I posted an intro earlier today. The reason I am here is...
My laptop began running very slowly last Tuesday evening. I was using Firefox, but IE windows kept popping up and my Firefox windows would all mysteriously disappear; I also noticed that when I booted my computer, at various points while it was loading the Windows settings, these black “...\system32\command.com” boxes would flash on the screen and disappear (this is not normal for my computer when I boot up at home – it IS normal when I boot up while connected to the server at the university I work at, but then the boxes stay on the screen long enough for me to read the commands as they appear and are executed).
Various viruses have been identified by the different anti-virus program scans I’ve run over the past few days, but the one that keeps re-appearing (sometimes disappearing from a scan, only to re-appear on the next scan with the same program) is a Virtumonde (Vundo) variant of some sort. Other viruses/spyware have come up as well, but the anti-virus program “fixes” appear to have worked on those.
I left my laptop with my university's computer centre for all of Thursday afternoon, but as far as I could tell, all they did was run SUPERAntiSpyware - they told me it had picked up a few viruses, but they had given it a "deep clean" (haha!) and everything would now be okay. I took it home, ran SUPERAntiSpyware again and, as you might expect, Vundo was still there. I called the computer centre to tell them and they said I'd have to reformat my HD and re-install everything. I said that would be my very last resort, went searching for solutions, and ended up here!
I followed the instructions in the “Important, read this first” post and ran all the recommended antivirus/spyware programs as well as the specific software fixes for Vundo. The end result is that today, none of my scans are turning up any signs of infection. However, SpyBot TeaTimer (which I just installed a few days ago, after the virus problems started) keeps alerting me to some black-listed program trying to make changes to my registry settings, the black “command.com” screens continue to pop up and disappear immediately (~150 ms I would guess) during boot up when Windows is “loading your personal settings” (I think that's when it happens), and everything is still running more slowly than usual. I don’t think Vundo is gone – is it possible that it is hiding from the virus scanners somewhere?
Here are the log files for the various virus scans. I will put the combofix and HijackThis log files at the end (so you can find them easily if you'd like to see those first).
I ran Vundofix yesterday when I still had Vundo on my computer (according to at least one AV program), but it didn’t find any Vundo.
LOGS
Log of SpyBot Search & Destroy Scan (Fix log is below)
--- Report generated: 2008-02-14 22:57 ---
Virtumonde: [SBI $FDAA1FF2] Library (File, nothing done)
C:\WINDOWS\system32\ddcca.dll
Virtumonde: [SBI $42352499] User settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-82194667-1315141139-1877560073-1779\Software\Microsoft\rdfa
Virtumonde: [SBI $47E741CD] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws
Virtumonde: [SBI $7342F9D9] Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-82194667-1315141139-1877560073-1779\Software\Microsoft\aldd
Virtumonde: [SBI $E7C36CB1] Executable (File, nothing done)
C:\Documents and Settings\me\Local Settings\Temp\removalfile.bat
--- Spybot - Search & Destroy version: 1.5.2 (build: 20080128) ---
2008-01-28 blindman.exe (1.0.0.7)
2008-01-28 SDDelFile.exe (1.0.2.4)
2008-01-28 SDMain.exe (1.0.0.5)
2007-10-07 SDShred.exe (1.0.1.2)
2008-01-28 SDUpdate.exe (1.0.8.8)
2008-01-28 SDWinSec.exe (1.0.0.11)
2008-01-28 SpybotSD.exe (1.5.2.20)
2008-01-28 TeaTimer.exe (1.5.2.16)
2006-10-19 unins000.exe (51.41.0.0)
2008-02-14 unins001.exe (51.49.0.0)
2008-01-28 Update.exe (1.4.0.6)
2008-01-28 advcheck.dll (1.5.4.5)
2007-04-02 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2007-11-17 DelZip179.dll (1.79.7.4)
2008-01-28 SDFiles.dll (1.5.1.19)
2008-01-28 SDHelper.dll (1.5.0.11)
2008-01-28 Tools.dll (2.1.3.3)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2008-02-13 Includes\Cookies.sbi (*)
2007-12-26 Includes\Dialer.sbi (*)
2008-02-13 Includes\DialerC.sbi (*)
2008-02-13 Includes\HeavyDuty.sbi (*)
2008-02-13 Includes\Hijackers.sbi (*)
2008-02-13 Includes\HijackersC.sbi (*)
2008-02-13 Includes\Keyloggers.sbi (*)
2008-02-13 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-02-13 Includes\Malware.sbi (*)
2008-02-13 Includes\MalwareC.sbi (*)
2007-10-24 Includes\PUPS.sbi (*)
2008-02-13 Includes\PUPSC.sbi (*)
2008-02-13 Includes\Revision.sbi (*)
2008-01-09 Includes\Security.sbi (*)
2008-02-13 Includes\SecurityC.sbi (*)
2008-02-13 Includes\Spybots.sbi (*)
2008-02-13 Includes\SpybotsC.sbi (*)
2007-11-06 Includes\Tracks.uti
2008-02-13 Includes\Trojans.sbi (*)
2008-02-13 Includes\TrojansC.sbi (*)
2007-12-24 Plugins\TCPIPAddress.dll
Log of SpyBot Search & Destroy Fixes:
--- Report generated: 2008-02-14 23:01 ---
Virtumonde: [SBI $FDAA1FF2] Library (File, fixed)
C:\WINDOWS\system32\ddcca.dll
Virtumonde: [SBI $42352499] User settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-82194667-1315141139-1877560073-1779\Software\Microsoft\rdfa
Virtumonde: [SBI $47E741CD] Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws
Virtumonde: [SBI $7342F9D9] Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-82194667-1315141139-1877560073-1779\Software\Microsoft\aldd
Virtumonde: [SBI $E7C36CB1] Executable (File, fixed)
C:\Documents and Settings\me\Local Settings\Temp\removalfile.bat
Note that SpyBot continued to find Virtumonde even after the fixes it logged above (for some reason, there doesn't appear to be a log file of my other SpyBot scans, but I wrote down the one it continued to find):
Virtumonde: [SBI $47E741CD] Settings (Registry key)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws
After several scans and fixes, it is now coming up clean.
After I installed SpyBot TeaTimer which gives alerts when a program is trying to make changes to the registry, each time I restarted the computer, it alerted me that a "blacklisted program" was trying to make changes and did I want to allow it or not – I wasn’t sure what to do, but on various reboots I tried allowing them and not allowing them. Here’s the log of that process (each bunch of entries is one reboot):
SpyBot TeaTimer log
2/14/2008 11:00:23 PM Allowed (based on user decision) value "SpybotDeletingB5324" (new data: "command /c del "C:\WINDOWS\system32\ddcca.dll_old"") added in System Startup user entry!
2/14/2008 11:00:32 PM Allowed (based on user decision) value "SpybotDeletingD7247" (new data: "cmd /c del "C:\WINDOWS\system32\ddcca.dll_old"") added in System Startup user entry!
2/14/2008 11:00:46 PM Allowed (based on user decision) value "SpybotDeletingA5021" (new data: "command /c del "C:\WINDOWS\system32\ddcca.dll_old"") added in System Startup global entry!
2/14/2008 11:00:56 PM Allowed (based on user decision) value "SpybotDeletingC7838" (new data: "cmd /c del "C:\WINDOWS\system32\ddcca.dll_old"") added in System Startup global entry!
2/14/2008 11:16:20 PM Denied (based on user decision) value "SpybotDeletingB5324" (new data: "") deleted in System Startup user entry!
2/14/2008 11:16:34 PM Denied (based on user decision) value "SpybotDeletingD7247" (new data: "") deleted in System Startup user entry!
2/14/2008 11:16:39 PM Denied (based on user decision) value "SpybotDeletingA5021" (new data: "") deleted in System Startup global entry!
2/14/2008 11:16:42 PM Denied (based on user decision) value "SpybotDeletingC7838" (new data: "") deleted in System Startup global entry!
2/14/2008 11:19:17 PM Denied (based on user blacklist) value "SpybotDeletingB5324" (new data: "") deleted in System Startup user entry!
2/14/2008 11:19:17 PM Denied (based on user blacklist) value "SpybotDeletingD7247" (new data: "") deleted in System Startup user entry!
2/15/2008 1:27:18 PM Denied (based on user blacklist) value "SpybotDeletingB5324" (new data: "") deleted in System Startup user entry!
2/15/2008 1:27:19 PM Denied (based on user blacklist) value "SpybotDeletingD7247" (new data: "") deleted in System Startup user entry!
2/15/2008 2:14:43 PM Allowed (based on user decision) value "{64236E7F-EBCC-48BD-AF50-9AB92686F49F}" (new data: "") deleted in Browser Helper Object!
2/15/2008 2:43:44 PM Denied (based on user blacklist) value "SpybotDeletingB5324" (new data: "") deleted in System Startup user entry!
2/15/2008 2:43:45 PM Denied (based on user blacklist) value "SpybotDeletingD7247" (new data: "") deleted in System Startup user entry!
2/16/2008 5:21:27 AM Denied (based on user blacklist) value "SpybotDeletingB5324" (new data: "") deleted in System Startup user entry!
2/16/2008 5:21:27 AM Denied (based on user blacklist) value "SpybotDeletingD7247" (new data: "") deleted in System Startup user entry!
2/16/2008 5:21:27 AM Denied (based on user blacklist) value "SpybotDeletingA5021" (new data: "") deleted in System Startup global entry!
2/16/2008 5:21:27 AM Denied (based on user blacklist) value "SpybotDeletingC7838" (new data: "") deleted in System Startup global entry!
2/16/2008 8:49:15 AM Denied (based on user blacklist) value "SpybotDeletingB5324" (new data: "") deleted in System Startup user entry!
2/16/2008 8:49:17 AM Denied (based on user blacklist) value "SpybotDeletingD7247" (new data: "") deleted in System Startup user entry!
2/16/2008 3:39:20 PM Denied (based on user blacklist) value "SpybotDeletingB5324" (new data: "") deleted in System Startup user entry!
2/16/2008 3:39:20 PM Denied (based on user blacklist) value "SpybotDeletingD7247" (new data: "") deleted in System Startup user entry!
2/16/2008 3:39:20 PM Denied (based on user blacklist) value "SpybotDeletingA5021" (new data: "") deleted in System Startup global entry!
2/16/2008 3:39:20 PM Denied (based on user blacklist) value "SpybotDeletingC7838" (new data: "") deleted in System Startup global entry!
2/16/2008 4:28:45 PM Allowed (based on user decision) value "!AVG Anti-Spyware" (new data: ""C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized") added in System Startup global entry!
2/16/2008 6:59:52 PM Denied (based on user blacklist) value "SpybotDeletingB5324" (new data: "") deleted in System Startup user entry!
2/16/2008 6:59:54 PM Denied (based on user blacklist) value "SpybotDeletingD7247" (new data: "") deleted in System Startup user entry!
2/16/2008 6:59:54 PM Denied (based on user blacklist) value "SpybotDeletingA5021" (new data: "") deleted in System Startup global entry!
2/16/2008 6:59:55 PM Denied (based on user blacklist) value "SpybotDeletingC7838" (new data: "") deleted in System Startup global entry!
2/16/2008 11:18:07 PM Denied (based on user blacklist) value "SpybotDeletingB5324" (new data: "") deleted in System Startup user entry!
2/16/2008 11:18:07 PM Denied (based on user blacklist) value "SpybotDeletingD7247" (new data: "") deleted in System Startup user entry!
2/16/2008 11:18:07 PM Denied (based on user blacklist) value "SpybotDeletingA5021" (new data: "") deleted in System Startup global entry!
2/16/2008 11:18:08 PM Denied (based on user blacklist) value "SpybotDeletingC7838" (new data: "") deleted in System Startup global entry! (my note: the same ones come up every time I reboot)
2/17/2008 1:21:40 AM Allowed (based on user decision) value "{9A9307A0-7DA4-4DAF-B042-5009F29E09E1}" (new data: "") added in ActiveX Distribution Unit! (my note: Panda controle)
2/17/2008 1:08:38 PM Denied (based on user blacklist) value "SpybotDeletingB5324" (new data: "") deleted in System Startup user entry!
2/17/2008 1:08:38 PM Denied (based on user blacklist) value "SpybotDeletingD7247" (new data: "") deleted in System Startup user entry!
2/17/2008 1:08:38 PM Denied (based on user blacklist) value "SpybotDeletingA5021" (new data: "") deleted in System Startup global entry!
2/17/2008 1:08:38 PM Denied (based on user blacklist) value "SpybotDeletingC7838" (new data: "") deleted in System Startup global entry! (my note: SpyBot is no longer detecting Vundo, but I still get these blocked registry changes on boot-up).
2008-02-17 16:36:46 Denied (based on user blacklist) value "SpybotDeletingB5324" (new data: "") deleted in System Startup user entry!
2008-02-17 16:36:46 Denied (based on user blacklist) value "SpybotDeletingD7247" (new data: "") deleted in System Startup user entry!
2008-02-17 16:36:46 Denied (based on user blacklist) value "SpybotDeletingA5021" (new data: "") deleted in System Startup global entry!
2008-02-17 16:36:46 Denied (based on user blacklist) value "SpybotDeletingC7838" (new data: "") deleted in System Startup global entry!
TrendMicro OfficeScan log:
Log Type: Manual Scan
Date & Time: 2008-02-13 00 - Wednesday (Tues night)
File Name: C:\Documents and Settings\me\LocalSettings\Temporary Internet
Malware Name: TROJ_VUNDO.YEK
Action: OfficeScan detected a security risk but could not clean or quarantine the file.
*****
Log Type: Manual Scan - Wednesday (Tues night)
Date & Time: 2008-02-13 00
File Name: C:\DOCUME~1\me\LOCALS~\Temp\jnnimmxh.dll
Malware Name: TROJ_VUNDO.YEK
Action: OfficeScan detected a security risk. The file was quarantined.
*****
Log Type: Manual Scan
Date & Time: 2008-02-13 15 - Wednesday
File Name: C:\Documents and Settings\me\Desktop\Software Set-ups & Programs\P2P\TrustyFiles Folders\EvID4226.EXE
Malware Name: HKTL_EVID.AF
Action: OfficeScan detected a security risk but could not clean the file. The file was quarantined.
*****
Log Type: Manual Scan
Date & Time: 2008-02-13 16 - Wednesday
File Name: C:\System Volume Information\_restore{659E39E4-B470-43C9-8AB0-4735A20D0FE1}\RP288\A0055231.EXE
Malware Name: HKTL_EVID.AF
Action: OfficeScan detected a security risk but could not clean the file. The file was quarantined.
*****
Log Type: Real-time Scan
Date & Time: 2008-02-14 00 - Thursday
File Name: C:\Documents and Settings\me\LocalSettings\Temporary Internet Files\Content.IE5\2CZPHDDZ\tr[1]
Malware Name: TROJ_VUNDO.YEK
Action: OfficeScan detected a security risk but could not clean or quarantine the file.
*****
Log Type: Real-time Scan
Date & Time: 2008-02-14 00 - Thursday
File Name: C:\DOCUME~1\me\LOCALS~\Temp\ysdnbwqo.dll
Malware Name: TROJ_VUNDO.YEK
Action: OfficeScan detected a security risk. The file was quarantined.
*****
All subsequent scans found nothing (“no security threats were found”).
Note: That “TrustyFiles” folder belongs to an old P2P program that I downloaded and paid for (bought a legit license) a few years ago. I only used it for downloading mp3s and I haven’t used it or looked in that folder in over a year. So why would a virus suddenly end up in there?
I also ran TrendMicro online “housecall” scans a couple of times. The first time I tried running it using Firefox (my preferred browser), Internet Explorer windows kept opening up with a page title “crush-counter” and my Firefox browser would shut down. I remembered reading somewhere on the TrendMicro site that I should first disable System Restore and %Windows%\explorer.exe (using Task Manager). After that, the IE pages stopped popping up and my Firefox browser was able to run the housecall online scan. I don’t have a log for that scan, but I wrote down that it found the following:
ADWARE_ADDELETE
SPYWARE_KEYL_ASTLOG
HACKINGTOOLS_MAILPASSVIEW
ADWARE_MEMWATCHER
I selected clean/fix then did another online housecall scan to make sure they were really gone (the keylogger one in particular had me more than a little worried – I have “KeyScrambler” installed so maybe I’m okay?). No threats were detected.
Panda online antivirus scan log (these are all old email messages from a few years ago that I need to keep – not sure how they got infected – does this mean the attached Word documents could be infected?):
Virus:W97M/Pri.B Disinfected C:\Documents and Settings\me\My Documents\southpark\PMAIL\MAIL\FOL023FF.PMM[~0000195.~][ABSTRACT.WPD]
Virus:W97M/Pri.B Disinfected C:\Documents and Settings\me\My Documents\southpark\PMAIL\MAIL\FOL023FF.PMM[proposal.doc]
Virus:W97M/Pri.B Disinfected C:\Documents and Settings\me\My Documents\southpark\PMAIL\MAIL\FOL023FF.PMM[dexter-peck.doc]
Virus:W97M/Pri.B Disinfected C:\Documents and Settings\me\My Documents\southpark\PMAIL\MAIL\FOL023FF.PMM[consent-partI.doc]
Virus:W97M/Pri.B Disinfected C:\Documents and Settings\me\My Documents\southpark\PMAIL\MAIL\FOL023FF.PMM[consent-partII.doc]
Virus:W97M/Pri.B Disinfected C:\Documents and Settings\me\My Documents\southpark\PMAIL\MAIL\FOL023FF.PMM[Kiefl.doc]
Virus:W97M/Pri.B Disinfected C:\Documents and Settings\me\My Documents\southpark\PMAIL\MAIL\FOL02542.PMM[~0000529.~][intro3.doc]
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 02/15/2008 at 02:13 PM
Application Version : 3.9.1008
Core Rules Database Version : 3403
Trace Rules Database Version: 1395
Scan type : Complete Scan
Total Scan Time : 00:40:02
Memory items scanned : 452
Memory threats detected : 0
Registry items scanned : 6471
Registry threats detected : 5
File items scanned : 34742
File threats detected : 5
Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{64236E7F-EBCC-48BD-AF50-9AB92686F49F}
HKCR\CLSID\{64236E7F-EBCC-48BD-AF50-9AB92686F49F}
HKCR\CLSID\{64236E7F-EBCC-48BD-AF50-9AB92686F49F}\InprocServer32
HKCR\CLSID\{64236E7F-EBCC-48BD-AF50-9AB92686F49F}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\DDCCA.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{64236E7F-EBCC-48BD-AF50-9AB92686F49F}
Adware.Tracking Cookie
C:\Documents and Settings\me\Cookies\me@atdmt[1].txt
Adware.eXact Advertising
C:\PROGRAM FILES\MAIL.COM\MCALERT.EXE
C:\DOCUMENTS AND SETTINGS\me\START MENU\PROGRAMS\MAIL.COM\MAIL.COM ALERT.LNK
Adware.Vundo Variant/Rel
C:\WINDOWS\SYSTEM32\ACCDD.INI
Note: after this, no more threats detected, although SpyBot continued to report a Virtumonde registry key infection/problem (until the last couple of scans where SpyBot is saying the computer is clean).
I ran AVG Antispyware as well with the computer in safe mode and it didn’t find anything.
Here’s the ComboFix log file. Note that this was run today AFTER all the other scans were coming up clean (but, as I said above, I’m not convinced that the computer is clean).
ComboFix 08-02-17.2 - me 2008-02-17 13:51:17.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.528 [GMT -4:00]
Running from: C:\Documents and Settings\me\Desktop\Software Set-ups & Programs\computer cleaners\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\regedit.com
C:\WINDOWS\system32\9F812CCDB4.dll
C:\WINDOWS\system32\accdd.ini2
C:\WINDOWS\system32\lsprst7.dll
C:\WINDOWS\system32\lwfvryej.ini
C:\WINDOWS\system32\nsprs.dll
C:\WINDOWS\system32\serauth1.dll
C:\WINDOWS\system32\serauth2.dll
C:\WINDOWS\system32\ssprs.dll
C:\WINDOWS\system32\taskmgr.com
.
((((((((((((((((((((((((( Files Created from 2008-01-17 to 2008-02-17 )))))))))))))))))))))))))))))))
.
2008-02-17 03:34 . 2008-02-17 03:34 <DIR> d-------- C:\Documents and Settings\me.me-NB5\Application Data\SUPERAntiSpyware.com
2008-02-17 00:33 . 2008-02-17 02:44 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-17 00:33 . 2008-02-17 01:41 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-17 00:33 . 2008-02-17 01:41 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-17 00:33 . 2008-02-17 01:41 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-16 16:50 . 2008-02-16 16:50 <DIR> d-------- C:\Documents and Settings\me.me-NB5\Application Data\Grisoft
2008-02-16 16:28 . 2008-02-16 16:28 <DIR> d-------- C:\Documents and Settings\me\Application Data\Grisoft
2008-02-16 16:28 . 2008-02-16 16:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-16 16:28 . 2007-05-30 08:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-16 15:46 . 2008-02-16 15:46 <DIR> d-------- C:\VundoFix Backups
2008-02-16 08:22 . 2008-02-16 08:31 <DIR> d-------- C:\Hijackthis
2008-02-15 13:27 . 2008-02-15 13:27 <DIR> d-------- C:\Documents and Settings\me\Application Data\SUPERAntiSpyware.com
2008-02-14 23:26 . 2008-02-15 12:44 <DIR> d-------- C:\Documents and Settings\me\.housecall6.6
2008-02-14 22:14 . 2008-02-14 22:14 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-14 22:14 . 2008-02-14 22:14 3,450 --a------ C:\WINDOWS\unins000.dat
2008-02-14 15:58 . 2008-02-14 21:39 0 --a------ C:\23990098.$$$
2008-02-14 14:17 . 2008-02-14 14:17 <DIR> d-a------ C:\WINDOWS\zts2.exe
2008-02-14 14:17 . 2008-02-14 14:17 <DIR> d-a------ C:\WINDOWS\system32\vcmgcd32.dll
2008-02-14 14:17 . 2008-02-14 14:17 <DIR> d-a------ C:\WINDOWS\system32\iifgfgf.dll
2008-02-14 14:17 . 2008-02-14 14:17 <DIR> d-a------ C:\WINDOWS\rundll16.exe
2008-02-14 14:17 . 2008-02-14 14:17 <DIR> d-a------ C:\WINDOWS\rundl132.dll
2008-02-14 14:17 . 2008-02-14 14:17 <DIR> d-a------ C:\WINDOWS\logo1_.exe
2008-02-14 14:14 . 2008-02-14 14:16 5,937,408 --a------ C:\WINDOWS\REGBK00.ZIP
2008-02-14 14:13 . 2008-02-14 14:13 26 --a------ C:\WINDOWS\Lic.xxx
2008-02-14 14:12 . 2004-08-03 23:56 146,432 --a------ C:\WINDOWS\R.COM
2008-02-14 14:12 . 2004-08-03 23:56 135,680 --a------ C:\WINDOWS\system32\T.COM
2008-02-14 13:47 . 2008-02-14 13:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-14 13:46 . 2008-02-17 03:35 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-14 13:46 . 2008-02-14 13:46 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-02-14 13:43 . 2008-02-14 21:18 <DIR> d-------- C:\mwav
2008-02-14 01:07 . 2008-02-14 06:46 <DIR> d-------- C:\Documents and Settings\me\Application Data\HouseCall 6.6
2008-02-14 00:36 . 2008-02-14 13:40 2,191,700 --ahs---- C:\WINDOWS\system32\chfbedqr.ini
2008-02-13 21:53 . 2008-02-13 21:53 <DIR> d-------- C:\Documents and Settings\me\Application Data\Nero
2008-02-13 13:37 . 2008-02-13 23:40 1,024 --a------ C:\.rnd
2008-02-13 13:17 . 2008-02-13 23:47 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-02-13 13:17 . 2008-02-13 23:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-02-12 23:04 . 2008-02-12 23:04 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-12 23:04 . 2008-02-12 23:04 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-05 11:46 . 2008-02-05 11:46 <DIR> d-------- C:\Program Files\MSECache
2008-01-28 15:34 . 2008-01-28 15:34 <DIR> d-------- C:\Program Files\uTorrent
2008-01-28 15:34 . 2008-02-13 19:49 <DIR> d-------- C:\Documents and Settings\me\Application Data\uTorrent
2008-01-28 13:40 . 2005-05-26 15:34 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2008-01-28 13:38 . 2008-01-28 13:40 <DIR> d-------- C:\WINDOWS\msdownld.tmp
2008-01-28 13:20 . 2008-01-28 13:36 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-01-22 12:05 . 2008-01-22 12:05 <DIR> d-------- C:\Documents and Settings\me\Application Data\vlc
2008-01-22 12:05 . 2008-01-22 12:05 <DIR> d-------- C:\Documents and Settings\me\Application Data\dvdcss
2008-01-22 12:03 . 2008-01-22 12:03 <DIR> d-------- C:\Program Files\VideoLAN
2008-01-21 21:32 . 2008-01-21 21:32 <DIR> d-------- C:\Program Files\SmartFTP Client 2.5 Setup Files
2008-01-21 21:32 . 2008-02-17 02:21 <DIR> d-------- C:\Program Files\SmartFTP Client
2008-01-21 13:56 . 2008-01-21 13:56 1,025 --a------ C:\WINDOWS\system32\sysprs7.tgz
2008-01-21 13:56 . 2008-01-21 13:56 1,025 --a------ C:\WINDOWS\system32\sysprs7.dll
2008-01-21 13:56 . 2008-01-21 13:56 1,024 --a------ C:\WINDOWS\system32\clauth2.dll
2008-01-21 13:56 . 2008-01-21 13:56 1,024 --a------ C:\WINDOWS\system32\clauth1.dll
2008-01-21 13:56 . 2008-01-21 13:57 219 --a------ C:\WINDOWS\system32\lsprst7.tgz
2008-01-21 13:56 . 2008-01-21 14:02 16 ---h----- C:\WINDOWS\system32\servdat.slm
2008-01-21 13:56 . 2008-01-21 13:57 14 --a------ C:\WINDOWS\system32\ssprs.tgz
2008-01-21 13:56 . 2008-01-21 13:56 0 --a------ C:\WINDOWS\system32\nsprs.tgz
2008-01-21 13:43 . 2008-02-13 17:31 <DIR> d-------- C:\NALCache
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-17 06:28 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-02-17 06:24 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-17 06:20 --------- d-----w C:\Program Files\Rainlendar
2008-02-17 06:15 --------- d-----w C:\Program Files\KeyScrambler
2008-02-17 06:10 --------- d-----w C:\Program Files\Apoint
2008-02-15 18:14 --------- d-----w C:\Program Files\mail.com
2008-02-15 02:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-14 17:45 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-14 03:18 --------- d-----w C:\Program Files\CyberLink
2008-02-11 16:58 --------- d-----w C:\Documents and Settings\me\Application Data\CyberLink
2008-01-30 07:07 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-28 17:04 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-22 01:18 --------- d-----w C:\Program Files\SmartFTP Client 2.0 Setup Files
2008-01-22 01:18 --------- d-----w C:\Program Files\SmartFTP Client 2.0
2008-01-21 18:01 --------- d-----w C:\Program Files\spss14
2007-12-29 14:35 112,992 ----a-w C:\WINDOWS\system32\drivers\keyscrambler.sys
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NWTRAY"="NWTRAY.EXE" [2002-03-11 23:00 28672 C:\WINDOWS\system32\nwtray.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-01-19 08:14 7401472]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 10:56 602182]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2006-05-29 21:44 356429]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-10-07 14:13 176128]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25 6731312]
C:\Documents and Settings\me\Start Menu\Programs\Startup\
Rainlendar.lnk - C:\Program Files\Rainlendar\Rainlendar.exe [2006-01-21 08:31:46 118784]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
"CompatibleRUPSecurity"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0
R3 KeyScrambler;KeyScrambler;C:\WINDOWS\system32\drivers\keyscrambler.sys [2007-12-29 10:35]
S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys [2003-12-19 17:15]
S3 NWADI;NWADI Bus Enumerator;C:\WINDOWS\system32\DRIVERS\NWADIenum.sys [2005-12-09 15:39]
S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys [2002-10-15 22:41]
.
Contents of the 'Scheduled Tasks' folder
"2008-02-17 17:39:02 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2009-07-02 13:45:14 C:\WINDOWS\Tasks\User_Feed_Synchronization-{4AB48691-D6DA-4F8E-9C68-3D4422888995}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-17 13:59:22
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\TEMP\ZQ30B6.EXE
C:\Program Files\Trend Micro\OfficeScan Client\Pop3Trap.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2008-02-17 14:01:41 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-17 18:01:38
.
2008-02-15 07:01:24 --- E O F ---
And, finally, here is the most recent HijackThis log file:
Logfile of HijackThis v1.99.1
Scan saved at 16:37, on 2008-02-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\TEMP\JZC988.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Trend Micro\OfficeScan Client\Pop3Trap.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Rainlendar\Rainlendar.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Documents and Settings\me\Desktop\Software Set-ups & Programs\computer cleaners\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunOnce: [SpybotDeletingA5021] command /c del "C:\WINDOWS\system32\ddcca.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7838] cmd /c del "C:\WINDOWS\system32\ddcca.dll_old"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB5324] command /c del "C:\WINDOWS\system32\ddcca.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7247] cmd /c del "C:\WINDOWS\system32\ddcca.dll_old"
O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1145051039640
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.acadiau.ca
O17 - HKLM\Software\..\Telephony: DomainName = ad.acadiau.ca
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad.acadiau.ca
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ad.acadiau.ca
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
Is the O20 - Winlogon Notify area normal? I read somewhere that Winlogon processes are one place that Vundo likes to cause problems.
I think that’s everything you asked for. So what do you think? Is Vundo really gone? Are there other viruses hiding somewhere?
Thank you VERY much for your time!
-Takk
Edited by takk, 17 February 2008 - 06:17 PM.