umonitor infection

Hi
I've been infected with umonitor. After doing some on-line research it looks like there's no easy fix, but so far I've:
Removed C:\Program Files\SED (and the applicable registry entry).
I've just run findit, output file follows. Anyone who can help will be my new GOD!
Thanks

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\findit\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 5833-2363

Directory of C:\WINNT\System32

13/01/2005 10:26a 224,592 kfd103.dll
13/01/2005 10:23a 224,592 dn6s01j7e.dll
13/01/2005 10:04a 223,232 c8000idme80a0.dll
06/01/2005 02:13p 223,232 tbpmonui.dll
06/01/2005 12:44p 224,892 j0p0la7m1d.dll
5 File(s) 1,120,540 bytes
0 Dir(s) 13,055,973,376 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 5833-2363

Directory of C:\WINNT\System32

03/12/2004 04:23p 79,872 taskmgn.exe
28/06/2001 04:45p <DIR> GroupPolicy
1 File(s) 79,872 bytes
1 Dir(s) 13,055,973,376 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is 5833-2363

Directory of C:\WINNT\System32

------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is 5833-2363

Directory of C:\WINNT\System32

13/01/2003 02:57p 589,881 SET2C05.tmp
08/05/2001 08:00a 487,481 OLD2C08.tmp
08/05/2001 08:00a 2,577 CONFIG.TMP
3 File(s) 1,079,939 bytes
0 Dir(s) 13,055,973,376 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{2A0D7344-EE3B-4A55-B9EF-5D2391253CA3}"=""

------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WebCheck]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\kfd103.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

------------- Locate.com Results -------------

-------- Strings.exe Qoologic Results --------

--------- Strings.exe Aspack Results ---------

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"Smapp"="C:\\Program Files\\Analog Devices\\SoundMAX\\Smtray.exe"
"PROMon.exe"="PROMon.exe"
"ChkAdmin"="C:\\PROGRA~1\\Compaq\\COMPAQ~1\\CHKADMIN.EXE"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"WeatherOnTray"="C:\\Program Files\\Hotbar\\bin\\4.4.5.0\\WeatherOnTray.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"
"Windows Task Manager"="C:\\winnt\\system32\\taskmgn.exe"
"WebRebates0"="\"C:\\Program Files\\Web_Rebates\\WebRebates0.exe\""
"IE Menu Extension toolbar"="rundll32.exe \"C:\\PROGRA~1\\IEMENU~1\\tbextn.dll\" DllShowTB"
"VBundleOuterDL"="C:\\Program Files\\VBouncer\\BundleOuter.EXE"
"WinTools"="C:\\Program Files\\Common Files\\WinTools\\WToolsA.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

Further info: Windows 2000 Pro sp4, P4 1.8Ghz on a Compaq Evo.
Hijack this log:

Logfile of HijackThis v1.97.7
Scan saved at 11:19:44 AM, on 13/01/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\COMPAQ\ACLIENT\ACLIENT.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\WINNT\Cpqdiag\Cpqdfwag.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\rundll32.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINNT\system32\PROMon.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\winnt\system32\taskmgn.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\WINNT\system32\internat.exe
C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.smh.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com...DT/0C09/bl8.asp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://BCSYD01:8080
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.smh.com.au/
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: IEMenuExtension toolbar - {6b95678d-30a4-4ff8-a72f-4208340c1f7f} - C:\Program Files\IEMenuExtension\tbextn.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WeatherOnTray] C:\Program Files\Hotbar\bin\4.4.5.0\WeatherOnTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Windows Task Manager] C:\winnt\system32\taskmgn.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [IE Menu Extension toolbar] rundll32.exe "C:\PROGRA~1\IEMENU~1\tbextn.dll" DllShowTB
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINNT\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
O4 - HKCU\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {164B406B-0FD6-4E7F-BA7E-64D227D4CA37} (dnlplayer Class) - http://www.digitalwe...er/dbplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - https://www.visionap...tiveX/wfica.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.co...ysb_regular.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topcon...vex/loader2.ocx
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://www.raywhite....60/MSSurVid.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = basiscap.com.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = basiscap.com.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = basiscap.com.au

Thanks in advance

#1
ghowell

Posted 12 January 2005 - 06:12 PM

Advertisements

#2
ghowell

Posted 12 January 2005 - 06:19 PM

Similar Topics

0 user(s) are reading this topic

As Featured On:

Forums

Downloads

Members

Connect With Us