Cryp_Vundo-15


Post by CandK on Sun May 24, 2009 7:17 pm

I have a Dell laptop computer that is basically shutting down without warning. I ran Trend Micro and got the name of a virus as Cryp_Vundo-15. My removal tool would not remove the problem. Can someone please help? I have Malwarebytes, but I cannot get it to run (I am wondering if the virus has caused this). Please help!


Re: Cryp_Vundo-15

Post by Origin on Sun May 24, 2009 7:18 pm

Please download the current version of HijackThis from [You must be registered and logged in to see this link.]

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]


Re: Cryp_Vundo-15

Post by CandK on Sun May 24, 2009 7:26 pm

Here is what came up in the Notepad file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:24:10 PM, on 5/24/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\ehome\McrdSvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\AIM6\aim6.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\msiexec.exe
c:\program files\aim toolbar\aimtbServer.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O1 - Hosts: ::1 localhost
O1 - Hosts: 94.232.248.66 browser-security.microsoft.com
O1 - Hosts: 94.232.248.66 antivirprotection.com
O1 - Hosts: 94.232.248.66 [You must be registered and logged in to see this link.]
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Suggest - {5A263CF7-56A6-4D68-A8CF-345BE45BC911} - C:\Program Files\Yahoo!\Search\YSearchSuggest.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll
O2 - BHO: BHO - {BBD4551A-9B23-41cd-9BCD-818AA2DA7B63} - C:\WINDOWS\system32\iehelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Utopia Angel] "C:\Utopia\Angel\Angel.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US [You must be registered and logged in to see this link.]
O4 - HKCU\..\Run: [system tool] C:\WINDOWS\sysguard.exe
O4 - HKUS\S-1-5-19\..\Run: [neyutupeki] Rundll32.exe "C:\WINDOWS\system32\zesanido.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [neyutupeki] Rundll32.exe "C:\WINDOWS\system32\zesanido.dll",s (User 'NETWORK SERVICE')
O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: &Yahoo! Search - [You must be registered and logged in to see this link.] Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: Yahoo! &Dictionary - [You must be registered and logged in to see this link.] Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - [You must be registered and logged in to see this link.] Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - [You must be registered and logged in to see this link.] Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O20 - AppInit_DLLs: yypkgu.dll bfsrtr.dll
O23 - Service: DvpApi (dvpapi) - Unknown owner - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 10333 bytes


Re: Cryp_Vundo-15

Post by Origin on Sun May 24, 2009 8:44 pm

I see you have Viewpoint software installed.

Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". Read this article: [You must be registered and logged in to see this link.] and [You must be registered and logged in to see this link.]

I suggest you remove the program now.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.

  • Viewpoint Manager (remove only)
  • Viewpoint Media Player
  • Viewpoint Toolbar
Next, please download ViewpointKiller by Prm753 from [You must be registered and logged in to see this link.].
Save it to a permanent folder (such as C:\ViewpointKiller) and unzip it there.
Open ViewpointKiller, and press the Start button.
A log will be produced in the same folder where you unzipped it to. Please post the contents of that log in your reply.




  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
    O1 - Hosts: ::1 localhost
    O1 - Hosts: 94.232.248.66 browser-security.microsoft.com
    O1 - Hosts: 94.232.248.66 antivirprotection.com
    O1 - Hosts: 94.232.248.66 [You must be registered and logged in to see this link.]
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: Yahoo! IE Suggest - {5A263CF7-56A6-4D68-A8CF-345BE45BC911} - C:\Program Files\Yahoo!\Search\YSearchSuggest.dll (file missing)
    O4 - HKUS\S-1-5-19\..\Run: [neyutupeki] Rundll32.exe "C:\WINDOWS\system32\zesanido.dll",s (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [neyutupeki] Rundll32.exe "C:\WINDOWS\system32\zesanido.dll",s (User 'NETWORK SERVICE')
    O20 - AppInit_DLLs: yypkgu.dll bfsrtr.dll
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe




  • Press "Fix Checked"
  • Close Hijack This.




1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

Note: This tool was posted specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Leave the script box empty.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
3. Please copy/paste the content of c:\avenger.txt into your reply.


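A defender-side check for the kinds of HijackThis entries ticked in the post above, written as an added example for this thread (not the helper's or HijackThis's own code). It takes a log excerpt constructed from the lines quoted earlier and applies the triage rules as I read them: UserInit with executables beyond userinit.exe, hosts entries pointing security-vendor names at a non-loopback address, Run entries under service-account hives or invoking rundll32 on a DLL, a non-empty AppInit_DLLs, and an autostart .exe sitting directly in the Windows folder; the severity labels and the service-account SID list are my assumptions.

```python
"""Triage rules for HijackThis log lines (added example, not from the thread)."""
import ipaddress
import re

# Constructed sample: a subset of the log lines quoted earlier in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O1 - Hosts: ::1 localhost
O1 - Hosts: 94.232.248.66 browser-security.microsoft.com
O1 - Hosts: 94.232.248.66 antivirprotection.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKCU\..\Run: [system tool] C:\WINDOWS\sysguard.exe
O4 - HKUS\S-1-5-19\..\Run: [neyutupeki] Rundll32.exe "C:\WINDOWS\system32\zesanido.dll",s (User 'LOCAL SERVICE')
O20 - AppInit_DLLs: yypkgu.dll bfsrtr.dll
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
"""

# Well-known SIDs of the built-in service accounts (assumed list for this example).
SERVICE_ACCOUNT_SIDS = ("S-1-5-18", "S-1-5-19", "S-1-5-20")
HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)', re.IGNORECASE)
WINDIR_EXE_RE = re.compile(r'^"?[a-z]:\\windows\\[^\\]+\.exe', re.IGNORECASE)


def check_line(line):
    """Return a list of (severity, reason) findings for one HijackThis line."""
    findings = []

    if line.startswith("F2 - REG:system.ini: UserInit="):
        # Winlogon launches every comma-separated entry; only userinit.exe belongs here.
        value = line.partition("UserInit=")[2]
        extras = [p.strip() for p in value.split(",")
                  if p.strip() and not p.strip().lower().endswith("\\userinit.exe")]
        if extras:
            findings.append(("high", "extra UserInit executable(s): " + ", ".join(extras)))

    m = HOSTS_RE.match(line)
    if m:
        addr, name = m.groups()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            ip = None
        # A hosts entry that sends a vendor/security name to a real IP hijacks that site.
        if ip is not None and not ip.is_loopback:
            findings.append(("high", f"hosts file maps {name} to {addr}"))

    if line.startswith("O4 - "):
        hive_part = line[5:].split(":", 1)[0]          # e.g. HKUS\S-1-5-19\..\Run
        if any(sid in hive_part for sid in SERVICE_ACCOUNT_SIDS):
            findings.append(("high", "Run entry under a service-account hive"))
        rm = RUNDLL_RE.search(line)
        if rm:
            findings.append(("medium", "rundll32 autostart loading " + rm.group(1)))
        target = line.split("] ", 1)[1] if "] " in line else ""
        if WINDIR_EXE_RE.match(target):
            findings.append(("medium", "autostart runs an .exe directly in the Windows folder"))

    if line.startswith("O20 - AppInit_DLLs:"):
        dlls = line.split(":", 1)[1].split()
        if dlls:
            # Every DLL listed here is injected into each process that loads user32.dll.
            findings.append(("high", "AppInit_DLLs set: " + ", ".join(dlls)))

    return findings


def triage(log_text):
    """Return {line: [(severity, reason), ...]} for every suspicious line."""
    report = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        hits = check_line(line)
        if hits:
            report[line] = hits
    return report


def lines_to_fix(log_text):
    """Lines a helper would tick under 'Fix checked': the high-severity ones."""
    return [ln for ln, hits in triage(log_text).items()
            if any(sev == "high" for sev, _ in hits)]


if __name__ == "__main__":
    for ln, hits in triage(SAMPLE_LOG).items():
        print(ln)
        for sev, why in hits:
            print(f"    [{sev}] {why}")
```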


Re: Cryp_Vundo-15

Post by CandK on Mon May 25, 2009 2:09 am

I have followed the steps you suggested above and I cannot get the ViewpointKiller and The Avenger programs to work. I downloaded them to the desktop, but when I click on them the icon highlights, but does not open. I have right clicked and tried it that way as well. All this happens between the times that my computer locks up and I have to do a hard shutdown and then restart. I tried going back to the links in your post and just running the program there, but the computer will still lock up. Help!! What can I do next?


Re: Cryp_Vundo-15

Post by Origin on Mon May 25, 2009 6:02 pm

1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to Combo-Fix as follows:

3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. We need to disable your local AV (Anti-virus) before running Combofix.
See [You must be registered and logged in to see this link.] for how to disable your AV.

  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.



Re: Cryp_Vundo-15

Post by CandK on Sat May 30, 2009 8:49 pm

Here is what came up when I ran combo fix and the computer restarted. Please let me know what to do next.

ComboFix 09-05-30.03 - Kelly Forson 05/30/2009 16:14.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.618 [GMT -4:00]
Running from: c:\documents and settings\Kelly Forson\Desktop\Combo-Fix.exe
AV: Trend Micro PC-cillin Internet Security *On-access scanning enabled* (Outdated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro PC-cillin Internet Security (Firewall) *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\sysguard.exe
c:\windows\system32\drivers\TDSSmqlt.sys
c:\windows\system32\drivers\UACndchtpawuyvkrsk.sys
c:\windows\system32\huverego.dll
c:\windows\system32\iehelper.dll
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\sdra64.exe
c:\windows\system32\TDSSbrsr.dll
c:\windows\system32\TDSScfum.dll
c:\windows\system32\TDSSlxwp.dll
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSofxh.dll
c:\windows\system32\TDSSosvd.dat
c:\windows\system32\TDSSrhym.log
c:\windows\system32\TDSSriqp.dll
c:\windows\system32\TDSSsihc.dll
c:\windows\system32\TDSStkdv.log
c:\windows\system32\UACehxexqdktlsuvcb.dll
c:\windows\system32\UACfkhjbaljnvrgrta.dll
c:\windows\system32\UACfmfpavtuqdxkyut.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UAClysxvvsrvickwtl.dll
c:\windows\system32\UACmtajfjctuylkiij.dat
c:\windows\system32\UACnjwhllwgsxutdkf.log
c:\windows\system32\UACnryvcppdbjcchcr.dll
c:\windows\system32\UACpygsfjmoeygxoue.log
c:\windows\system32\UACyupmyhxpwrgnkqn.log
c:\windows\system32\wbem\proquota.exe

----- BITS: Possible infected sites -----

[You must be registered and logged in to see this link.]
c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS
-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-30 )))))))))))))))))))))))))))))))
.

2009-05-30 20:19 . 2008-04-14 00:12 50176 -c--a-w c:\windows\system32\dllcache\proquota.exe
2009-05-30 20:19 . 2008-04-14 00:12 50176 ----a-w c:\windows\system32\proquota.exe
2009-05-24 15:16 . 2009-05-24 15:16 -------- d-----w c:\documents and settings\All Users\Application Data\Playrix Entertainment
2009-05-24 14:14 . 2009-05-24 14:14 -------- d-----w c:\documents and settings\All Users\Application Data\Oberonv1005
2009-05-23 19:48 . 2009-05-23 19:48 4096 ----a-w c:\windows\d3dx.dat
2009-05-23 16:34 . 2009-05-23 16:34 -------- d-----w c:\documents and settings\Kelly Forson\Application Data\Oberonv1002
2009-05-17 04:14 . 2009-05-17 04:14 -------- d-----w c:\documents and settings\Kelly Forson\Application Data\Anabel
2009-05-17 01:23 . 2009-05-23 18:20 -------- d-----w c:\documents and settings\Kelly Forson\Local Settings\Application Data\Oberon Games
2009-05-17 00:51 . 2009-05-17 00:51 -------- d-----w c:\documents and settings\Kelly Forson\Saved Games

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-24 19:23 . 2006-04-27 04:40 -------- d-----w c:\program files\Trend Micro
2009-05-24 16:47 . 2007-03-08 22:53 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-05-17 03:37 . 2006-10-24 16:24 -------- d-----w c:\program files\Oberon Media
2009-04-29 01:56 . 2006-05-18 14:55 6688 -c--a-w c:\documents and settings\Kelly Forson\Application Data\wklnhst.dat
2009-04-21 21:49 . 2009-03-27 05:55 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-04-02 03:17 . 2007-01-15 23:49 -------- d-----w c:\program files\LimeWire
2009-04-02 02:35 . 2009-04-02 02:35 -------- d-----w c:\program files\New Folder
2009-03-30 12:17 . 2006-05-30 23:18 93024 -c--a-w c:\documents and settings\Kelly Forson\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-03 15:44 . 2005-08-16 09:41 88859 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-03-03 14:19 . 2005-08-16 09:38 37684 -c--a-w c:\windows\system32\emptyregdb.dat
2007-01-11 04:29 . 2009-02-27 14:31 376901 ----a-w c:\program files\Uninstall My Web Search.dll
2009-02-27 19:42 . 2009-02-27 19:41 88 --sha-r c:\windows\system32\1C595AF264.sys
2007-06-23 07:39 . 2006-10-03 23:34 56 -csha-r c:\windows\system32\48FF3A3C5A.sys
2007-05-13 15:17 . 2006-06-15 18:07 88 -csha-r c:\windows\system32\5A3C3AFF48.sys
2009-02-27 19:42 . 2006-06-15 18:07 6580 -csha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="c:\program files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2006-04-11 176201]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Utopia Angel"="c:\utopia\Angel\Angel.exe" [2009-05-18 3594240]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-06-11 4670968]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-21 50472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 761947]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-30 823362]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-19 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-19 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-19 118784]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-11-17 397312]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Extender Resource Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Extender Resource Monitor.lnk
backup=c:\windows\pss\Extender Resource Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Kelly Forson^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Kelly Forson\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RPSUpdaterR"=3 (0x3)
"PDEngine"=3 (0x3)
"PDAgent"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"ITMRTSVC"=2 (0x2)
"AOL ACS"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Common Files\\AOL\\1169790403\\ee\\aolsoftware.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience

R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [4/14/2006 11:07 AM 28933976]
R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [8/30/2005 5:47 PM 205328]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [8/30/2005 5:47 PM 290889]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [8/30/2005 5:47 PM 585792]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [8/30/2005 5:47 PM 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [8/30/2005 5:47 PM 262215]
R3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\drivers\gan_adapter.sys [10/19/2006 11:11 AM 10664]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]
S3 Radialpoint Security Services;Verizon Internet Security Suite;c:\windows\system32\dllhost.exe [8/10/2004 8:00 AM 5120]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE
.
Contents of the 'Scheduled Tasks' folder

2009-01-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 22:13]

2009-05-13 c:\windows\Tasks\WebReg Officejet 5600 series.job
- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2005-05-12 04:21]
.
- - - - ORPHANS REMOVED - - - -

BHO-{BBD4551A-9B23-41cd-9BCD-818AA2DA7B63} - c:\windows\system32\iehelper.dll
SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: &Search
IE: &Yahoo! Search - [You must be registered and logged in to see this link.] files\Yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - [You must be registered and logged in to see this link.] files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - [You must be registered and logged in to see this link.] files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - [You must be registered and logged in to see this link.] files\Yahoo!\Common/ycsms.htm
DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-05-30 16:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\* 6*]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\* 2*]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"
.
Completion time: 2009-05-30 16:25
ComboFix-quarantined-files.txt 2009-05-30 20:24

Pre-Run: 40,642,760,704 bytes free
Post-Run: 40,739,786,752 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
231 --- E O F --- 2009-03-08 05:04

CandK

Re: Cryp_Vundo-15

Post by Origin on Sat May 30, 2009 8:54 pm

Now open a new notepad file.
Input this into the notepad file:

File::
c:\windows\system32\1C595AF264.sys
c:\windows\system32\48FF3A3C5A.sys
c:\windows\system32\5A3C3AFF48.sys
c:\program files\Uninstall My Web Search.dll

Folder::
c:\program files\LimeWire

DirLook::
c:\program files\New Folder

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=-
"%windir%\\system32\\drivers\\svchost.exe"=-

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open ComboFix again, agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.



Origin
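As an added example (not ComboFix's, OTMoveIt's, or the helpers' own code), the Python script below automates the reasoning behind the Registry:: lines in the post above: it parses the firewall AuthorizedApplications list from a ComboFix log, flags a core Windows binary name living outside system32 and the peer-to-peer client, and renders the matching CFScript deletion stanza. The directory allow-list and the log excerpt it runs on are constructed from this thread's own log.

```python
"""Audit the firewall exception list in a ComboFix log (added example).

Not ComboFix's code: it reads the REGEDIT4-style 'Reg Loading Points'
section ComboFix prints and renders a CFScript 'Registry::' stanza, where
"value"=- means "delete this value", as in the helper's script above.
"""
import re

# Key spelled exactly as ComboFix abbreviates it in its log.
FIREWALL_LIST_KEY = (
    r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy"
    r"\standardprofile\AuthorizedApplications\List]"
)

# Constructed allow-list: these core Windows binaries only live in
# system32, so a firewall exception for one of these names anywhere
# else (e.g. under system32\drivers) is a name-squatting tell.
SYSTEM32 = {r"%windir%\system32", r"c:\windows\system32"}
CORE_BINARIES = {name: SYSTEM32 for name in
                 ("svchost.exe", "lsass.exe", "csrss.exe",
                  "winlogon.exe", "services.exe")}

# Programs the helpers in this thread asked to have removed entirely.
UNWANTED_PROGRAMS = {"limewire.exe"}

# Constructed excerpt of the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3776:UDP"= 3776:UDP:Media Center Extender Service
"""


def parse_authorized_apps(log_text):
    """Return the exception paths listed under AuthorizedApplications\\List."""
    apps = []
    in_section = False
    for line in log_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):            # a new registry key starts
            in_section = stripped.lower() == FIREWALL_LIST_KEY.lower()
            continue
        if in_section:
            match = re.match(r'^"(.+)"=', stripped)
            if match:                            # REGEDIT4 doubles backslashes
                apps.append(match.group(1).replace("\\\\", "\\"))
    return apps


def audit_authorized_apps(apps):
    """Return (path, reason) pairs for exceptions that deserve a second look."""
    findings = []
    for path in apps:
        directory, _, name = path.lower().rpartition("\\")
        if name in CORE_BINARIES and directory not in CORE_BINARIES[name]:
            findings.append((path, "core Windows binary name outside system32"))
        elif name in UNWANTED_PROGRAMS:
            findings.append((path, "peer-to-peer client exception"))
    return findings


def cfscript_registry_stanza(findings):
    """Render a CFScript 'Registry::' block deleting the flagged values."""
    lines = ["Registry::", FIREWALL_LIST_KEY]
    for path, _ in findings:
        lines.append('"%s"=-' % path.replace("\\", "\\\\"))
    return "\n".join(lines)
```

Running `cfscript_registry_stanza(audit_authorized_apps(parse_authorized_apps(SAMPLE_LOG)))` reproduces the two `=-` lines of the helper's Registry:: block.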

Re: Cryp_Vundo-15

Post by CandK on Sat May 30, 2009 10:55 pm

Here is the report after the second run of ComboFix. Please let me know what I should do next.

ComboFix 09-05-30.03 - Kelly Forson 05/30/2009 18:41.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.462 [GMT -4:00]
Running from: c:\documents and settings\Kelly Forson\Desktop\Combo-Fix.exe
AV: Trend Micro PC-cillin Internet Security *On-access scanning enabled* (Outdated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro PC-cillin Internet Security (Firewall) *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-30 )))))))))))))))))))))))))))))))
.

2009-05-30 20:19 . 2008-04-14 00:12 50176 -c--a-w c:\windows\system32\dllcache\proquota.exe
2009-05-30 20:19 . 2008-04-14 00:12 50176 ----a-w c:\windows\system32\proquota.exe
2009-05-24 15:16 . 2009-05-24 15:16 -------- d-----w c:\documents and settings\All Users\Application Data\Playrix Entertainment
2009-05-24 14:14 . 2009-05-24 14:14 -------- d-----w c:\documents and settings\All Users\Application Data\Oberonv1005
2009-05-23 16:34 . 2009-05-23 16:34 -------- d-----w c:\documents and settings\Kelly Forson\Application Data\Oberonv1002
2009-05-17 04:14 . 2009-05-17 04:14 -------- d-----w c:\documents and settings\Kelly Forson\Application Data\Anabel
2009-05-17 01:23 . 2009-05-23 18:20 -------- d-----w c:\documents and settings\Kelly Forson\Local Settings\Application Data\Oberon Games
2009-05-17 00:51 . 2009-05-17 00:51 -------- d-----w c:\documents and settings\Kelly Forson\Saved Games

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-24 19:23 . 2006-04-27 04:40 -------- d-----w c:\program files\Trend Micro
2009-05-24 16:47 . 2007-03-08 22:53 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-05-17 03:37 . 2006-10-24 16:24 -------- d-----w c:\program files\Oberon Media
2009-04-29 01:56 . 2006-05-18 14:55 6688 -c--a-w c:\documents and settings\Kelly Forson\Application Data\wklnhst.dat
2009-04-21 21:49 . 2009-03-27 05:55 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-04-02 03:17 . 2007-01-15 23:49 -------- d-----w c:\program files\LimeWire
2009-04-02 02:35 . 2009-04-02 02:35 -------- d-----w c:\program files\New Folder
2009-03-30 12:17 . 2006-05-30 23:18 93024 -c--a-w c:\documents and settings\Kelly Forson\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-03 15:44 . 2005-08-16 09:41 88859 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-03-03 14:19 . 2005-08-16 09:38 37684 -c--a-w c:\windows\system32\emptyregdb.dat
2007-01-11 04:29 . 2009-02-27 14:31 376901 ----a-w c:\program files\Uninstall My Web Search.dll
2009-02-27 19:42 . 2006-06-15 18:07 6580 -csha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-30 21:43 . 2009-05-30 21:43 16384 c:\windows\Temp\Perflib_Perfdata_3c0.dat
- 2004-08-10 12:00 . 2008-04-14 00:12 90112 c:\windows\system32\wshext.dll
+ 2004-08-10 12:00 . 2008-05-09 10:53 90112 c:\windows\system32\wshext.dll
- 2006-05-03 13:29 . 2007-11-30 11:18 17272 c:\windows\system32\spmsg.dll
+ 2006-05-03 13:29 . 2007-11-30 12:39 17272 c:\windows\system32\spmsg.dll
+ 2008-05-09 10:53 . 2008-05-09 10:53 90112 c:\windows\system32\dllcache\wshext.dll
+ 2006-05-01 19:57 . 2009-05-30 20:56 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-05-01 19:57 . 2009-05-30 19:29 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-05-01 19:57 . 2009-05-30 19:29 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2006-05-01 19:57 . 2009-05-30 20:56 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-05-30 20:45 . 2009-05-30 20:49 11282 c:\windows\SoftwareDistribution\EventCache\{E1D0CF0B-3369-4BFB-839E-F7ADAEE8CC43}.bin
+ 2004-08-10 12:00 . 2008-05-08 11:24 155648 c:\windows\system32\wscript.exe
- 2004-08-10 12:00 . 2008-04-14 00:12 155648 c:\windows\system32\wscript.exe
+ 2004-08-10 12:00 . 2008-05-09 10:53 430080 c:\windows\system32\vbscript.dll
+ 2004-08-10 12:00 . 2008-05-09 10:53 172032 c:\windows\system32\scrrun.dll
- 2004-08-10 12:00 . 2008-04-14 00:12 172032 c:\windows\system32\scrrun.dll
- 2004-08-10 12:00 . 2008-04-14 00:12 180224 c:\windows\system32\scrobj.dll
+ 2004-08-10 12:00 . 2008-05-09 10:53 180224 c:\windows\system32\scrobj.dll
- 2004-08-10 12:00 . 2008-04-14 00:11 512000 c:\windows\system32\jscript.dll
+ 2004-08-10 12:00 . 2008-05-09 10:53 512000 c:\windows\system32\jscript.dll
+ 2008-05-08 11:24 . 2008-05-08 11:24 155648 c:\windows\system32\dllcache\wscript.exe
+ 2008-05-09 10:53 . 2008-05-09 10:53 430080 c:\windows\system32\dllcache\vbscript.dll
+ 2008-05-09 10:53 . 2008-05-09 10:53 172032 c:\windows\system32\dllcache\scrrun.dll
+ 2008-05-09 10:53 . 2008-05-09 10:53 180224 c:\windows\system32\dllcache\scrobj.dll
+ 2008-05-09 10:53 . 2008-05-09 10:53 512000 c:\windows\system32\dllcache\jscript.dll
+ 2008-05-07 09:07 . 2008-05-07 09:07 135168 c:\windows\system32\dllcache\cscript.exe
+ 2004-08-10 12:00 . 2008-05-07 09:07 135168 c:\windows\system32\cscript.exe
+ 2008-12-27 20:23 . 2008-09-10 01:14 1307648 c:\windows\system32\msxml6.dll
+ 2009-03-03 15:18 . 2008-09-10 01:14 1307648 c:\windows\system32\dllcache\msxml6.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="c:\program files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2006-04-11 176201]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Utopia Angel"="c:\utopia\Angel\Angel.exe" [2009-05-18 3594240]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-06-11 4670968]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-21 50472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 761947]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-30 823362]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-19 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-19 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-19 118784]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-11-17 397312]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Extender Resource Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Extender Resource Monitor.lnk
backup=c:\windows\pss\Extender Resource Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Kelly Forson^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Kelly Forson\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RPSUpdaterR"=3 (0x3)
"PDEngine"=3 (0x3)
"PDAgent"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"ITMRTSVC"=2 (0x2)
"AOL ACS"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Common Files\\AOL\\1169790403\\ee\\aolsoftware.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience

R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [4/14/2006 11:07 AM 28933976]
R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [8/30/2005 5:47 PM 205328]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [8/30/2005 5:47 PM 290889]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [8/30/2005 5:47 PM 585792]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [8/30/2005 5:47 PM 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [8/30/2005 5:47 PM 262215]
R3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\drivers\gan_adapter.sys [10/19/2006 11:11 AM 10664]
S3 Radialpoint Security Services;Verizon Internet Security Suite;c:\windows\system32\dllhost.exe [8/10/2004 8:00 AM 5120]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE
.
Contents of the 'Scheduled Tasks' folder

2009-01-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 22:13]

2009-05-13 c:\windows\Tasks\WebReg Officejet 5600 series.job
- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2005-05-12 04:21]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: &Search
IE: &Yahoo! Search - [You must be registered and logged in to see this link.] files\Yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - [You must be registered and logged in to see this link.] files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - [You must be registered and logged in to see this link.] files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - [You must be registered and logged in to see this link.] files\Yahoo!\Common/ycsms.htm
DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-05-30 18:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\* 6*]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\* 2*]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1068)
c:\windows\system32\igfxdev.dll

- - - - - - - > 'explorer.exe'(672)
c:\windows\system32\hccutils.DLL
.
Completion time: 2009-05-30 18:50
ComboFix-quarantined-files.txt 2009-05-30 22:49
ComboFix2.txt 2009-05-30 21:56
ComboFix3.txt 2009-05-30 20:25

Pre-Run: 41,337,995,264 bytes free
Post-Run: 41,337,937,920 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
210 --- E O F --- 2009-05-30 20:46

CandK

Re: Cryp_Vundo-15

Post by Belahzur on Sat May 30, 2009 10:59 pm

Hello.
I have edited Origin's post to include a few more things, and you haven't run the ComboFix fix right anyhow.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.

  • Limewire
  • Viewpoint Manager (remove only)
  • Viewpoint Media Player
  • Viewpoint Toolbar

I have quoted my new script under Origin's post.

Origin wrote: Now open a new notepad file.
Input this into the notepad file:

File::
c:\windows\system32\1C595AF264.sys
c:\windows\system32\48FF3A3C5A.sys
c:\windows\system32\5A3C3AFF48.sys
c:\program files\Uninstall My Web Search.dll

Folder::
c:\program files\LimeWire

DirLook::
c:\program files\New Folder

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=-
"%windir%\\system32\\drivers\\svchost.exe"=-

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open ComboFix again, agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245059
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Cryp_Vundo-15

Post by CandK on Sun May 31, 2009 3:01 am

Hi there, nice to hear from you again. I have a question on what you have asked me to do. You said to go into Add/Remove Programs and then remove Limewire? That is a file sharing program that I have a lot of music on. What happens if I leave Limewire on? As for the Viewpoint items, I did remove them earlier, but I will make a second check to make sure.

CandK

Re: Cryp_Vundo-15

Post by Belahzur on Sun May 31, 2009 12:35 pm

Replied to your PM.
Make sure you run the custom made script I put up.




Belahzur

Re: Cryp_Vundo-15

Post by CandK on Sun May 31, 2009 3:50 pm

I ran the program again with the script that you posted, but I did not get anything to post back here from ComboFix. Where will I find a record of the log to post here?

CandK

Re: Cryp_Vundo-15

Post by Belahzur on Sun May 31, 2009 4:20 pm

Okay, we'll use something else.

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy).


    :files
    c:\windows\system32\1C595AF264.sys
    c:\windows\system32\48FF3A3C5A.sys
    c:\windows\system32\5A3C3AFF48.sys
    c:\program files\Uninstall My Web Search.dll
    c:\program files\LimeWire

    :reg
    [HKLM\SYSTEM\CurrentControlSet\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\LimeWire\\LimeWire.exe"=-
    "%windir%\\system32\\drivers\\svchost.exe"=-


  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.




Belahzur

Re: Cryp_Vundo-15

Post by CandK on Sun May 31, 2009 4:50 pm

Ok, here are the results from the MoveIt log:

========== FILES ==========
File/Folder c:\windows\system32\1C595AF264.sys not found.
File/Folder c:\windows\system32\48FF3A3C5A.sys not found.
File/Folder c:\windows\system32\5A3C3AFF48.sys not found.
File/Folder c:\program files\Uninstall My Web Search.dll not found.
File/Folder c:\program files\LimeWire not found.
========== REGISTRY ==========
Registry value HKLM\SYSTEM\CurrentControlSet\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List\\c:\Program Files\LimeWire\LimeWire.exe not found.
Registry value HKLM\SYSTEM\CurrentControlSet\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List\\%windir%\system32\drivers\svchost.exe not found.

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 05312009_124948

CandK

Re: Cryp_Vundo-15

Post by Belahzur on Sun May 31, 2009 5:16 pm

Looks like ComboFix still did its job as I wanted it to; OTMoveIt didn't find anything, unless you ran it twice.




Belahzur
