   my system was infected with Vundo!
seenujanu
« on: Apr 3rd, 2008, 1:17am »

Hi Friends,
 
My system was infected with Vundo and I am unable to remove the virus.
 
The problem is that I get pop-up windows asking whether I want to install MalwareAlarm.
 
I just removed the registry entries that belong to MalwareAlarm, but it is no use:
 
it recreates them. I also tried removing those .DLL files from Safe Mode, with no luck.
 
Any help regarding this?
 
I have tried other anti-virus programs like AVG and Prevx.
 
When I scanned with TrojanHunter it shows:
 
Found trojan file: C:\WINNT\system32\wvUmkhij.dll (Generic.Vundo.B)
 
I had McAfee anti-virus with a licence, but it didn't detect the virus.
 
 
I have scanned with Prevx anti-virus; its log file is:
 
 
Code:

 
 
Summary:
C:\WINNT\system32\xxywTnlm.dll - [B] >> Trojan.Vundo
C:\WINNT\system32\ssqNHaXo.dll - [B] >> Trojan.Vundo - Generic.Malware
C:\WINNT\system32\iohiigot.dll - [B] >> Trojan.Vundo - Lop
D:\oracle\ora92/bin/pagntsrv.exe - [U16] >> Hidden File Name
C:\DBI.EXE - [B] >> Generic.Malware
C:\WINNT\system32\oakvlrir.dll - [B] >> Trojan.Vundo - Lop
Note: Some of the above entries may be from previous scans or cleaned infections.
 
 
End of PrevxCSI Log - http://www.prevx.com
 

 
 
Regards
 
Seenu
siliconman01
« Reply #1 on: Apr 3rd, 2008, 1:37am »
Welcome to the forum, seenujanu.
 
Please do the following:
 
1.  Download/install program Hijackthis per the instructions in the link below.  
 
http://www.misec.net/forum/board/FAQ/1163329424  
 
2.  Go to the link below and download program Combofix.exe and save it on your desktop.  
 
http://download.bleepingcomputer.com/sUBs/ComboFix.exe  
 
3.  Temporarily deactivate all your security programs EXCEPT your software firewall.  
 
4.  Close down as many programs as you can (programs in the notification tray, next to the clock).  
 
5.  Close your browser.  
 
6.  Double click on Combofix.exe to execute it and follow the instructions.  
 
Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.
 
-  When Combofix.exe is finished, it will save a log on your system.    
 
7.  Post the Combofix log back here  
 
8.  Run Hijackthis and post a HiJackthis scan log back here.  DO NOT fix anything with HJT...just post the scan log.

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
seenujanu
« Reply #2 on: Apr 3rd, 2008, 3:54am »

Hi,
 
I got an error when running combofix.exe. I did the things you said, but it gave this and then restarted.
 
The log file is:
 
Code:

ComboFix 08-04-01.2 - narayanas 04/03/2008 14:57:05.1 - NTFSx86
Running from: C:\Documents and Settings\narayanas\Desktop\ComboFix.exe
 
[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

 
I got the same error when running HijackThis.exe.
 
When I save the log file it just closes the window and shows this error:
 
Unknown has generated errors and will be closed by Windows.
 
You will need to restart the program.
 
What does this mean?
 
Regards
siliconman01
« Reply #3 on: Apr 3rd, 2008, 4:23am »

You do not need the Recovery Console installed for Combofix to run.  However you can install it via Combofix.  Below is a link that provides a tutorial on Combofix and how to do this.
 
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
seenujanu
« Reply #4 on: Apr 3rd, 2008, 5:15am »

Hi silicon,
 
here is the log file:
 
Code:

ComboFix 08-03-30.5 - narayanas 2008-04-03 16:36:24.3 - NTFSx86
Microsoft Windows 2000 Professional  5.0.2195.4.1252.1.1033.18.87 [GMT 5.5:30]
Running from: C:\Documents and Settings\narayanas\Desktop\ComboFix.exe
 * Resident AV is active
 
 
[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.
 
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
 
C:\WINNT\BM3f604afd.xml
C:\WINNT\pskt.ini
C:\WINNT\system32\bwwjghmb.dll
C:\WINNT\system32\jihkmUvw.ini
C:\WINNT\system32\jihkmUvw.ini2
C:\WINNT\system32\oXaHNqss.ini
C:\WINNT\system32\pxsmsvit.dll
C:\WINNT\system32\qxqbklwy.dll
C:\WINNT\system32\wvUmkhij.dll
C:\WINNT\system32\ywlkbqxq.ini
.
---- Previous Run -------
.
C:\WINNT\pskt.ini
 
.
(((((((((((((((((((((((((   Files Created from 2008-03-03 to 2008-04-03  )))))))))))))))))))))))))))))))
.
 
2008-04-03 13:20 . 08-04-03 13:20 <DIR>d--------C:\Program Files\Alwil Software
2008-04-02 20:53 . 08-04-02 20:53 <DIR>d--------C:\Program Files\Trend Micro
2008-04-02 18:45 . 08-04-02 18:45 <DIR>d--------C:\KAV
2008-04-02 16:42 . 08-04-02 16:43 2,268,582--a------C:\WINNT\system32\QSSWRIHVKVOQQ
2008-04-02 16:38 . 08-04-02 16:38 <DIR>d--------C:\Documents and Settings\narayanas\.hotjava
2008-04-02 16:37 . 08-04-02 16:37 <DIR>d--------C:\Documents and Settings\narayanas\.java
2008-04-02 16:27 . 08-04-02 16:27 <DIR>d--------C:\Program Files\Opera
2008-04-02 16:22 . 08-04-02 16:23 5,471,543--a------C:\WINNT\system32\WQFFSVQ
2008-04-02 13:41 . 08-04-02 13:41 <DIR>d--------C:\Documents and Settings\narayanas\Application Data\TrojanHunter
2008-04-02 12:56 . 08-04-03 10:38 <DIR>d--------C:\Program Files\TrojanHunter 5.0
2008-04-02 12:43 . 08-04-02 12:43 25,773--a------C:\WINNT\system32\drivers\regguard.sys
2008-04-02 11:39 . 08-04-02 12:57 928,240---h-----C:\WINNT\ShellIconCache
2008-04-02 10:09 . 08-04-02 10:09 <DIR>d--------C:\Documents and Settings\narayanas\Application Data\Webroot
2008-04-01 17:34 . 08-04-02 18:58 <DIR>d--------C:\Documents and Settings\narayanas\Application Data\AVG7
2008-04-01 17:34 . 08-04-01 17:34 <DIR>d--------C:\Documents and Settings\Default User\Application Data\AVG7
2008-04-01 17:33 . 08-04-03 10:28 <DIR>d-a------C:\Documents and Settings\All Users\Application Data\avg7
2008-04-01 17:33 . 08-03-13 13:43 35,960,792--a------C:\avg75free_519a1276.exe
2008-04-01 17:12 . 08-04-02 09:53 <DIR>d---s----C:\Documents and Settings\narayanas\UserData
2008-04-01 16:57 . 08-04-03 16:41 6,480--a------C:\WINNT\system32\ifweb60
2008-03-31 18:36 . 08-03-31 18:36 <DIR>d--------C:\WINNT\Sun
2008-03-31 17:57 . 08-02-22 02:33 69,632--a------C:\WINNT\system32\javacpl.cpl
2008-03-31 17:47 . 08-03-31 17:47 <DIR>d--------C:\Program Files\Common Files\Java
2008-03-31 12:17 . 07-12-01 11:32 201,320--a------C:\WINNT\system32\drivers\mfehidk.sys
2008-03-31 12:17 . 07-12-01 11:32 79,304--a------C:\WINNT\system32\drivers\MfeAVFK.sys
2008-03-31 12:17 . 07-12-01 11:33 55,016--a------C:\WINNT\system32\drivers\mfetdik.sys
2008-03-31 12:17 . 07-12-01 11:32 35,240--a------C:\WINNT\system32\drivers\MfeBOPK.sys
2008-03-31 12:17 . 07-12-01 11:32 33,832--a------C:\WINNT\system32\drivers\MfeRKDK.sys
2008-03-31 11:20 . 07-07-30 19:18 34,136--a------C:\WINNT\system32\wucltui.dll.mui
2008-03-31 11:20 . 07-07-30 19:19 25,944--a------C:\WINNT\system32\wuaucpl.cpl.mui
2008-03-31 11:20 . 07-07-30 19:19 25,944--a------C:\WINNT\system32\wuapi.dll.mui
2008-03-31 11:20 . 07-07-30 19:18 20,312--a------C:\WINNT\system32\wuaueng.dll.mui
2008-03-27 12:18 . 08-04-01 17:07 <DIR>d--------C:\Program Files\EditPlus 3
2008-03-26 18:33 . 05-04-05 11:20 306,424--a--c---C:\WINNT\system32\dllcache\drmclien.dll
2008-03-26 18:33 . 05-04-05 11:20 87,040--a------C:\WINNT\system32\drmstor.dll
2008-03-26 18:33 . 05-04-05 11:20 87,040--a--c---C:\WINNT\system32\dllcache\drmstor.dll
2008-03-26 18:33 . 05-04-05 11:20 10,240--a--c---C:\WINNT\system32\dllcache\npwmsdrm.dll
2008-03-26 18:29 . 07-03-08 05:21 129,784--a------C:\WINNT\system32\pxafs.dll
 
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-28 10:37---------d-----wC:\Program Files\DKG Advanced Solutions, Inc
2008-04-02 12:47---------d-----wC:\Program Files\Maxthon2
2008-04-02 12:03---------d-----wC:\Program Files\Maxthon
2008-04-02 11:13---------d-----wC:\Program Files\Yahoo!
2008-04-01 11:40---------d-----wC:\Documents and Settings\All Users\Application Data\WinZip
2008-04-01 11:34---------d-----wC:\Program Files\Common Files\InstallShield
2008-03-31 12:26---------d-----wC:\Program Files\Java
2008-02-28 11:12---------d-----wC:\Program Files\Common Files\Adobe
2008-02-07 07:59---------d-----wC:\Program Files\Lexico
2006-07-26 17:42271---h--wC:\Program Files\desktop.ini
2006-07-26 17:4221,952---h--wC:\Program Files\folder.htt
.
 
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown  
REGEDIT4
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MVS Splash"="C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe" [08-03-04 23:46  468288]
"McAfee Managed Services Tray"="C:\Program Files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe" [08-03-04 23:46  87360]
"Synchronization Manager"="mobsync.exe" [03-06-19 12:05  111376 C:\WINNT\system32\mobsync.exe]
 
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [07-09-28 06:47  443968]
 
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 12:05  186640]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxywTnlm]
xxywTnlm.dll
 
R2 EngineServer;EngineServer;"C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe" [07-12-01 11:30 ]
R2 myAgtSvc;McAfee Virus and Spyware Protection Service;"C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe" /ServiceStart []
R2 OracleFormsServer-Forms60Server-OracleForms;Oracle Forms Server [Forms60Server-OracleForms];D:\OracleForms\bin\ifsrv60.exe [02-11-27 08:27 ]
R2 OracleOraHome92Agent;OracleOraHome92Agent;D:\oracle\ora92\bin\agntsrvc.exe [02-04-26 17:29 ]
R2 OracleOraHome92HTTPServer;OracleOraHome92HTTPServer;"D:\oracle\ora92\Apache\Apache\apache.exe" --ntservice []
R2 OracleReportServer-Rep60_NARAYANA-OracleForms;Oracle Reports Server [Rep60_NARAYANA-OracleForms];D:\OracleForms\bin\rwmts60.exe [02-11-27 08:18 ]
R2 OracleServiceNARI;OracleServiceNARI;d:\oracle\ora92\bin\ORACLE.EXE NARI []
S3 OracleOracleFormsClientCache80;OracleOracleFormsClientCache80;D:\OracleForms\BIN\ONRSD80.EXE [02-11-27 08:15 ]
S3 OracleOraHome92ClientCache;OracleOraHome92ClientCache;D:\oracle\ora92\BIN\ONRSD.EXE [02-04-26 19:34 ]
S3 OracleOraHome92SNMPPeerEncapsulator;OracleOraHome92SNMPPeerEncapsulator;D:\oracle\ora92\BIN\ENCSVC.EXE [02-02-13 08:23 ]
S3 OracleOraHome92SNMPPeerMasterAgent;OracleOraHome92SNMPPeerMasterAgent;D:\oracle\ora92\BIN\AGNTSVC.EXE [02-02-13 08:23 ]
S3 RegGuard;RegGuard;C:\WINNT\system32\Drivers\regguard.sys [08-04-02 12:43 ]
 
*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS
.
Contents of the 'Scheduled Tasks' folder
"2008-04-02 12:15:02 C:\WINNT\Tasks\Time Tracker.job"
- C:\Documents and Settings\narayanas\Desktop\Time Tracker.bat
.
**************************************************************************
 
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-03 16:42:45
Windows 5.0.2195 Service Pack 4 NTFS
 
scanning hidden processes ...  
 
scanning hidden autostart entries ...
 
scanning hidden files ...  
 
scan completed successfully  
hidden files: 0  
 
**************************************************************************
 
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OracleOraHome92PagingServer]
"ImagePath"="D:\oracle\ora92/bin/pagntsrv.exe"
 
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OracleOraHome92TNSListener]
"ImagePath"="D:\oracle\ora92\BIN\TNSLSNR "
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
D:\OracleForms\bin\ifweb60.exe
C:\WINNT\system32\cmd.exe
D:\oracle\ora92\bin\dbsnmp.exe
D:\oracle\ora92\BIN\TNSLSNR.exe
d:\oracle\ora92\bin\ORACLE.EXE
D:\oracle\ora92\jdk\bin\java.exe
D:\oracle\ora92\jdk\bin\java.exe
d:\oracle\ora92\bin\isqlplus
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtTry.exe
.
**************************************************************************
.
Completion time: 2008-04-03 16:46:07 - machine was rebooted [narayanas]
ComboFix-quarantined-files.txt  2008-04-03 11:15:54
Pre-Run: 16,083,775,488 bytes free
Post-Run: 16,062,353,408 bytes free
.
2008-03-31 06:39:40--- E O F ---  
 
seenujanu
« Reply #5 on: Apr 3rd, 2008, 5:22am »

Hi silicon,
 
here is the hijackthis.log file:
 
Code:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:53, on 2008-04-03
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
 
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
D:\OracleForms\bin\ifsrv60.exe
D:\OracleForms\bin\ifweb60.exe
D:\oracle\ora92\bin\agntsrvc.exe
D:\oracle\ora92\Apache\Apache\apache.exe
C:\WINNT\system32\cmd.exe
D:\oracle\ora92\bin\dbsnmp.exe
D:\oracle\ora92\BIN\TNSLSNR.exe
D:\OracleForms\bin\rwmts60.exe
d:\oracle\ora92\bin\ORACLE.EXE
D:\oracle\ora92\Apache\Apache\apache.exe
D:\oracle\ora92\jdk\bin\java.exe
D:\oracle\ora92\jdk\bin\java.exe
d:\oracle\ora92\bin\isqlplus
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\explorer.exe
C:\Program Files\Opera\Opera.exe
C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgttry.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {724d43a0-0d85-11d4-9908-00400523e39a} - (no file)
O3 - Toolbar: (no name) - {11359F4A-B191-42D7-905A-594F8CF0387B} - (no file)
O4 - HKLM\..\Run: [MVS Splash] "C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe"
O4 - HKLM\..\Run: [McAfee Managed Services Tray] "C:\Program Files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html (file missing)
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html (file missing)
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html (file missing)
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html (file missing)
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html (file missing)
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} - http://www.unc.edu/~echeran/wfplayer/tdserver.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1206942558476
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O16 - DPF: {8FEFF364-6A5F-4966-A917-A3AC28411659} (SopCore Control) - http://download.sopcast.com/download/SOPCORE.CAB
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} - http://www5.incredimail.com/contents/setup/downloader/imloader.cab
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.reference.com/tools/toolbar/lexico.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = arrow.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = arrow.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = arrow.local
O18 - Protocol: qcom - {B8DBD265-42C3-43E6-B439-E968C71984C6} - C:\PROGRA~1\COMMON~1\QUESTS~1\CODEXP~1\qcom.dll
O20 - Winlogon Notify: xxywTnlm - xxywTnlm.dll (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EngineServer - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McShield - McAfee, Inc. - C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
O23 - Service: McAfee Virus and Spyware Protection Service (myAgtSvc) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
O23 - Service: Oracle Forms Server [Forms60Server-OracleForms] (OracleFormsServer-Forms60Server-OracleForms) - Oracle Corporation - D:\OracleForms\bin\ifsrv60.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - D:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOracleFormsClientCache80 - Unknown owner - D:\OracleForms\BIN\ONRSD80.EXE
O23 - Service: OracleOraHome92Agent - Oracle Corporation - D:\oracle\ora92\bin\agntsrvc.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - D:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: OracleOraHome92HTTPServer - Unknown owner - D:\oracle\ora92\Apache\Apache\apache.exe
O23 - Service: OracleOraHome92PagingServer - Unknown owner - D:\oracle\ora92/bin/pagntsrv.exe
O23 - Service: OracleOraHome92SNMPPeerEncapsulator - Unknown owner - D:\oracle\ora92\BIN\ENCSVC.EXE
O23 - Service: OracleOraHome92SNMPPeerMasterAgent - Unknown owner - D:\oracle\ora92\BIN\AGNTSVC.EXE
O23 - Service: OracleOraHome92TNSListener - Unknown owner - D:\oracle\ora92\BIN\TNSLSNR.exe
O23 - Service: Oracle Reports Server [Rep60_NARAYANA-OracleForms] (OracleReportServer-Rep60_NARAYANA-OracleForms) - Oracle Corp - D:\OracleForms\bin\rwmts60.exe
O23 - Service: OracleServiceNARI - Oracle Corporation - d:\oracle\ora92\bin\ORACLE.EXE
 
--
End of file - 8154 bytes
 
Regards
Seenu
siliconman01
« Reply #6 on: Apr 3rd, 2008, 6:17am »

Good job,
 
ComboFix found and removed several infections.  Please do the following:  
 
1.  Remove Combofix.exe from your desktop  
 
2.  Remove the folder named Qoobox from C:\.  It is the Quarantine folder of Combofix.  
 
3.  Remove the Combofix log file from your system.  
 
4.  Run another HiJackthis scan.  
 
5.  When the scan is completed, place a check mark next to the following item.  BE SURE it is the only item checked.  
 

O3 - Toolbar: (no name) - {724d43a0-0d85-11d4-9908-00400523e39a} - (no file)
 
O3 - Toolbar: (no name) - {11359F4A-B191-42D7-905A-594F8CF0387B} - (no file)
 
O20 - Winlogon Notify: xxywTnlm - xxywTnlm.dll (file missing)

 
NOTE:  IF you do NOT have AI Roboform currently installed on your computer, please checkmark the following items too.
 

O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html (file missing)
 
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html (file missing)
 
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html (file missing)
 
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html (file missing)
 
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html (file missing)
 
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html (file missing)

 
6.  Close your browser.  
 
7.  Click on Fix Checked located at the lower left of the Hijackthis window.  Confirm that you want HJT to fix this item and let it fix it.  
 
8.  Close HiJackthis and reboot.  
 
9.  Clean out your System Volume Information folder per the instructions in the link below.
 
http://www.misec.net/forum/board/FAQ/1139255588
 
10.  After the reboot is completed, I recommend that you run a Remote scan of your computer using Kaspersky at the link below:
 
http://www.kaspersky.com/virusscanner
 
-  Use Internet Explorer to access the Kaspersky site.  Kaspersky needs to download/install an ActiveX component.  Please let it do this so that it can scan.
 
-  BEFORE running the remote scan, disable all your security programs EXCEPT your software firewall
 
-  Run a FULL scan of computer with Kaspersky.
 
-  The scan will take some time based on the volume of your computer software.
 
11.  Please post back here the results of the Kaspersky scan.
 
12.  Please tell me if your computer appears to be running okay.

 
 
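The selection the moderator makes above (tick the O3 toolbars with "(no file)", the O20 Winlogon Notify DLL with "(file missing)", and the RoboForm O9 items only if RoboForm is not installed) can be expressed as a small triage script over a HijackThis log. The script below is an added example and is not part of this thread, of HijackThis or of any of the tools mentioned here; the function names `parse_hjt`, `triage` and `fix_list` are the example's own, and the sample log is a constructed excerpt built from lines of the hijackthis.log posted in this thread.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a few lines taken from the HijackThis log posted in
# this thread, including the entries the moderator asked to tick under
# "Fix checked". It stands in for a full hijackthis.log file.
SAMPLE_HJT_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:53, on 2008-04-03
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {724d43a0-0d85-11d4-9908-00400523e39a} - (no file)
O3 - Toolbar: (no name) - {11359F4A-B191-42D7-905A-594F8CF0387B} - (no file)
O4 - HKLM\..\Run: [MVS Splash] "C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe"
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html (file missing)
O20 - Winlogon Notify: xxywTnlm - xxywTnlm.dll (file missing)
O23 - Service: McShield - McAfee, Inc. - C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
"""

# HijackThis prefixes every registry/startup entry with a section code
# (R0-R3, F0-F3, N1-N4, O1-O24) followed by " - ".
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")

# Markers HijackThis prints when the registry still references a file
# that is no longer on disk.
ORPHAN_MARKERS = ("(no file)", "(file missing)")


@dataclass
class Finding:
    section: str
    text: str
    reasons: list = field(default_factory=list)

    @property
    def line(self):
        """The entry exactly as it appears in the log (what you tick in HJT)."""
        return f"{self.section} - {self.text}"


def parse_hjt(log_text):
    """Return (section, text) tuples for every HJT entry, in log order."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(entries):
    """Pick out the entries a helper would put on the 'Fix checked' list."""
    findings = []
    for section, text in entries:
        reasons = []
        if any(marker in text for marker in ORPHAN_MARKERS):
            reasons.append("orphaned: registry entry points at a file that no longer exists")
        if section == "O20":
            # Winlogon Notify DLLs are loaded by winlogon.exe at every logon;
            # the Vundo entry in this thread (xxywTnlm.dll) lived here.
            reasons.append("Winlogon Notify: DLL loaded by winlogon.exe at every logon")
        if reasons:
            findings.append(Finding(section, text, reasons))
    return findings


def fix_list(log_text):
    """Lines to tick under 'Fix checked', in log order."""
    return [f.line for f in triage(parse_hjt(log_text))]


if __name__ == "__main__":
    for finding in triage(parse_hjt(SAMPLE_HJT_LOG)):
        print(finding.line)
        for reason in finding.reasons:
            print("    ->", reason)
```

The output is a review list, not something to feed back into HijackThis blindly: as the RoboForm note above shows, an orphaned O9 entry can belong to software the user legitimately uninstalled, and an O20 entry whose file does exist still needs a person to decide whether the DLL is expected on that machine.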
seenujanu
« Reply #7 on: Apr 3rd, 2008, 8:29am »

Hi silicon,
 
Thanks for giving the valuable suggestions, and I think it was fine. But you are asking me to run the Kaspersky anti-virus. I had McAfee anti-virus; I have stopped its services and disabled it. Is this okay?
 
I am using Windows 2000 Professional.
 
I haven't found anything regarding System Restore in my OS, for which you gave me the link.
 
Can you give the navigation if it is so?
 
Regards
 
Seenu
siliconman01
« Reply #8 on: Apr 3rd, 2008, 10:38am »

Quote:
I had McAfee anti-virus; I have stopped its services and disabled it. Is this okay?

 
I'm not too sure I understand your question above.  To run the Kaspersky AV scan, just disable the McAfee AV scanner temporarily...to prevent it from conflicting with the Kaspersky scan.
 
Don't worry about the System Restore item on Windows 2000 Professional.  It's not needed.
seenujanu
« Reply #9 on: Apr 4th, 2008, 8:00am »

Hi siliconman,
 
I am feeling very happy, because it resolved the problem with Vundo; I have been fighting with that for the past week.
 
I scanned my computer with Kaspersky. It takes a long time.
It doesn't show any virus on the C drive, which is fine. But I downloaded some software a long time ago, and the problem is that Kaspersky is showing viruses in them. I don't have any problem with the things I downloaded.
 
Thanks a lot, siliconman, and to misec.net.
Here is the LOG file:
 
Code:

KASPERSKY ONLINE SCANNER REPORT  
2008-04-04 17:38
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 4/04/2008
Kaspersky Anti-Virus database records: 681352
 
 
Scan Settings  
Scan using the following antivirus database extended  
Scan Archives true  
Scan Mail Bases true  
 
Scan Target Folders  
F:\
G:\
H:\
I:\
J:\  
 
Scan Statistics  
Total number of scanned objects 31404  
Number of viruses found 11  
Number of infected objects 33  
Number of suspicious objects 0  
Duration of the scan process 01:47:48  
 
Infected Object Name Virus Name Last Action  
F:\Desktop Latest\Software\Folder Locking SW\ABC Lock\ak162.exe/file06  Infected: Trojan-Downloader.Win32.IstBar.gen  skipped  
 
F:\Desktop Latest\Software\Folder Locking SW\ABC Lock\ak162.exe/file07/data0006  Infected: Trojan-Dropper.Win32.VB.nn  skipped  
 
F:\Desktop Latest\Software\Folder Locking SW\ABC Lock\ak162.exe/file07  Infected: Trojan-Dropper.Win32.VB.nn  skipped  
 
F:\Desktop Latest\Software\Folder Locking SW\ABC Lock\ak162.exe/file08  Infected: Trojan-Downloader.Win32.Agent.bls  skipped  
 
F:\Desktop Latest\Software\Folder Locking SW\ABC Lock\ak162.exe  Inno: infected - 4  skipped  
 
F:\Desktop Latest\Software\Folder Locking SW\Duplicate file deleter\dfk185.exe/file06  Infected: Trojan-Downloader.Win32.IstBar.gen  skipped  
 
F:\Desktop Latest\Software\Folder Locking SW\Duplicate file deleter\dfk185.exe/file07/data0006  Infected: Trojan-Dropper.Win32.VB.nn  skipped  
 
F:\Desktop Latest\Software\Folder Locking SW\Duplicate file deleter\dfk185.exe/file07  Infected: Trojan-Dropper.Win32.VB.nn  skipped  
 
F:\Desktop Latest\Software\Folder Locking SW\Duplicate file deleter\dfk185.exe/file08  Infected: Trojan-Downloader.Win32.Agent.bls  skipped  
 
F:\Desktop Latest\Software\Folder Locking SW\Duplicate file deleter\dfk185.exe  Inno: infected - 4  skipped  
 
F:\Desktop Latest\Software\Folder Locking SW\Secrecy File and Folder Hider\secret_hider_free.exe/file4  Infected: not-a-virus:AdWare.Win32.NewDotNet  skipped  
 
F:\Desktop Latest\Software\Folder Locking SW\Secrecy File and Folder Hider\secret_hider_free.exe  Inno: infected - 1  skipped  
 
F:\Desktop Latest\Software\Folder Locking SW\secret_hider_free.exe/file4  Infected: not-a-virus:AdWare.Win32.NewDotNet  skipped  
 
F:\Desktop Latest\Software\Folder Locking SW\secret_hider_free.exe  Inno: infected - 1  skipped  
 
J:\capturin images sw\Download_capture.exe  Infected: not-a-virus:Downloader.Win32.WinFixer.fs  skipped  
 
J:\QSathiUma Desktop\Misc\word sw\source codeabiword-2.4.5.tar.gz/abiword-2.4.5.tar/abiword-2.4.5/wv/examples/this-file-crashes-msword.doc/1Table  Infected: Trojan-Dropper.MSWord.1Table.es  skipped  

J:\QSathiUma Desktop\Misc\word sw\source codeabiword-2.4.5.tar.gz/abiword-2.4.5.tar/abiword-2.4.5/wv/examples/this-file-crashes-msword.doc/1Table  Infected: Trojan-Dropper.MSWord.1Table.eq  skipped  

J:\QSathiUma Desktop\Misc\word sw\source codeabiword-2.4.5.tar.gz/abiword-2.4.5.tar/abiword-2.4.5/wv/examples/this-file-crashes-msword.doc  Infected: Trojan-Dropper.MSWord.1Table.eq  skipped  
 
J:\QSathiUma Desktop\Misc\word sw\source codeabiword-2.4.5.tar.gz/abiword-2.4.5.tar  Infected: Trojan-Dropper.MSWord.1Table.eq  skipped  
 
J:\QSathiUma Desktop\Misc\word sw\source codeabiword-2.4.5.tar.gz  GZIP: infected - 4  skipped  
 
J:\QSathiUma Desktop\New Soft\lemonwire_52l\lemonwire_52l.exe/file34  Infected: not-a-virus:AdTool.Win32.WhenU.a  skipped  
 
J:\QSathiUma Desktop\New Soft\lemonwire_52l\lemonwire_52l.exe  Inno: infected - 1  skipped  
 
J:\QSathiUma Desktop\New Soft\mechanic-2[1].8\mechanic-2[1].8.exe/stream/data0005  Infected: not-a-virus:AdWare.Win32.VB.y  skipped  
 
J:\QSathiUma Desktop\New Soft\mechanic-2[1].8\mechanic-2[1].8.exe/stream/data0006  Infected: not-a-virus:AdWare.Win32.BHO.ba  skipped  
 
J:\QSathiUma Desktop\New Soft\mechanic-2[1].8\mechanic-2[1].8.exe/stream  Infected: not-a-virus:AdWare.Win32.BHO.ba  skipped  
 
J:\QSathiUma Desktop\New Soft\mechanic-2[1].8\mechanic-2[1].8.exe  NSIS: infected - 3  skipped  
 
J:\QSathiUma Desktop\New Soft\superfast\superfast.zip/setup.exe/data0002  Infected: not-a-virus:RiskTool.Win32.Shutdown.c  skipped  
 
J:\QSathiUma Desktop\New Soft\superfast\superfast.zip/setup.exe  Infected: not-a-virus:RiskTool.Win32.Shutdown.c  skipped  
 
J:\QSathiUma Desktop\New Soft\superfast\superfast.zip  ZIP: infected - 2  skipped  
 
J:\QSathiUma Desktop\New Soft2\Startup Mechanic\mechanic-2.8.exe/stream/data0005  Infected: not-a-virus:AdWare.Win32.VB.y  skipped  
 
J:\QSathiUma Desktop\New Soft2\Startup Mechanic\mechanic-2.8.exe/stream/data0006  Infected: not-a-virus:AdWare.Win32.BHO.ba  skipped  
 
J:\QSathiUma Desktop\New Soft2\Startup Mechanic\mechanic-2.8.exe/stream  Infected: not-a-virus:AdWare.Win32.BHO.ba  skipped  
 
J:\QSathiUma Desktop\New Soft2\Startup Mechanic\mechanic-2.8.exe  NSIS: infected - 3  skipped  
 
 
Scan process completed.  
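Every line in that report ends in "skipped": the Kaspersky online scanner only reports, so each of those files is still sitting on the F: and J: drives until someone deletes it. What follows is an added example, my own code rather than anything from this thread or from Kaspersky, of a small parser for this report format that pulls out what a practitioner actually needs: which on-disk file each nested detection belongs to (the part of the object name before the first "/"), which of those files carry real trojan verdicts as opposed to not-a-virus adware/riskware, and whether the per-container "infected - n" counts and the Scan Statistics totals agree with the listed lines. The sample input is a subset of lines copied from the report; the severity split on the "not-a-virus:" prefix is my simplification.

```python
"""Triage a Kaspersky Online Scanner 5.x report like the one above.

Detection lines look like
    <object>  Infected: <verdict>  <action>
and every archive or installer that held detections also gets a summary line
    <file>  <Container>: infected - <n>  <action>
Objects inside an archive are written <file>/<member>/...; only the part
before the first '/' exists on disk, so that is the thing to delete.
Every action here is 'skipped': the online scanner reports, it does not clean.
"""
import re
from collections import defaultdict

# Sample input: a subset of lines copied from the report in this thread.
SAMPLE_REPORT = r"""
F:\Desktop Latest\Software\Folder Locking SW\ABC Lock\ak162.exe/file06  Infected: Trojan-Downloader.Win32.IstBar.gen  skipped
F:\Desktop Latest\Software\Folder Locking SW\ABC Lock\ak162.exe/file07/data0006  Infected: Trojan-Dropper.Win32.VB.nn  skipped
F:\Desktop Latest\Software\Folder Locking SW\ABC Lock\ak162.exe/file07  Infected: Trojan-Dropper.Win32.VB.nn  skipped
F:\Desktop Latest\Software\Folder Locking SW\ABC Lock\ak162.exe/file08  Infected: Trojan-Downloader.Win32.Agent.bls  skipped
F:\Desktop Latest\Software\Folder Locking SW\ABC Lock\ak162.exe  Inno: infected - 4  skipped
J:\capturin images sw\Download_capture.exe  Infected: not-a-virus:Downloader.Win32.WinFixer.fs  skipped
J:\QSathiUma Desktop\New Soft\superfast\superfast.zip/setup.exe/data0002  Infected: not-a-virus:RiskTool.Win32.Shutdown.c  skipped
J:\QSathiUma Desktop\New Soft\superfast\superfast.zip/setup.exe  Infected: not-a-virus:RiskTool.Win32.Shutdown.c  skipped
J:\QSathiUma Desktop\New Soft\superfast\superfast.zip  ZIP: infected - 2  skipped
"""

# Columns are separated by two or more spaces; paths themselves contain single spaces.
DETECTION = re.compile(r"^(?P<obj>.+?)\s{2,}Infected:\s+(?P<verdict>\S+)\s+(?P<action>\S+)$")
CONTAINER = re.compile(r"^(?P<obj>.+?)\s{2,}(?P<kind>\w+): infected - (?P<n>\d+)\s+(?P<action>\S+)$")


def host_file(obj):
    """The on-disk file: strip the archive-member suffix after the first '/'."""
    return obj.split("/", 1)[0]


def severity(verdict):
    """Kaspersky prefixes adware/riskware with 'not-a-virus:'; treat the rest as malware (my simplification)."""
    return "pua" if verdict.startswith("not-a-virus:") else "malware"


def parse_report(text):
    """Return (detections, containers); headers and statistics lines are ignored."""
    detections, containers = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DETECTION.match(line)
        if m:
            detections.append({"object": m["obj"], "verdict": m["verdict"], "action": m["action"]})
            continue
        m = CONTAINER.match(line)
        if m:
            containers.append({"object": m["obj"], "kind": m["kind"], "count": int(m["n"]), "action": m["action"]})
    return detections, containers


def check_container_counts(text):
    """A container's 'infected - n' should equal the detections listed inside it; return the mismatches."""
    detections, containers = parse_report(text)
    inside = defaultdict(int)
    for d in detections:
        if "/" in d["object"]:
            inside[host_file(d["object"])] += 1
    return [c["object"] for c in containers if inside[c["object"]] != c["count"]]


def summarize(text):
    detections, containers = parse_report(text)
    by_host = defaultdict(set)
    for d in detections:
        by_host[host_file(d["object"])].add(d["verdict"])
    hosts = {h: {"verdicts": sorted(v),
                 "severity": "malware" if any(severity(x) == "malware" for x in v) else "pua"}
             for h, v in by_host.items()}
    return {
        # The scanner's 'Number of infected objects' counts the container summary lines too.
        "infected_objects": len(detections) + len(containers),
        # 'Number of viruses found' is the number of distinct verdict names.
        "viruses_found": len({d["verdict"] for d in detections}),
        "not_cleaned": sum(1 for d in detections if d["action"] == "skipped"),
        "hosts": hosts,
        "delete_candidates": sorted(h for h, info in hosts.items() if info["severity"] == "malware"),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_REPORT)
    print(f"{report['infected_objects']} infected objects, {report['viruses_found']} distinct verdicts")
    for h, info in report["hosts"].items():
        print(f"[{info['severity']}] {h}: {', '.join(info['verdicts'])}")
```

Fed the whole report above, it returns 33 infected objects and 11 distinct verdicts, the same numbers as the Scan Statistics block, and produces three delete candidates: ak162.exe and dfk185.exe (Inno installers bundling Trojan-Downloader and Trojan-Dropper components) and the abiword-2.4.5.tar.gz tarball, whose only hits are 1Table detections on a wv/examples document literally named this-file-crashes-msword.doc. The verdict name alone cannot tell you whether that last one is a dropped trojan or a parser test fixture, so look at what a file is for before deleting source archives. Everything else in the report is not-a-virus adware or riskware bundled into installers: unwanted, but not the Vundo infection itself.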
 
siliconman01 (Global Moderator)
Re: my system was infected with Vundo!
« Reply #10 on: Apr 4th, 2008, 11:01am »

I am glad to hear that your C drive scanned clean.
 
The Kaspersky scan results on your F and J drives are most concerning. Do you actually have this software installed on your system, or is it just stuff that you downloaded from a website and never installed?
 
The reason I'm asking is that it looks like you may be downloading from a website (or websites) that is feeding you infected software.

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!

seenujanu (Newbie)
Re: my system was infected with Vundo!
« Reply #11 on: Apr 7th, 2008, 4:55am »

Hi siliconman,
 
I just downloaded that software. I installed it on my PC and then uninstalled it again; it is of no use now. I have now deleted those programs.
 
Now everything is fine... but the problem is that, when my system was infected with the virus, I downloaded lots of anti-virus software to my PC. While the scanning was going on, one of my colleagues was on leave, so I used his system and through it accessed some files on my system... so his system is also infected with the virus and some popups are coming, but with the name
 
Generic.Vundo.b
 
Shall I do the process which you told me?
 
Thanks

siliconman01 (Global Moderator)
Re: my system was infected with Vundo!
« Reply #12 on: Apr 7th, 2008, 5:04am »

Welcome back.
 
Yes, please start with the procedure as per my first post in this thread.
 
Please post the Combofix log and the Hijackthis log from your friend's computer back here once you have run Combofix on his/her system.  
 
______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
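The moderator asks for a ComboFix log, and the one posted in the next reply contains two things worth pulling out mechanically rather than by eye: 24 At*.job scheduled tasks, one for each hour of the day, all launching C:\WINNT\system32\3muv3g1p.exe, and four Security Center override values set to 1. What follows is an added example, my code and not ComboFix's or anything from this thread, that runs those two checks over a constructed excerpt modeled on that log. The three-job threshold, the system32-only rule and the list of tamper values are my choices, not ComboFix's.

```python
r"""Two triage checks over a ComboFix log of the kind the moderator asks for.

1. Scheduled tasks. ComboFix prints each job as a quoted '<timestamp> <path>.job'
   line followed by '- <command>'. Jobs named At<N>.job are created with at.exe;
   a run of them an hour apart that all launch the same oddly named executable
   in system32 is malware re-launching itself, not something a user scheduled.
2. Security Center. The *Override and *DisableNotify values under
   HKLM\software\microsoft\security center silence the 'no antivirus / no
   firewall' warnings. Some legitimate AV suites set a subset of them, so a hit
   is a lead to confirm against the installed AV, not proof by itself.
"""
import re
from collections import defaultdict

# Constructed sample modeled on the log in this thread (the real log lists
# 24 At*.job entries; three are enough to trigger the check).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

Contents of the 'Scheduled Tasks' folder
"2008-04-01 18:30:02 C:\WINNT\Tasks\At1.job"
- C:\WINNT\system32\3muv3g1p.exe
"2008-04-01 19:30:01 C:\WINNT\Tasks\At2.job"
- C:\WINNT\system32\3muv3g1p.exe
"2008-04-01 20:30:01 C:\WINNT\Tasks\At3.job"
- C:\WINNT\system32\3muv3g1p.exe
"2008-04-01 12:00:02 C:\WINNT\Tasks\Time Tracker again.job"
- C:\Documents and Settings\uma\Desktop\Time Tracker.bat
.
"""

TASK_LINE = re.compile(r'^"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<job>.+\.job)"$')
CMD_LINE = re.compile(r"^- (?P<cmd>.+)$")
AT_JOB = re.compile(r"^At(?P<n>\d+)\.job$", re.IGNORECASE)
SYSTEM32_EXE = re.compile(r"^[A-Za-z]:\\WIN(?:NT|DOWS)\\system32\\[^\\]+\.exe$", re.IGNORECASE)
REG_KEY = re.compile(r"^\[(?P<key>.+)\]$")
REG_DWORD = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<val>[0-9a-fA-F]{8})$')

SECURITY_CENTER_KEY = r"hkey_local_machine\software\microsoft\security center"
# Values that suppress Security Center warnings (my list; FirewallDisableNotify is not in the thread's log).
TAMPER_VALUES = {"AntiVirusOverride", "FirewallOverride", "AntiVirusDisableNotify",
                 "FirewallDisableNotify", "UpdatesDisableNotify"}


def parse_tasks(text):
    """Pair each quoted job line with the '- <command>' line that follows it."""
    lines = [l.strip() for l in text.splitlines()]
    tasks = []
    for i in range(len(lines) - 1):
        m = TASK_LINE.match(lines[i])
        c = CMD_LINE.match(lines[i + 1])
        if m and c:
            tasks.append({"time": m["ts"], "job": m["job"].rsplit("\\", 1)[-1], "cmd": c["cmd"]})
    return tasks


def suspicious_at_jobs(tasks, min_jobs=3):
    """Group at.exe jobs by command; flag commands shared by >= min_jobs jobs
    that run an executable straight out of system32 (where a random-looking
    8-character name like 3muv3g1p.exe does not belong)."""
    by_cmd = defaultdict(list)
    for t in tasks:
        if AT_JOB.match(t["job"]):
            by_cmd[t["cmd"]].append(t["job"])
    return [{"command": cmd, "count": len(jobs),
             "jobs": sorted(jobs, key=lambda j: int(AT_JOB.match(j)["n"]))}
            for cmd, jobs in by_cmd.items()
            if len(jobs) >= min_jobs and SYSTEM32_EXE.match(cmd)]


def security_center_overrides(text):
    """Non-zero tamper values under the Security Center key, as {name: value}."""
    found, in_block = {}, False
    for line in text.splitlines():
        s = line.strip()
        k = REG_KEY.match(s)
        if k:
            in_block = k["key"].lower() == SECURITY_CENTER_KEY
            continue
        v = REG_DWORD.match(s) if in_block else None
        if v and v["name"] in TAMPER_VALUES and int(v["val"], 16) != 0:
            found[v["name"]] = int(v["val"], 16)
    return found


def triage(text):
    return {"at_jobs": suspicious_at_jobs(parse_tasks(text)),
            "security_center": security_center_overrides(text)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for f in result["at_jobs"]:
        print(f"{f['count']} at.exe jobs run {f['command']}: {', '.join(f['jobs'])}")
    for name, val in result["security_center"].items():
        print(f"Security Center {name} = {val}")
```

parse_tasks pairs lines by adjacency because ComboFix prints the command on the line after the job; anything not in that shape is ignored, so the user's own "Time Tracker" jobs are parsed but never flagged. The Security Center check is deliberately conservative: it returns only values that are present and non-zero, and leaves it to the analyst to decide whether the installed AV (McAfee Managed VirusScan, according to the same log) explains them.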

seenujanu (Newbie)
Re: my system was infected with Vundo!
« Reply #13 on: Apr 7th, 2008, 6:01am »

Hi siliconman,
 
Here are the log files from my friend's system.
 
From the ComboFix log:
 
Code:

 
ComboFix 08-03-30.5 - uma 04/07/2008 16:11:34.1 - NTFSx86
Microsoft Windows 2000 Professional  5.0.2195.4.1252.1.1033.18.240 [GMT 5.5:30]
Running from: C:\Documents and Settings\uma\Desktop\ComboFix.exe
 
WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
 
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
 
C:\WINNT\Web\default.htt
 
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
 
-------\Legacy_WINDOWS_LOGIN
-------\Service_windows login
 
 
(((((((((((((((((((((((((   Files Created from 2008-03-07 to 2008-04-07  )))))))))))))))))))))))))))))))
.
 
2008-03-27 16:02 . 07-12-01 11:32  33,832   --a------  C:\WINNT\system32\drivers\MfeRKDK.sys
2008-03-27 15:50 . 02-12-11 17:34  208,896  --a------  C:\WINNT\system32\wmpns.dll
 
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-01 10:45  ---------  d--h--w  C:\Documents and Settings\uma\Application Data\yahoo!
2008-04-01 09:38  ---------  d-----w  C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-04-01 09:31  ---------  d-----w  C:\Program Files\Yahoo!
2008-04-01 06:44  ---------  d-----w  C:\Program Files\LogMeIn
2008-03-27 10:32  ---------  d-----w  C:\Program Files\Java
2006-07-14 21:29  271        ---h--w  C:\Program Files\desktop.ini
2006-07-14 21:29  21,952     ---h--w  C:\Program Files\folder.htt
2006-08-25 12:10  2          --shatr  C:\WINNT\winstart.bat
.
 
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown  
REGEDIT4
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IncrediMail"="C:\Program Files\IncrediMail\bin\IncMail.exe" [06-10-25 13:21  204843]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [07-08-30 17:43  4670704]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 12:05  111376 C:\WINNT\system32\mobsync.exe]
"MVS Splash"="C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe" [08-03-04 23:46  468288]
"McAfee Managed Services Tray"="C:\Program Files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe" [08-03-04 23:46  87360]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [07-01-02 02:52  3739648]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [07-08-14 09:35  180269]
 
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 12:05  186640]
 
C:\Documents and Settings\uma\Start Menu\Programs\Startup\
WordWeb.lnk - C:\Program Files\WordWeb\wweb32.exe [2007-03-09 12:45:04 19968]
 
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\4]
Source= C:\Documents and Settings\uma\Desktop\Krishna.jpg
FriendlyName=  
 
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{F552DDE6-2090-4bf4-B924-6141E87789A5}"= C:\Program Files\Greatis\RegRunSuite\RRShell.dll [04-11-02 10:15  368711]
 
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
 
R2 EngineServer;EngineServer;"C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe" [07-12-01 11:30 ]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [07-08-03 15:09 ]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINNT\system32\drivers\LMIRfsDriver.sys [07-08-03 15:09 ]
R2 OracleFormsServer-Forms60Server-OracleForms;Oracle Forms Server [Forms60Server-OracleForms];C:\OracleForms\bin\ifsrv60.exe [02-11-27 08:27 ]
R2 OracleReportServer-Rep60_UMA-OracleForms;Oracle Reports Server [Rep60_UMA-OracleForms];C:\OracleForms\bin\rwmts60.exe [02-11-27 08:18 ]
S3 OracleOracle92ClientCache;OracleOracle92ClientCache;C:\Oracle92\BIN\ONRSD.EXE [02-04-26 19:34 ]
S3 OracleOracleFormsClientCache80;OracleOracleFormsClientCache80;C:\OracleForms\BIN\ONRSD80.EXE [02-11-27 08:15 ]
S3 RegGuard;RegGuard;C:\WINNT\system32\Drivers\regguard.sys [06-08-25 17:34 ]
S4 myAgtSvc;McAfee Virus and Spyware Protection Service;"C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe" /ServiceStart []
 
*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS
.
Contents of the 'Scheduled Tasks' folder
"2008-04-01 18:30:02 C:\WINNT\Tasks\At1.job"
- C:\WINNT\system32\3muv3g1p.exe
"2008-04-02 03:30:01 C:\WINNT\Tasks\At10.job"
- C:\WINNT\system32\3muv3g1p.exe
"2008-04-02 04:30:01 C:\WINNT\Tasks\At11.job"
- C:\WINNT\system32\3muv3g1p.exe
"2008-04-02 05:30:02 C:\WINNT\Tasks\At12.job"
- C:\WINNT\system32\3muv3g1p.exe
"2008-04-02 06:30:01 C:\WINNT\Tasks\At13.job"
- C:\WINNT\system32\3muv3g1p.exe
 
"2008-04-02 07:30:02 C:\WINNT\Tasks\At14.job"
- C:\WINNT\system32\3muv3g1p.exe
"2008-04-03 08:30:02 C:\WINNT\Tasks\At15.job"
- C:\WINNT\system32\3muv3g1p.exe
"2008-04-03 09:30:01 C:\WINNT\Tasks\At16.job"
- C:\WINNT\system32\3muv3g1p.exe
"2008-04-07 10:30:01 C:\WINNT\Tasks\At17.job"
- C:\WINNT\system32\3muv3g1p.exe
"2008-04-01 11:30:01 C:\WINNT\Tasks\At18.job"
- C:\WINNT\system32\3muv3g1p.exe
"2008-04-01 12:30:02 C:\WINNT\Tasks\At19.job"
- C:\WINNT\system32\3muv3g1p.exe
"2008-04-01 19:30:01 C:\WINNT\Tasks\At2.job"
- C:\WINNT\system32\3muv3g1p.exe
"2008-04-01 13:30:03 C:\WINNT\Tasks\At20.job"
- C:\WINNT\system32\3muv3g1p.exe
"2008-04-01 14:30:20 C:\WINNT\Tasks\At21.job"
- C:\WINNT\system32\3muv3g1p.exe
"2008-04-01 15:30:03 C:\WINNT\Tasks\At22.job"
- C:\WINNT\system32\3muv3g1p.exe
"2008-04-01 16:30:03 C:\WINNT\Tasks\At23.job"
- C:\WINNT\system32\3muv3g1p.exe
"2008-04-01 17:30:03 C:\WINNT\Tasks\At24.job"
- C:\WINNT\system32\3muv3g1p.exe
"2008-04-01 20:30:01 C:\WINNT\Tasks\At3.job"
- C:\WINNT\system32\3muv3g1p.exe
"2008-04-01 21:30:01 C:\WINNT\Tasks\At4.job"
- C:\WINNT\system32\3muv3g1p.exe
"2008-04-01 22:30:01 C:\WINNT\Tasks\At5.job"
- C:\WINNT\system32\3muv3g1p.exe
"2008-04-01 23:30:01 C:\WINNT\Tasks\At6.job"
- C:\WINNT\system32\3muv3g1p.exe
"2008-04-02 00:30:01 C:\WINNT\Tasks\At7.job"
- C:\WINNT\system32\3muv3g1p.exe
"2008-04-02 01:30:01 C:\WINNT\Tasks\At8.job"
- C:\WINNT\system32\3muv3g1p.exe
"2008-04-02 02:30:01 C:\WINNT\Tasks\At9.job"
- C:\WINNT\system32\3muv3g1p.exe
"2008-04-01 12:00:02 C:\WINNT\Tasks\Time Tracker again.job"
- C:\Documents and Settings\uma\Desktop\Time Tracker.bat
"2008-04-03 10:00:02 C:\WINNT\Tasks\Time Tracker.job"
- C:\Documents and Settings\uma\Desktop\Time Tracker.bat
.
**************************************************************************
 
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-07 16:17:17
Windows 5.0.2195 Service Pack 4 NTFS
 
scanning hidden processes ...  
 
scanning hidden autostart entries ...
 
scanning hidden files ...  
 
scan completed successfully  
hidden files: 0  
 
******************