone: *.spellchecker.net
    O15 - Trusted Zone: *.transactionpoint.com
    O15 - Trusted Zone: *.trpoint.com
    O15 - Trusted Zone: *.virtualearth.net
    O16 - DPF: ConferenceRoom Java Client - http://java.financialchat.com:8000/java/cr.cab
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
    O16 - DPF: {0D859AF0-C75E-11D4-B760-00E0B81077E8} (FileCruiser Class) - http://coop.mlxchange.com/Control/FileCruiser.cab
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
    O16 - DPF: {13D448F2-4D80-40BD-B1D7-25A9B7CB1474} (PMSImage Control) - http://24.75.126.108/install/PMSImage.ocx
    O16 - DPF: {16FD824B-8E7B-11D2-9855-00802962956C} (Specfile Control) - http://coop.mlxchange.com/Control/Specfile.cab
    O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
    O16 - DPF: {284DAE3C-A691-11D3-AD58-00E0B8107A24} (SISCtrl Class) - http://coop.mlxchange.com/Control/SISC.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {3BA3B159-7533-4F96-A2CE-EE5894BBD3D5} (Scanner.SysScanner) - http://i.dell.com/images/global/js/scanner/SYSSCANNER.cab
    O16 - DPF: {4063B398-3FC7-433E-B23B-0460CE7EDC27} (MaxisMakinMagicTeleX Control) - http://thesims.ea.com/teleport/makinmagic/MaxisMakinMagicTeleX.cab
    O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://coop.mlxchange.com/Control/MultiSelectComboBox.cab
    O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://support.rexplorer.net/iftw_install//iftwclix.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://coop.mlxchange.com/Control/MLXClientUtils.cab
    O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://c.ancestry.com/cab/ImageViewer/MFImgVwr.cab
    O16 - DPF: {78523E50-56EB-11D3-B739-CAA1986A452F} (LiteGridCtl Class) - http://coop.mlxchange.com/Control/LiteGrid.cab
    O16 - DPF: {7A7537FC-5988-11D3-8B33-00104B9E5A4A} (IRCWwwPrint Class) - http://coop.mlxchange.com/Control/IRCWebPrint.cab
    O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://ctmls.mlxchange.com/4.2.06.26/Control/IRCSharc.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD42/JSCDL/jre/6u6-b90/jinstall-6u6-windows-i586-jc.cab?AuthParam=1211955591_0bef0b16a370840ba69aa7314db5214e&GroupName=JSC&BHost=javadl.sun.com&FilePath=/ESD42/JSCDL/jre/6u6-b90/jinstall-6u6-windows-i586-jc.cab&File=jinstall-6u6-windows-i586-jc.cab
    O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} (F-Secure Online Scanner 2.1) - http://support.f-secure.com/ols/fscax.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {B151B524-F451-4036-9663-B3944FA710DF} (ExecuteAgent2p Class) - http://www.ct-mls.com/dss/ENUclientPro.cab
    O16 - DPF: {B198A72B-B4C3-42B5-B8DA-B364E76429AA} (Cerebus Class) - http://coop.mlxchange.com/Control/WebDog.cab
    O16 - DPF: {BC8E0F3E-2A7F-11D4-A0F2-0001022F24B8} (LIte Class) - http://coop.mlxchange.com/Components/OutlookXtract.cab
    O16 - DPF: {C7E73900-EF7C-4E63-B36E-E8EEE1CD7DA5} (MPGridControl Class) - http://coop.mlxchange.com/Components/MPGridControl.cab
    O16 - DPF: {F060A272-A18A-11D3-B75B-00E0B81077E8} (DropList Class) - http://coop.mlxchange.com/Control/AspCustomCtrls.cab
    O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
    O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
    O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
    O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
    O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
    O24 - Desktop Component 0: (no name) - http://a712.g.akamai.net/7/712/225/20020411162248/www.eastbay.com/images/products/large/02723297_l.jpg
    O24 - Desktop Component 1: (no name) - http://a712.g.akamai.net/7/712/225/20010509142356/www.eastbay.com/images/products/large/17321101_l.jpg
    O24 - Desktop Component 4: (no name) - http://ctmls.mlxchange.com/

    --
    End of file - 10014 bytes
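As a worked example added here (it is not a tool from this thread, from Trend Micro or from Computer Hope), the script below parses the HijackThis log format shown above into its `Rn`/`On` entries and runs three defender-side checks that correspond to what this log shows: the scan timestamp carrying text other than a time (the "VIRUS ALERT!" symptom the poster describes in the taskbar clock), the `O6` Internet Explorer policy restrictions, and `O16` ActiveX (DPF) downloads fetched from a bare IP address. The sample lines are copied from the log above; the expected timestamp shape `HH:MM:SS AM/PM` is an assumption about a clean HijackThis log, and the raw-IP heuristic is a triage hint to look at, not evidence that the control is malicious.

```python
import re
from collections import Counter

# Constructed sample: the header and a handful of entry lines copied from the
# HijackThis log posted above, so the checks have something to run on offline.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:23: VIRUS ALERT!, on 5/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - Trusted Zone: *.live.com
O16 - DPF: {13D448F2-4D80-40BD-B1D7-25A9B7CB1474} (PMSImage Control) - http://24.75.126.108/install/PMSImage.ocx
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
"""

# Every HJT entry line looks like "<code> - <body>", e.g. "O4 - HKLM\..\Run: [...]".
ENTRY_RE = re.compile(r"^([RFO]\d{1,2}) - (.*)$")
# Assumed shape of an untampered HJT timestamp: "10:12:34 PM".
TIMESTAMP_RE = re.compile(r"\d{1,2}:\d{2}:\d{2}( [AP]M)?")
# Dotted-quad host in an http(s) URL (an ActiveX control served from a bare IP).
IP_URL_RE = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})[/:]")


def parse_hjt(text):
    """Split a HijackThis log into header lines and (code, body) entries."""
    header, entries = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
        else:
            header.append(line)
    return header, entries


def section_counts(text):
    """Number of entries per HJT code; a quick sanity check on the log's shape."""
    return Counter(code for code, _ in parse_hjt(text)[1])


def triage(text):
    """Return (check, detail) findings a defender should look at first."""
    header, entries = parse_hjt(text)
    findings = []
    for h in header:
        if h.startswith("Scan saved at "):
            # "Scan saved at 02:23: VIRUS ALERT!, on 5/28/2008" -> "02:23: VIRUS ALERT!"
            stamp = h[len("Scan saved at "):].split(", on")[0]
            if not TIMESTAMP_RE.fullmatch(stamp):
                findings.append(("time_format_tampered", stamp))
    for code, body in entries:
        if code == "O6":
            # IE restrictions under HKCU\Software\Policies: expected on a managed
            # domain PC, a lockdown symptom on a home machine.
            findings.append(("ie_policy_restriction", body))
        elif code == "O16":
            m = IP_URL_RE.search(body)
            if m:
                findings.append(("activex_from_raw_ip", m.group(1)))
    return findings


if __name__ == "__main__":
    print(dict(section_counts(SAMPLE_LOG)))
    for check, detail in triage(SAMPLE_LOG):
        print(f"[{check}] {detail}")
```

Run on the sample it reports the tampered timestamp, both `O6` restriction lines and the one `O16` control pulled from `24.75.126.108`; the `O4` entries are left alone because nothing in the log marks them as suspicious, which is the right default for a triage pass that a human will read afterwards.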


    evilfantasy

    • Malware Removal Specialist
    • Moderator


    Re: Very bad Vundo-variant attack!
    « Reply #1 on: May 28, 2008, 12:53:51 AM »
    Welcome to CH :)

    Looks like a lot was cleaned up but there is still work to do.

    Download SDFix.exe and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Now reboot your computer in Safe Mode by doing the following:

    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard).
    • Finally add the contents of the Report.txt in your next post.
    If SDFix won't run or you get errors, follow this link for instructions on running SDFix: How to use SDFix

    Also run a new Hijackthis scan and post that log along with the SDFix log.
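The reply above points out that the first scans cleaned a lot but left work to do. One thing a practitioner checks before the reboot the SDFix steps require is which items the Malwarebytes log marked "Delete on reboot": those files were in use when the scan ran, so the engine could only unload the module and defer the file removal. The script below is an added example (not part of this thread and not Malwarebytes' own code) that parses the Malwarebytes log format posted earlier in the thread, lists the deferred deletions, and cross-references them with the in-use modules so you know which paths to confirm are gone after restarting. The sample text is an excerpt copied from the log above; the section and item layout it assumes is exactly what that log shows.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: an excerpt of the Malwarebytes' Anti-Malware log posted above.
SAMPLE_MBAM = r"""Malwarebytes' Anti-Malware 1.12
Database version: 793

Memory Modules Infected: 1
Files Infected: 5

Memory Modules Infected:
C:\WINDOWS\SYSTEM32\ktadwdxj.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Data Items Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\49523b3e (Trojan.Vundo) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\SYSTEM32\ktadwdxj.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\jxdwdatk.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\xmpstean.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

# A detail section header ends with a bare colon ("Files Infected:"); the summary
# lines at the top ("Files Infected: 5") do not, so they are ignored.
SECTION_RE = re.compile(r"^(.+ Infected):$")
# "<path or key> (<family>) -> <action>."
ITEM_RE = re.compile(r"^(?P<item>.+) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam(text):
    """Map each detail section to its list of {item, family, action} dicts."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        s = SECTION_RE.match(line)
        if s:
            current = s.group(1)
            continue
        m = ITEM_RE.match(line)
        if m and current:
            sections[current].append(m.groupdict())
    return dict(sections)


def pending_on_reboot(text):
    """Paths whose removal was deferred because the file was in use."""
    return [e["item"] for e in parse_mbam(text).get("Files Infected", [])
            if e["action"].startswith("Delete on reboot")]


def verify_after_reboot(text):
    """Deferred files that were also loaded as modules: confirm they are gone after restart."""
    sections = parse_mbam(text)
    modules = {e["item"].lower() for e in sections.get("Memory Modules Infected", [])}
    return [p for p in pending_on_reboot(text) if p.lower() in modules]


def family_counts(text):
    """How many detections each malware family accounts for across all sections."""
    return Counter(e["family"] for entries in parse_mbam(text).values() for e in entries)


if __name__ == "__main__":
    print("families:", dict(family_counts(SAMPLE_MBAM)))
    for path in verify_after_reboot(SAMPLE_MBAM):
        print("confirm removed after reboot:", path)
```

On the sample this singles out `C:\WINDOWS\SYSTEM32\ktadwdxj.dll`, the one file the scanner could only unload; if it is still present after the reboot, that is the next thing to report back rather than assuming the earlier scan finished the job.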

    saltydogs

      Topic Starter


      Rookie

      Re: Very bad Vundo-variant attack!
      « Reply #2 on: May 28, 2008, 02:39:56 AM »
      OK. SDFix and HJT logs attached.


      SDFix: Version 1.186
      Run by Administrator on Wed 05/28/2008 at 03:15 AM

      Microsoft Windows XP [Version 5.1.2600]
      Running From: C:\SDFix

      Checking Services :


      Restoring Windows Registry Values
      Restoring Windows Default Hosts File

      Rebooting


      Checking Files :

      No Trojan Files Found






      Removing Temp Files

      ADS Check :
       


                                       Final Check :

      catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
      Rootkit scan 2008-05-28 03:38:06
      Windows 5.1.2600 Service Pack 2 FAT NTAPI

      scanning hidden processes ...

      scanning hidden services ...

      scanning hidden autostart entries ...

      scanning hidden files ...

      scan completed successfully
      hidden processes: 0
      hidden services: 0
      hidden files: 0


      Remaining Services :




      Authorized Application Key Export:

      [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
      "C:\\Program Files\\Lemonade Tycoon 2\\Lemonade2.exe"="C:\\Program Files\\Lemonade Tycoon 2\\Lemonade2.exe:*:Disabled:Lemonade2"
      "C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
      "C:\\Program Files\\REAL\\RealOne Player\\REALPLAY.EXE"="C:\\Program Files\\REAL\\RealOne Player\\REALPLAY.EXE:*:Enabled:RealOne Player"
      "C:\\Program Files\\Windows Media Player\\WMPLAYER.EXE"="C:\\Program Files\\Windows Media Player\\WMPLAYER.EXE:*:Enabled:Windows Media Player"
      "C:\\Program Files\\Morpheus\\Morpheus.exe"="C:\\Program Files\\Morpheus\\Morpheus.exe:*:Enabled:M5Shell"
      "C:\\Program Files\\Charter High-Speed Security Suite\\backweb\\3528733\\Program\\fspex.exe"="C:\\Program Files\\Charter High-Speed Security Suite\\backweb\\3528733\\Program\\fspex.exe:*:Enabled:Charter High-Speed Security Suite"
      "C:\\Program Files\\Rio\\Rio Music Manager\\riomm.exe"="C:\\Program Files\\Rio\\Rio Music Manager\\riomm.exe:*:Enabled:Rio Music Manager"
      "C:\\Program Files\\AIM95\\aim.exe"="C:\\Program Files\\AIM95\\aim.exe:*:Enabled:AOL Instant Messenger"
      "C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
      "C:\\WINDOWS\\System32\\iPODService.exe"="C:\\WINDOWS\\System32\\iPODService.exe:*:Enabled:iPODService"
      "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
      "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
      "C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
      "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
      "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
      "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
      "C:\\WINDOWS\\System32\\mmc.exe"="C:\\WINDOWS\\System32\\mmc.exe:*:Enabled:Microsoft Management Console"

      [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
      "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
      "C:\\Program Files\\AIM95\\aim.exe"="C:\\Program Files\\AIM95\\aim.exe:*:Enabled:AOL Instant Messenger"
      "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

      Remaining Files :


      File Backups: - C:\SDFix\backups\backups.zip

      Files with Hidden Attributes :

      Fri 29 Mar 2002         1,694 ..SHR --- "C:\MSDOS.BAK"
      Fri 29 Mar 2002           179 ..SH. --- "C:\AUTOEXEC.BAK"
      Sat 20 Nov 2004         1,682 A.SH. --- "C:\WINDOWS\SYSTEM32\KGyGaAvL.sys"
      Sat 20 Nov 2004            56 ..SHR --- "C:\WINDOWS\SYSTEM32\8DCA1CC71F.sys"
      Wed 13 Oct 2004     1,694,208 ...H. --- "C:\Program Files\Messenger\msmsgs.exe"
      Fri 13 Jun 2003         4,348 ..SH. --- "C:\WINDOWS\All Users\DRM\DRMv1.bak"
      Mon 14 Mar 2005       299,008 A..H. --- "C:\Program Files\Canon\MP Navigator 2.2\Maint.exe"
      Mon 28 Feb 2005        61,440 A..H. --- "C:\Program Files\Canon\MP Navigator 2.2\uinstrsc.dll"
      Sat 14 Apr 2007        88,576 ...H. --- "C:\Documents and Settings\The Hoaglands\My Documents\~WRL0001.tmp"
      Mon 16 Apr 2007        87,552 ...H. --- "C:\Documents and Settings\The Hoaglands\My Documents\~WRL0155.tmp"
      Mon 16 Apr 2007        88,576 ...H. --- "C:\Documents and Settings\The Hoaglands\My Documents\~WRL2287.tmp"
      Mon 16 Apr 2007        89,088 ...H. --- "C:\Documents and Settings\The Hoaglands\My Documents\~WRL2135.tmp"
      Mon 16 Apr 2007        90,112 ...H. --- "C:\Documents and Settings\The Hoaglands\My Documents\~WRL1327.tmp"
      Mon 16 Apr 2007        89,600 ...H. --- "C:\Documents and Settings\The Hoaglands\My Documents\~WRL0894.tmp"
      Mon 16 Apr 2007        89,600 ...H. --- "C:\Documents and Settings\The Hoaglands\My Documents\~WRL3255.tmp"
      Mon 16 Apr 2007        88,576 ...H. --- "C:\Documents and Settings\The Hoaglands\My Documents\~WRL2271.tmp"
      Mon 16 Apr 2007        88,064 ...H. --- "C:\Documents and Settings\The Hoaglands\My Documents\~WRL3014.tmp"
      Mon 16 Apr 2007        88,064 ...H. --- "C:\Documents and Settings\The Hoaglands\My Documents\~WRL1947.tmp"
      Mon 16 Apr 2007        88,064 ...H. --- "C:\Documents and Settings\The Hoaglands\My Documents\~WRL1341.tmp"
      Mon 16 Apr 2007        88,064 ...H. --- "C:\Documents and Settings\The Hoaglands\My Documents\~WRL0002.tmp"
      Mon 16 Apr 2007        88,064 ...H. --- "C:\Documents and Settings\The Hoaglands\My Documents\~WRL0005.tmp"
      Mon 16 Apr 2007        88,064 ...H. --- "C:\Documents and Settings\The Hoaglands\My Documents\~WRL1821.tmp"
      Mon 16 Apr 2007        88,064 ...H. --- "C:\Documents and Settings\The Hoaglands\My Documents\~WRL3267.tmp"
      Wed  7 May 2008             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\385cb67dda0ffd4dea8c0d990dc65796\BIT1.tmp"
      Thu 15 May 2003        43,008 ...H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"

      Finished!


      Logfile of Trend Micro HijackThis v2.0.2
      Scan saved at 04:39: VIRUS ALERT!, on 5/28/2008
      Platform: Windows XP SP2 (WinNT 5.01.2600)
      MSIE: Internet Explorer v7.00 (7.00.6000.16640)
      Boot mode: Normal

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
      C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
      C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
      C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
      C:\WINDOWS\system32\nvsvc32.exe
      C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
      C:\WINDOWS\system32\WgaTray.exe
      C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
      C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE
      C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
      C:\Program Files\Internet Explorer\iexplore.exe
      C:\WINDOWS\system32\ctfmon.exe
      C:\WINDOWS\explorer.exe
      C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
      C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
      O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
      O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
      O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
      O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
      O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
      O4 - HKLM\..\Run: [Auto EPSON Stylus CX3800 Series on DISH] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P39 "Auto EPSON Stylus CX3800 Series on DISH" /O15 "\\DISH\EPSONSty" /M "Stylus CX3800"
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
      O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
      O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
      O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
      O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
      O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
      O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
      O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
      O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
      O13 - DefaultPrefix:
      O15 - Trusted Zone: *.fnismls.com
      O15 - Trusted Zone: *.getmedianow.com
      O15 - Trusted Zone: *.live.com
      O15 - Trusted Zone: *.showingtime.com
      O15 - Trusted Zone: *.sitexdata.com
      O15 - Trusted Zone: *.spellchecker.net
      O15 - Trusted Zone: *.transactionpoint.com
      O15 - Trusted Zone: *.trpoint.com
      O15 - Trusted Zone: *.virtualearth.net
      O16 - DPF: ConferenceRoom Java Client - http://java.financialchat.com:8000/java/cr.cab
      O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
      O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
      O16 - DPF: {0D859AF0-C75E-11D4-B760-00E0B81077E8} (FileCruiser Class) - http://coop.mlxchange.com/Control/FileCruiser.cab
      O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
      O16 - DPF: {13D448F2-4D80-40BD-B1D7-25A9B7CB1474} (PMSImage Control) - http://24.75.126.108/install/PMSImage.ocx
      O16 - DPF: {16FD824B-8E7B-11D2-9855-00802962956C} (Specfile Control) - http://coop.mlxchange.com/Control/Specfile.cab
      O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
      O16 - DPF: {284DAE3C-A691-11D3-AD58-00E0B8107A24} (SISCtrl Class) - http://coop.mlxchange.com/Control/SISC.cab
      O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
      O16 - DPF: {3BA3B159-7533-4F96-A2CE-EE5894BBD3D5} (Scanner.SysScanner) - http://i.dell.com/images/global/js/scanner/SYSSCANNER.cab
      O16 - DPF: {4063B398-3FC7-433E-B23B-0460CE7EDC27} (MaxisMakinMagicTeleX Control) - http://thesims.ea.com/teleport/makinmagic/MaxisMakinMagicTeleX.cab
      O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://coop.mlxchange.com/Control/MultiSelectComboBox.cab
      O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://support.rexplorer.net/iftw_install//iftwclix.cab
      O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
      O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://coop.mlxchange.com/Control/MLXClientUtils.cab
      O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://c.ancestry.com/cab/ImageViewer/MFImgVwr.cab
      O16 - DPF: {78523E50-56EB-11D3-B739-CAA1986A452F} (LiteGridCtl Class) - http://coop.mlxchange.com/Control/LiteGrid.cab
      O16 - DPF: {7A7537FC-5988-11D3-8B33-00104B9E5A4A} (IRCWwwPrint Class) - http://coop.mlxchange.com/Control/IRCWebPrint.cab
      O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://ctmls.mlxchange.com/4.2.06.26/Control/IRCSharc.cab
      O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD42/JSCDL/jre/6u6-b90/jinstall-6u6-windows-i586-jc.cab?AuthParam=1211955591_0bef0b16a370840ba69aa7314db5214e&GroupName=JSC&BHost=javadl.sun.com&FilePath=/ESD42/JSCDL/jre/6u6-b90/jinstall-6u6-windows-i586-jc.cab&File=jinstall-6u6-windows-i586-jc.cab
      O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
      O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
      O16 - DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} (F-Secure Online Scanner 2.1) - http://support.f-secure.com/ols/fscax.cab
      O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
      O16 - DPF: {B151B524-F451-4036-9663-B3944FA710DF} (ExecuteAgent2p Class) - http://www.ct-mls.com/dss/ENUclientPro.cab
      O16 - DPF: {B198A72B-B4C3-42B5-B8DA-B364E76429AA} (Cerebus Class) - http://coop.mlxchange.com/Control/WebDog.cab
      O16 - DPF: {BC8E0F3E-2A7F-11D4-A0F2-0001022F24B8} (LIte Class) - http://coop.mlxchange.com/Components/OutlookXtract.cab
      O16 - DPF: {C7E73900-EF7C-4E63-B36E-E8EEE1CD7DA5} (MPGridControl Class) - http://coop.mlxchange.com/Components/MPGridControl.cab
      O16 - DPF: {F060A272-A18A-11D3-B75B-00E0B81077E8} (DropList Class) - http://coop.mlxchange.com/Control/AspCustomCtrls.cab
      O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
      O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
      O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
      O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
      O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
      O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
      O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
      O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
      O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
      O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
      O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
      O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
      O24 - Desktop Component 0: (no name) - http://a712.g.akamai.net/7/712/225/20020411162248/www.eastbay.com/images/products/large/02723297_l.jpg
      O24 - Desktop Component 1: (no name) - http://a712.g.akamai.net/7/712/225/20010509142356/www.eastbay.com/images/products/large/17321101_l.jpg
      O24 - Desktop Component 4: (no name) - http://ctmls.mlxchange.com/

      --
      End of file - 10025 bytes

      evilfantasy

      • Malware Removal Specialist
      • Moderator


      Re: Very bad Vundo-variant attack!
      « Reply #3 on: May 28, 2008, 10:53:36 AM »
      Malware will use Trusted Zones as a gateway to infect a PC so we need to fix those.

      Open Hijackthis and select Do a system scan only.

      Place a check mark next to the following entries: (if there)

      - O13 - DefaultPrefix:
      - O15 - Trusted Zone: *.fnismls.com
      - O15 - Trusted Zone: *.getmedianow.com
      - O15 - Trusted Zone: *.live.com
      - O15 - Trusted Zone: *.showingtime.com
      - O15 - Trusted Zone: *.sitexdata.com
      - O15 - Trusted Zone: *.spellchecker.net
      - O15 - Trusted Zone: *.transactionpoint.com
      - O15 - Trusted Zone: *.trpoint.com
      - O15 - Trusted Zone: *.virtualearth.net


      Important: Close all windows except for Hijackthis and then click Fix checked.

      Exit Hijackthis.

      ----------

      Download Vundofix.exe to your desktop.

      Important! If using Windows Vista, be sure to Run As Administrator.

      • Double-click VundoFix.exe to run it.
      • When VundoFix opens, click the Scan for Vundo button.
      • Once it's done scanning, click the Remove Vundo button.
      • You will receive a prompt asking if you want to remove the files; click YES.
      • Once you click yes, your desktop will go blank as it starts removing Vundo.
      • When completed, it will prompt that it will shutdown your computer, click OK.
      • Turn your computer back on.
      • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
      Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.

      If you receive this error: "Run-time error '339': Component 'comdlg32.ocx' or one of its dependencies not correctly registered: a file is missing or invalid", a new copy and instructions on where to put it can be found here

      Please let VundoFix finish; sometimes it can take multiple passes.

      ---------

      Next post
      Vundofix log

      Also let me know how things are now.


      Did you add these yourself? If not, have Hijackthis fix any you didn't add.

      - O24 - Desktop Component 0: (no name) - http://a712.g.akamai.net/7/712/225/20020411162248/www.eastbay.com/images/products/large/02723297_l.jpg

      - O24 - Desktop Component 1: (no name) - http://a712.g.akamai.net/7/712/225/20010509142356/www.eastbay.com/images/products/large/17321101_l.jpg

      - O24 - Desktop Component 4: (no name) - http://ctmls.mlxchange.com/
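
The triage evilfantasy describes above (tick the O13 DefaultPrefix line, every O15 Trusted Zone, and any O24 Desktop Component the user did not add, then "Fix checked"), written out as an added example. This is not code from the thread, from HijackThis or from its author: it parses lines in the HijackThis log format shown in this thread and rebuilds that fix list from a constructed sample log. It also groups the O16 DPF (downloaded ActiveX) entries by the host they were fetched from, which goes one step beyond the reply as a review aid. All hosts and URLs in the sample are constructed, not taken from the logs above.

```python
"""HijackThis log triage helper (added example, not part of the thread or of HijackThis)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable
from urllib.parse import urlsplit

# One HijackThis line: a section code (R0, F1, N2, O15, ...) then " - " then the payload.
LINE_RE = re.compile(r"^\s*([RFNO]\d+)\s+-\s+(.*?)\s*$")
# O16 description of the form "{CLSID} (Friendly name)".
CLSID_DESC_RE = re.compile(r"^\{[0-9A-Fa-f-]+\}\s*\((.*)\)$")

# Constructed sample in the same line format as the logs in this thread; the hosts are not real.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O13 - DefaultPrefix:
O15 - Trusted Zone: *.live.com
O15 - Trusted Zone: *.example-mls.test
O16 - DPF: ConferenceRoom Java Client - http://java.example.test:8000/java/cr.cab
O16 - DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} (F-Secure Online Scanner 2.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {13D448F2-4D80-40BD-B1D7-25A9B7CB1474} (PMSImage Control) - http://203.0.113.10/install/PMSImage.ocx
O24 - Desktop Component 0: (no name) - http://cdn.example.test/images/02723297_l.jpg
O24 - Desktop Component 4: (no name) - http://mls.example.test/
"""


@dataclass(frozen=True)
class Entry:
    section: str  # "O15", "O24", ...
    kind: str     # "Trusted Zone", "Desktop Component 4", "DPF", ...
    name: str     # friendly name where the line carries one, else ""
    target: str   # URL, path, zone pattern or value, else ""
    raw: str      # the original line, i.e. exactly what gets ticked in HijackThis


def parse_line(line: str) -> Entry | None:
    """Split one HijackThis line into its parts; returns None for lines that are not log entries."""
    m = LINE_RE.match(line)
    if not m:
        return None
    section, payload = m.group(1), m.group(2)
    raw = line.strip()
    kind, _, rest = payload.partition(":")
    rest = rest.strip()
    if section in ("O13", "O15"):  # "DefaultPrefix:" / "Trusted Zone: *.live.com"
        return Entry(section, kind, "", rest, raw)
    if section == "O24":  # "Desktop Component 4: (no name) - http://..."
        name, _, target = rest.partition(" - ")
        return Entry(section, kind, name.strip("()"), target, raw)
    if section == "O16":  # "DPF: {CLSID} (Name) - URL" or "DPF: Name - URL"
        desc, _, target = rest.rpartition(" - ")
        cm = CLSID_DESC_RE.match(desc)
        return Entry(section, kind, cm.group(1) if cm else desc, target, raw)
    return Entry(section, kind, rest, "", raw)


def parse_log(text: str) -> list[Entry]:
    """Parse a whole log, skipping header lines, process lists and blanks."""
    entries = []
    for line in text.splitlines():
        e = parse_line(line)
        if e is not None:
            entries.append(e)
    return entries


def fix_list(entries: Iterable[Entry], user_added: Iterable[str] = ()) -> list[str]:
    """Lines to tick in HijackThis, following the reply above: the O13 DefaultPrefix line,
    every O15 Trusted Zone, and each O24 Desktop Component whose URL the user did not add."""
    added = set(user_added)
    out = []
    for e in entries:
        if e.section in ("O13", "O15"):
            out.append(e.raw)
        elif e.section == "O24" and e.target not in added:
            out.append(e.raw)
    return out


def dpf_hosts(entries: Iterable[Entry]) -> dict[str, list[str]]:
    """Group O16 DPF controls by download host so a reviewer sees which sites pushed code to the browser."""
    hosts: dict[str, list[str]] = {}
    for e in entries:
        if e.section != "O16":
            continue
        host = urlsplit(e.target).hostname or "(local file)"
        hosts.setdefault(host, []).append(e.name)
    return hosts


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("Tick these in HijackThis, then Fix checked:")
    for line in fix_list(entries, user_added={"http://mls.example.test/"}):
        print("  -", line)
    print("\nO16 controls by download host:")
    for host, names in sorted(dpf_hosts(entries).items()):
        print(f"  {host}: {', '.join(names)}")
```

Run it against a real log by replacing SAMPLE_LOG with the file contents; the `user_added` set is the answer to the "Did you add these yourself?" question above, so only Desktop Components the user does not recognise end up on the fix list.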

      saltydogs

        Topic Starter



        Re: Very bad Vundo-variant attack!
        « Reply #4 on: May 28, 2008, 11:49:16 AM »
        Thanks for the response!

        The VundoFix scan found no files to fix. I did a search for the .txt file but no luck.
        My major problems are:
        I do not have the C: drive listed in Start Menu -> My Computer, nor do I have My Programs; they have disappeared.
        Also, my typical taskbar icons are gone. The only icon showing directs me to "Windows Genuine Advantage - Unable to complete genuine windows validation. Click here to get help with this problem", which I have never seen before and will not click on.

        Logfile of Trend Micro HijackThis v2.0.2
        Scan saved at 13:39: VIRUS ALERT!, on 5/28/2008
        Platform: Windows XP SP2 (WinNT 5.01.2600)
        MSIE: Internet Explorer v7.00 (7.00.6000.16640)
        Boot mode: Normal

        Running processes:
        C:\WINDOWS\System32\smss.exe
        C:\WINDOWS\system32\winlogon.exe
        C:\WINDOWS\system32\services.exe
        C:\WINDOWS\system32\lsass.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\system32\spoolsv.exe
        C:\WINDOWS\Explorer.EXE
        C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
        C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
        C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
        C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
        C:\WINDOWS\system32\nvsvc32.exe
        C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
        C:\WINDOWS\System32\svchost.exe
        C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
        C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
        C:\WINDOWS\system32\ctfmon.exe
        C:\WINDOWS\system32\WgaTray.exe
        C:\Program Files\Internet Explorer\iexplore.exe
        C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
        R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
        O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
        O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
        O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
        O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
        O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
        O4 - HKLM\..\Run: [Auto EPSON Stylus CX3800 Series on DISH] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P39 "Auto EPSON Stylus CX3800 Series on DISH" /O15 "\\DISH\EPSONSty" /M "Stylus CX3800"
        O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
        O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
        O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
        O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
        O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
        O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
        O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
        O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
        O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
        O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
        O16 - DPF: ConferenceRoom Java Client - http://java.financialchat.com:8000/java/cr.cab
        O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
        O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
        O16 - DPF: {0D859AF0-C75E-11D4-B760-00E0B81077E8} (FileCruiser Class) - http://coop.mlxchange.com/Control/FileCruiser.cab
        O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
        O16 - DPF: {13D448F2-4D80-40BD-B1D7-25A9B7CB1474} (PMSImage Control) - http://24.75.126.108/install/PMSImage.ocx
        O16 - DPF: {16FD824B-8E7B-11D2-9855-00802962956C} (Specfile Control) - http://coop.mlxchange.com/Control/Specfile.cab
        O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
        O16 - DPF: {284DAE3C-A691-11D3-AD58-00E0B8107A24} (SISCtrl Class) - http://coop.mlxchange.com/Control/SISC.cab
        O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
        O16 - DPF: {3BA3B159-7533-4F96-A2CE-EE5894BBD3D5} (Scanner.SysScanner) - http://i.dell.com/images/global/js/scanner/SYSSCANNER.cab
        O16 - DPF: {4063B398-3FC7-433E-B23B-0460CE7EDC27} (MaxisMakinMagicTeleX Control) - http://thesims.ea.com/teleport/makinmagic/MaxisMakinMagicTeleX.cab
        O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://coop.mlxchange.com/Control/MultiSelectComboBox.cab
        O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://support.rexplorer.net/iftw_install//iftwclix.cab
        O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
        O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://coop.mlxchange.com/Control/MLXClientUtils.cab
        O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://c.ancestry.com/cab/ImageViewer/MFImgVwr.cab
        O16 - DPF: {78523E50-56EB-11D3-B739-CAA1986A452F} (LiteGridCtl Class) - http://coop.mlxchange.com/Control/LiteGrid.cab
        O16 - DPF: {7A7537FC-5988-11D3-8B33-00104B9E5A4A} (IRCWwwPrint Class) - http://coop.mlxchange.com/Control/IRCWebPrint.cab
        O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://ctmls.mlxchange.com/4.2.06.26/Control/IRCSharc.cab
        O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD42/JSCDL/jre/6u6-b90/jinstall-6u6-windows-i586-jc.cab?AuthParam=1211955591_0bef0b16a370840ba69aa7314db5214e&GroupName=JSC&BHost=javadl.sun.com&FilePath=/ESD42/JSCDL/jre/6u6-b90/jinstall-6u6-windows-i586-jc.cab&File=jinstall-6u6-windows-i586-jc.cab
        O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
        O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
        O16 - DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} (F-Secure Online Scanner 2.1) - http://support.f-secure.com/ols/fscax.cab
        O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
        O16 - DPF: {B151B524-F451-4036-9663-B3944FA710DF} (ExecuteAgent2p Class) - http://www.ct-mls.com/dss/ENUclientPro.cab
        O16 - DPF: {B198A72B-B4C3-42B5-B8DA-B364E76429AA} (Cerebus Class) - http://coop.mlxchange.com/Control/WebDog.cab
        O16 - DPF: {BC8E0F3E-2A7F-11D4-A0F2-0001022F24B8} (LIte Class) - http://coop.mlxchange.com/Components/OutlookXtract.cab
        O16 - DPF: {C7E73900-EF7C-4E63-B36E-E8EEE1CD7DA5} (MPGridControl Class) - http://coop.mlxchange.com/Components/MPGridControl.cab
        O16 - DPF: {F060A272-A18A-11D3-B75B-00E0B81077E8} (DropList Class) - http://coop.mlxchange.com/Control/AspCustomCtrls.cab
        O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
        O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
        O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
        O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
        O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
        O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
        O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
        O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
        O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
        O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
        O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
        O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
        O24 - Desktop Component 4: (no name) - http://ctmls.mlxchange.com/

        --
        End of file - 9118 bytes

        evilfantasy

        • Malware Removal Specialist
        • Moderator


        Re: Very bad Vundo-variant attack!
        « Reply #5 on: May 28, 2008, 12:08:56 PM »
        Download Combofix by sUBs from one of the below links.
        (Try all three if necessary.) Important! Combofix.exe MUST be saved to and run from the Desktop.
        • Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting Combofix.
        • Important! Temporarily disable your antivirus, script blocking and any antispyware real time protection before performing a scan.
          • Click this link to see a list of security programs that should be disabled and how to disable them.
          • If yours is not listed and you don't know how to disable it, please ask.
        • Warning: Combofix disconnects your computer from the internet. The connection is automatically restored before Combofix completes its run.
        • Double click combofix.exe & follow the prompts.
          • Choose Yes to accept the Disclaimers.
          • When finished, it will produce a log for you.
          • Post that log in your next reply.
          Warning: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
          • If Combofix runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your computer.
          • Important: Remember to re-enable your antivirus and antispyware before reconnecting to the Internet.
          CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

          If needed, see this Combofix tutorial with screenshots that will detail the downloading and running of combofix more thoroughly.

          saltydogs

            Topic Starter



            Re: Very bad Vundo-variant attack!
            « Reply #6 on: May 28, 2008, 12:35:01 PM »
            ComboFix log follows:

            ComboFix 08-05-27.4 - The Hoaglands 2008-05-28 14:19:50.1 - FAT32x86
            Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.201 [GMT -4:00]
            Running from: C:\Documents and Settings\The Hoaglands\Desktop\ComboFix.exe
             * Created a new restore point

            WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
            .

            (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
            .

            C:\update.exe
            C:\WINDOWS\Downloaded Program Files\setup.inf
            C:\WINDOWS\start.exe
            C:\WINDOWS\SYSTEM32\bbHgPqss.ini
            C:\WINDOWS\SYSTEM32\bbHgPqss.ini2
            C:\WINDOWS\SYSTEM32\gcfxuans.ini
            C:\WINDOWS\Web\default.htt

            .
            (((((((((((((((((((((((((   Files Created from 2008-04-28 to 2008-05-28  )))))))))))))))))))))))))))))))
            .

            2008-05-28 03:09 . 2008-05-28 03:09   <DIR>   d--------   C:\WINDOWS\ERUNT
            2008-05-28 03:00 . 2008-05-27 03:12   <DIR>   d--------   C:\SDFix
            2008-05-28 01:24 . 2008-05-28 01:24   <DIR>   d--------   C:\Deckard
            2008-05-27 23:35 . 2008-05-27 23:35   <DIR>   d--------   C:\Program Files\Malwarebytes' Anti-Malware
            2008-05-27 23:35 . 2008-05-27 23:35   <DIR>   d--------   C:\Documents and Settings\The Hoaglands\Application Data\Malwarebytes
            2008-05-27 23:35 . 2008-05-27 23:35   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Malwarebytes
            2008-05-27 23:35 . 2008-05-05 20:46   27,048   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\mbamcatchme.sys
            2008-05-27 23:35 . 2008-05-05 20:46   15,864   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
            2008-05-27 18:30 . 2008-05-27 18:30   <DIR>   d--------   C:\Program Files\Trend Micro
            2008-05-27 18:07 . 2008-05-27 18:07   <DIR>   d--------   C:\VundoFix Backups
            2008-05-27 11:41 . 2008-05-27 11:41   <DIR>   d--------   C:\Documents and Settings\The Hoaglands\Application Data\TmpRecentIcons
            2008-05-27 10:35 . 2008-05-27 08:14   94,208   --a------   C:\WINDOWS\efpn.exe
            2008-05-23 16:14 . 2008-05-23 16:14   45,490   --a------   C:\stream.bin
            2008-05-23 15:18 . 2008-05-23 15:18   <DIR>   d--------   C:\SIERRA
            2008-05-23 15:16 . 2008-05-23 15:16   88   --a------   C:\WINDOWS\SIERRA.INI
            2008-05-20 15:18 . 2008-05-20 15:18   <DIR>   d--------   C:\Program Files\Google
            2008-04-28 19:56 . 2008-04-28 19:56   <DIR>   d--------   C:\Documents and Settings\The Hoaglands\Application Data\EPSON

            .
            ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
            .
            2008-03-27 08:12   151,583   ----a-w   C:\WINDOWS\SYSTEM32\msjint40.dll
            2008-03-27 08:12   151,583   ------w   C:\WINDOWS\SYSTEM32\dllcache\msjint40.dll
            2008-03-19 09:47   1,845,248   ----a-w   C:\WINDOWS\SYSTEM32\win32k.sys
            2008-03-19 09:47   1,845,248   ------w   C:\WINDOWS\SYSTEM32\dllcache\win32k.sys
            2008-03-01 22:36   3,591,680   ----a-w   C:\WINDOWS\SYSTEM32\dllcache\mshtml.dll
            2008-02-29 08:55   70,656   ------w   C:\WINDOWS\SYSTEM32\dllcache\ie4uinit.exe
            2008-02-29 08:55   625,664   ------w   C:\WINDOWS\SYSTEM32\dllcache\iexplore.exe
            2005-09-14 20:53   0   ----a-w   C:\Program Files\GeacInterealtyDS_HFD_596266616_20050914_205300.sql
            2005-08-13 15:06   0   ----a-w   C:\Program Files\GeacInterealtyDS_HFD_596266616_20050813_150631.sql
            2005-06-23 17:20   0   ----a-w   C:\Program Files\GeacInterealtyDS_HFD_596266616_20050623_172054.sql
            2005-05-28 01:54   0   ----a-w   C:\Program Files\GeacInterealtyDS_HFD_596266616_20050528_015443.sql
            2005-03-26 19:20   21   ----a-w   C:\Program Files\AVPersonalAVWIN.INI
            2005-03-11 16:16   0   ----a-w   C:\Program Files\GeacInterealtyDS_HFD_596266616_20050311_171640.sql
            2005-02-25 21:42   0   ----a-w   C:\Program Files\GeacInterealtyDS_HFD_596266616_20050225_224200.sql
            2005-02-25 17:10   0   ----a-w   C:\Program Files\GeacInterealtyDS_HFD_596266616_20050225_181034.sql
            2005-02-25 15:32   0   ----a-w   C:\Program Files\GeacInterealtyDS_HFD_596266616_20050225_163254.sql
            2004-08-12 05:37   0   ----a-w   C:\Program Files\GeacInterealtyDS_HFD_596266616_20040812_053744.sql
            2004-05-31 12:58   37,634   ----a-w   C:\Documents and Settings\The Hoaglands\raw101.exe
            2004-04-19 20:34   0   ----a-w   C:\Program Files\GeacInterealtyDS_HFD_596266616_20040419_203424.sql
            2004-03-29 16:04   131,072   ----a-w   C:\Program Files\fsuninst.ENG
            2003-03-07 01:17   2,765   ----a-w   C:\Program Files\Common Files\AutoUpdate.rtf
            2003-01-27 15:50   1,000,448   ----a-w   C:\Program Files\Common Files\AutoUpdate.exe
            2002-03-29 23:18   266   --sh--w   C:\Program Files\desktop.ini
            2002-03-29 23:18   11,079   ---h--w   C:\Program Files\folder.htt
            2002-02-08 17:13   8,527,672   ----a-w   C:\Program Files\PLuSExpress.exe
            2001-11-17 00:25   73,728   ----a-w   C:\Documents and Settings\The Hoaglands\Setup.exe
            2001-11-17 00:25   650   ----a-w   C:\Documents and Settings\The Hoaglands\LAYOUT.BIN
            2001-11-17 00:25   450   ----a-w   C:\Documents and Settings\The Hoaglands\OS.DAT
            2001-11-17 00:25   34,816   ----a-w   C:\Documents and Settings\The Hoaglands\_Setup.dll
            2001-11-17 00:25   27,648   ----a-w   C:\Documents and Settings\The Hoaglands\_ISDel.exe
            2001-11-17 00:25   23,541   ----a-w   C:\Documents and Settings\The Hoaglands\LANG.DAT
            2001-10-16 17:48   51,072   ----a-w   C:\Documents and Settings\The Hoaglands\EUSBMSD.sys
            2004-11-20 17:16   1,682   --sha-w   C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
            2004-11-20 17:16   56   --sh--r   C:\WINDOWS\SYSTEM32\8DCA1CC71F.sys
            .

            (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
            .
            .
            *Note* empty entries & legit default entries are not shown
            REGEDIT4

            [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
            @={7D688A77-C613-11D0-999B-00C04FD655E1}

            [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
            "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]

            [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
            "avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2008-04-19 16:00 262401]
            "Auto EPSON Stylus CX3800 Series on DISH"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.exe" [2005-02-07 23:00 98304]

            [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
            "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
            "{27796771-8D05-4EE6-B478-43CE759F2106}"= C:\WINDOWS\system32\rqRJYrRj.dll [ ]

            [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
            "AppInit_DLLs"=NVDESK32.DLL

            [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
            "VIDC.UV12"= aoxdxipl.ax
            "VIDC.I263"= i263_32.drv

            [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
            Authentication Packages   REG_MULTI_SZ      msv1_0 relog_ap
            d-a------ 2001-12-10 18:40 0 C:\WINDOWS\System32\

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
            C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
            --a------ 2007-10-30 20:07 140568 C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
            --a------ 2007-10-30 20:11 909208 C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVSCHED32]
            C:\Program Files\AVPersonal\AVSched32.exe

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitDefender Antivirus]


            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
            --a------ 2004-08-04 03:56 15360 C:\WINDOWS\system32\ctfmon.exe

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EM_EXEC]
            --a------ 2000-03-03 09:00 33792 C:\Program Files\Logitech\MouseWare\System\em_exec.exe

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX3800 Series]
            --a------ 2005-02-07 23:00 98304 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.exe

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FAST Defrag]

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
            --a------ 2006-09-12 01:58 229952 C:\Program Files\iTunes\iTunesHelper.exe

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launcher]
            C:\Program Files\KFH\cl\launcher.exe

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware Reboot]
            --a------ 2008-05-05 20:46 1179256 C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
            --a------ 2006-08-12 00:43 7630848 C:\WINDOWS\system32\NvCpl.dll

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
            --a------ 2006-08-12 00:43 86016 C:\WINDOWS\system32\NvMcTray.dll

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
            --a------ 2006-08-12 00:43 1519616 C:\WINDOWS\SYSTEM32\nwiz.exe

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
            --a------ 2006-09-01 15:57 282624 C:\Program Files\QuickTime\qttask.exe

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run StartupMonitor]
            --a------ 2000-05-20 17:23 86016 C:\WINDOWS\StartupMonitor.exe

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecretSmileys]
            C:\PROGRA~1\SECRET~1\ss.exe

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
            --a------ 2008-03-25 04:28 144784 C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
            --a------ 2007-06-21 14:06 1318912 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
            --a------ 2005-04-02 15:39 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
            --a------ 2007-10-31 12:53 2595616 C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
            C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
            C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

            [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
            "SaveNow"=C:\Program Files\SaveNow\SaveNow.exe
            "b3dUpdate"=C:\WINDOWS\BDE\Update\Zupdate.EXE -silent -p "C:\WINDOWS\BDE\Update" -s setup.cab
            "New.net Startup"=rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
            "LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
            "PP2000 Taskbar Control"=C:\Program Files\Protector Plus\PPTbc.EXE
            "PP2000 Real-time Scan"=C:\Program Files\Protector Plus\PPVstop.exe
            "PP2000 InstaUpdate"=C:\Program Files\Protector Plus\PPInupdt.exe

            [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
            "EnableFirewall"= 0 (0x0)

            [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
            "C:\\WINDOWS\\system32\\sessmgr.exe"=
            "C:\\Program Files\\REAL\\RealOne Player\\REALPLAY.EXE"=
            "C:\\Program Files\\Windows Media Player\\WMPLAYER.EXE"=
            "C:\\Program Files\\iTunes\\iTunes.exe"=
            "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
            "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
            "C:\\Program Files\\AIM6\\aim6.exe"=
            "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
            "C:\\WINDOWS\\System32\\mmc.exe"=

            [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
            "1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
            "1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
            "500:UDP"= 500:UDP:@xpsp2res.dll,-22017

            R0 avgntmgr;avgntmgr;C:\WINDOWS\system32\drivers\avgntmgr.sys [2008-04-19 16:00]
            R0 tdrpman;Acronis Try&Decide and Restore Points filter;C:\WINDOWS\system32\DRIVERS\tdrpman.sys [2008-02-01 20:28]
            R1 avgntdd;avgntdd;C:\WINDOWS\system32\DRIVERS\avgntdd.sys [2008-04-19 16:00]
            R2 AdobeActiveFileMonitor;Adobe Active File Monitor;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-04 04:47]
            R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-04 03:40]
            R2 TryAndDecideService;Acronis Try And Decide Service;"C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe" [2007-10-31 13:19]
            S3 Aox402Camera;GD-350V;C:\WINDOWS\system32\DRIVERS\aox402vc.sys [2002-01-16 01:33]
            S3 PPDrv;Protector Plus Driver;C:\Program Files\Protector Plus\PPDrv.sys []
            S3 SE402RefCameraStill;Concord Eye-Q Mini (WDM);C:\WINDOWS\system32\DRIVERS\aox402sc.sys [2001-11-20 13:58]
            S4 lkbdfltr;Logitech Keyboard Class Filter Driver;C:\WINDOWS\system32\DRIVERS\lkbdfltr.sys [2000-03-03 09:00]
            S4 lmoufltr;Logitech Mouse Class Filter Driver;C:\WINDOWS\system32\DRIVERS\lmoufltr.sys [2000-03-03 09:00]
            S4 lsermous;Logitech Serial Mouse Driver;C:\WINDOWS\system32\DRIVERS\lsermous.sys [2000-03-03 09:00]


            [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
            rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msimn.inf,User.Install

            [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
            rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msimn.inf,User.Install
            "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

            [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
            C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
            .
            Contents of the 'Scheduled Tasks' folder
            "2008-05-28 13:10:16 C:\WINDOWS\Tasks\Tune-up Application Start.job"
            "2002-04-10 01:09:22 C:\WINDOWS\Tasks\Maintenance-Defragment programs.job"
            - C:\WINDOWS\DEFRAG.EXE
            "2008-05-28 13:10:16 C:\WINDOWS\Tasks\Maintenance-Disk cleanup.job"
            - C:\WINDOWS\CLEANMGR.EXE
            "2008-05-28 18:00:02 C:\WINDOWS\Tasks\AB2FE87F91849E5B.job"
            - c:\progra~1\stylef~1\DrvLiveOption.exe
            "2006-11-03 15:00:02 C:\WINDOWS\Tasks\Spybot - Search & Destroy -  Scheduled Task.job"
            - C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
            .
            **************************************************************************

            catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
            Rootkit scan 2008-05-28 14:27:03
            Windows 5.1.2600 Service Pack 2 FAT NTAPI

            scanning hidden processes ...

            scanning hidden autostart entries ...

            scanning hidden files ...

            scan completed successfully
            hidden files: 0

            **************************************************************************
            .
            ------------------------ Other Running Processes ------------------------
            .
            C:\PROGRAM FILES\COMMON FILES\ACRONIS\SCHEDULE2\SCHEDUL2.EXE
            C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
            C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
            C:\WINDOWS\SYSTEM32\NVSVC32.EXE
            C:\WINDOWS\System32\wdfmgr.exe
            C:\WINDOWS\system32\WgaTray.exe
            C:\Program Files\AntiVir PersonalEdition Classic\GUARDGUI.EXE
            C:\WINDOWS\system32\wscntfy.exe
            C:\WINDOWS\system32\imapi.exe
            .
            **************************************************************************
            .
            Completion time: 2008-05-28 14:29:39 - machine was rebooted
            ComboFix-quarantined-files.txt  2008-05-28 18:29:32

            Pre-Run: 41,966,632,960 bytes free
            Post-Run: 41,885,335,552 bytes free

            227   --- E O F ---   2008-05-28 07:01:15

            evilfantasy

            • Malware Removal Specialist
            • Moderator


            • Genius
            • Calm like a bomb
            • Thanked: 493
            • Experience: Experienced
            • OS: Windows 11
            Re: Very bad Vundo-variant attack!
            « Reply #7 on: May 28, 2008, 12:42:54 PM »
            Now download The Avenger by Swandog46 and save it to your Desktop.
            • Extract avenger.exe from the Zip file and save it to your desktop
            • Run avenger.exe by double-clicking on it.
            • Do not change any check box options!!
            • Copy everything in the Code box below, and paste it into the Input script here window:
            Code:
            Comment:

            Registry values to delete:
            hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks\{27796771-8D05-4EE6-B478-43CE759F2106}


            Note: the above instructions were created specifically for this user. If you are not this user, DO NOT follow these directions, as they could damage the workings of your system.


            • Now click the Execute button.
            • Click Yes to the prompt to confirm you want to execute.
            • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
            • Your PC should reboot, if not, reboot it yourself.
            • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
            • Add the Avenger log in your next post.
            .
            ----------

            Download ATF Cleaner by Atribune.
            Note: Vista users must use Run As Administrator
            • Double-click ATF-Cleaner.exe to run the program.
              Under Main choose: Select All
              Click the Empty Selected button.
            If you use Firefox browser
            • Click Firefox at the top and choose: Select All
              Click the Empty Selected button.
              NOTE: If you would like to keep your saved passwords, please click No at the prompt.
            If you use Opera browser
            • Click Opera at the top and choose: Select All
              Click the Empty Selected button.
              NOTE: If you would like to keep your saved passwords, please click No at the prompt.
            Click Exit on the Main menu to close the program.

            ----------

            Post the Avenger log.

            Has anything changed?

            Do you have your XP CD?

            saltydogs


              Re: Very bad Vundo-variant attack!
              « Reply #8 on: May 28, 2008, 01:13:41 PM »
              My start menu is back to normal. My taskbar icons have returned, although the "Genuine Windows Validation" icon is still there, as are the words, "VIRUS ALERT!".

              Avenger log attached.

              //////////////////////////////////////////
                Avenger Pre-Processor log
              //////////////////////////////////////////

              Platform: Windows XP (build 2600, Service Pack 2)
              Wed May 28 14:46:39 2008

              14:46:27: Error: Invalid syntax in command:
              "hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks\{27796771-8D05-4EE6-B478-43CE759F2106}"
              Skipping line.  (Registry value deletion mode) 


              //////////////////////////////////////////


              Logfile of The Avenger Version 2.0, (c) by Swandog46
              http://swandog46.geekstogo.com

              Platform:  Windows XP

              *******************

              Script file opened successfully.
              Script file read successfully.

              Backups directory opened successfully at C:\Avenger

              *******************

              Beginning to process script file:

              Rootkit scan active.
              No rootkits found!


              Completed script processing.

              *******************

              Finished!  Terminate.

              evilfantasy

              Re: Very bad Vundo-variant attack!
              « Reply #9 on: May 28, 2008, 01:19:41 PM »
              The Avenger didn't work. Let's try this.

              Delete these files/folders, as follows:

              1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
              It must be Notepad, not Wordpad.
              • Click Start, then Run
              • Type notepad.exe in the Run Box.
              2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

              Code:
              KillAll::

              Registry::
              [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
              "{27796771-8D05-4EE6-B478-43CE759F2106}"=-

              3. Go to the Notepad window and click Edit > Paste
              4. Then click File > Save
              5. Name the file CFScript.txt - Save the file to your Desktop
              6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



              ComboFix will begin to execute, just follow the prompts.
              After reboot (in case it asks to reboot), it will produce a log for you.
              Post that log (Combofix.txt) in your next reply.

              Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.

              ----------

              Download SmitfraudFix (by S!Ri) to your Desktop.
              • Extract all the files to your Desktop.
              • A folder named SmitfraudFix will be created on your Desktop.
              • Open the SmitfraudFix folder and double-click smitfraudfix.cmd
              • Select option #1 - Search by typing 1 and press Enter
                • This program will scan large amounts of files on your computer for known patterns so please be patient while it works.
                • When it is done, the results of the scan will be displayed and it will create a log named rapport.txt
                  • This is in the root of your drive, eg: Local Disk C: or partition where your operating system is installed.
                • Please attach that log in your next reply.
              • Note: process.exe (which is used by SmitfraudFix) is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

              ----------

              1. Download this diagnostics tool MGADiag.exe and save this to your Desktop.
              2. Double-click on MGADiag.exe and click Continue
              3. When the program has finished, click on Copy
              4. Post the results in your next reply.

              ----------

              Next post add
              Combofix log
              Smitfraudfix log
              MGADiag log
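Added example (not code from the thread, from ComboFix or from The Avenger): a small Python triage script that reads the REGEDIT4-style "Reg Loading Points" section of a ComboFix log like the one posted in Reply #10, flags the loading points that mattered in this thread (a ShellExecuteHooks CLSID that is not on a known-good allowlist, a non-empty AppInit_DLLs, and the firewall profile showing "EnableFirewall"= 0), and writes out the CFScript Registry:: stanza in the "name"=- form that Reply #9 used after the Avenger attempt in Reply #7 was rejected as invalid syntax. The sample log below is constructed after the Reply #10 log; the second hook entry and its DLL path are constructed to exercise the allowlist check, since the page does not show which file that CLSID pointed to. KNOWN_HOOKS, parse_reg_points, triage and cfscript_delete_values are names chosen for this example, not tool APIs.

```python
import re
from collections import OrderedDict

# A REGEDIT4 key line: [HKEY_...\path]
KEY_RE = re.compile(r'^\[(.+)\]$')
# A quoted value line: "name"=data  (ComboFix appends " [date time size]" to data)
VALUE_RE = re.compile(r'^"([^"]*)"\s*=\s*(.*)$')

# Keys of interest, lower-cased to match the mixed case ComboFix prints.
SHELL_HOOKS_KEY = r'hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks'
APPINIT_KEY = r'hkey_local_machine\software\microsoft\windows nt\currentversion\windows'
FIREWALL_KEY = r'hklm\~\services\sharedaccess\parameters\firewallpolicy\standardprofile'

# Allowlist of ShellExecuteHook CLSIDs known to be legitimate on this machine.
# The one entry is the SUPERAntiSpyware hook (SASSEH.DLL) shown in the Reply #10 log.
KNOWN_HOOKS = {'{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}'}

# Constructed sample modelled on the Reply #10 log; the EXAMPLE-unknown.dll
# hook entry is made up to exercise the allowlist check.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
"{27796771-8D05-4EE6-B478-43CE759F2106}"= C:\WINDOWS\system32\EXAMPLE-unknown.dll [2008-05-27 10:35 94208]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=NVDESK32.DLL

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""


def parse_reg_points(text):
    """Return {lower-cased key: [(value_name, data), ...]} for the REGEDIT4-style section.

    Unquoted lines (file listings under startupreg keys, the lsa REG_MULTI_SZ
    line, "@=" defaults) are skipped; only "name"=data lines are collected.
    """
    keys = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == 'REGEDIT4':
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, [])
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current].append((m.group(1), m.group(2).strip()))
    return keys


def triage(text):
    """Return a list of (severity, message) findings for the loading points."""
    keys = parse_reg_points(text)
    findings = []
    # Every ShellExecuteHook DLL is loaded into Explorer; anything not on the allowlist needs a look.
    for clsid, data in keys.get(SHELL_HOOKS_KEY, []):
        if clsid.upper() not in KNOWN_HOOKS:
            findings.append(('high', 'ShellExecuteHook not on allowlist: %s -> %s' % (clsid, data)))
    # AppInit_DLLs entries are loaded into every process that links user32.dll.
    for name, data in keys.get(APPINIT_KEY, []):
        if name.lower() == 'appinit_dlls' and data:
            findings.append(('info', 'AppInit_DLLs is set (%s); confirm it belongs to installed software' % data))
    # "EnableFirewall"= 0 means the XP SP2 firewall is off for the standard profile.
    for name, data in keys.get(FIREWALL_KEY, []):
        if name.lower() == 'enablefirewall' and data.startswith('0'):
            findings.append(('medium', 'Windows Firewall is disabled for the standard profile'))
    return findings


def cfscript_delete_values(key, value_names):
    """Build the CFScript Registry:: stanza that deletes the named values,
    using the REGEDIT4 '"name"=-' form from Reply #9."""
    lines = ['Registry::', '[%s]' % key]
    lines += ['"%s"=-' % name for name in value_names]
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    for sev, msg in triage(SAMPLE_LOG):
        print('[%s] %s' % (sev.upper(), msg))
    print(cfscript_delete_values(SHELL_HOOKS_KEY, ['{27796771-8D05-4EE6-B478-43CE759F2106}']))
```

Paste the "Reg Loading Points" block of a real ComboFix log in place of SAMPLE_LOG to run the same checks; extend KNOWN_HOOKS with the CLSIDs of security software you know is installed so that only unfamiliar hooks are reported.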

              saltydogs


                Re: Very bad Vundo-variant attack!
                « Reply #10 on: May 28, 2008, 02:34:11 PM »
                ComboFix 08-05-27.4 - The Hoaglands 2008-05-28 15:45:17.2 - FAT32x86
                Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.289 [GMT -4:00]
                Running from: C:\Documents and Settings\The Hoaglands\Desktop\ComboFix.exe
                Command switches used :: C:\Documents and Settings\The Hoaglands\Desktop\CFScript.txt
                 * Created a new restore point

                WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
                .

                (((((((((((((((((((((((((   Files Created from 2008-04-28 to 2008-05-28  )))))))))))))))))))))))))))))))
                .

                2008-05-28 14:46 . 2008-05-28 14:46   19,286   --a------   C:\cleanup.exe
                2008-05-28 03:09 . 2008-05-28 03:09   <DIR>   d--------   C:\WINDOWS\ERUNT
                2008-05-28 03:00 . 2008-05-27 03:12   <DIR>   d--------   C:\SDFix
                2008-05-28 01:24 . 2008-05-28 01:24   <DIR>   d--------   C:\Deckard
                2008-05-27 23:35 . 2008-05-27 23:35   <DIR>   d--------   C:\Program Files\Malwarebytes' Anti-Malware
                2008-05-27 23:35 . 2008-05-27 23:35   <DIR>   d--------   C:\Documents and Settings\The Hoaglands\Application Data\Malwarebytes
                2008-05-27 23:35 . 2008-05-27 23:35   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Malwarebytes
                2008-05-27 23:35 . 2008-05-05 20:46   27,048   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\mbamcatchme.sys
                2008-05-27 23:35 . 2008-05-05 20:46   15,864   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
                2008-05-27 18:30 . 2008-05-27 18:30   <DIR>   d--------   C:\Program Files\Trend Micro
                2008-05-27 18:07 . 2008-05-27 18:07   <DIR>   d--------   C:\VundoFix Backups
                2008-05-27 11:41 . 2008-05-27 11:41   <DIR>   d--------   C:\Documents and Settings\The Hoaglands\Application Data\TmpRecentIcons
                2008-05-27 10:35 . 2008-05-27 08:14   94,208   --a------   C:\WINDOWS\efpn.exe
                2008-05-23 16:14 . 2008-05-23 16:14   45,490   --a------   C:\stream.bin
                2008-05-23 15:18 . 2008-05-23 15:18   <DIR>   d--------   C:\SIERRA
                2008-05-23 15:16 . 2008-05-23 15:16   88   --a------   C:\WINDOWS\SIERRA.INI
                2008-05-20 15:18 . 2008-05-20 15:18   <DIR>   d--------   C:\Program Files\Google
                2008-04-28 19:56 . 2008-04-28 19:56   <DIR>   d--------   C:\Documents and Settings\The Hoaglands\Application Data\EPSON

                .
                ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                .
                2008-03-27 08:12   151,583   ----a-w   C:\WINDOWS\SYSTEM32\msjint40.dll
                2008-03-27 08:12   151,583   ------w   C:\WINDOWS\SYSTEM32\dllcache\msjint40.dll
                2008-03-19 09:47   1,845,248   ----a-w   C:\WINDOWS\SYSTEM32\win32k.sys
                2008-03-19 09:47   1,845,248   ------w   C:\WINDOWS\SYSTEM32\dllcache\win32k.sys
                2008-03-01 22:36   3,591,680   ----a-w   C:\WINDOWS\SYSTEM32\dllcache\mshtml.dll
                2008-02-29 08:55   70,656   ------w   C:\WINDOWS\SYSTEM32\dllcache\ie4uinit.exe
                2008-02-29 08:55   625,664   ------w   C:\WINDOWS\SYSTEM32\dllcache\iexplore.exe
                2005-09-14 20:53   0   ----a-w   C:\Program Files\GeacInterealtyDS_HFD_596266616_20050914_205300.sql
                2005-08-13 15:06   0   ----a-w   C:\Program Files\GeacInterealtyDS_HFD_596266616_20050813_150631.sql
                2005-06-23 17:20   0   ----a-w   C:\Program Files\GeacInterealtyDS_HFD_596266616_20050623_172054.sql
                2005-05-28 01:54   0   ----a-w   C:\Program Files\GeacInterealtyDS_HFD_596266616_20050528_015443.sql
                2005-03-26 19:20   21   ----a-w   C:\Program Files\AVPersonalAVWIN.INI
                2005-03-11 16:16   0   ----a-w   C:\Program Files\GeacInterealtyDS_HFD_596266616_20050311_171640.sql
                2005-02-25 21:42   0   ----a-w   C:\Program Files\GeacInterealtyDS_HFD_596266616_20050225_224200.sql
                2005-02-25 17:10   0   ----a-w   C:\Program Files\GeacInterealtyDS_HFD_596266616_20050225_181034.sql
                2005-02-25 15:32   0   ----a-w   C:\Program Files\GeacInterealtyDS_HFD_596266616_20050225_163254.sql
                2004-08-12 05:37   0   ----a-w   C:\Program Files\GeacInterealtyDS_HFD_596266616_20040812_053744.sql
                2004-05-31 12:58   37,634   ----a-w   C:\Documents and Settings\The Hoaglands\raw101.exe
                2004-04-19 20:34   0   ----a-w   C:\Program Files\GeacInterealtyDS_HFD_596266616_20040419_203424.sql
                2004-03-29 16:04   131,072   ----a-w   C:\Program Files\fsuninst.ENG
                2003-03-07 01:17   2,765   ----a-w   C:\Program Files\Common Files\AutoUpdate.rtf
                2003-01-27 15:50   1,000,448   ----a-w   C:\Program Files\Common Files\AutoUpdate.exe
                2002-03-29 23:18   266   --sh--w   C:\Program Files\desktop.ini
                2002-03-29 23:18   11,079   ---h--w   C:\Program Files\folder.htt
                2002-02-08 17:13   8,527,672   ----a-w   C:\Program Files\PLuSExpress.exe
                2001-11-17 00:25   73,728   ----a-w   C:\Documents and Settings\The Hoaglands\Setup.exe
                2001-11-17 00:25   650   ----a-w   C:\Documents and Settings\The Hoaglands\LAYOUT.BIN
                2001-11-17 00:25   450   ----a-w   C:\Documents and Settings\The Hoaglands\OS.DAT
                2001-11-17 00:25   34,816   ----a-w   C:\Documents and Settings\The Hoaglands\_Setup.dll
                2001-11-17 00:25   27,648   ----a-w   C:\Documents and Settings\The Hoaglands\_ISDel.exe
                2001-11-17 00:25   23,541   ----a-w   C:\Documents and Settings\The Hoaglands\LANG.DAT
                2001-10-16 17:48   51,072   ----a-w   C:\Documents and Settings\The Hoaglands\EUSBMSD.sys
                2004-11-20 17:16   1,682   --sha-w   C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
                2004-11-20 17:16   56   --sh--r   C:\WINDOWS\SYSTEM32\8DCA1CC71F.sys
                .

                (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                .
                .
                *Note* empty entries & legit default entries are not shown
                REGEDIT4

                [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
                @={7D688A77-C613-11D0-999B-00C04FD655E1}

                [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]

                [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                "avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2008-04-19 16:00 262401]
                "Auto EPSON Stylus CX3800 Series on DISH"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.exe" [2005-02-07 23:00 98304]

                [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
                "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

                [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
                "AppInit_DLLs"=NVDESK32.DLL

                [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
                "VIDC.UV12"= aoxdxipl.ax
                "VIDC.I263"= i263_32.drv

                [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
                Authentication Packages   REG_MULTI_SZ      msv1_0 relog_ap
                d-a------ 2001-12-10 18:40 0 C:\WINDOWS\System32\

                [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
                C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

                [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
                --a------ 2007-10-30 20:07 140568 C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe

                [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
                --a------ 2007-10-30 20:11 909208 C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe

                [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

                [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVSCHED32]
                C:\Program Files\AVPersonal\AVSched32.exe

                [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitDefender Antivirus]


                [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
                --a------ 2004-08-04 03:56 15360 C:\WINDOWS\system32\ctfmon.exe

                [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EM_EXEC]
                --a------ 2000-03-03 09:00 33792 C:\Program Files\Logitech\MouseWare\System\em_exec.exe

                [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX3800 Series]
                --a------ 2005-02-07 23:00 98304 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.exe

                [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FAST Defrag]

                [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
                --a------ 2006-09-12 01:58 229952 C:\Program Files\iTunes\iTunesHelper.exe

                [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launcher]
                C:\Program Files\KFH\cl\launcher.exe

                [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware Reboot]
                --a------ 2008-05-05 20:46 1179256 C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

                [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
                --a------ 2006-08-12 00:43 7630848 C:\WINDOWS\system32\NvCpl.dll

                [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
                --a------ 2006-08-12 00:43 86016 C:\WINDOWS\system32\NvMcTray.dll

                [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
                --a------ 2006-08-12 00:43 1519616 C:\WINDOWS\SYSTEM32\nwiz.exe

                [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
                --a------ 2006-09-01 15:57 282624 C:\Program Files\QuickTime\qttask.exe

                [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run StartupMonitor]
                --a------ 2000-05-20 17:23 86016 C:\WINDOWS\StartupMonitor.exe

                [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecretSmileys]
                C:\PROGRA~1\SECRET~1\ss.exe

                [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
                --a------ 2008-03-25 04:28 144784 C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe

                [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
                --a------ 2007-06-21 14:06 1318912 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

                [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
                --a------ 2005-04-02 15:39 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

                [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
                --a------ 2007-10-31 12:53 2595616 C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

                [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
                C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe

                [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
                C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

                [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
                "SaveNow"=C:\Program Files\SaveNow\SaveNow.exe
                "b3dUpdate"=C:\WINDOWS\BDE\Update\Zupdate.EXE -silent -p "C:\WINDOWS\BDE\Update" -s setup.cab
                "New.net Startup"=rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
                "LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
                "PP2000 Taskbar Control"=C:\Program Files\Protector Plus\PPTbc.EXE
                "PP2000 Real-time Scan"=C:\Program Files\Protector Plus\PPVstop.exe
                "PP2000 InstaUpdate"=C:\Program Files\Protector Plus\PPInupdt.exe

                [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
                "EnableFirewall"= 0 (0x0)

                [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                "C:\\WINDOWS\\system32\\sessmgr.exe"=
                "C:\\Program Files\\REAL\\RealOne Player\\REALPLAY.EXE"=
                "C:\\Program Files\\Windows Media Player\\WMPLAYER.EXE"=
                "C:\\Program Files\\iTunes\\iTunes.exe"=
                "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
                "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
                "C:\\Program Files\\AIM6\\aim6.exe"=
                "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
                "C:\\WINDOWS\\System32\\mmc.exe"=

                [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
                "1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
                "1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
                "500:UDP"= 500:UDP:@xpsp2res.dll,-22017

                R0 avgntmgr;avgntmgr;C:\WINDOWS\system32\drivers\avgntmgr.sys [2008-04-19 16:00]
                R0 tdrpman;Acronis Try&Decide and Restore Points filter;C:\WINDOWS\system32\DRIVERS\tdrpman.sys [2008-02-01 20:28]
                R1 avgntdd;avgntdd;C:\WINDOWS\system32\DRIVERS\avgntdd.sys [2008-04-19 16:00]
                R2 AdobeActiveFileMonitor;Adobe Active File Monitor;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-04 04:47]
                R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-04 03:40]
                R2 TryAndDecideService;Acronis Try And Decide Service;"C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe" [2007-10-31 13:19]
                S3 Aox402Camera;GD-350V;C:\WINDOWS\system32\DRIVERS\aox402vc.sys [2002-01-16 01:33]
                S3 PPDrv;Protector Plus Driver;C:\Program Files\Protector Plus\PPDrv.sys []
                S3 SE402RefCameraStill;Concord Eye-Q Mini (WDM);C:\WINDOWS\system32\DRIVERS\aox402sc.sys [2001-11-20 13:58]
                S4 lkbdfltr;Logitech Keyboard Class Filter Driver;C:\WINDOWS\system32\DRIVERS\lkbdfltr.sys [2000-03-03 09:00]
                S4 lmoufltr;Logitech Mouse Class Filter Driver;C:\WINDOWS\system32\DRIVERS\lmoufltr.sys [2000-03-03 09:00]
                S4 lsermous;Logitech Serial Mouse Driver;C:\WINDOWS\system32\DRIVERS\lsermous.sys [2000-03-03 09:00]


                [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
                rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msimn.inf,User.Install

                [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
                rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msimn.inf,User.Install
                "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

                [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
                C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
                .
                Contents of the 'Scheduled Tasks' folder
                "2008-05-28 13:10:16 C:\WINDOWS\Tasks\Tune-up Application Start.job"
                "2002-04-10 01:09:22 C:\WINDOWS\Tasks\Maintenance-Defragment programs.job"
                - C:\WINDOWS\DEFRAG.EXE
                "2008-05-28 13:10:16 C:\WINDOWS\Tasks\Maintenance-Disk cleanup.job"
                - C:\WINDOWS\CLEANMGR.EXE
                "2008-05-28 19:00:00 C:\WINDOWS\Tasks\AB2FE87F91849E5B.job"
                - c:\progra~1\stylef~1\DrvLiveOption.exe
                "2006-11-03 15:00:02 C:\WINDOWS\Tasks\Spybot - Search & Destroy -  Scheduled Task.job"
                - C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
                .
                **************************************************************************

                catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                Rootkit scan 2008-05-28 15:51:43
                Windows 5.1.2600 Service Pack 2 FAT NTAPI

                scanning hidden processes ...

                scanning hidden autostart entries ...

                scanning hidden files ...

                scan completed successfully
                hidden files: 0

                **************************************************************************
                .
                ------------------------ Other Running Processes ------------------------
                .
                C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
                C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
                C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
                C:\WINDOWS\system32\nvsvc32.exe
                C:\WINDOWS\System32\wdfmgr.exe
                C:\Program Files\AntiVir PersonalEdition Classic\GUARDGUI.EXE
                C:\WINDOWS\system32\WgaTray.exe
                C:\WINDOWS\system32\wscntfy.exe
                C:\WINDOWS\system32\imapi.exe
                .
                **************************************************************************
                .
                Completion time: 2008-05-28 16:01:03 - machine was rebooted
                ComboFix-quarantined-files.txt  2008-05-28 20:00:56
                ComboFix2.txt  2008-05-28 18:29:42

                Pre-Run: 41,827,893,248 bytes free
                Post-Run: 41,814,982,656 bytes free

                219   --- E O F ---   2008-05-28 07:01:15

                saltydogs


                  Re: Very bad Vundo-variant attack!
                  « Reply #11 on: May 28, 2008, 02:35:01 PM »
                  SmitFraudFix v2.323

                  Scan done at 16:13:46.59, Wed 05/28/2008
                  Run from C:\Documents and Settings\The Hoaglands\Desktop\SmitfraudFix
                  OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
                  The filesystem type is FAT32
                  Fix run in normal mode

                  »»»»»»»»»»»»»»»»»»»»»»»» Process

                  C:\WINDOWS\System32\smss.exe
                  C:\WINDOWS\system32\winlogon.exe
                  C:\WINDOWS\system32\services.exe
                  C:\WINDOWS\system32\lsass.exe
                  C:\WINDOWS\system32\svchost.exe
                  C:\WINDOWS\System32\svchost.exe
                  C:\WINDOWS\system32\spoolsv.exe
                  C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
                  C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
                  C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
                  C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
                  C:\WINDOWS\system32\nvsvc32.exe
                  C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
                  C:\WINDOWS\System32\svchost.exe
                  C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
                  C:\WINDOWS\system32\WgaTray.exe
                  C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
                  C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE
                  C:\WINDOWS\system32\ctfmon.exe
                  C:\WINDOWS\system32\wscntfy.exe
                  C:\WINDOWS\explorer.exe
                  C:\WINDOWS\system32\notepad.exe
                  C:\Program Files\Internet Explorer\IEXPLORE.EXE
                  C:\WINDOWS\system32\cmd.exe

                  »»»»»»»»»»»»»»»»»»»»»»»» hosts


                  »»»»»»»»»»»»»»»»»»»»»»»» C:\


                  »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


                  »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


                  »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


                  »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

                  C:\WINDOWS\system32\migicons.exe FOUND !

                  »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\The Hoaglands


                  »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\The Hoaglands\Application Data


                  »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


                  »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\THEHOA~1\FAVORI~1


                  »»»»»»»»»»»»»»»»»»»»»»»» Desktop


                  »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


                  »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


                  »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
                   
                   
                  [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\2]
                  "Source"="131A6951-7F78-11D0-A979-00C04FD705A2"
                  "SubscribedURL"="131A6951-7F78-11D0-A979-00C04FD705A2"
                  "FriendlyName"="Internet Explorer Channel Bar"

                  »»»»»»»»»»»»»»»»»»»»»»»» IEDFix
                  !!!Attention, following keys are not inevitably infected!!!

                  IEDFix
                  Credits: Malware Analysis & Diagnostic
                  Code: S!Ri


                  »»»»»»»»»»»»»»»»»»»»»»»» VACFix
                  !!!Attention, following keys are not inevitably infected!!!

                  VACFix
                  Credits: Malware Analysis & Diagnostic
                  Code: S!Ri


                  »»»»»»»»»»»»»»»»»»»»»»»» 404Fix
                  !!!Attention, following keys are not inevitably infected!!!

                  404Fix
                  Credits: Malware Analysis & Diagnostic
                  Code: S!Ri


                  »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
                  !!!Attention, following keys are not inevitably infected!!!

                  SrchSTS.exe by S!Ri
                  Search SharedTaskScheduler's .dll


                  »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
                  !!!Attention, following keys are not inevitably infected!!!

                  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
                  "AppInit_DLLs"="NVDESK32.DLL"


                  »»»»»»»»»»»»»»»»»»»»»»»» Winlogon
                  !!!Attention, following keys are not inevitably infected!!!

                  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
                  "Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
                  "OldUserinit"="C:\\WINDOWS\\system32\\userinit.exe,"
                  "System"=""


                  »»»»»»»»»»»»»»»»»»»»»»»» Rustock



                  »»»»»»»»»»»»»»»»»»»»»»»» DNS

                  Description: 3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compatible) - Packet Scheduler Miniport
                  DNS Server Search Order: 24.151.8.211
                  DNS Server Search Order: 24.151.8.210
                  DNS Server Search Order: 66.189.130.5

                  HKLM\SYSTEM\CCS\Services\Tcpip\..\{787FF200-C28F-42F7-93BC-60FC13791214}: DhcpNameServer=24.151.8.211 24.151.8.210 66.189.130.5
                  HKLM\SYSTEM\CS2\Services\Tcpip\..\{787FF200-C28F-42F7-93BC-60FC13791214}: DhcpNameServer=24.151.8.211 24.151.8.210 66.189.130.5
                  HKLM\SYSTEM\CS3\Services\Tcpip\..\{787FF200-C28F-42F7-93BC-60FC13791214}: DhcpNameServer=24.151.8.211 24.151.8.210 66.189.130.5
                  HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=24.151.8.211 24.151.8.210 66.189.130.5
                  HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=24.151.8.211 24.151.8.210 66.189.130.5
                  HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=24.151.8.211 24.151.8.210 66.189.130.5


                  »»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


                  »»»»»»»»»»»»»»»»»»»»»»»» End

                  Diagnostic Report (1.7.0095.0):
                  -----------------------------------------
                  WGA Data-->
                  Validation Status: Not Activated
                  Validation Code: 1
                  Online Validation Code: N/A
                  Cached Validation Code: N/A
                  Windows Product Key: *****-*****-RBJMD-FQTV9-CJ497
                  Windows Product Key Hash: hme0pUUsTkBgzcjbnZE7VReHEcc=
                  Windows Product ID: 55285-012-7468782-21220
                  Windows Product ID Type: 0
                  Windows License Type: Unknown
                  Windows OS version: 5.1.2600.2.00010300.2.0.hom
                  CSVLK Server: N/A
                  CSVLK PID: N/A
                  ID: {D81622F8-4884-4384-94E8-9140DCA015C3}(3)
                  Is Admin: Yes
                  TestCab: 0x0
                  WGA Version: Registered, 1.7.18.5
                  Signed By: Microsoft
                  Product Name: N/A
                  Architecture: N/A
                  Build lab: N/A
                  TTS Error: N/A
                  Validation Diagnostic: 025D1FF3-171-1_025D1FF3-85-80004005
                  Resolution Status: N/A

                  WgaER Data-->
                  ThreatID(s): N/A
                  Version: N/A

                  WGA Notifications Data-->
                  Cached Result: 5
                  File Exists: Yes
                  Version: 1.7.18.5
                  WgaTray.exe Signed By: Microsoft
                  WgaLogon.dll Signed By: Microsoft

                  OGA Notifications Data-->
                  Cached Result: N/A, hr = 0x80070002
                  Version: N/A, hr = 0x80070002
                  WGATray.exe Signed By: Microsoft
                  OGAAddin.dll Signed By: N/A, hr = 0x80070002

                  OGA Data-->
                  Office Status: 109 N/A
                  OGA Version: N/A, 0x80070002
                  Signed By: N/A, hr = 0x80070002
                  Office Diagnostics: 025D1FF3-171-1_025D1FF3-85-80004005

                  Browser Data-->
                  Proxy settings: N/A
                  User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Win32)
                  Default Browser: C:\Program Files\Internet Explorer\IEXPLORE.exe
                  Download signed ActiveX controls: Prompt
                  Download unsigned ActiveX controls: Disabled
                  Run ActiveX controls and plug-ins: Allowed
                  Initialize and script ActiveX controls not marked as safe: Disabled
                  Allow scripting of Internet Explorer Webbrowser control: Disabled
                  Active scripting: Allowed
                  Script ActiveX controls marked as safe for scripting: Allowed

                  File Scan Data-->

                  Other data-->
                  Office Details: <GenuineResults><MachineData><UGUID>{D81622F8-4884-4384-94E8-9140DCA015C3}</UGUID><Version>1.7.0095.0</Version><OS>5.1.2600.2.00010300.2.0.hom</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-CJ497</PKey><PID>55285-012-7468782-21220</PID><PIDType>0</PIDType><SID>S-1-5-21-796845957-573735546-1801674531</SID><SYSTEM><Manufacturer>Dell Computer Corporation</Manufacturer><Model>OptiPlex GX300               </Model></SYSTEM><BIOS><Manufacturer>Dell Computer Corporation</Manufacturer><Version>A07</Version><SMBIOSVersion major="2" minor="3"/><Date>20000810000000.000000+000</Date></BIOS><HWID>7904379F01846056</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><BRT/></MachineData>     <Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults> 



                  evilfantasy

                  • Malware Removal Specialist
                  • Moderator


                  • Genius
                  • Calm like a bomb
                  • Thanked: 493
                  • Experience: Experienced
                  • OS: Windows 11
                  Re: Very bad Vundo-variant attack!
                  « Reply #12 on: May 28, 2008, 02:42:53 PM »
                  PLEASE READ ALL OF THESE INSTRUCTIONS FIRST BEFORE DOING ANYTHING. Ask any questions that you may have before starting.

                  You may want to print out these instructions or copy and paste them to Notepad and save it to the desktop, as you will not be able to see this page in Safe Mode.
                  • Please reboot your computer in Safe Mode by tapping the F8 key just before Windows starts to load and selecting Safe Mode.
                  • Open the SmitfraudFix Folder on your Desktop, then double-click smitfraudfix.cmd file to start the tool.
                  • Select option #2 - Clean by typing 2 and press Enter.
                  • The program will start cleaning your computer and go through a series of cleanup processes. Wait for the tool to complete and disk cleanup to finish.
                    • This process can take some time depending on your computer, so please be patient.
                    • When it is complete, it will close automatically and you should continue with next step.
                    • You will be prompted: "Registry cleaning - Do you want to clean the registry?" answer Yes by typing Y and hit Enter.
                    • The tool will also check if wininet.dll is infected. If it is infected and a clean version is found, you will be prompted to replace the infected wininet.dll with the clean file.
                    • Answer Yes to the question "Replace infected file?" by typing Y and hit Enter.
                    A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt

                    Suggested Step:
                    • To restore Trusted and Restricted site zone, select 3 and hit Enter.
                    • You will be prompted: Restore Trusted Zone? answer Y (yes) and hit Enter to delete trusted zone.
                    • Now reboot into normal mode and post this new rapport.txt in the next post.
                    • WARNING Running this option on a non infected computer will remove the desktop background. So only run it once!
                    .
                    ----------

                    Please go HERE (Microsoft website) using Internet Explorer (not Firefox or any other browser as they won't work)
                    • Click on Windows Validation Assistant
                    • Click on the Validate Now button.
                    • Be patient while the ActiveX loads, do not click on any links.
                    • Read the instructions on this page while it's loading. You will be prompted to install - click YES.
                    • Enter your product key, then click Continue.
                    • When it says "Validation Complete", please click Continue to return to your previous activity.
                    • Copy what it says and paste it here.

                    saltydogs


                      Re: Very bad Vundo-variant attack!
                      « Reply #13 on: May 28, 2008, 03:30:15 PM »
                      SmitFraudFix v2.323             
                       
                      Scan done at 16:52:43.15, Wed 05/28/2008 
                      Run from C:\Documents and Settings\The Hoaglands\Desktop\SmitfraudFix 
                      OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT 
                      The filesystem type is FAT32 
                      Fix run in safe mode 
                       
                      »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix 
                      !!!Attention, following keys are not inevitably infected!!! 
                       
                      SrchSTS.exe by S!Ri 
                      Search SharedTaskScheduler's .dll 
                       
                      »»»»»»»»»»»»»»»»»»»»»»»» Killing process 
                       
                      »»»»»»»»»»»»»»»»»»»»»»»» hosts 
                       
                      127.0.0.1       localhost 
                       
                      »»»»»»»»»»»»»»»»»»»»»»»» VACFix 
                       
                      VACFix 
                      Credits: Malware Analysis & Diagnostic 
                      Code: S!Ri 
                       
                      »»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix 
                       
                      S!Ri's WS2Fix: LSP not Found. 
                       
                      »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix 
                       
                      GenericRenosFix by S!Ri 
                       
                      »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files 
                       
                      C:\WINDOWS\system32\migicons.exe Deleted 
                       
                      »»»»»»»»»»»»»»»»»»»»»»»» IEDFix 
                       
                      IEDFix 
                      Credits: Malware Analysis & Diagnostic 
                      Code: S!Ri 
                       
                      »»»»»»»»»»»»»»»»»»»»»»»» 404Fix 
                       
                      404Fix 
                      Credits: Malware Analysis & Diagnostic 
                      Code: S!Ri 
                       
                      »»»»»»»»»»»»»»»»»»»»»»»» DNS 
                       
                      HKLM\SYSTEM\CCS\Services\Tcpip\..\{787FF200-C28F-42F7-93BC-60FC13791214}: DhcpNameServer=24.151.8.211 24.151.8.210 66.189.130.5
                      HKLM\SYSTEM\CS2\Services\Tcpip\..\{787FF200-C28F-42F7-93BC-60FC13791214}: DhcpNameServer=24.151.8.211 24.151.8.210 66.189.130.5
                      HKLM\SYSTEM\CS3\Services\Tcpip\..\{787FF200-C28F-42F7-93BC-60FC13791214}: DhcpNameServer=24.151.8.211 24.151.8.210 66.189.130.5
                      HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=24.151.8.211 24.151.8.210 66.189.130.5 
                      HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=24.151.8.211 24.151.8.210 66.189.130.5 
                      HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=24.151.8.211 24.151.8.210 66.189.130.5 
                       
                      »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files 
                       
                      »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System 
                      !!!Attention, following keys are not inevitably infected!!! 
                       
                      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 
                      System="" 
                       
                      »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning 
                         
                      Registry Cleaning done.   
                         
                      »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix 
                      !!!Attention, following keys are not inevitably infected!!! 
                       
                      SrchSTS.exe by S!Ri 
                      Search SharedTaskScheduler's .dll 
                       
                      »»»»»»»»»»»»»»»»»»»»»»»» End 

                      evilfantasy

                      • Malware Removal Specialist
                      • Moderator


                      Re: Very bad Vundo-variant attack!
                      « Reply #14 on: May 28, 2008, 03:37:48 PM »
                      How is everything now?