Avast WEBforum

Other => Viruses and worms => Topic started by: oldman on January 11, 2008, 02:56:27 AM

Title: PowerKord 's vundo
Post by: oldman on January 11, 2008, 02:56:27 AM
Hi

Do you have a desktop image that you don't want, or do you have one you placed there?

Download and run this clean-up utility. You can use it regularly. When it is first run, it is in demo mode to show you what it will remove. Review it and then rerun it in real mode. It is configurable.

CleanUp (http://www.stevengould.org/downloads/cleanup/)



Open HJT, run a system scan only, check mark these lines if present

O2 - BHO: (no name) - {19ED8902-29FA-4C2E-944D-945198BA0EEA} - C:\Program Files\Common Files\nipyC:\WINDOWS\System32\vt8\tycodllz83122.exe.dll (file missing)
O2 - BHO: (no name) - {E1759A31-E627-4758-9562-6899DF36C9C2} - C:\WINDOWS\System32\rqrpmmn.dll
O20 - Winlogon Notify: rqrpmmn - C:\WINDOWS\SYSTEM32\rqrpmmn.dll
 


Close all other browsers/windows, click fix, close HJT.




Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it will produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
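The fix list above rests on a pattern worth making mechanical: a BHO reported as "(no name)" whose DLL sits in System32 under a random-looking name, paired with an O20 Winlogon Notify entry that loads the same DLL. The following script is an added example, not code from this thread, from HijackThis or from the helper; it parses a constructed subset of the HJT log posted later in the thread and returns the entries a helper would mark for fixing. The regexes and the "random-looking name" heuristic (5 to 8 lowercase letters, no digits) are this example's own assumptions, not HijackThis rules.

```python
"""Triage a HijackThis (HJT) log for Vundo-style BHO / Winlogon Notify pairs.

Added example for this thread; not part of HijackThis or the helper's post.
The sample lines are a constructed subset of the HJT log posted in the thread.
"""
import re

# Constructed sample: six lines copied from the thread's HJT log.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {19ED8902-29FA-4C2E-944D-945198BA0EEA} - C:\Program Files\Common Files\nipyC:\WINDOWS\System32\vt8\tycodllz83122.exe.dll (file missing)
O2 - BHO: (no name) - {E1759A31-E627-4758-9562-6899DF36C9C2} - C:\WINDOWS\System32\rqrpmmn.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O20 - Winlogon Notify: rqrpmmn - C:\WINDOWS\SYSTEM32\rqrpmmn.dll
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/VINCEN~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg
"""

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")
# Assumed heuristic (not an HJT rule): a DLL named with 5-8 lowercase letters and no digits.
RANDOM_DLL_RE = re.compile(r"\\[a-z]{5,8}\.dll$")
MISSING = "(file missing)"


def parse_hjt(text):
    """Split an HJT log into BHO (O2) and Winlogon Notify (O20) records."""
    bhos, notifies = [], []
    for line in text.strip().splitlines():
        m = BHO_RE.match(line)
        if m:
            path = m.group("path").strip()
            missing = path.endswith(MISSING)
            if missing:
                path = path[: -len(MISSING)].strip()
            bhos.append({"line": line, "name": m.group("name").strip(),
                         "clsid": m.group("clsid"), "path": path, "missing": missing})
            continue
        m = NOTIFY_RE.match(line)
        if m:
            notifies.append({"line": line, "key": m.group("key"),
                             "path": m.group("path").strip()})
    return bhos, notifies


def triage(text):
    """Return [(hjt_line, [reasons...])] for entries worth fixing.

    BHO entries come first, then Winlogon Notify entries, each in log order.
    """
    bhos, notifies = parse_hjt(text)
    bho_paths = {b["path"].lower() for b in bhos}
    notify_paths = {n["path"].lower() for n in notifies}
    flagged = []
    for b in bhos:
        low = b["path"].lower()
        reasons = []
        if b["name"].lower() == "(no name)":
            reasons.append("unnamed BHO")
        if b["missing"]:
            reasons.append("file missing")
        if "\\system32\\" in low and RANDOM_DLL_RE.search(low):
            reasons.append("random-looking DLL name in System32")
        if low in notify_paths:
            reasons.append("same DLL registered as Winlogon Notify")
        if reasons:
            flagged.append((b["line"], reasons))
    for n in notifies:
        # A Winlogon Notify DLL that is also a BHO is the classic Vundo pairing.
        if n["path"].lower() in bho_paths:
            flagged.append((n["line"], ["Winlogon Notify DLL also loaded as a BHO"]))
    return flagged


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        print("    -> " + "; ".join(reasons))
```

Run against the sample, the script reports exactly the three lines the helper lists above and leaves the Adobe BHO, the avast! Run entry and the O24 desktop component alone; the O24 line is a separate question for the user, not something this pattern can decide.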


Title: Re: PowerKord 's vundo
Post by: PowerKord on January 11, 2008, 03:05:34 AM
Hi, oldman,

Thanks so much for your help! If you'd be so kind, please respond to each point, below, as necessary:

1. Below is my newest HJT scan.

2. Below in two separate posts are the results of my newest ComboFix scan.

3. I'm not sure why or what you're asking regarding a desktop image. Are you asking this based on having examined my HJT log? Please be more specific, though I can tell you that presently I have no desktop image set--assuming you mean a standard image like a .jpg or wallpaper. Is this what you refer to?

4. Why do you suggest I run Cleanup? Just to protect my personal privacy, in view of the fact that I'm posting potentially intimate computing information online here?

5. The only one of your instructions I have not followed is your recommendation that I run CleanUp.

6. Why did Avast! Home Edition allow these viruses to enter my system? Does it reveal a weakness in Avast!? Is there a different or competing program that would have detected them, AND prevented them from infecting my system?

7. BTW, while I'm writing you, would you kindly answer a related question? Why does this line appear in my log:

O4 - HKLM\..\Run: [Ardamax Keylogger] C:\Program Files\Ardamax Keylogger Lite\akl.exe

Is Ardamax running silently on my system?

Thanks so much, and I await your further instruction. Bear in mind, as well, that as I wrote in my initial posting, my system is apparently also infected with SmitFraud-C.CoreService. I have included that posting for your convenience at the end of this posting; it contains add'l detail regarding my initial efforts to rid myself of both these viruses.

Regards,

vince

----------------------------------------------
ORIGINAL POSTING IN THIS FORUM

Re: Win32:TratBHO Wont go away!...help
« Reply #15 on: Yesterday at 10:27:59 PM »
Hello, oldman,

I also have a problem with WIN32:TratBHO (as well as SmitFraud-C.CoreService).

Upon detection by Avast!, I tried to delete the .dll file from within Avast!; the file name was awvvu.dll. I next got a series of Windows error messages indicating cannot find file, so apparently the file was deleted, though that did not solve the problem.

I ran SpyBot S & D, which did not seem to pick up the virus, but did flag SmitFraud-C.CoreService. Are the two related? I authorized SSD to scan upon boot to remove SmitFraud, but the boot scan took a long time and eventually stopped responding, so I killed it. I still have the SmitFraud.

I then looked for the .dll file itself in System32 but it was not there. What was there, however, was awvvu.exe, which I manually deleted. However, the virus appears to have created a new .dll, because Avast! is now detecting the virus in a different .dll file: iiigd.dll.

(About an hour later Avast! has just flagged another infected file in System32:  geefd.dll, and after removing it to the Avast! virus chest, yet another file was flagged: khhgh.dll. These last two files had not yet been flagged, and perhaps did not yet exist, at the time I created my HJT log, below.)
Title: Re: PowerKord 's vundo
Post by: PowerKord on January 11, 2008, 03:06:49 AM
admin - pls delete this post
Title: Re: PowerKord 's vundo
Post by: PowerKord on January 11, 2008, 04:07:59 AM
NEWEST HJT LOG

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://messageofhope.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=sp&mem=l2test&key=8289fae155a967d95764045ed9e8ff96&ts=3e668bd9&A=0&B=1021273200000&C=1021273200000&D=0&I=6.0B4&L=&M=1021273200000&N=&O=A
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {19ED8902-29FA-4C2E-944D-945198BA0EEA} - C:\Program Files\Common Files\nipyC:\WINDOWS\System32\vt8\tycodllz83122.exe.dll (file missing)
O2 - BHO: (no name) - {E1759A31-E627-4758-9562-6899DF36C9C2} - C:\WINDOWS\System32\rqrpmmn.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKLM\..\Run: [trackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [Ardamax Keylogger] C:\Program Files\Ardamax Keylogger Lite\akl.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ACDSee] C:\Program Files\ACD Systems\ACDSee\9.0\ACDSee9.exe /tray
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: HyperSnap 6.lnk = C:\Program Files\HyperSnap 6\HprSnap6.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{622850C9-2536-4A0E-9F3D-49149C1237F8}: NameServer = 205.208.227.13 205.208.227.14
O17 - HKLM\System\CCS\Services\Tcpip\..\{D14F581C-AD5C-4482-9892-2D28DEA465B2}: NameServer = 69.57.146.14,69.57.147.175
O20 - Winlogon Notify: rqrpmmn - C:\WINDOWS\SYSTEM32\rqrpmmn.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DM1Service - OLYMPUS Corporation - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Nakido - Unknown owner - C:\WINDOWS\System32\nakido.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/VINCEN~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 5736 bytes
Title: Re: PowerKord 's vundo
Post by: PowerKord on January 11, 2008, 05:08:12 AM
NEWEST COMBOFIX LOG - PART I


ComboFix 08-01-10.2 - Vincent Christopher 2008-01-10 22:14:23.2 - NTFSx86
Running from: C:\Documents and Settings\Vincent Christopher\Desktop\ComboFix.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp\tn3
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
(((((((((((((((((((((((((   Files Created from 2007-12-11 to 2008-01-11  )))))))))))))))))))))))))))))))
.

2008-01-10 22:22 . 2008-01-10 22:22   <DIR>   d--------   C:\TEMP\tn3
2008-01-10 22:21 . 2008-01-10 22:21   932   ---------   C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-10 20:23 . 2000-08-31 08:00   51,200   --a------   C:\WINDOWS\NirCmd.exe
2008-01-10 04:28 . 2008-01-10 07:00   189   --a------   C:\WINDOWS\wininit.ini
2008-01-09 22:37 . 2008-01-10 07:26   155,648   --a------   C:\WINDOWS\system32\igfxtray.exe
2008-01-09 22:37 . 2008-01-10 07:26   114,688   --a------   C:\WINDOWS\system32\hkcmd.exe
2008-01-09 22:10 . 2008-01-09 22:10   <DIR>   d--------   C:\WINDOWS\system32\vt8
2008-01-09 22:10 . 2008-01-09 22:10   <DIR>   d--------   C:\WINDOWS\system32\ob3
2008-01-09 22:10 . 2008-01-09 22:10   <DIR>   d--------   C:\WINDOWS\system32\nz0
2008-01-09 22:10 . 2008-01-09 22:10   <DIR>   d--------   C:\WINDOWS\system32\che9
2008-01-09 22:10 . 2008-01-09 22:10   86,016   --a------   C:\WINDOWS\system32\drivers\mrxsmbb.sys
2008-01-09 22:09 . 2008-01-09 22:10   <DIR>   d--------   C:\WINDOWS\system32\mp2
2008-01-09 22:09 . 2008-01-09 22:09   493,170   --a------   C:\TEMP\liHco0109.exe
2008-01-09 22:01 . 2008-01-09 22:01   <DIR>   d--------   C:\WINDOWS\system32\edcA01
2008-01-09 22:01 . 2008-01-09 22:01   <DIR>   d--------   C:\TEMP\Ryuan1
2007-12-13 15:07 . 2007-12-13 15:07   3,856   --a------   C:\WINDOWS\crmtemp1.dat

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-02 07:41   ---------   d-----w   C:\Program Files\NoteTab Pro
2007-12-27 06:48   ---------   d-----w   C:\Program Files\Yahoo!
2007-12-26 16:17   ---------   d-----w   C:\Documents and Settings\Vincent Christopher\Application Data\Aim
2007-12-04 14:56   93,264   ----a-w   C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55   94,544   ----a-w   C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53   23,152   ----a-w   C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51   42,912   ----a-w   C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49   26,624   ----a-w   C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04   837,496   ----a-w   C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54   95,608   ----a-w   C:\WINDOWS\system32\AvastSS.scr
2007-11-25 08:58   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-11-19 17:21   ---------   d-----w   C:\Program Files\Viewpoint
2007-11-18 05:52   ---------   d-----w   C:\Program Files\AOD
2007-11-18 05:52   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-10-19 07:19   118,784   ----a-w   C:\WINDOWS\SeaMonkeyUninstall.exe
2007-10-19 07:19   118,784   ----a-w   C:\WINDOWS\GREUninstall.exe
2007-10-10 21:47   58,728   ----a-w   C:\Documents and Settings\Vincent Christopher\Application Data\GDIPFONTCACHEV1.DAT
2007-04-01 20:06   0   ----a-w   C:\Documents and Settings\Vincent Christopher\us145info.exe
2006-03-20 22:17   1,971,010   ----a-w   C:\Documents and Settings\Vincent Christopher\mr_corporation.zip
.

(((((((((((((((((((((((((((((   snapshot@2008-01-10_20.41.36.84   )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-11 03:21:48   16,384   ----atw   C:\WINDOWS\Temp\Perflib_Perfdata_5e4.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Title: Re: PowerKord 's vundo
Post by: PowerKord on January 11, 2008, 05:09:12 AM
NEWEST COMBOFIX LOG - PART II


*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 05:41 13312]
"ACDSee"="C:\Program Files\ACD Systems\ACDSee\9.0\ACDSee9.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2008-01-10 07:26 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2008-01-10 07:26 114688]
"LTSMMSG"="LTSMMSG.exe" [2001-08-02 10:28 45056 C:\WINDOWS\LTSMMSG.exe]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [ ]
"UC_SMB"="" []
"TPKMAPMN"="C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe" [2008-01-10 07:26 32835]
"TrackPointSrv"="tp4serv.exe" [2002-12-03 03:09 87552 C:\WINDOWS\system32\tp4serv.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 07:53 88363 C:\WINDOWS\AGRSMMSG.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe" [2008-01-10 07:27 32873]
"Ardamax Keylogger"="C:\Program Files\Ardamax Keylogger Lite\akl.exe" [ ]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2003-11-26 01:35 94208]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-08-29 05:41 13312]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Device Detector 3.lnk - C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe [2007-10-23 18:59:29]
HyperSnap 6.lnk - C:\Program Files\HyperSnap 6\HprSnap6.exe [2007-08-13 04:18:08]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= C:\Program Files\Qualcomm\Eudora\EuShlExt.dll [ ]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders   msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll

R1 CSMBATT;CSMBATT;C:\WINDOWS\System32\drivers\CSMBATT.SYS [2003-02-10 11:39]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\System32\drivers\IBMBLDID.SYS [2001-07-30 04:05]
R1 mrxsmbb;mrxsmbb;C:\WINDOWS\System32\drivers\mrxsmbb.sys [2008-01-09 22:10]
R1 nbmkmd;nbmkmd;C:\WINDOWS\System32\drivers\nbmkmd.sys [1998-12-30 17:28]
R1 TDOEM;TDOEM;C:\WINDOWS\System32\Drivers\TDOEM.SYS [2003-11-26 01:35]
R2 Nakido;Nakido;C:\WINDOWS\System32\nakido.exe [2004-09-29 23:07]
R3 {A7E39B01-B403-11d4-BD18-00D0B7A1821E};AIM 3.0 Part 01 Codec Driver VCH-A;C:\WINDOWS\System32\drivers\Vch.sys [2002-07-31 09:12]
R3 EPPSCSIx;EPPSCSI Driver;C:\WINDOWS\System32\DRIVERS\EPPSCAN.sys [2002-03-06 13:20]
R3 Tp4Track;IBM PS/2 TrackPoint Driver;C:\WINDOWS\System32\DRIVERS\tp4track.sys [2002-12-03 03:09]
S3 LucentSoftModem;Lucent Technologies Soft Modem;C:\WINDOWS\System32\DRIVERS\LTSM.sys [2001-08-02 10:28]
S3 ma763004;M-Audio MobilePre USB;C:\WINDOWS\System32\drivers\MA763004.sys []
S3 MADFU804;MADFU804;C:\WINDOWS\System32\DRIVERS\MADFU804.sys []
S3 NUVision;Georgia USBVision (VD400);C:\WINDOWS\System32\DRIVERS\NUVision.sys [2001-09-16 11:32]
S3 PCDRDRV;Pcdr CPU Helper Driver;C:\WINDOWS\System32\drivers\PCDRDRV.sys []

.
Contents of the 'Scheduled Tasks' folder
"2006-12-09 08:29:46 C:\WINDOWS\Tasks\BMMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\BMMTASK.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-10 22:22:42
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2800.1106]
-> C:\Program Files\HyperSnap 6\dxsnap.dll
.
Completion time: 2008-01-10 22:27:31 - machine was rebooted
ComboFix-quarantined-files.txt  2008-01-11 03:27:24
ComboFix2.txt  2008-01-11 01:42:07
Title: Re: PowerKord 's vundo
Post by: oldman on January 11, 2008, 06:29:16 AM
> 1. Below is my newest HJT scan.

Did you fix the lines as requested? The log looks the same. Did you run it after you ran ComboFix?

> 2. Below in two separate posts are the results of my newest ComboFix scan.

I need the results from the first run also. You can find it at C:\combofix under ComboFix-quarantined-files.txt. It will be Combofix1.txt.

> 3. I'm not sure why or what you're asking regarding a desktop image. Are you asking this based on having examined my HJT log? Please be more specific, though I can tell you that presently I have no desktop image set--assuming you mean a standard image like a .jpg or wallpaper. Is this what you refer to?

It's the O24 line in your HJT log. Some people have images as a desktop component that they put there themselves, so I ask before removing it.

> 4. Why do you suggest I run Cleanup? Just to protect my personal privacy, in view of the fact that I'm posting potentially intimate computing information online here?

To clean out the temp folder, a place this crud likes to hide.

> 5. The only one of your instructions I have not followed is your recommendation that I run CleanUp.

> 6. Why did Avast! Home Edition allow these viruses to enter my system? Does it reveal a weakness in Avast!? Is there a different or competing program that would have detected them, AND prevented them from infecting my system?

No AV will catch it all. Some have better detection than others. Right now I'm looking at threads with Norton and McAfee, some with the same problem.


> Thanks so much, and I await your further instruction. Bear in mind, as well, that as I wrote in my initial posting, my system is apparently also infected with SmitFraud-C.CoreService. I have included that posting for your convenience at the end of this posting; it contains add'l detail regarding my initial efforts to rid myself of both these viruses.

Yes, I saw that and want to be certain we need SmitfraudFix.




Please submit the following files for analysis.

To submit a file to VirusTotal, please click on this link:

www.virustotal.com

Copy and paste the following into the "Upload a file" box (one at a time if more than one file is listed):

C:\WINDOWS\System32\DRIVERS\MADFU804.sys
C:\WINDOWS\System32\drivers\mrxsmbb.sys
C:\Documents and Settings\Vincent Christopher\us145info.exe
C:\WINDOWS\crmtemp1.dat



Scroll down a bit and click "Send file", wait for the results and post them in your next reply.

Rerun HJT and post the log. The files referenced in HJT are not in the ComboFix log.

Thanks
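Before pasting paths into the VirusTotal upload box it is worth checking, on the machine itself, that each file exists, is non-empty and can actually be opened for reading: a 0-byte file has nothing to scan, and a file the browser cannot read (a loaded driver, for instance) may be submitted as empty, so the upload result alone does not tell you which case you hit. The script below is an added example, not something the helper posted and not a VirusTotal tool; it classifies each path and, for readable files, computes MD5 and SHA-256 so the file can be looked up by hash or compared against a quarantined copy later (hashing is this example's addition; the thread only uploads). The sample files it creates in a temporary directory are constructed for the demonstration and say nothing about the four files listed above.

```python
"""Check files locally before submitting them to VirusTotal.

Added example for this thread; not code from the helper or from VirusTotal.
Classifies each path as missing / empty / unreadable / ok and hashes readable
files so they can be looked up by hash or compared against a quarantined copy.
"""
import hashlib
import os
import tempfile

# Constructed sample content for the demo file; not a real binary.
SAMPLE_BYTES = b"MZ" + b"\x00" * 30 + b"constructed sample, not a real binary"


def classify(path, chunk_size=1 << 16):
    """Describe why a path would (or would not) scan.

    Returns a dict whose "status" is one of "missing", "empty", "unreadable"
    or "ok"; for "ok" it also carries size, md5 and sha256.
    """
    if not os.path.isfile(path):
        return {"path": path, "status": "missing"}
    try:
        size = os.path.getsize(path)
        if size == 0:
            return {"path": path, "status": "empty", "size": 0}
        md5, sha256 = hashlib.md5(), hashlib.sha256()
        with open(path, "rb") as fh:          # stream so large files stay cheap
            for chunk in iter(lambda: fh.read(chunk_size), b""):
                md5.update(chunk)
                sha256.update(chunk)
    except OSError as exc:                    # permission denied, sharing violation, ...
        return {"path": path, "status": "unreadable", "error": str(exc)}
    return {"path": path, "status": "ok", "size": size,
            "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def triage(paths):
    """Classify every path, preserving the order given."""
    return [classify(p) for p in paths]


def summarize(results):
    """Group paths by status so the ones needing a different step stand out."""
    groups = {}
    for r in results:
        groups.setdefault(r["status"], []).append(r["path"])
    return groups


def demo_files():
    """Constructed sample: one normal file, one 0-byte file, one missing path."""
    d = tempfile.mkdtemp(prefix="vt_triage_")
    ok = os.path.join(d, "sample_ok.bin")
    with open(ok, "wb") as fh:
        fh.write(SAMPLE_BYTES)
    empty = os.path.join(d, "sample_empty.exe")
    open(empty, "wb").close()
    return [ok, empty, os.path.join(d, "sample_missing.sys")]


if __name__ == "__main__":
    results = triage(demo_files())
    for r in results:
        line = f"{r['status']:10} {r['path']}"
        if r["status"] == "ok":
            line += f"  size={r['size']}  sha256={r['sha256']}"
        print(line)
    print(summarize(results))
```

Only paths in the "ok" group are worth uploading; "empty" and "missing" entries explain a "0 bytes received" result without a second upload attempt, and "unreadable" ones need to be copied out (for example from a quarantine folder) before they can be submitted.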
Title: Re: PowerKord 's vundo
Post by: siyete on January 11, 2008, 02:26:01 PM
Hello oldman,
Can you help me resolve my wind32 bhd kd problem? My forum topic is:
http://forum.avast.com/index.php?topic=32589.0

I would really appreciate your help. Thanks...
Title: Re: PowerKord 's vundo
Post by: PowerKord on January 12, 2008, 02:11:31 AM
Hi,

1. My Avast! icon no longer appears in my system tray! I can't really tell if the program is running or not. What happened, and what should I do? The program is still listed in Add/Remove Programs.

2. I don't seem to be getting the symptom of the infection I was getting before: my browser/Windows kept trying to log on, but that's not happening anymore with SeaMonkey or Firefox, though I haven't brought IE up in about 24 hours. Still, the logon attempts were occurring before, even when IE was not open.

Should I launch IE to see what happens?

3. Re a desktop image, I have none set now, though I have in the past. I don't know what that clip image refers to.

4. Re the files to scan with virustotal:

C:\WINDOWS\System32\DRIVERS\MADFU804.sys - this file is apparently no longer present on my system.

mrxsmbb.sys - VirusTotal reports 0 bytes rec'd. Did not scan.

C:\Documents and Settings\Vincent Christopher\us145info.exe - also reports 0 bytes rec'd. Did not scan.

C:\WINDOWS\crmtemp1.dat - Scanned. No problems reported by any scanner.

5. I did another ComboFix scan, then another HJT scan, in that order. Results below.

You indicated you needed to see my first CF scan. However, there is no path on my system C:\combofix. There is C:\QooBox, and contained there is a .txt file called ComboFix-quarantined-files.txt, printed below. There is no folder with that name, nor is there any document combofix1.txt, only combofix2.txt.

ComboFix-quarantined-files.txt:

2004-08-15 03:12      1074    --a------    C:\Qoobox\Quarantine\C\WINDOWS\inf\ultra.inf.vir
2004-08-15 03:12      143    --a------    C:\Qoobox\Quarantine\C\Documents and Settings\Vincent Christopher\Application Data\ultra\uninstall.bat.vir
2007-04-16 09:39      1100654    --a------    C:\Qoobox\Quarantine\C\Documents and Settings\Vincent Christopher\Application Data\Install.dat.vir
2007-09-23 20:05      279600    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\pac.txt.vir
2008-01-09 00:44      28747    --a------    C:\Qoobox\Quarantine\C\TEMP\1cb\syscheck.log.vir
2008-01-09 22:01      41472    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\rqrpmmn.dll.vir
2008-01-09 22:06      41472    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\jkkkjif.dll.vir
2008-01-10 01:33      340480    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\RCX18.tmp.vir
2008-01-10 05:34      410112    --a------    C:\Qoobox\Quarantine\C\Program Files\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe.vir
2008-01-10 05:34      456192    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\hkcmd.exe.vir
2008-01-10 05:34      497152    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\igfxtray.exe.vir
2008-01-10 05:35      13312    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\ctfmon .exe.vir
2008-01-10 05:35      340480    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\RCX19.tmp.vir
2008-01-10 05:35      373248    --a------    C:\Qoobox\Quarantine\C\Program Files\Java\j2re1.4.2_01\bin\jusched.exe.vir
2008-01-10 05:35      373248    --a------    C:\Qoobox\Quarantine\C\Program Files\ThinkPad\Utilities\TpKmapMn.exe.vir
2008-01-10 05:35      446464    --a------    C:\Qoobox\Quarantine\C\Program Files\Alwil Software\Avast4\ashDisp.exe.vir
2008-01-10 07:17      7323    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\uvvwa.ini.vir
2008-01-10 07:17      7323    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\uvvwa.ini2.vir
2008-01-10 07:26      69632    --a------    C:\Qoobox\Quarantine\C\Program Files\ThinkPad\PkgMgr\HOTKEY\TPHKMGR .exe.vir
2008-01-10 07:27      79224    --a------    C:\Qoobox\Quarantine\C\Program Files\Alwil Software\Avast4\ashDisp .exe.vir
2008-01-10 20:33      197182    --a------    C:\Qoobox\Quarantine\catchme2008-01-10_203650.86.zip
2008-01-10 20:35      932    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\core.cache.dsk.vir
2008-01-10 22:19      188    --a------    C:\Qoobox\Quarantine\catchme2008-01-10_222211.94.zip
2008-01-10 22:19      2012    --a------    C:\Qoobox\Quarantine\C\ComboFix\errdbg.dat.vir
2008-01-10 22:19      656    --a------    C:\Qoobox\Quarantine\catchme.log

6. Before doing any of the above, I performed a CleanUp scan.

Thanks, again. I await your further instruction. We also have yet to address my SmitFraud issue.

Best,

vince
Title: Re: PowerKord 's vundo
Post by: PowerKord on January 12, 2008, 02:15:48 AM

LATEST CF SCAN -- 01-11-08

ComboFix 08-01-10.2 - Vincent Christopher 2008-01-11 18:34:59.3 - NTFSx86
Running from: C:\Documents and Settings\Vincent Christopher\Desktop\ComboFix.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp\tn3
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
(((((((((((((((((((((((((   Files Created from 2007-12-11 to 2008-01-11  )))))))))))))))))))))))))))))))
.

2008-01-11 18:44 . 2008-01-11 18:44   <DIR>   d--------   C:\TEMP\tn3
2008-01-11 18:42 . 2008-01-11 18:42   932   ---------   C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-10 20:23 . 2000-08-31 08:00   51,200   --a------   C:\WINDOWS\NirCmd.exe
2008-01-10 04:28 . 2008-01-10 07:00   189   --a------   C:\WINDOWS\wininit.ini
2008-01-09 22:37 . 2008-01-10 07:26   155,648   --a------   C:\WINDOWS\system32\igfxtray.exe
2008-01-09 22:37 . 2008-01-10 07:26   114,688   --a------   C:\WINDOWS\system32\hkcmd.exe
2008-01-09 22:10 . 2008-01-09 22:10   <DIR>   d--------   C:\WINDOWS\system32\vt8
2008-01-09 22:10 . 2008-01-09 22:10   <DIR>   d--------   C:\WINDOWS\system32\ob3
2008-01-09 22:10 . 2008-01-09 22:10   <DIR>   d--------   C:\WINDOWS\system32\nz0
2008-01-09 22:10 . 2008-01-09 22:10   <DIR>   d--------   C:\WINDOWS\system32\che9
2008-01-09 22:10 . 2008-01-09 22:10   86,016   --a------   C:\WINDOWS\system32\drivers\mrxsmbb.sys
2008-01-09 22:09 . 2008-01-09 22:10   <DIR>   d--------   C:\WINDOWS\system32\mp2
2008-01-09 22:01 . 2008-01-09 22:01   <DIR>   d--------   C:\WINDOWS\system32\edcA01
2007-12-13 15:07 . 2007-12-13 15:07   3,856   --a------   C:\WINDOWS\crmtemp1.dat

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-02 07:41   ---------   d-----w   C:\Program Files\NoteTab Pro
2007-12-27 06:48   ---------   d-----w   C:\Program Files\Yahoo!
2007-12-26 16:17   ---------   d-----w   C:\Documents and Settings\Vincent Christopher\Application Data\Aim
2007-12-04 14:56   93,264   ----a-w   C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55   94,544   ----a-w   C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53   23,152   ----a-w   C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51   42,912   ----a-w   C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49   26,624   ----a-w   C:\WINDOWS\system32\drivers\aavmker4.sys
2007-11-25 08:58   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-11-19 17:21   ---------   d-----w   C:\Program Files\Viewpoint
2007-11-18 05:52   ---------   d-----w   C:\Program Files\AOD
2007-11-18 05:52   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-10-19 07:19   118,784   ----a-w   C:\WINDOWS\SeaMonkeyUninstall.exe
2007-10-19 07:19   118,784   ----a-w   C:\WINDOWS\GREUninstall.exe
2007-10-10 21:47   58,728   ----a-w   C:\Documents and Settings\Vincent Christopher\Application Data\GDIPFONTCACHEV1.DAT
2007-04-01 20:06   0   ----a-w   C:\Documents and Settings\Vincent Christopher\us145info.exe
2006-03-20 22:17   1,971,010   ----a-w   C:\Documents and Settings\Vincent Christopher\mr_corporation.zip
.

(((((((((((((((((((((((((((((   snapshot@2008-01-10_20.41.36.84   )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-11 23:43:25   16,384   ----atw   C:\WINDOWS\Temp\Perflib_Perfdata_5ec.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 05:41 13312]
"ACDSee"="C:\Program Files\ACD Systems\ACDSee\9.0\ACDSee9.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2008-01-10 07:26 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2008-01-10 07:26 114688]
"LTSMMSG"="LTSMMSG.exe" [2001-08-02 10:28 45056 C:\WINDOWS\LTSMMSG.exe]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [ ]
"UC_SMB"="" []
"TPKMAPMN"="C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe" [2008-01-10 07:26 32835]
"TrackPointSrv"="tp4serv.exe" [2002-12-03 03:09 87552 C:\WINDOWS\system32\tp4serv.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 07:53 88363 C:\WINDOWS\AGRSMMSG.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe" [2008-01-10 07:27 32873]
"Ardamax Keylogger"="C:\Program Files\Ardamax Keylogger Lite\akl.exe" [ ]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2003-11-26 01:35 94208]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-08-29 05:41 13312]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Device Detector 3.lnk - C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe [2007-10-23 18:59:29]
HyperSnap 6.lnk - C:\Program Files\HyperSnap 6\HprSnap6.exe [2007-08-13 04:18:08]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= C:\Program Files\Qualcomm\Eudora\EuShlExt.dll [ ]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders   msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll

R1 CSMBATT;CSMBATT;C:\WINDOWS\System32\drivers\CSMBATT.SYS [2003-02-10 11:39]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\System32\drivers\IBMBLDID.SYS [2001-07-30 04:05]
R1 mrxsmbb;mrxsmbb;C:\WINDOWS\System32\drivers\mrxsmbb.sys [2008-01-09 22:10]
R1 nbmkmd;nbmkmd;C:\WINDOWS\System32\drivers\nbmkmd.sys [1998-12-30 17:28]
R1 TDOEM;TDOEM;C:\WINDOWS\System32\Drivers\TDOEM.SYS [2003-11-26 01:35]
R2 Nakido;Nakido;C:\WINDOWS\System32\nakido.exe [2004-09-29 23:07]
R3 {A7E39B01-B403-11d4-BD18-00D0B7A1821E};AIM 3.0 Part 01 Codec Driver VCH-A;C:\WINDOWS\System32\drivers\Vch.sys [2002-07-31 09:12]
R3 EPPSCSIx;EPPSCSI Driver;C:\WINDOWS\System32\DRIVERS\EPPSCAN.sys [2002-03-06 13:20]
R3 Tp4Track;IBM PS/2 TrackPoint Driver;C:\WINDOWS\System32\DRIVERS\tp4track.sys [2002-12-03 03:09]
S3 LucentSoftModem;Lucent Technologies Soft Modem;C:\WINDOWS\System32\DRIVERS\LTSM.sys [2001-08-02 10:28]
S3 ma763004;M-Audio MobilePre USB;C:\WINDOWS\System32\drivers\MA763004.sys []
S3 MADFU804;MADFU804;C:\WINDOWS\System32\DRIVERS\MADFU804.sys []
S3 NUVision;Georgia USBVision (VD400);C:\WINDOWS\System32\DRIVERS\NUVision.sys [2001-09-16 11:32]
S3 PCDRDRV;Pcdr CPU Helper Driver;C:\WINDOWS\System32\drivers\PCDRDRV.sys []

.
Contents of the 'Scheduled Tasks' folder
"2006-12-09 08:29:46 C:\WINDOWS\Tasks\BMMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\BMMTASK.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-11 18:44:33
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2800.1106]
-> C:\Program Files\HyperSnap 6\dxsnap.dll
.
Completion time: 2008-01-11 18:49:34 - machine was rebooted
ComboFix-quarantined-files.txt  2008-01-11 23:49:27
ComboFix2.txt  2008-01-11 03:27:31
ComboFix3.txt  2008-01-11 01:42:07
Title: Re: PowerKord 's vundo
Post by: PowerKord on January 12, 2008, 02:17:04 AM
LATEST HJT SCAN -- 01-11-08


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:06:19 PM, on 1/11/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\WINDOWS\System32\nakido.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\WINDOWS\System32\tp4serv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\HyperSnap 6\HprSnap6.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Vincent Christopher\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://messageofhope.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=sp&mem=l2test&key=8289fae155a967d95764045ed9e8ff96&ts=3e668bd9&A=0&B=1021273200000&C=1021273200000&D=0&I=6.0B4&L=&M=1021273200000&N=&O=A
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKLM\..\Run: [trackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [Ardamax Keylogger] C:\Program Files\Ardamax Keylogger Lite\akl.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ACDSee] C:\Program Files\ACD Systems\ACDSee\9.0\ACDSee9.exe /tray
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: HyperSnap 6.lnk = C:\Program Files\HyperSnap 6\HprSnap6.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{622850C9-2536-4A0E-9F3D-49149C1237F8}: NameServer = 205.208.227.13 205.208.227.14
O17 - HKLM\System\CCS\Services\Tcpip\..\{D14F581C-AD5C-4482-9892-2D28DEA465B2}: NameServer = 69.57.146.14,69.57.147.175
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DM1Service - OLYMPUS Corporation - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Nakido - Unknown owner - C:\WINDOWS\System32\nakido.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/VINCEN~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 4969 bytes
Title: Re: PowerKord 's vundo
Post by: oldman on January 12, 2008, 02:35:33 AM
Ok, that's what I was looking for. BTW, you can attach logs by using the extra options button on the reply page.

According to the logs, avast is running. For now, make a shortcut to your desktop. In Windows Explorer go to this folder

c:\program files\alwil software\avast4

In the right panel, right click on ashdisp.exe, select Send To, Desktop (create shortcut). You will now have an icon on your desktop; double click it and the "a" icon should appear.

We'll do this first, then we will look closer at a service I don't like.

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" . Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.


Quote
Killall::

File::
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\TEMP\liHco0109.exe


Folder::
C:\TEMP\tn3
C:\TEMP\Ryuan1

Look::
C:\WINDOWS\system32\vt8



This will start ComboFix again. Close all browser windows first. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


Title: Re: PowerKord 's vundo
Post by: PowerKord on January 12, 2008, 05:45:57 AM
Hello, oldman,

Ok, I performed the requested drag and drop. The result is below, in this post.

BTW, I'm wondering why Ardamax Keylogger is running. I installed it a long time ago but recall a problem; could it still be hanging around from my own installation? I'd like to uninstall or remove it.

Here is the CF result:

ComboFix 08-01-10.2 - Vincent Christopher 2008-01-11 22:16:30.4 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.1.1252.1.1033.18.180 [GMT -5:00]
Running from: C:\Documents and Settings\Vincent Christopher\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Vincent Christopher\Desktop\CFscript.txt
 * Created a new restore point

FILE
C:\TEMP\liHco0109.exe
C:\WINDOWS\system32\drivers\core.cache.dsk
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp\tn3
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
(((((((((((((((((((((((((   Files Created from 2007-12-12 to 2008-01-12  )))))))))))))))))))))))))))))))
.

2008-01-11 22:25 . 2008-01-11 22:25   <DIR>   d--------   C:\TEMP\tn3
2008-01-11 22:24 . 2008-01-11 22:24   932   ---------   C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-10 20:23 . 2000-08-31 08:00   51,200   --a------   C:\WINDOWS\NirCmd.exe
2008-01-10 04:28 . 2008-01-10 07:00   189   --a------   C:\WINDOWS\wininit.ini
2008-01-09 22:37 . 2008-01-10 07:26   155,648   --a------   C:\WINDOWS\system32\igfxtray.exe
2008-01-09 22:37 . 2008-01-10 07:26   114,688   --a------   C:\WINDOWS\system32\hkcmd.exe
2008-01-09 22:10 . 2008-01-09 22:10   <DIR>   d--------   C:\WINDOWS\system32\vt8
2008-01-09 22:10 . 2008-01-09 22:10   <DIR>   d--------   C:\WINDOWS\system32\ob3
2008-01-09 22:10 . 2008-01-09 22:10   <DIR>   d--------   C:\WINDOWS\system32\nz0
2008-01-09 22:10 . 2008-01-09 22:10   <DIR>   d--------   C:\WINDOWS\system32\che9
2008-01-09 22:10 . 2008-01-09 22:10   86,016   --a------   C:\WINDOWS\system32\drivers\mrxsmbb.sys
2008-01-09 22:09 . 2008-01-09 22:10   <DIR>   d--------   C:\WINDOWS\system32\mp2
2008-01-09 22:01 . 2008-01-09 22:01   <DIR>   d--------   C:\WINDOWS\system32\edcA01
2007-12-13 15:07 . 2007-12-13 15:07   3,856   --a------   C:\WINDOWS\crmtemp1.dat

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-02 07:41   ---------   d-----w   C:\Program Files\NoteTab Pro
2007-12-27 06:48   ---------   d-----w   C:\Program Files\Yahoo!
2007-12-26 16:17   ---------   d-----w   C:\Documents and Settings\Vincent Christopher\Application Data\Aim
2007-12-04 14:56   93,264   ----a-w   C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55   94,544   ----a-w   C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53   23,152   ----a-w   C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51   42,912   ----a-w   C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49   26,624   ----a-w   C:\WINDOWS\system32\drivers\aavmker4.sys
2007-11-25 08:58   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-11-19 17:21   ---------   d-----w   C:\Program Files\Viewpoint
2007-11-18 05:52   ---------   d-----w   C:\Program Files\AOD
2007-11-18 05:52   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-10-19 07:19   118,784   ----a-w   C:\WINDOWS\SeaMonkeyUninstall.exe
2007-10-19 07:19   118,784   ----a-w   C:\WINDOWS\GREUninstall.exe
2007-10-10 21:47   58,728   ----a-w   C:\Documents and Settings\Vincent Christopher\Application Data\GDIPFONTCACHEV1.DAT
2007-04-01 20:06   0   ----a-w   C:\Documents and Settings\Vincent Christopher\us145info.exe
2006-03-20 22:17   1,971,010   ----a-w   C:\Documents and Settings\Vincent Christopher\mr_corporation.zip
.

(((((((((((((((((((((((((((((   snapshot@2008-01-10_20.41.36.84   )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-11 01:26:42   245,760   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-12 03:15:57   245,760   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-11 01:26:42   8,192   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-12 03:15:57   8,192   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-11 01:26:42   245,760   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-12 03:15:59   6,291,456   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
- 2008-01-11 01:26:42   8,192   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-12 03:15:59   229,376   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-11 01:26:44   6,291,456   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-12 03:15:59   245,760   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-11 01:26:44   229,376   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-12 03:16:00   8,192   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
- 2008-01-11 01:26:58   262,144   ----a-w   C:\WINDOWS\system32\config\systemprofile\ntuser.dat
+ 2008-01-12 03:16:16   262,144   ----a-w   C:\WINDOWS\system32\config\systemprofile\ntuser.dat
+ 2008-01-12 03:25:24   16,384   ----atw   C:\WINDOWS\Temp\Perflib_Perfdata_5f4.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 05:41 13312]
"ACDSee"="C:\Program Files\ACD Systems\ACDSee\9.0\ACDSee9.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2008-01-10 07:26 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2008-01-10 07:26 114688]
"LTSMMSG"="LTSMMSG.exe" [2001-08-02 10:28 45056 C:\WINDOWS\LTSMMSG.exe]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [ ]
"UC_SMB"="" []
"TPKMAPMN"="C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe" [2008-01-10 07:26 32835]
"TrackPointSrv"="tp4serv.exe" [2002-12-03 03:09 87552 C:\WINDOWS\system32\tp4serv.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 07:53 88363 C:\WINDOWS\AGRSMMSG.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe" [2008-01-10 07:27 32873]
"Ardamax Keylogger"="C:\Program Files\Ardamax Keylogger Lite\akl.exe" [ ]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2003-11-26 01:35 94208]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-08-29 05:41 13312]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Device Detector 3.lnk - C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe [2007-10-23 18:59:29]
HyperSnap 6.lnk - C:\Program Files\HyperSnap 6\HprSnap6.exe [2007-08-13 04:18:08]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= C:\Program Files\Qualcomm\Eudora\EuShlExt.dll [ ]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders   msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll

R1 CSMBATT;CSMBATT;C:\WINDOWS\System32\drivers\CSMBATT.SYS [2003-02-10 11:39]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\System32\drivers\IBMBLDID.SYS [2001-07-30 04:05]
R1 mrxsmbb;mrxsmbb;C:\WINDOWS\System32\drivers\mrxsmbb.sys [2008-01-09 22:10]
R1 nbmkmd;nbmkmd;C:\WINDOWS\System32\drivers\nbmkmd.sys [1998-12-30 17:28]
R1 TDOEM;TDOEM;C:\WINDOWS\System32\Drivers\TDOEM.SYS [2003-11-26 01:35]
R2 Nakido;Nakido;C:\WINDOWS\System32\nakido.exe [2004-09-29 23:07]
R3 {A7E39B01-B403-11d4-BD18-00D0B7A1821E};AIM 3.0 Part 01 Codec Driver VCH-A;C:\WINDOWS\System32\drivers\Vch.sys [2002-07-31 09:12]
R3 EPPSCSIx;EPPSCSI Driver;C:\WINDOWS\System32\DRIVERS\EPPSCAN.sys [2002-03-06 13:20]
R3 Tp4Track;IBM PS/2 TrackPoint Driver;C:\WINDOWS\System32\DRIVERS\tp4track.sys [2002-12-03 03:09]
S3 LucentSoftModem;Lucent Technologies Soft Modem;C:\WINDOWS\System32\DRIVERS\LTSM.sys [2001-08-02 10:28]
S3 ma763004;M-Audio MobilePre USB;C:\WINDOWS\System32\drivers\MA763004.sys []
S3 MADFU804;MADFU804;C:\WINDOWS\System32\DRIVERS\MADFU804.sys []
S3 NUVision;Georgia USBVision (VD400);C:\WINDOWS\System32\DRIVERS\NUVision.sys [2001-09-16 11:32]
S3 PCDRDRV;Pcdr CPU Helper Driver;C:\WINDOWS\System32\drivers\PCDRDRV.sys []

.
Contents of the 'Scheduled Tasks' folder
"2006-12-09 08:29:46 C:\WINDOWS\Tasks\BMMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\BMMTASK.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-11 22:26:38
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2800.1106]
-> C:\Program Files\HyperSnap 6\dxsnap.dll
.
Completion time: 2008-01-11 22:31:37 - machine was rebooted
ComboFix-quarantined-files.txt  2008-01-12 03:31:30
ComboFix2.txt  2008-01-11 23:49:35
ComboFix3.txt  2008-01-11 03:27:31
ComboFix4.txt  2008-01-11 01:42:07
Title: Re: PowerKord 's vundo
Post by: oldman on January 12, 2008, 05:53:21 AM
Hi PowerKord

How's it going? I was just replying to you regarding the avast icon and saw your post.

I don't know why the keylogger is running, go ahead and uninstall it if you wish.

I cannot find the missing file C:\WINDOWS\System32\DRIVERS\MADFU804.sys in the removed files. However, ashdisp was there as infected. I fear you may have also been hit with a nasty vundo variant, which attacks exes. Generally, ComboFix can repair them. If not, a section will appear in the logs and they can be repaired on the next run with the proper command.

Since you ran combofix twice before I saw the log, that option may be gone. But we can try before we search for smitfraud.





Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" . Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.


Quote
RENV::
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe



This will start ComboFix again. Close all browser windows first. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new DSS log.


A little info on the files. Remember, only the exe was removed, not the entire folder, so if you can, you could restore just the exe to the path shown and the program should work.

C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

Related to ThinkPad; you might be able to recover it from a disk.
C:\WINDOWS\system32\ctfmon.exe

MS Office XP language bar; only important if you use it. Again, get the exe from the disk.

C:\Program Files\Alwil Software\Avast4\ashDisp.exe

avast icon; a repair of avast should replace it: Add/Remove Programs, uninstall, scroll down to Repair.

Your choice: doing the ComboFix script and hoping the info is still there, or just replacing the files. Let me know what you are going to do.





Title: Re: PowerKord 's vundo
Post by: oldman on January 12, 2008, 06:12:43 AM
Hey, I should have added that the other exes were repaired, so don't worry about them.  ;D
Title: Re: PowerKord 's vundo
Post by: oldman on January 12, 2008, 07:52:05 AM
I waited for you to reply in regards to your choice in trying to restore the 3 exe files. As I mentioned, they are easily restored by other means.

The vundo for the most part is gone. The one service may or may not be vundo. We may as well do a search for smitfraud; the service could be related. We'll see when you post your results.

Please do the following before proceeding. You can post all 3 at the same time.

@echo off
dir "C:\WINDOWS\system32\vt8" >> look.txt
start look.txt


Save it to your desktop, name it look.bat, and set the file type as All Files. Click OK. You should have a file on your desktop with the icon shown at the bottom of this post.

Double click it, a note pad will appear, save it to your desktop so you can attach it to your next reply.


@echo off
dir "C:\WINDOWS\system32\edcA01" >> look1.txt
start look1.txt


Save it to your desktop, name it look1.bat, and set the file type as All Files. Click OK. You should have a file on your desktop with the icon shown at the bottom of this post.

Double click it, a note pad will appear, save it to your desktop so you can attach it to your next reply.

Please download SmitfraudFix (by S!Ri) to your Desktop.
Download this tool from: http://siri.urz.free.fr/Fix/SmitfraudFix.exe
Double-click Smitfraudfix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply as an attachment. The report can be found at the root of the system drive, usually at C:\rapport.txt

IMPORTANT: Do NOT run any other options until you are asked to do so!

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool";
it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

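oldman is reading these ComboFix logs by eye: a cluster of oddly named folders and a driver created under system32 in the same minute, Run entries printed with "[ ]" because the target exe is gone, and a driver service printed with "[]" because its .sys file is missing. The script below is an added example for this thread (it is not part of ComboFix, HijackThis or any poster's tooling) that encodes those three checks as a small parser over ComboFix log lines. The sample input is copied from the logs posted earlier in the thread; the 10-minute burst window and the folder-name heuristic are assumptions of the example, not something ComboFix itself applies.

```python
"""Triage of ComboFix-style log excerpts.  Added example for this thread, not
part of ComboFix or HijackThis; SAMPLE_LOG is copied from the logs above, the
10-minute burst window and the folder-name pattern are assumptions."""
import ntpath
import re
from datetime import datetime, timedelta

# Sample lines copied from the ComboFix logs in this thread (no new data).
SAMPLE_LOG = r"""
2008-01-09 22:37 . 2008-01-10 07:26   155,648   --a------   C:\WINDOWS\system32\igfxtray.exe
2008-01-09 22:10 . 2008-01-09 22:10   <DIR>   d--------   C:\WINDOWS\system32\vt8
2008-01-09 22:10 . 2008-01-09 22:10   <DIR>   d--------   C:\WINDOWS\system32\ob3
2008-01-09 22:10 . 2008-01-09 22:10   <DIR>   d--------   C:\WINDOWS\system32\nz0
2008-01-09 22:10 . 2008-01-09 22:10   <DIR>   d--------   C:\WINDOWS\system32\che9
2008-01-09 22:10 . 2008-01-09 22:10   86,016   --a------   C:\WINDOWS\system32\drivers\mrxsmbb.sys
2008-01-09 22:09 . 2008-01-09 22:10   <DIR>   d--------   C:\WINDOWS\system32\mp2
2008-01-09 22:01 . 2008-01-09 22:01   <DIR>   d--------   C:\WINDOWS\system32\edcA01
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [ ]
"Ardamax Keylogger"="C:\Program Files\Ardamax Keylogger Lite\akl.exe" [ ]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]
R1 mrxsmbb;mrxsmbb;C:\WINDOWS\System32\drivers\mrxsmbb.sys [2008-01-09 22:10]
R1 nbmkmd;nbmkmd;C:\WINDOWS\System32\drivers\nbmkmd.sys [1998-12-30 17:28]
S3 MADFU804;MADFU804;C:\WINDOWS\System32\DRIVERS\MADFU804.sys []
"""

TS = "%Y-%m-%d %H:%M"
# "Files Created" line: created . modified   size|<DIR>   attrs   path
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r"\s+(<DIR>|[\d,]+)\s+(\S+)\s+(.+?)\s*$")
# "Reg Loading Points" line: "name"="target" [stamp size], or "[ ]" when the target is gone
RUN_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s+\[(.*)\]\s*$')
# Service/driver line: R1 name;display;path [stamp], or "[]" when the file is missing
DRIVER_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+?) \[(.*)\]\s*$")
# Heuristic (assumption) for the short random-looking folder names dropped in system32
ODD_DIR_RE = re.compile(r"[A-Za-z]{2,4}\d{1,2}")

def parse_created(text):
    """Files Created entries with a parsed creation time (the first timestamp)."""
    return [{"created": datetime.strptime(m.group(1), TS),
             "is_dir": m.group(3) == "<DIR>", "path": m.group(5)}
            for m in filter(None, map(CREATED_RE.match, map(str.strip, text.splitlines())))]

def parse_drivers(text):
    """Service/driver entries; stamp is None when ComboFix printed [] (file missing)."""
    out = []
    for m in filter(None, map(DRIVER_RE.match, map(str.strip, text.splitlines()))):
        stamp = m.group(5).strip()
        out.append({"name": m.group(2), "stamp": datetime.strptime(stamp, TS) if stamp else None})
    return out

def find_bursts(entries, gap_minutes=10, min_size=3):
    """Group artefacts created within gap_minutes of the previous one.  A dropper
    writes its files in one burst; normal use rarely creates several system32
    items in the same minute, so groups of min_size or more get reported."""
    groups, current = [], []
    for e in sorted(entries, key=lambda e: e["created"]):
        if current and e["created"] - current[-1]["created"] > timedelta(minutes=gap_minutes):
            groups.append(current)
            current = []
        current.append(e)
    if current:
        groups.append(current)
    return [{"start": g[0]["created"].strftime(TS), "end": g[-1]["created"].strftime(TS),
             "paths": [e["path"] for e in g]} for g in groups if len(g) >= min_size]

def odd_system32_dirs(entries):
    """Directories created directly under system32 with names like vt8 or edcA01."""
    return [e["path"] for e in entries if e["is_dir"]
            and ntpath.basename(ntpath.dirname(e["path"])).lower() == "system32"
            and ODD_DIR_RE.fullmatch(ntpath.basename(e["path"]))]

def run_targets_missing(text):
    """Run-key names whose target ComboFix could not find on disk ("[ ]")."""
    return [m.group(1) for m in filter(None, map(RUN_RE.match, map(str.strip, text.splitlines())))
            if not m.group(3).strip()]

def drivers_in_burst(drivers, bursts):
    """Drivers whose file stamp falls inside a flagged creation burst."""
    spans = [(datetime.strptime(b["start"], TS), datetime.strptime(b["end"], TS)) for b in bursts]
    return [d["name"] for d in drivers
            if d["stamp"] and any(lo <= d["stamp"] <= hi for lo, hi in spans)]

def triage(text, gap_minutes=10, min_size=3):
    """Summarise the findings a helper would otherwise pick out by hand."""
    created = parse_created(text)
    drivers = parse_drivers(text)
    bursts = find_bursts(created, gap_minutes, min_size)
    return {"bursts": bursts,
            "odd_system32_dirs": odd_system32_dirs(created),
            "drivers_in_burst": drivers_in_burst(drivers, bursts),
            "drivers_missing_file": [d["name"] for d in drivers if d["stamp"] is None],
            "run_targets_missing": run_targets_missing(text)}

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Run against the sample it reports one burst from 22:01 to 22:10 on 2008-01-09 holding the six folders plus mrxsmbb.sys, lists mrxsmbb as the driver installed inside that burst, MADFU804 as the driver with no file on disk, and TPHOTKEY and Ardamax Keylogger as Run entries whose exe is gone; igfxtray.exe, created 27 minutes later, stays out of the burst. The burst test is a creation-time heuristic, so a driver it flags still needs the file itself checked (the VirusTotal upload oldman asks for later) before deciding it is malicious.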
Title: Re: PowerKord 's vundo
Post by: PowerKord on January 12, 2008, 08:47:14 AM
Here's the CF log after plugging in your latest changes:

ComboFix 08-01-10.2 - Vincent Christopher 2008-01-12  1:10:50.5 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.1.1252.1.1033.18.170 [GMT -5:00]
Running from: C:\Documents and Settings\Vincent Christopher\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Vincent Christopher\Desktop\CFscript.txt
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp\tn3
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
(((((((((((((((((((((((((   Files Created from 2007-12-12 to 2008-01-12  )))))))))))))))))))))))))))))))
.

2008-01-12 01:19 . 2008-01-12 01:19   <DIR>   d--------   C:\TEMP\tn3
2008-01-11 22:24 . 2008-01-12 01:18   932   ---------   C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-10 20:23 . 2000-08-31 08:00   51,200   --a------   C:\WINDOWS\NirCmd.exe
2008-01-10 04:28 . 2008-01-10 07:00   189   --a------   C:\WINDOWS\wininit.ini
2008-01-09 22:37 . 2008-01-10 07:26   155,648   --a------   C:\WINDOWS\system32\igfxtray.exe
2008-01-09 22:37 . 2008-01-10 07:26   114,688   --a------   C:\WINDOWS\system32\hkcmd.exe
2008-01-09 22:10 . 2008-01-09 22:10   <DIR>   d--------   C:\WINDOWS\system32\vt8
2008-01-09 22:10 . 2008-01-09 22:10   <DIR>   d--------   C:\WINDOWS\system32\ob3
2008-01-09 22:10 . 2008-01-09 22:10   <DIR>   d--------   C:\WINDOWS\system32\nz0
2008-01-09 22:10 . 2008-01-09 22:10   <DIR>   d--------   C:\WINDOWS\system32\che9
2008-01-09 22:10 . 2008-01-09 22:10   86,016   --a------   C:\WINDOWS\system32\drivers\mrxsmbb.sys
2008-01-09 22:09 . 2008-01-09 22:10   <DIR>   d--------   C:\WINDOWS\system32\mp2
2008-01-09 22:01 . 2008-01-09 22:01   <DIR>   d--------   C:\WINDOWS\system32\edcA01
2007-12-13 15:07 . 2007-12-13 15:07   3,856   --a------   C:\WINDOWS\crmtemp1.dat

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-12 05:48   ---------   d-----w   C:\Program Files\Yahoo!
2008-01-02 07:41   ---------   d-----w   C:\Program Files\NoteTab Pro
2007-12-26 16:17   ---------   d-----w   C:\Documents and Settings\Vincent Christopher\Application Data\Aim
2007-12-04 14:56   93,264   ----a-w   C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55   94,544   ----a-w   C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53   23,152   ----a-w   C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51   42,912   ----a-w   C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49   26,624   ----a-w   C:\WINDOWS\system32\drivers\aavmker4.sys
2007-11-25 08:58   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-11-19 17:21   ---------   d-----w   C:\Program Files\Viewpoint
2007-11-18 05:52   ---------   d-----w   C:\Program Files\AOD
2007-11-18 05:52   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-10-19 07:19   118,784   ----a-w   C:\WINDOWS\SeaMonkeyUninstall.exe
2007-10-19 07:19   118,784   ----a-w   C:\WINDOWS\GREUninstall.exe
2007-10-10 21:47   58,728   ----a-w   C:\Documents and Settings\Vincent Christopher\Application Data\GDIPFONTCACHEV1.DAT
2007-04-01 20:06   0   ----a-w   C:\Documents and Settings\Vincent Christopher\us145info.exe
2006-03-20 22:17   1,971,010   ----a-w   C:\Documents and Settings\Vincent Christopher\mr_corporation.zip
.

(((((((((((((((((((((((((((((   snapshot@2008-01-10_20.41.36.84   )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-11 01:26:42   245,760   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-12 06:10:41   245,760   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-11 01:26:42   8,192   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-12 06:10:41   8,192   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-11 01:26:42   245,760   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-12 06:10:43   6,291,456   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
- 2008-01-11 01:26:42   8,192   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-12 06:10:43   229,376   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-11 01:26:44   6,291,456   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-12 06:10:43   245,760   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-11 01:26:44   229,376   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-12 06:10:43   8,192   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
- 2008-01-11 01:26:58   262,144   ----a-w   C:\WINDOWS\system32\config\systemprofile\ntuser.dat
+ 2008-01-12 03:16:16   262,144   ----a-w   C:\WINDOWS\system32\config\systemprofile\ntuser.dat
- 2008-01-11 01:36:23   16,384   ----atw   C:\WINDOWS\Temp\Perflib_Perfdata_5d4.dat
+ 2008-01-12 06:19:21   16,384   ----atw   C:\WINDOWS\Temp\Perflib_Perfdata_5d4.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 05:41 13312]
"ACDSee"="C:\Program Files\ACD Systems\ACDSee\9.0\ACDSee9.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2008-01-10 07:26 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2008-01-10 07:26 114688]
"LTSMMSG"="LTSMMSG.exe" [2001-08-02 10:28 45056 C:\WINDOWS\LTSMMSG.exe]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [ ]
"UC_SMB"="" []
"TPKMAPMN"="C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe" [2008-01-10 07:26 32835]
"TrackPointSrv"="tp4serv.exe" [2002-12-03 03:09 87552 C:\WINDOWS\system32\tp4serv.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 07:53 88363 C:\WINDOWS\AGRSMMSG.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe" [2008-01-10 07:27 32873]
"Ardamax Keylogger"="C:\Program Files\Ardamax Keylogger Lite\akl.exe" [ ]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2003-11-26 01:35 94208]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-08-29 05:41 13312]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Device Detector 3.lnk - C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe [2007-10-23 18:59:29]
HyperSnap 6.lnk - C:\Program Files\HyperSnap 6\HprSnap6.exe [2007-08-13 04:18:08]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= C:\Program Files\Qualcomm\Eudora\EuShlExt.dll [ ]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders   msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll

R1 CSMBATT;CSMBATT;C:\WINDOWS\System32\drivers\CSMBATT.SYS [2003-02-10 11:39]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\System32\drivers\IBMBLDID.SYS [2001-07-30 04:05]
R1 mrxsmbb;mrxsmbb;C:\WINDOWS\System32\drivers\mrxsmbb.sys [2008-01-09 22:10]
R1 nbmkmd;nbmkmd;C:\WINDOWS\System32\drivers\nbmkmd.sys [1998-12-30 17:28]
R1 TDOEM;TDOEM;C:\WINDOWS\System32\Drivers\TDOEM.SYS [2003-11-26 01:35]
R2 Nakido;Nakido;C:\WINDOWS\System32\nakido.exe [2004-09-29 23:07]
R3 {A7E39B01-B403-11d4-BD18-00D0B7A1821E};AIM 3.0 Part 01 Codec Driver VCH-A;C:\WINDOWS\System32\drivers\Vch.sys [2002-07-31 09:12]
R3 EPPSCSIx;EPPSCSI Driver;C:\WINDOWS\System32\DRIVERS\EPPSCAN.sys [2002-03-06 13:20]
R3 Tp4Track;IBM PS/2 TrackPoint Driver;C:\WINDOWS\System32\DRIVERS\tp4track.sys [2002-12-03 03:09]
S3 LucentSoftModem;Lucent Technologies Soft Modem;C:\WINDOWS\System32\DRIVERS\LTSM.sys [2001-08-02 10:28]
S3 ma763004;M-Audio MobilePre USB;C:\WINDOWS\System32\drivers\MA763004.sys []
S3 MADFU804;MADFU804;C:\WINDOWS\System32\DRIVERS\MADFU804.sys []
S3 NUVision;Georgia USBVision (VD400);C:\WINDOWS\System32\DRIVERS\NUVision.sys [2001-09-16 11:32]
S3 PCDRDRV;Pcdr CPU Helper Driver;C:\WINDOWS\System32\drivers\PCDRDRV.sys []

.
Contents of the 'Scheduled Tasks' folder
"2006-12-09 08:29:46 C:\WINDOWS\Tasks\BMMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\BMMTASK.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-12 01:20:11
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2800.1106]
-> C:\Program Files\HyperSnap 6\dxsnap.dll
.
Completion time: 2008-01-12  1:25:22 - machine was rebooted
ComboFix-quarantined-files.txt  2008-01-12 06:25:15
ComboFix2.txt  2008-01-12 03:31:37
ComboFix3.txt  2008-01-11 23:49:35
ComboFix4.txt  2008-01-11 03:27:31
ComboFix5.txt  2008-01-11 01:42:07
Title: Re: PowerKord 's vundo
Post by: PowerKord on January 12, 2008, 08:51:16 AM
Hi, oldman,

You requested:

----------------------
Please do the following before proceding. You can post all 3 at the same time.

@echo off
dir "C:\WINDOWS\system32\vt8" >> look.txt
start look.txt

save it to your desktop, name it look.bat, and set the file type as all files 
----------------------

What exactly should I do with this code? Not clear to me.

Regards,

vince
Title: Re: PowerKord 's vundo
Post by: oldman on January 12, 2008, 09:01:42 AM
Sorry, so much for my canned post.  ???

It should be

Copy and paste into a new notepad the following

@echo off
dir "C:\WINDOWS\system32\vt8" >> look.txt
start look.txt


Save it to your desktop, name it look.bat, and set the file type as All Files.

Double click it, a note pad will appear, save it to your desktop so you can attach it to your next reply.

Please do the same with the other. Then run SmitfraudFix option 1.
Title: Re: PowerKord 's vundo
Post by: PowerKord on January 12, 2008, 11:07:14 PM
Hi,

I'm again experiencing virus symptoms--popup windows appearing while I'm surfing, perhaps every 20 minutes or so. They seem to center somewhat around setthetrend.com. The windows that appear are only IE windows, I believe, regardless of whatever browser I'm using at the time.

Attached are the three latest requested files.

God I appreciate this help!

Regards,

vince

Title: Re: PowerKord 's vundo
Post by: oldman on January 13, 2008, 02:19:09 AM
Ok, your smitfraud log was clean.

Do you have an xp disk or do you have the recovery console installed on your computer?

Let's try to disable that service.

Click the Start button, then click Run.  In the empty field type services.msc and click OK.

In the window that opens locate mrxsmbb and double click it. On the General tab find the section titled Startup Type. Drop that down and select Disabled. Click OK.

Reboot your computer, navigate to C:\WINDOWS\System32\drivers\mrxsmbb.sys and rename the file to mrxsmbb.vir. Now upload it to VirusTotal and let's see what we get.

You may have to show hidden files and folders


At the top of windows explorer, click tools, folder options, click the
view tab

 check Show hidden files and folders
 uncheck "Hide extensions for known file types" box
 uncheck "Hide protected operating system files" box




We'll try to yank as much of this out as we can.


Please download The Avenger (http://swandog46.geekstogo.com/avenger.zip) by Swandog46 to your Desktop.





Quote

Files to delete:
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\Documents and Settings\Vincent Christopher\us145info.exe

Folders to delete:
C:\TEMP\tn3
C:\WINDOWS\system32\vt8
C:\WINDOWS\system32\ob3
C:\WINDOWS\system32\nz0
C:\WINDOWS\system32\che9
C:\WINDOWS\system32\mp2
C:\WINDOWS\system32\edcA01




Note: the above code was created specifically for this user.  If you are not this user, do NOT follow these directions as they could damage the workings of your system.

2. Now, start The Avenger program by clicking on its icon on your desktop.
3. The Avenger will automatically do the following:
4. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log
Title: Re: PowerKord 's vundo
Post by: PowerKord on January 13, 2008, 09:13:46 PM
Hello,

In the requested window I don't see any listing, on either tab, for mrxsmbb.

Also, why is it that when I clicked that window shut by clicking its close box in its upper right hand corner, my browser closed, as well?

Should I simply proceed with the Avenger instructions?

Thanks.

Best,

vince
Title: Re: PowerKord 's vundo
Post by: oldman on January 13, 2008, 10:59:59 PM
Hello,

In the requested window I don't see any listing, on either tab, for mrxsmbb.

I've run into that before, which is why I asked if you had xp cds or the recovery console installed. We will have to go that route to disable the service.


Quote
Also, why is it that when I clicked that window shut by clicking its close box in its upper right hand corner, my browser closed, as well?

Not sure, unless in Windows' infinite wisdom, it's relating that window with a browser.


Quote
Should I simply proceed with the Avenger instructions?

Yes. The folders each have at least one BHO vundo in them.

Title: Re: PowerKord 's vundo
Post by: PowerKord on January 13, 2008, 11:11:22 PM
Hi,

What service are we trying to delete/disable?

Also, is it possible to give me the instructions to perform this now, before I execute the Avenger instructions, that way I can do it all in one sequence? Because as you know, every time I perform a sequence I have to close all the apps and documents I'm presently using.

If so, let me know whether I should disable the service first or execute Avenger first.

Thanks much, again.

Yours,

vince
Title: Re: PowerKord 's vundo
Post by: oldman on January 13, 2008, 11:40:47 PM
Try to disable the service first and rename the file. You can report everything after you are finished.

But first, let's find out which reg keys are involved.

1. Launch Notepad, and copy/paste the contents of the quote box below into a new Notepad file. Save it with file name options.txt and save as file type: all files to your desktop. 
 
Quote
RegSearch Options File 
 
[Search] 

mrxsmbb.sys


[Exclude] 
 

[Options] 
Filter=KVDLUI
 

2. Download Registry Search (http://www.bleepingcomputer.com/files/steelwerx/regsearch.zip) to your desktop.


These are the instructions for getting to the recovery console with the disks

-Start your computer with the Windows Setup floppy disks or with the Windows CD-ROM.
-At the 'Welcome to Setup' screen, press F10 or press R.
You should now see a list of installations and the prompt "Which Windows Installation would you like to log on to?"
-Select the appropriate number for the Windows installation that you want to repair.
-Type the administrator password and press Enter. If the administrator password does not exist, just press Enter.


When doing this, anything you see in curly brackets {} means an action; for example, {space} means one space and {enter} means the Enter key.

From the recovery console at the command prompt type the following

listsvc{enter}
disable{space}mrxsmbb{enter}
ren{space}C:\WINDOWS\System32\drivers\mrxsmbb.sys{space}mrxsmbb.vir{enter}

restart your computer.

The first command gives you a list of services, you can confirm the name from this list.
The second will disable it and the third will rename the file we want to test.

When you enter the disable command, Windows will show you the current start type for the service, before changing it. Please make a note of it.



-After the file has been renamed, type exit to leave the recovery console, remove the Windows Setup floppy or Windows CD-ROM and restart the system normally.


After you reboot you will have to find the file so you can submit it to virustotal. Use the search function to find the file mrxsmbb.vir


I know it seems like a lot, just take your time and do it one step at a time.  8)

Title: Re: PowerKord 's vundo
Post by: PowerKord on January 14, 2008, 08:18:12 AM
Hi, oldman,

You know, this was a really bad time to catch these virii and have to do all this technical work on my computer, as my 80 yo dad is in increasingly poor health, which itself is extremely stressful and time consuming.

Is there not an automated solution, like one or more pieces of software I can run, to resolve all this?

The only symptom I'm getting presently is a large popup window opening up sometimes while browsing.

I say this knowing and appreciating that your manual, hands-on diagnostic approach is the most system-specific and therefore the best.

Just curious.

Warmly,

vince
Title: Re: PowerKord 's vundo
Post by: oldman on January 14, 2008, 09:46:09 AM
First, sorry about your father, was there myself a few years ago.

If there was, I'd definitely be using it. Do the avenger, those are the ones I think could be the cause of more problems. The service may be protecting them or it may just be protecting itself. We can deal with it after.

Take care.
Title: Re: PowerKord 's vundo
Post by: PowerKord on January 15, 2008, 06:12:56 AM
Hey,

Thanks for your expression of compassion re my father. Hope your experience wasn't too trying, or if it was, I hope it somehow led to a better and higher truth, level of understanding, or expression of love between you.

Here is the Avenger Log, followed by a new HJT log. BTW, any way to easily remove the remnant/s of Ardamax Keylogger Lite from my system? It's not listed in Add/Remove programs, but as you can see from the HJT log, it appears to be running, right?

And is there any way to tell if it's been sending my data to a server? Thanks.

Avenger

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\uehvytxh

*******************

Script file located at: \??\C:\uoyavgtr.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\drivers\core.cache.dsk deleted successfully.
File C:\Documents and Settings\Vincent Christopher\us145info.exe deleted successfully.
Folder C:\TEMP\tn3 deleted successfully.
Folder C:\WINDOWS\system32\vt8 deleted successfully.
Folder C:\WINDOWS\system32\ob3 deleted successfully.
Folder C:\WINDOWS\system32\nz0 deleted successfully.
Folder C:\WINDOWS\system32\che9 deleted successfully.
Folder C:\WINDOWS\system32\mp2 deleted successfully.
Folder C:\WINDOWS\system32\edcA01 deleted successfully.

Completed script processing.

*******************

Finished!  Terminate.


HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:11:49 AM, on 1/15/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\WINDOWS\System32\tp4serv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\WINDOWS\System32\RunDll32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\HyperSnap 6\HprSnap6.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\WINDOWS\System32\nakido.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\mozilla.org\SeaMonkey\seamonkey.exe
C:\Documents and Settings\Vincent Christopher\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://messageofhope.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=sp&mem=l2test&key=8289fae155a967d95764045ed9e8ff96&ts=3e668bd9&A=0&B=1021273200000&C=1021273200000&D=0&I=6.0B4&L=&M=1021273200000&N=&O=A
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.integrity.com:80
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKLM\..\Run: [trackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [Ardamax Keylogger] C:\Program Files\Ardamax Keylogger Lite\akl.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ACDSee] C:\Program Files\ACD Systems\ACDSee\9.0\ACDSee9.exe /tray
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: HyperSnap 6.lnk = C:\Program Files\HyperSnap 6\HprSnap6.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{622850C9-2536-4A0E-9F3D-49149C1237F8}: NameServer = 64.136.173.5 64.136.164.77
O17 - HKLM\System\CCS\Services\Tcpip\..\{D14F581C-AD5C-4482-9892-2D28DEA465B2}: NameServer = 69.57.146.14,69.57.147.175
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DM1Service - OLYMPUS Corporation - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Nakido - Unknown owner - C:\WINDOWS\System32\nakido.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/VINCEN~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 5137 bytes
Title: Re: PowerKord 's vundo
Post by: oldman on January 16, 2008, 09:01:32 PM
Well I don't know if I achieved all that, but I do know that no matter how painful, stressful it was at the time, I'm glad I was there.

Now on a brighter note, how is your computer? When you get a chance check out that other file please.

I hope you are not reading too much into "close all other applications". It just means any windows, browser you may have opened or minimized. Just in case of a reboot, windows won't have to try to close them for you.


The keylogger is designed for stealth, so you probably won't find it in add/remove.

There are manual removal instructions, forget about the link to the removal tool, it's a link to spyware doctor and the free version will only detect it.

http://www.2-spyware.com/remove-ardamax-keylogger.html

Spyware Doctor is supposed to work, but it's not free. Spybot or superantispyware may work and they are free. I'd suggest giving SAS a shot. Note: SAS may find the combofix/avenger files.

I'll give you the instructions.

Download  superantispyware (http://www.superantispyware.com/)

First update SAS Then boot into safe mode.

Under Configuration and Preferences, click the Preferences button.
Then click the Scanning Control tab.

Under Scanner Options make sure the following are checked
- CHECK ALL BOXES

Return to the main page by clicking close on that screen. On the main screen, under Scan for Harmful Software click Scan your computer. On the left check C:\Fixed Drive (and other fixed drives).
Under Complete Scan, choose Perform Complete Scan.
Click Next to start the scan.

When the scan is done, quarantine everything found. Reboot if asked.

If you fix this line in HJT, it shouldn't start at startup. I can't tell if it's sending any info or not.

O4 - HKLM\..\Run: [Ardamax Keylogger] C:\Program Files\Ardamax Keylogger Lite\akl.exe

If you are sure about that O24 line you can fix it also.

Sorry for the delay, a bit under the weather.
Title: Re: PowerKord 's vundo
Post by: PowerKord on January 18, 2008, 12:20:35 PM
Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0

; Results at 1/18/2008 6:07:03 AM for strings:
;  'mrxsmbb.sys'
; Strings excluded from search:
;  (None)
; Search in:
; Registry Keys  Registry Values  Registry Data 
; HKEY_LOCAL_MACHINE  HKEY_USERS 


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mrxsmbb]
"ImagePath"="System32\\drivers\\mrxsmbb.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\mrxsmbb]
"ImagePath"="System32\\drivers\\mrxsmbb.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmbb]
"ImagePath"="System32\\drivers\\mrxsmbb.sys"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\sys]
"a"="C:\\WINDOWS\\system32\\drivers\\mrxsmbb.sys"

; End Of The Log...

--------------------------------------
I also ran SUPERAntiSpyware.

Now, re the procedure involving my Windows Setup floppy or Windows CD-ROM -- my ThinkPad came with none. For system re-installs all data is contained on a specially partitioned section of my hard drive; at startup I press F10 to call it up. I did so just now but it gives me just two options: full reformat with new install, and one other option I can't recall right now but it was not a repair option.

Please advise.

I also fixed/deleted the HJT line for Ardamax, the line for the desktop clip art, and one other line that apparently did not belong there. Last, I also deleted a line containing some sort of file-sharing program...nakido.exe or something like that? Just curious as to why you did not mention some of these other errant lines to me.

Last, you advised me to "check out that other file..." Which one? Did I do it already?

Thanks, and I await your further instruction on all of this.

vince

LATEST HJT LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:22:49 AM, on 1/18/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\WINDOWS\System32\tp4serv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\WINDOWS\System32\RunDll32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\HyperSnap 6\HprSnap6.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\mozilla.org\SeaMonkey\seamonkey.exe
C:\Documents and Settings\Vincent Christopher\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://messageofhope.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.integrity.com:80
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKLM\..\Run: [trackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ACDSee] C:\Program Files\ACD Systems\ACDSee\9.0\ACDSee9.exe /tray
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: HyperSnap 6.lnk = C:\Program Files\HyperSnap 6\HprSnap6.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{622850C9-2536-4A0E-9F3D-49149C1237F8}: NameServer = 64.136.173.5 64.136.164.77
O17 - HKLM\System\CCS\Services\Tcpip\..\{D14F581C-AD5C-4482-9892-2D28DEA465B2}: NameServer = 69.57.146.14,69.57.147.175
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DM1Service - OLYMPUS Corporation - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE

--
End of file - 4750 bytes
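Comparing the two HJT logs posted in this thread line by line is how the Ardamax, Nakido and O24 lines were spotted. The following is an added example, not code from HijackThis or from anyone in this thread, that parses two HJT logs and reports which entries and running processes appeared or disappeared between them. The two logs embedded below are constructed excerpts of the 1/15 and 1/18 logs above, with unchanged lines dropped.

```python
"""Diff two HijackThis (HJT) logs and report changed startup/hook entries.

Added example for this thread; not code from HijackThis or from anyone
posting here.  The two logs below are constructed excerpts of the 1/15
and 1/18 logs posted above, with unchanged lines dropped for brevity.
"""
import re
from typing import Dict, List

# HJT entry lines start with a section code (R0, R1, F2, O2, O4, O23, ...)
# followed by " - ".  Header lines, blank lines and the trailing "--" /
# "End of file" lines do not match.
_ENTRY = re.compile(r"^(R\d|F\d|O\d{1,2}) - .*$")

LOG_JAN15 = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:11:49 AM, on 1/15/2008

Running processes:
C:\WINDOWS\System32\nakido.exe
C:\Documents and Settings\Vincent Christopher\Desktop\HiJackThis.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Ardamax Keylogger] C:\Program Files\Ardamax Keylogger Lite\akl.exe
O23 - Service: Nakido - Unknown owner - C:\WINDOWS\System32\nakido.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/VINCEN~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 5137 bytes
"""

LOG_JAN18 = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:22:49 AM, on 1/18/2008

Running processes:
C:\Documents and Settings\Vincent Christopher\Desktop\HiJackThis.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

--
End of file - 4750 bytes
"""


def parse_hjt(text: str) -> Dict[str, List[str]]:
    """Split an HJT log into its running-process list and its R/F/O entries."""
    processes: List[str] = []
    entries: List[str] = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False      # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
        elif _ENTRY.match(line):
            entries.append(line)
    return {"processes": processes, "entries": entries}


def diff_hjt(old_log: str, new_log: str) -> Dict[str, List[str]]:
    """Return entries/processes present in only one of the two logs.

    Entry lines are compared verbatim, so a changed path or CLSID shows up
    as one removal plus one addition rather than being silently merged.
    """
    old, new = parse_hjt(old_log), parse_hjt(new_log)
    old_e, new_e = set(old["entries"]), set(new["entries"])
    old_p, new_p = set(old["processes"]), set(new["processes"])
    return {
        "entries_removed": sorted(old_e - new_e),
        "entries_added": sorted(new_e - old_e),
        "processes_removed": sorted(old_p - new_p),
        "processes_added": sorted(new_p - old_p),
    }


if __name__ == "__main__":
    for kind, lines in diff_hjt(LOG_JAN15, LOG_JAN18).items():
        print(f"{kind}:")
        for line in lines:
            print("   ", line)
```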
Title: Re: PowerKord 's vundo
Post by: oldman on January 18, 2008, 05:56:09 PM
This is the file I'm concerned about: C:\WINDOWS\System32\drivers\mrxsmbb.sys. It's a play on mrxsmb.sys, which is a valid MS file.

I'll try to find a way to safely disable the service so we can check out the file.

The recovery console is one way, but you don't appear to have one. I'll get back to you.


How is everything else?

Both nakido.exe and the keylogger are valid programs/processes. Neither will install without your knowledge, so no need to suspect them. You installed the key logger yourself.
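oldman's point that mrxsmbb.sys is a play on the legitimate mrxsmb.sys is a pattern that can be checked mechanically. This added example, not code from RegSearch or from anyone in this thread, pulls the ImagePath values out of a RegSearch dump like the one posted above and flags any image name within one edit of a small, constructed allowlist of Windows driver names. The REGSEARCH_LOG excerpt, the allowlist and the second (benign) service key are all constructed for the example.

```python
"""Flag service image names that are one typo away from a well-known
Windows driver name (mrxsmbb.sys vs. the legitimate mrxsmb.sys).

Added example for this thread; not code from RegSearch or from anyone
posting here.  KNOWN_DRIVERS is a small constructed allowlist, not an
authoritative inventory of Windows drivers, and the second service key in
REGSEARCH_LOG is a constructed benign entry.
"""
import re
from typing import Iterable, List, Tuple

# Constructed allowlist of legitimate Windows driver file names.
KNOWN_DRIVERS = frozenset({
    "mrxsmb.sys", "mrxdav.sys", "srv.sys", "tcpip.sys", "ntfs.sys",
    "afd.sys", "ndis.sys", "http.sys", "ipsec.sys",
})

# Excerpt in the style of the RegSearch .reg dump posted above.  The
# mrxsmbb key is the one from the thread; the ExampleSvc key is constructed.
REGSEARCH_LOG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmbb]
"ImagePath"="System32\\drivers\\mrxsmbb.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc]
"ImagePath"="System32\\drivers\\example.sys"
"""

_IMAGEPATH = re.compile(r'^"ImagePath"="(.+)"$')


def image_names_from_reg(text: str) -> List[str]:
    """Return the file name of every ImagePath value in a .reg-style dump."""
    names = []
    for line in text.splitlines():
        m = _IMAGEPATH.match(line.strip())
        if m:
            path = m.group(1).replace("\\\\", "\\")  # undo .reg escaping
            names.append(path.rsplit("\\", 1)[-1])
    return names


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute, cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,              # delete from a
                           cur[j - 1] + 1,          # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def lookalike_names(names: Iterable[str], known=KNOWN_DRIVERS,
                    max_distance: int = 1) -> List[Tuple[str, str, int]]:
    """Return (name, known_name, distance) for names that nearly match a
    known driver but are not exactly one of them.  Exact matches are skipped;
    anything returned is a candidate for review, not a verdict."""
    hits = []
    for name in names:
        lowered = name.lower()
        if lowered in known:
            continue
        for legit in sorted(known):
            d = edit_distance(lowered, legit)
            if d <= max_distance:
                hits.append((name, legit, d))
    return hits


if __name__ == "__main__":
    for name, legit, d in lookalike_names(image_names_from_reg(REGSEARCH_LOG)):
        print(f"{name}: {d} edit(s) from {legit}; review this service")
```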
Title: Re: PowerKord 's vundo
Post by: PowerKord on January 18, 2008, 11:39:57 PM
Hi, oldman,

(BTW, I'd be pleased to address you by your actual first name if you'd care to provide it. I'm assuming it's not "oldman"; though please forgive me if it is.)

I just searched my system and did find the file in question, in the location you specify. It's listed as an 84KB system file.

I deleted nakido.exe about 24 hours ago using HJT; you say it's valid but I did not bring it onto my system. Isn't it likely it came onboard stealthily?

Re the keylogger, I did install it some time ago, but from what I recall it didn't work properly and now I find it's apparently still running. I think it's gone now, though; would you concur?

BTW, I'm still getting these popups appearing. I just did a little test: it seems that whenever I perform a Google search from FireFox--but not SeaMonkey--a popup window appears. Is this a good clue?

Last, again, when you request that I "check out that other file..." do you refer to the file in question mentioned above, that we've been discussing?

Best,

vince
Title: Re: PowerKord 's vundo
Post by: oldman on January 20, 2008, 04:47:19 AM
Hi PowerKord, I've been called oldman for so long, I probably won't answer to anything else. I even get birthday cards, Christmas presents etc., addressed to oldman.

Did SAS report removing ardamax? Fixing the line in HJT should prevent it from starting on startup.

As far as Nakido, as mentioned before, it is added by choice, quote from Bleeping Computers

"Added by the Nakido file sharing software. This software allows you to share files with other people on the Nakido network."

I don't know if you do any file sharing, but if you do, then perhaps it's a requirement of that site.

It should appear in add/remove as Nakido. Again nothing sneaky about it.


Last I checked, you are one of 3 people in the world that has posted a log and own that file/driver. I've requested advice on the best way to disable this service for investigation.
The best is via the recovery console, but OEMs don't have that feature.

I haven't forgotten about you.
Title: Re: PowerKord 's vundo
Post by: PowerKord on January 20, 2008, 08:59:22 AM
Hi,

1. SAS did not even find Ardamax.

2. Is the presence of this bogus driver file on my system the reason I'm still getting popup windows? Is the virus contained in that one file?

Thanks.

Regards,

vince
Title: Re: PowerKord 's vundo
Post by: oldman on January 20, 2008, 09:22:31 AM
Hi,

1. SAS did not even find Ardamax.

2. Is the presence of this bogus driver file on my system the reason I'm still getting popup windows? Is the virus contained in that one file?


You are going to have to take care of the keylogger manually I suppose. I'll check with some others and see if they know of an easy way.

I'm 99% sure that it's bogus, it's that 1% that makes me reluctant to go after it destructively. If it's what I suspect, it's a downloader, so it's downloading the odd bug. Sorry.
Title: Re: PowerKord 's vundo
Post by: PowerKord on January 20, 2008, 02:21:49 PM
Hi,

>>>If it's what I suspect, it's a downloader, so it's downloading the odd bug.

1. Please explain!

2. And what did you mean exactly when you said I was only one of three people to have this file? Is it some kind of very rare virus, or rare method of infection?

3. What do I do about it?

Thanks!

vince

Title: Re: PowerKord 's vundo
Post by: oldman on January 20, 2008, 07:26:29 PM
I think that it may be a trojan that goes by, well one name anyway, cutwail. I'm only basing this on its behavior. It's not that it's rare, the name it's using is rare. I found only your log and 2 others when searching for that name.

There have been two cases on this forum recently, one I worked on and one other later. Both times the recovery console was used to disable the service so the file could be confirmed as infected.

Just hang on, a solution to the recovery console is at hand.  :)

Please delete the copy of combofix.exe you have now. Download and run a new copy. Please post the new log. We want to be as clean as possible before we move on. We are close.

Title: Re: PowerKord 's vundo
Post by: PowerKord on January 20, 2008, 11:20:15 PM
So merely deleting that one file manually won't do it? What will happen--it will recreate itself elsewhere on my system?
Title: Re: PowerKord 's vundo
Post by: Lisandro on January 20, 2008, 11:22:46 PM
it will recreate itself elsewhere on my system?
Yes... it's quite simple for a trojan to do so...
Title: Re: PowerKord 's vundo
Post by: oldman on January 20, 2008, 11:31:33 PM
So merely deleting that one file manually won't do it? What will happen--it will recreate itself elsewhere on my system?

Problem being right now, if you can't rename it, you can't delete it. I had you try renaming it already and you got an access denied.

Anyway go ahead and get the new combofix and we'll carry on.
Title: Re: PowerKord 's vundo
Post by: PowerKord on January 21, 2008, 04:55:12 AM
ComboFix 08-01-20.1 - Vincent Christopher 2008-01-20 21:56:03.6 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.1.1252.1.1033.18.187 [GMT -5:00]
Running from: C:\Documents and Settings\Vincent Christopher\Desktop\ComboFix.exe
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp\tn3
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
(((((((((((((((((((((((((   Files Created from 2007-12-21 to 2008-01-21  )))))))))))))))))))))))))))))))
.

2008-01-20 22:05 . 2008-01-20 22:05   <DIR>   d--------   C:\TEMP\tn3
2008-01-20 22:03 . 2008-01-20 22:03   932   ---------   C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-18 01:51 . 2008-01-18 01:51   <DIR>   d--------   C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-01-18 01:30 . 2008-01-18 01:30   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-18 01:29 . 2008-01-18 01:54   <DIR>   d--------   C:\Program Files\SUPERAntiSpyware
2008-01-18 01:29 . 2008-01-18 01:29   <DIR>   d--------   C:\Documents and Settings\Vincent Christopher\Application Data\SUPERAntiSpyware.com
2008-01-18 01:25 . 2008-01-18 01:25   <DIR>   d--------   C:\Program Files\Common Files\Wise Installation Wizard
2008-01-12 17:18 . 2008-01-12 17:18   2,338   --a------   C:\WINDOWS\system32\tmp.reg
2008-01-10 20:23 . 2000-08-31 08:00   51,200   --a------   C:\WINDOWS\NirCmd.exe
2008-01-10 04:28 . 2008-01-10 07:00   189   --a------   C:\WINDOWS\wininit.ini
2008-01-09 22:37 . 2008-01-10 07:26   155,648   --a------   C:\WINDOWS\system32\igfxtray.exe
2008-01-09 22:37 . 2008-01-10 07:26   114,688   --a------   C:\WINDOWS\system32\hkcmd.exe
2008-01-09 22:10 . 2008-01-09 22:10   86,016   --a------   C:\WINDOWS\system32\drivers\mrxsmbb.sys

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-18 21:22   ---------   d-----w   C:\Program Files\NoteTab Pro
2008-01-12 05:48   ---------   d-----w   C:\Program Files\Yahoo!
2007-12-26 16:17   ---------   d-----w   C:\Documents and Settings\Vincent Christopher\Application Data\Aim
2007-12-04 14:56   93,264   ----a-w   C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55   94,544   ----a-w   C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53   23,152   ----a-w   C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51   42,912   ----a-w   C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49   26,624   ----a-w   C:\WINDOWS\system32\drivers\aavmker4.sys
2007-11-25 08:58   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-10-10 21:47   58,728   ----a-w   C:\Documents and Settings\Vincent Christopher\Application Data\GDIPFONTCACHEV1.DAT
2006-03-20 22:17   1,971,010   ----a-w   C:\Documents and Settings\Vincent Christopher\mr_corporation.zip
.

(((((((((((((((((((((((((((((   snapshot@2008-01-10_20.41.36.84   )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-11 01:26:42   245,760   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-21 02:55:38   245,760   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-11 01:26:42   8,192   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-21 02:55:38   8,192   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-11 01:26:42   245,760   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-21 02:55:38   245,760   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-11 01:26:42   8,192   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-21 02:55:38   8,192   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-11 01:26:44   6,291,456   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-21 02:55:40   6,295,552   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-11 01:26:44   229,376   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-21 02:55:40   229,376   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
- 2006-02-13 10:16:39   155,702   ----a-r   C:\WINDOWS\Installer\{91130409-6000-11D3-8CFE-0050048383C9}\bcicon.exe
+ 2008-01-18 06:13:43   155,702   ----a-r   C:\WINDOWS\Installer\{91130409-6000-11D3-8CFE-0050048383C9}\bcicon.exe
- 2006-02-13 10:16:39   34,304   ----a-r   C:\WINDOWS\Installer\{91130409-6000-11D3-8CFE-0050048383C9}\misc.exe
+ 2008-01-18 06:13:43   34,304   ----a-r   C:\WINDOWS\Installer\{91130409-6000-11D3-8CFE-0050048383C9}\misc.exe
- 2006-02-13 10:16:39   8,192   ----a-r   C:\WINDOWS\Installer\{91130409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
+ 2008-01-18 06:13:43   8,192   ----a-r   C:\WINDOWS\Installer\{91130409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
- 2006-02-13 10:16:40   3,584   ----a-r   C:\WINDOWS\Installer\{91130409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
+ 2008-01-18 06:13:43   3,584   ----a-r   C:\WINDOWS\Installer\{91130409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
- 2006-02-13 10:16:40   114,688   ----a-r   C:\WINDOWS\Installer\{91130409-6000-11D3-8CFE-0050048383C9}\outicon.exe
+ 2008-01-18 06:13:43   114,688   ----a-r   C:\WINDOWS\Installer\{91130409-6000-11D3-8CFE-0050048383C9}\outicon.exe
- 2006-02-13 10:16:39   16,384   ----a-r   C:\WINDOWS\Installer\{91130409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
+ 2008-01-18 06:13:43   16,384   ----a-r   C:\WINDOWS\Installer\{91130409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
- 2006-02-13 10:16:39   12,800   ----a-r   C:\WINDOWS\Installer\{91130409-6000-11D3-8CFE-0050048383C9}\pubs.exe
+ 2008-01-18 06:13:43   12,800   ----a-r   C:\WINDOWS\Installer\{91130409-6000-11D3-8CFE-0050048383C9}\pubs.exe
- 2006-02-13 10:16:40   22,528   ----a-r   C:\WINDOWS\Installer\{91130409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
+ 2008-01-18 06:13:43   22,528   ----a-r   C:\WINDOWS\Installer\{91130409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
- 2006-02-13 10:16:39   45,056   ----a-r   C:\WINDOWS\Installer\{91130409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
+ 2008-01-18 06:13:43   45,056   ----a-r   C:\WINDOWS\Installer\{91130409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
- 2006-02-13 10:16:39   90,112   ----a-r   C:\WINDOWS\Installer\{91130409-6000-11D3-8CFE-0050048383C9}\xlicons.exe
+ 2008-01-18 06:13:43   90,112   ----a-r   C:\WINDOWS\Installer\{91130409-6000-11D3-8CFE-0050048383C9}\xlicons.exe
+ 2008-01-18 06:29:52   29,696   ----a-r   C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
+ 2008-01-18 06:29:52   18,944   ----a-r   C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-01-18 06:29:52   65,024   ----a-r   C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
- 2008-01-11 01:26:58   262,144   ----a-w   C:\WINDOWS\system32\config\systemprofile\ntuser.dat
+ 2008-01-21 02:55:56   262,144   ----a-w   C:\WINDOWS\system32\config\systemprofile\ntuser.dat
+ 2008-01-21 03:04:32   16,384   ----atw   C:\WINDOWS\Temp\Perflib_Perfdata_5f0.dat
.
-- Snapshot reset to current date --
.
Title: Re: PowerKord 's vundo
Post by: PowerKord on January 21, 2008, 04:56:09 AM
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 05:41 13312]
"ACDSee"="C:\Program Files\ACD Systems\ACDSee\9.0\ACDSee9.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2008-01-10 07:26 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2008-01-10 07:26 114688]
"LTSMMSG"="LTSMMSG.exe" [2001-08-02 10:28 45056 C:\WINDOWS\LTSMMSG.exe]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [ ]
"UC_SMB"="" []
"TPKMAPMN"="C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe" [2008-01-10 07:26 32835]
"TrackPointSrv"="tp4serv.exe" [2002-12-03 03:09 87552 C:\WINDOWS\system32\tp4serv.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 07:53 88363 C:\WINDOWS\AGRSMMSG.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe" [2008-01-10 07:27 32873]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2003-11-26 01:35 94208]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-08-29 05:41 13312]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Device Detector 3.lnk - C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe [2007-10-23 18:59:29 114688]
HyperSnap 6.lnk - C:\Program Files\HyperSnap 6\HprSnap6.exe [2007-08-13 04:18:08 2266712]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= C:\Program Files\Qualcomm\Eudora\EuShlExt.dll [ ]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders   msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll

R1 CSMBATT;CSMBATT;C:\WINDOWS\System32\drivers\CSMBATT.SYS [2003-02-10 11:39]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\System32\drivers\IBMBLDID.SYS [2001-07-30 04:05]
R1 mrxsmbb;mrxsmbb;C:\WINDOWS\System32\drivers\mrxsmbb.sys [2008-01-09 22:10]
R1 nbmkmd;nbmkmd;C:\WINDOWS\System32\drivers\nbmkmd.sys [1998-12-30 17:28]
R1 TDOEM;TDOEM;C:\WINDOWS\System32\Drivers\TDOEM.SYS [2003-11-26 01:35]
R3 {A7E39B01-B403-11d4-BD18-00D0B7A1821E};AIM 3.0 Part 01 Codec Driver VCH-A;C:\WINDOWS\System32\drivers\Vch.sys [2002-07-31 09:12]
R3 EPPSCSIx;EPPSCSI Driver;C:\WINDOWS\System32\DRIVERS\EPPSCAN.sys [2002-03-06 13:20]
R3 Tp4Track;IBM PS/2 TrackPoint Driver;C:\WINDOWS\System32\DRIVERS\tp4track.sys [2002-12-03 03:09]
S3 LucentSoftModem;Lucent Technologies Soft Modem;C:\WINDOWS\System32\DRIVERS\LTSM.sys [2001-08-02 10:28]
S3 ma763004;M-Audio MobilePre USB;C:\WINDOWS\System32\drivers\MA763004.sys []
S3 MADFU804;MADFU804;C:\WINDOWS\System32\DRIVERS\MADFU804.sys []
S3 NUVision;Georgia USBVision (VD400);C:\WINDOWS\System32\DRIVERS\NUVision.sys [2001-09-16 11:32]
S3 PCDRDRV;Pcdr CPU Helper Driver;C:\WINDOWS\System32\drivers\PCDRDRV.sys []
S4 Nakido;Nakido;C:\WINDOWS\System32\nakido.exe [2004-09-29 23:07]

.
Contents of the 'Scheduled Tasks' folder
"2006-12-09 08:29:46 C:\WINDOWS\Tasks\BMMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\BMMTASK.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-20 22:05:23
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2800.1106]
-> C:\Program Files\HyperSnap 6\dxsnap.dll
.
Completion time: 2008-01-20 22:10:24 - machine was rebooted
ComboFix-quarantined-files.txt  2008-01-21 03:10:16
ComboFix2.txt  2008-01-12 06:25:22
ComboFix3.txt  2008-01-12 03:31:37
ComboFix4.txt  2008-01-11 23:49:35
ComboFix5.txt  2008-01-11 03:27:31
Title: Re: PowerKord 's vundo
Post by: oldman on January 21, 2008, 05:13:50 AM
It looks like two files are back, so since we got them with avenger last time we'll use it again.

Quote
files to delete:
C:\TEMP\tn3
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\tmp.reg

Use avenger like you did last time, with the above quote box and please post the results.

Thanks to sUBs, we have a way of installing the control console on your computer.

Take care of this and I'll get the instructions up for installing the console.

Title: Re: PowerKord 's vundo
Post by: PowerKord on January 21, 2008, 06:23:31 AM
Hi, oldman,

Below is the result of the Avenger scan, followed by a new HJT scan.

Now what exactly is this console you refer to? Is it something that, once installed, becomes a part of Windows, and cannot be removed later? Or can it be cleanly removed?

AVENGER SCAN

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\vhrolwof

*******************

Script file located at: \??\C:\WINDOWS\System32\sbbngbth.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



Error: C:\TEMP\tn3 is a folder, not a file!
Deletion of file C:\TEMP\tn3 failed!

Could not process line:
C:\TEMP\tn3
Status: 0xc00000ba

File C:\WINDOWS\system32\drivers\core.cache.dsk deleted successfully.
File C:\WINDOWS\system32\tmp.reg deleted successfully.

Completed script processing.

*******************

Finished!  Terminate.
Title: Re: PowerKord 's vundo
Post by: PowerKord on January 21, 2008, 06:25:43 AM
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:23:59 AM, on 1/21/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\WINDOWS\System32\tp4serv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\WINDOWS\System32\RunDll32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\HyperSnap 6\HprSnap6.exe
C:\WINDOWS\SYSTEM32\NOTEPAD.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\mozilla.org\SeaMonkey\seamonkey.exe
C:\Documents and Settings\Vincent Christopher\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://messageofhope.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.integrity.com:80
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKLM\..\Run: [trackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ACDSee] C:\Program Files\ACD Systems\ACDSee\9.0\ACDSee9.exe /tray
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: HyperSnap 6.lnk = C:\Program Files\HyperSnap 6\HprSnap6.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{622850C9-2536-4A0E-9F3D-49149C1237F8}: NameServer = 64.136.173.5 64.136.164.77
O17 - HKLM\System\CCS\Services\Tcpip\..\{D14F581C-AD5C-4482-9892-2D28DEA465B2}: NameServer = 69.57.146.14,69.57.147.175
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DM1Service - OLYMPUS Corporation - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE

--
End of file - 4711 bytes
Title: Re: PowerKord 's vundo
Post by: oldman on January 21, 2008, 06:40:11 AM
The recovery console is a utility that is part of xp, but only if it's retail. It is not installed by default when the OS is installed, though in my opinion should be.

It allows repairs to be made when windows can't be started. You can also do some changes that can't be made when windows is running, because the console is a separate boot routine. Windows is not running.

Having the console installed is becoming an increasing necessity these days as there are new boot sector viruses that will make a computer unbootable. The only way to correct the changes is through the console. OEMs do not come with the console on their disks, only retail versions do.

Once installed, it gives you another boot option besides safe mode, safe mode with networking, etc.

We've got one more to get rid of then we can start.

In avenger remove this

Quote
Folders to delete::
C:\TEMP\tn3
Title: Re: PowerKord 's vundo
Post by: oldman on January 21, 2008, 06:41:24 PM
A little more time to write a clearer answer; I tried to catch you online with the last one.

For what the recovery console is, see this link

http://support.microsoft.com/kb/314058

And for the importance of having it installed and what prompted the author of combofix to add not only the ability to detect if the recovery console was installed, but to install it.

http://forum.avast.com/index.php?topic=32559.0
Title: Re: PowerKord 's vundo
Post by: PowerKord on January 21, 2008, 10:39:14 PM
Ok, a potential complication.

While surfing last night Avast detected an incoming virus. I selected Abort Connection.

Then I set the program to scan my hard drive and I went to bed. Upon waking I find that it, while still not done scanning, has detected several things. First, a file that is apparently associated with Avenger. But also, a few files in the QooBox quarantine, with a path something like c/qoobox/c/program files/...

I've attached a screen cap of one of the warnings.

I've already performed the Avenger deletion (results below), and I'm beginning a new complete Avast scan.

Should I wait until the scan is done, or proceed with your next step?

Also, re the Avenger code you gave me, it would not work until I deleted one of the two sets of colons you had on line 1. Correct?

Please advise, oldman. Thanks.

PS. Is there some kind of partial reformat I could do, that would wipe out all these virii, yet not require me to reinstall my apps?



Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\jmdkhymc

*******************

Script file located at: \??\C:\WINDOWS\System32\kmsvqoxs.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Folder C:\TEMP\tn3 deleted successfully.

Completed script processing.

*******************

Finished!  Terminate.
Title: Re: PowerKord 's vundo
Post by: oldman on January 21, 2008, 10:50:51 PM
Hi PowerKord.

Quote
PS. Is there some kind of partial reformat I could do, that would wipe out all these virii, yet not require me to reinstall my apps?

No, sorry.


The avast warning you got was from the webshield, it stopped it before it got in. The others are in combofix quarantine (qoobox)

Avenger, yes right thing, I'm used to writing combofix scripts.

Let's see if we can put an end to this. If avast is almost done, let it complete; if it's got a long way to go, stop it and proceed.

Here's the instructions for the recovery console install. I have requested another forum member to keep an eye on this thread, just in case I'm not here when you are.


Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System.


(http://img.photobucket.com/albums/v666/sUBs/KB310994.gif)


Download the file  & save it as it's originally named, next to ComboFix.exe.



(http://img.photobucket.com/albums/v666/sUBs/rc1.gif)


Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

Please do not reboot your machine until we have reviewed the log.

Title: Re: PowerKord 's vundo
Post by: PowerKord on January 21, 2008, 11:38:52 PM
Firstly, yes, it may have been stupid to keep surfing while my system has active viruses, but I can tell you I was not surfing the kinds of sites that tend to cause these infections.

Second, I'm going to do one last full scan of my hard drive before embarking upon the console step. I'd just feel better.

Third, you really seem to know what you're doing, oldman, so if there's any way you personally can continue assisting me, I'd really appreciate it.

ok, talk soon.
Title: Re: PowerKord 's vundo
Post by: oldman on January 22, 2008, 04:42:30 AM
You don't have to be visiting those sites to get infected, a lot of this crud is just floating around looking for a system to land in. It happens.

I didn't plan on deserting you, just wanted to keep this process moving. The other forum member I mentioned is essexboy. You would have been in very good hands.  ;D

So let's carry on.
Title: Re: PowerKord 's vundo
Post by: oldman on January 22, 2008, 07:57:32 AM
PowerKord please check your messages at the top of the page.  :)
Title: Re: PowerKord 's vundo
Post by: PowerKord on January 22, 2008, 10:53:29 AM
Hello, Essexboy,

Oldman has apprised me that you are quite the technical Master, and that you'll be assisting me in resolving the balance of my virus problems. Thanks so very much, in advance!

I presume that in assisting me you will first review our existing thread. In doing so you will find that the last step advised by oldman was to install the windows console; however, I wanted to first run a full Avast scan, which I have now done.

The scan finished; it scanned my C drive and my external hard drive, E.

The results:

1. The scan has apparently found eight new instances of the TratBHO virus, all located somewhere in "System Volume Information." See attached Snap1.

2. The scan has listed many, many instances, more than I've ever seen before in an Avast scan, of files of which Avast asserts:  "Unable to scan: archive is password protected." See attached Snap2 for a screen cap of a few of them.

Is this a tactic some malware or virii uses--conceal itself in a fake password-protected archive, so a virus scanner can't scan it?

3. At the top of Snap2 is a file listed in the Avenger folder, which I assume is alright.

Please examine the two attached screen snaps and advise!

(Snap2 is in a subsequent post.)

Regards,

vince
Title: Re: PowerKord 's vundo
Post by: PowerKord on January 22, 2008, 10:55:01 AM
SCREEN SNAP #2
Title: Re: PowerKord 's vundo
Post by: essexboy on January 22, 2008, 07:38:32 PM
OK on the case now - just reviewing the thread to see where we are

Title: Re: PowerKord 's vundo
Post by: essexboy on January 22, 2008, 07:47:22 PM
OK I will now ask you to run a programme which will do a deep analysis of services and drivers.  However, because of the format I will need you to e-mail the zip file to me.  I will PM the address on completion of this post. 

Firstly I will need you to clean the system restore

1. Select Start > All Programs > Accessories > System tools > System Restore.
2. On the dialogue box that appears select Create a Restore Point
3. Click NEXT
4. Enter a name e.g. Clean
5. Click CREATE

You now have a new restore point, to get rid of the bad ones:

1. Select Start > All Programs > Accessories > System tools > Disk Cleanup.
2. In the Drop down box that appears select your main drive e.g. C
3. Click OK
4. The System will do some calculation and then display a dialogue box with TABS
5. Select the More Options Tab.
6. At the bottom will be a system restore box with a CLEANUP button click this
7. Accept the Warning and select OK again, the program will close and you are done
 
We will now do a deep search of your processes and files

Download avz4.zip from here (http://z-oleg.com/avz4.zip)
Note: If you receive an error message, choose a different source, then click Start again


.
When restarted
.
.
Mail both zip files to me
Title: Re: PowerKord 's vundo
Post by: PowerKord on January 23, 2008, 10:39:10 PM
Assuming that the Clean procedure is really necessary and I should still perform it:

1. How long could the procedure take? I had the thing running for probably two hours and it just sat there. How long could the process take? Should I just leave it running overnight? Could it really take that long? At what point, eight hours, twelve hours, whatever, should I assume that the thing is actually not running properly?

2. Is it advisable not to use the computer while the cleanup is running?

Just so I know what to expect.

Thanks.
Title: Re: PowerKord 's vundo
Post by: essexboy on January 23, 2008, 10:44:45 PM
If you have never run it before, and depending on the size of the drive, it can take upwards of an hour.  Any longer than that and I would consider cancelling it.

But the main one to get is the AVZ scan and report as that will enable me to find the driver/service that is causing the problem and then Kill it

The fix will be posted on the forum but unfortunately you cannot attach zip or html files  here so they will need to be mailed to me or hosted on line so that I can download them for analysis

Title: Re: PowerKord 's vundo
Post by: PowerKord on January 23, 2008, 11:34:15 PM
The thing was running well over an hour so I'm just gonna do the AVZ thing.
Title: Re: PowerKord 's vundo
Post by: essexboy on January 23, 2008, 11:35:24 PM
OK waiting whenever you are ready  ;D
Title: Re: PowerKord 's vundo
Post by: PowerKord on January 24, 2008, 03:00:23 AM
I don't get it, EB:

Why are these virii so easy to catch at adult sites? Is it the adult webmasters who do this, deliberately? And if so--why?

And do these people honestly think that I would even dream of clicking one of the links that appear in one of these unwanted popup windows?

Your thoughts?

Title: Re: PowerKord 's vundo
Post by: essexboy on January 24, 2008, 09:34:06 PM
Quote
Why are these virii so easy to catch at adult sites? Is it the adult webmasters who do this, deliberately? And if so--why?

And do these people honestly think that I would even dream of clicking one of the links that appear in one of these unwanted popup windows?
These are drive-by downloads and are generally incorporated within the web page; whether maliciously or not I don't know. And there is always someone who will click on demand

AVZ FIX

Code:
begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
 DelBHO('{c95fe080-8f5d-11d2-a20b-00aa003c157a}');
 DeleteService('nbmkmd');
 StopService('nbmkmd');
 DeleteService('mrxsmbb');
 StopService('mrxsmbb');
 DeleteFile('C:\WINDOWS\System32\drivers\mrxsmbb.sys');
 DeleteFile('C:\WINDOWS\System32\Drivers\nbmkmd.SYS');
 DeleteFile('C:\WINDOWS\web\related.htm');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

ON COMPLETION

Attach the zip file to your next post

Title: Re: PowerKord 's vundo
Post by: essexboy on January 25, 2008, 07:54:39 PM
OK we got one but not the other I see you have Avenger

1. Please download The Avenger (http://swandog46.geekstogo.com/avenger.zip) by Swandog46 to your Desktop.
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Quote
Drivers to unload:
mrxsmbb

Files to delete:
C:\WINDOWS\System32\drivers\mrxsmbb.sys

Note: the above code was created specifically for this user.  If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
4. The Avenger will automatically do the following:
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply
Title: Re: PowerKord 's vundo
Post by: PowerKord on January 26, 2008, 12:37:21 AM
Can I use my existing copy of Avenger?
Title: Re: PowerKord 's vundo
Post by: PowerKord on January 26, 2008, 03:43:37 AM
I unzipped the Avenger .zip folder and created a new instance of the program, as the contents of the previously unzipped folder seem to have disappeared.

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\wrhnfhqi

*******************

Script file located at: \??\C:\Program Files\ltilccqr.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver mrxsmbb unloaded successfully.
File C:\WINDOWS\System32\drivers\mrxsmbb.sys deleted successfully.

Completed script processing.

*******************

Finished!  Terminate.




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:36:20 PM, on 1/25/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\WINDOWS\System32\tp4serv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\WINDOWS\System32\RunDll32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\WINDOWS\SYSTEM32\NOTEPAD.EXE
C:\Program Files\HyperSnap 6\HprSnap6.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Documents and Settings\Vincent Christopher\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://messageofhope.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.integrity.com:80
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKLM\..\Run: [trackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ACDSee] C:\Program Files\ACD Systems\ACDSee\9.0\ACDSee9.exe /tray
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: HyperSnap 6.lnk = C:\Program Files\HyperSnap 6\HprSnap6.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{D14F581C-AD5C-4482-9892-2D28DEA465B2}: NameServer = 69.57.146.14,69.57.147.175
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DM1Service - OLYMPUS Corporation - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE

--
End of file - 4565 bytes
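The helpers in this thread work by reading two HijackThis logs side by side: what vanished after a fix, and which entry types (BHOs, Winlogon Notify DLLs, NameServer settings, unnamed services, "(file missing)" targets) deserve a manual look. As an added example that is not code from the thread, from HijackThis or from the helpers, here is a small Python triage script that does that comparison over lines trimmed from the two HJT logs posted above; the entry-type rules are my own reading of what the helpers check, not a HijackThis feature.

```python
"""HijackThis (HJT) log triage: diff two logs and flag entries worth a second look.

Added example for this thread; not code from the thread, from HijackThis,
or from the helpers. It mechanises what the helpers do by eye: compare the
log posted before a fix with the one posted after it, and list the entry
types they always check. A flagged entry is a review item, not a verdict:
the O20 below is SUPERAntiSpyware's own logon DLL and is legitimate.
"""
import re
from typing import List, Tuple

# HJT entry lines start with a type tag such as R0, O2, O17, O20, O23.
ENTRY_RE = re.compile(r"^([RFNO]\d+)\s+-\s+(.*)$")

# Sample logs: lines trimmed from the two HJT logs posted in this thread
# (the one before the AVZ/Avenger fix and the one after it).
BEFORE = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://messageofhope.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{622850C9-2536-4A0E-9F3D-49149C1237F8}: NameServer = 64.136.173.5 64.136.164.77
O17 - HKLM\System\CCS\Services\Tcpip\..\{D14F581C-AD5C-4482-9892-2D28DEA465B2}: NameServer = 69.57.146.14,69.57.147.175
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
--
End of file - 4711 bytes
"""

AFTER = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://messageofhope.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{D14F581C-AD5C-4482-9892-2D28DEA465B2}: NameServer = 69.57.146.14,69.57.147.175
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
--
End of file - 4565 bytes
"""


def parse_hjt(text: str) -> List[Tuple[str, str]]:
    """Return (type, body) for every entry line; headers and process lists are skipped."""
    out = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            out.append((m.group(1), m.group(2).strip()))
    return out


def diff_logs(before: str, after: str) -> Tuple[List[str], List[str]]:
    """Entries present only in the earlier log, and entries present only in the later one."""
    old = {f"{t} - {b}" for t, b in parse_hjt(before)}
    new = {f"{t} - {b}" for t, b in parse_hjt(after)}
    return sorted(old - new), sorted(new - old)


def flag_entries(text: str) -> List[Tuple[str, str]]:
    """Return (entry, reason) pairs for entries a reviewer should check by hand."""
    flags = []
    for typ, body in parse_hjt(text):
        entry = f"{typ} - {body}"
        if "(file missing)" in body:
            flags.append((entry, "target file is gone: orphaned entry, safe to fix in HJT"))
        if typ in ("R0", "R1"):
            flags.append((entry, "browser start page / proxy: confirm the user set this"))
        if typ == "O2" and "(no name)" in body:
            flags.append((entry, "unnamed BHO: check the DLL's publisher and path"))
        if typ == "O17":
            flags.append((entry, "NameServer override: confirm these are the ISP's resolvers"))
        if typ == "O20":
            flags.append((entry, "Winlogon Notify DLL loads at every logon: verify its publisher"))
        if typ == "O23" and "Unknown owner" in body:
            flags.append((entry, "service with no publisher: identify the binary"))
    return flags


if __name__ == "__main__":
    removed, added = diff_logs(BEFORE, AFTER)
    print("Gone after the fix:")
    for e in removed:
        print("  -", e)
    print("New after the fix:")
    for e in added:
        print("  +", e)
    print("Review items in the new log:")
    for e, why in flag_entries(AFTER):
        print(f"  {e}\n      {why}")
```

Run against the full logs it shows the same picture the helpers saw: the extra O17 NameServer entry is gone and the Related button now points at a missing file, while the remaining O20 and O23 lines are known-good once their publishers are checked.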
Title: Re: PowerKord 's vundo
Post by: essexboy on January 26, 2008, 01:21:36 PM
How is your system running now ?
Title: Re: PowerKord 's vundo
Post by: PowerKord on January 26, 2008, 09:31:40 PM
So far those popup windows are no longer appearing. I will continue monitoring.

I've also experienced other strange things though, like my physical volume buttons no longer work.

Your thoughts on this?
Title: Re: PowerKord 's vundo
Post by: essexboy on January 27, 2008, 12:26:57 AM
Quote
like my physical volume buttons no longer work
Do you mean the button on your speakers or the one on the systray ?
Title: Re: PowerKord 's vundo
Post by: PowerKord on January 27, 2008, 04:30:20 AM
Pressing the buttons on my laptop itself used to control the system volume, and would bring up an onscreen bar graph to indicate volume level. Neither of those things happens anymore when I press a button.

Apparently the virus affected certain system operations?
Title: Re: PowerKord 's vundo
Post by: essexboy on January 27, 2008, 04:26:36 PM
The controlling software was probably compromised by Vundo and no backup was found on your system to replace it.  It may require a driver reinstallation for your keyboard functions
Title: MOP-UP QUESTIONS
Post by: PowerKord on January 27, 2008, 11:39:54 PM
Essexboy,

Ok, so far, so good! I'm still not seeing any symptoms!

You and oldman utterly rock! I can't tell you how thankful and grateful I am!

I have a number of "mop-up" questions if you don't mind; as you'll see some are more important than others. Some are *very* important (like what will now happen to the virus files presently under quarantine on my system). If you'd be so kind, please answer each one in order. Thanks so very much for your time and effort, then and now!


1. Do you and oldman work for Avast? Are you both programmers? I'm not sure about oldman but I get the impression that you are a programmer.


2. Some of the scans I've done since this problem started have apparently flagged certain files associated with HyperSnap Pro, a screen capture utility that I run. To your knowledge, are HyperSnap products associated with installing malware?


3. As posed by me in this thread in Reply #55 and #56, January 22, page 4 of this thread. I had just done an Avast scan. Again, this is a few days old, before you got involved with this:

"The scan finished; it scanned my C drive and my external hard drive, E.

The results:

A. The scan has apparently found eight new instances of the TratBHO virus, all located somewhere in "System Volume Information." See attached Snap1.

B. The scan has listed many, many instances, more than I've ever seen before in an Avast scan, of files of which Avast asserts:  "Unable to scan: archive is password protected." See attached Snap2 for a screen cap of a few of them.

Is this a tactic some malware or virii uses--conceal itself in a fake password-protected archive, so a virus scanner can't scan it?"

Both those replies, 55 and 56, contains screencaps of both problems I describe here.


4. I do not use any P2P client, whether for music file sharing, or chatting (AIM, Yahoo Messenger, etc.), though I have in the past. I have de-installed my AIM and Yahoo chat clients (though I'm pretty sure these de-installs don't remove every single file). Is it still necessary to run the P2P and Instant Messaging modules of Avast when running Avast?


5. So as far as you can tell, what is the actual upshot of all this--is every virus now gone from my system?


6. And exactly which viruses were on my system? I heard TratBHO, Vundo, and cutwail, and then there were what appeared as new instances of TratBHO in my System Volume Information (see above).


7. What exactly was this mrxsmbb.sys file? Was it a trojan containing a/the virus?


8. Avast has detected virii before, on, or trying to enter, my system, but has always deleted them immediately and successfully. Why was this virus/viruses so hard to get rid of? Is TratBHO or Vundo some tough new strain?


9. In solving all this, it wasn't a problem that I wasn't able to do the Cleanup, or the restore point procedure you wanted done initially?


10. Re my volume malfunction as described ("controlling software was probably compromised by Vundo"), and any other system changes that the virii created: I'll probably have to call IBM or Microsoft to help me reinstall things and make corrections, but until I do is it likely that these malfunctions and compromised system areas are virus-free and won't cause any other virus-related problems? In other words, can wait to restore these areas, or should I do it right away?


11. Maybe I should do it right away to prevent compromised software from causing corruption, etc., even apart from any virus issue?


10a. Apparently my Cleanmgr.exe is not working right, either, right? Running it, it does nothing but just sits there for hours, as I think I already mentioned to you. Could this be another result of my infections?


12. Does it appear that Ardamax keylogger lite is completely off my system? A previous scan, either HJT OR CF I think, detected it running (see ardamax listing in HJT scan Jan 11, reply #6).


13. Relatedly, EB, can you recommend a well-programmed, malware-free, simple to use keylogger to be used only by me to retrieve my own work in case of crashes and problems (not to spy on anyone else)? I don't need any actual spy or stealth features.


14. It appears that one of the functions of AVZ and/or SUPERAntiSpyware (not sure which) is a standard spyware scan and removal, like SpyBot S&D does. Should I use either of these two programs instead of SpyBot for this? Is one or the other, or something else you'd recommend, better than SpyBot?


15. And what about this nakido.exe file that apparently keeps putting itself back on my system? oldman tells me it's a legitimate file, but I never installed it. In fact, when a scan revealed its presence I deleted it, but it apparently returned on its own. Is this file/program as innocent as it seems? And how does it keep returning to my system? I'm not sure if it's on now, or not.


16. It appears that some of the programs I've installed as part of this removal effort, such as  ComboFix (qoobox) and Avenger, presently have virii quarantined. What should I do with these quarantined viruses? If I simply de-install these programs will the viruses they've quarantined be properly destroyed?

The removal programs presently installed on my system are these:

- Cleanup
- HiJackThis
- SUPERAntiSpyware


17. I'm now pretty afraid of visiting any adult, or even celebrity website, for fear of catching another virus! I used to feel very protected by Avast--until now. Your thoughts?


17a. Relatedly, in terms of catching a virus from a web page, you wrote: "there is allways someone who will click on demand." What do you mean by this?


18. Relatedly, EB, I've been using Avast Home version. Would the pro/paid version of Avast have prevented these infections?


19. oldman had me use RegistrySearch, I believe. Is my registry now ok?


20. oldman was pretty convinced that the Windows Recovery Console would be needed to solve my problems, but you solved them without using it, right? How did you do it w/out the Recovery Console?


I await your responses to these questions. Again, thanks so much!

Warm Regards,

vince
Title: Re: PowerKord 's vundo
Post by: essexboy on January 28, 2008, 12:33:57 AM
Here we go :

1.  No
2.  No but it does use some of the same techniques as a key logger
3.  System volume information will be cleared when we do the housekeeping at the end.  Currently I know of no Malware that password protects
4.  If you do not use them, then no
5.  From the scans I have done yes, but as with all things in this world there is never a 100% sure answer
6.  Malware names vary by different AV/AS vendors; there is no straightforward naming convention
7.  That was the main driver file that generated the popups and protected the malware
8.  Antivirus programmers can only react to new malware, so the bad guys will always start from the front
9.  That was probably because you had never used that function before, therefore there were a lot of files that needed compressing
10. The infections should now be gone, so you can wait
11.  Maybe an sfc /scannow would not come amiss
12.  If any is left it is now unuseable
13.  I have no knowledge of keyloggers apart from the bad ones
14.  Spybot is too old now, I would recommend Superantispyware
15.  That was the file taken out by AVZ
16.  All part of housekeeping
17.  Those sites are the prime target for hackers to insert malicious code.  See a box and click no, but guess what, both boxes mean yes; always close by the x
18.  Home and Pro have the same capabilities with regard to virus protection
19.  As good as we can make it
20.  Recovery console was an option, but AVZ gave me the driver name to use with Avenger


Now the best part of the day ----- Your log now appears clean  :thumbsup:

Double click OTMoveIt once again and you should see a CleanUp! button. Press that button; you may get prompted by your firewall that OTMoveIt wants to contact the internet, allow this. A cleanup.txt will be downloaded and a message dialog will ask you if you want to proceed with the cleanup process; click Yes. This will delete all the tools you have downloaded plus itself



Now to get you off to a good start we will re-set your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore point but this is my method:

1. Select Start > All Programs > Accessories > System tools > System Restore.
2. On the dialogue box that appears select Create a Restore Point
3. Click NEXT
4. Enter a name e.g. Clean
5. Click CREATE

You now have a clean restore point, to get rid of the bad ones:

1. Select Start > All Programs > Accessories > System tools > Disk Cleanup.
2. In the Drop down box that appears select your main drive e.g. C
3. Click OK
4. The System will do some calculation and then display a dialogue box with TABS
5. Select the More Options Tab.
6. At the bottom will be a system restore box with a CLEANUP button click this
7. Accept the Warning and select OK again, the program will close and you are done



Now that you are clean, to help protect your computer in the future I recommend that you get the following free program: It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit To learn more about how to protect yourself while on the internet read this article by Tony Klein: So how did I get infected in the first place? (http://forums.spywareinfo.com/index.php?showtopic=60955)


Keep safe  :wave:
Title: Re: PowerKord 's vundo
Post by: PowerKord on January 28, 2008, 01:24:37 AM
Hi,

Thanks for your answers.

But, regarding housekeeping--

1. What is OTMoveIt?

2. You state that the tool "..will delete all the tools you have downloaded plus itself." You mean it will actually properly de-install HJT, SAS, Cleanup, etc? Isn't it more reliable to do that from Windows Add/Remove? Though, if I do it from Windows, do the quarantined viruses get properly destroyed, or might they end up somewhere vulnerable or migrate themselves somewhere?

3. Also, what if I want to keep, say, SAS on my system?

4. Importantly--you state "to get you off to a good start we will re-set your restore points so that all the bad stuff is gone for good."

But, EB, I did not have System Restore enabled on my system. I decided not to use it because, knowing how glitchy computers can be, I wanted my system to run as simply as possible, to have as few processes to operate and manage as possible.

Your thoughts? Is it still necessary to re-set my restore point? I don't have any, right?

5. Relatedly, you further state: "You now have a clean restore point, to get rid of the bad ones:"

Regarding restore points, if System Restore was not enabled on my system, which it was not, do I have "bad ones"?


And, more generally--

1. Do SUPERantispyware, and SpywareBlaster do the same thing? You seem to recommend them both.

2. Can you please clarify answer #11?

3. I tend not to use Windows Update because in my years computing I've too many times experienced "updated" software of one type or another that was worse in one or more respects than that which it "updated." Also, I notice that when updating--I've had this happen with Word which always resets my toolbars when I update--software updates sometimes reset toolbar settings or other custom prefs that were set. Then comes a real pita to reset everything.

Your thoughts?

Thanks!

vince
Title: Re: PowerKord 's vundo
Post by: oldman on January 28, 2008, 02:59:53 AM
Hi PowerKord

It seems you got it.

OTMOVEIT is a removal tool that can also be used to clean up/remove the other tools that were used along with their quarantined files. SAS and cleanup will not be affected. Just a note, when you empty the SAS quarantine, avast may detect the files then, it's normal. If you check the warning log, you will find that the "password protected" files are in fact SAS or another security program's quarantined or signature files. Again normal

System restore is system volume information. You had some avast detections there, so it was obviously turned on. Your choice of turning it off and leaving it off. But, if you don't have a disk imaging program like True Image, Norton Ghost, Goback, etc, you don't really have anything to fall back on in case of major problems.

Recovery console was my preference for going after the file, but AVZ did the trick. Everyone has a method.

The only way to really know what mrxsmbb.sys was, is to submit the Avenger zip to virustotal, if mrxsmbb.sys is the only file in it, and see what it comes back as. You can do this if you want, and you haven't already done the clean up routine essexboy gave you.

You can download OTMOVEIT2 from here and use it as essexboy suggested.

http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe


Service pack 2 is far more secure than service pack 1
Title: Re: PowerKord 's vundo
Post by: PowerKord on January 28, 2008, 05:19:19 AM
Hello, oldman,

So nice to see you back!

(Wait--are you back?)

I had a last "mopup" email for EB (Reply #75) based on his previous instruction and remarks; can you please ask him to come back here to respond to it? It's the one you just responded to, but I'd really like his responses, since some of my questions pertain explicitly to things he said, or instructions he gave.

Please have him respond to this, too:

EB:

1. >>>Double click OTMoveIt once again and you should see a CleanUp! button, press that button, you may get prompted by your firewall that OTMoveIt wants to contact the internet, allow this, a cleanup.txt will be downloaded

I was not prompted to connect to the 'Net; only to reboot. Also, there was no .txt file downloaded to my knowledge.

2. After running OTMoveIt2, I notice that HJT, SAS, and Cleanup are all still listed in Add/Remove Programs. Weren't they supposed to be deleted? Should I delete them now from there? Are these programs actually already gone even though still listed?

Thanks.

vince
Title: Re: PowerKord 's vundo
Post by: essexboy on January 28, 2008, 10:08:53 AM
HJT, SAS, and Cleanup are NOT removed by OTMoveit

Quote
I was not prompted to connect to the 'Net; only to reboot. Also, there was no .txt file downloaded to my knowledge.
If you just downloaded it, it had the up-to-date data
Title: Re: PowerKord 's vundo
Post by: PowerKord on January 28, 2008, 11:17:22 AM
Thanks, EB; I certainly don't want to keep you any longer than absolutely necessary, but if you could just respond to what are very likely my last few questions in Reply #75, as I had requested, above, I'd be very appreciative, as I am already, of course.

Then we can bring my problems and your assistance with same to a nice, neat conclusion, where I feel not just that my problem was solved, but that I have a proper understanding of how to proceed from here.

Thanks so much.

vince
Title: Re: PowerKord 's vundo
Post by: essexboy on January 28, 2008, 08:47:54 PM
1. What is OTMoveIt? A low level file deletion programme that will also tidy up when it is time for it to go

3. Also, what if I want to keep, say, SAS on my system? I would recommend that

1. Do SUPERantispyware, and SpywareBlaster do the same thing? You seem to recommend them both. No. SpywareBlaster places a kill bit in the registry so that BHOs and CLSIDs cannot be installed by malware; it is completely passive and never runs except when you update it.  Superantispyware searches for and deletes known malware resident in your system and is run on demand

2. Can you please clarify answer #11? There is a possibility that one of your rarely used system files may have been corrupted by the malware.  sfc /scannow will check your system files' integrity
Quote
From the Start menu, select Run.
In the Open field, type sfc /scannow (Note: There is a space between sfc and /scannow)
Select the OK button.
Follow the prompts throughout the System File Checker process.
Reboot the computer when System File Checker completes.
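The kill bit essexboy describes above is a documented Internet Explorer mechanism: a "Compatibility Flags" DWORD with bit 0x400 set under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID} stops IE from ever instantiating that control or BHO, which is why SpywareBlaster can be passive and still protect. As an added example (not SpywareBlaster's code and not from this thread), the Python below builds a .reg file that sets the kill bit for a list of CLSIDs while preserving any other flag bits already set, and reads such a file back to list which CLSIDs are blocked. The CLSIDs in it are constructed placeholders and the .reg text is the author's rendering of the documented value.

```python
r"""Generate and read Internet Explorer ActiveX "kill bits".

Added example; not SpywareBlaster's code and not from the thread. The registry
mechanism is Microsoft's documented one: a DWORD "Compatibility Flags" with
bit 0x400 set under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
stops IE from instantiating that control or BHO. The CLSIDs below are
constructed placeholders, not real components.
"""
import re

KILL_BIT = 0x400
KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
CLSID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)
SECTION_RE = re.compile(r"^\[" + re.escape(KEY) + r"\\(\{[0-9A-F-]{36}\})\]$", re.I)
VALUE_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-F]{8})$', re.I)

# Constructed placeholder CLSIDs (not real components).
SAMPLE_CLSIDS = ["{12345678-1234-1234-1234-123456789ABC}",
                 "{FEDCBA98-7654-3210-FEDC-BA9876543210}"]


def killbit_reg(clsids, existing_flags=None):
    """Return .reg text that sets the kill bit for each CLSID.

    existing_flags maps CLSID -> current "Compatibility Flags" value, so any
    other flag bits are preserved: the kill bit is OR-ed in, not overwritten.
    """
    existing = {k.upper(): v for k, v in (existing_flags or {}).items()}
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in clsids:
        if not CLSID_RE.match(clsid):
            raise ValueError(f"not a CLSID: {clsid!r}")
        clsid = clsid.upper()
        flags = existing.get(clsid, 0) | KILL_BIT
        lines += [f"[{KEY}\\{clsid}]", f'"Compatibility Flags"=dword:{flags:08x}', ""]
    return "\r\n".join(lines)


def parse_killbits(reg_text):
    """Return the set of CLSIDs whose Compatibility Flags include the kill bit.

    Works on text from killbit_reg() and on a regedit export of the ActiveX
    Compatibility key (decode the UTF-16 export to str first).
    """
    killed, current = set(), None
    for line in reg_text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).upper()
            continue
        if line.startswith("["):  # some other key: stop attributing values to it
            current = None
            continue
        m = VALUE_RE.match(line)
        if m and current and int(m.group(1), 16) & KILL_BIT:
            killed.add(current)
    return killed


if __name__ == "__main__":
    text = killbit_reg(SAMPLE_CLSIDS)
    print(text)
    print("blocked:", sorted(parse_killbits(text)))
```

Importing the generated file with regedit applies the bits machine-wide; exporting the ActiveX Compatibility key afterwards and feeding the (UTF-16) export to parse_killbits is a quick way to confirm which CLSIDs a tool like SpywareBlaster has actually blocked.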


Title: Re: PowerKord 's vundo
Post by: PowerKord on January 28, 2008, 10:19:36 PM
Hello, EB/oldman,

1. I was away from my computer when scannow finished. When I returned there was no "scan complete" window or any other kind of window or scan-related screen object present onscreen. Is this what happens when the scan terminates, it displays nothing onscreen?

If yes, does that mean it found and fixed something, or that it found no problems?

2. OTMoveIt did not delete AVZ. Are there any files in the AVZ quarantine folder? If so, will deleting AVZ safely delete anything in the quarantine? Or is anything in there definitely already disabled?

3. I notice that SUPERAntiSpyware has its own module for malware interception. I assume, however, that SpywareBlaster does it better?

4. EB, per your recommendation, I installed and am presently running a 3rd-party firewall, Comodo Pro Firewall v2.4 (3.0 apparently requires XP SP2, which I don't have yet.) Should I disable Windows firewall, or also leave it running? Actually, I already disabled it.

5. Upon launching SeaMonkey, or perhaps just a new SeaMonkey tab, Comodo Pro firewall reports some kind of connection between Word and SeaMonkey, suggesting that Word is or may be using SeaMonkey for something, through an OLE mechanism. Why would Word use SeaMonkey?

6. I left SAS on my system, and removed Spybot S&D (after making a $ contribution for the times I've used it).

7. EB, you said if disk cleanup runs more than an hour I should kill it. But you also said it's probably running so long because I have many files and have never run it before. So should I try running it again, and not kill it, even if I see it's taking hours and hours, and appears to be doing nothing, including no apparent hard drive activity? That's what it was doing before.

8. Is my version of Windows XP Pro 32 bit or 64 bit? I ran Windows system information but it did not mention this.

Thanks!

Warm Regards,

vince



Title: Re: PowerKord 's vundo
Post by: polonus on January 28, 2008, 10:35:02 PM
Hi PowerKord,

Well, if you scan with Kaspersky's online scanner you get all your system info and the version of the Service Pack you have on it (2, I hope); also absolutely vital for your security in relation to vundo infections is to have the most recent Sun Java version, and to delete any older versions on your comp (because that is somehow not being done automatically, and the malware always goes for the older version(s) with the exploitable code in it, you see!).
If you are using IE7 try to use freefixer from here: http://www.freefixer.com/download.html
With this tool you can do more or less the same as HijackThis, but if you want to fix something with it, try to get advice from us first, we will be glad to look into it,

polonus


Title: Re: PowerKord 's vundo
Post by: PowerKord on January 28, 2008, 10:45:47 PM
Hi, Polonus,

Thanks so much for the info!

Is Kaspersky online scanner better than Avast Home Version on my PC, in your view?

I ordered SP2 on disk.

How do I update my Sun Java version?

And how do I delete older versions?

Thanks again!

Best,

vince
Title: Re: PowerKord 's vundo
Post by: polonus on January 28, 2008, 11:09:13 PM
Hi vince,

Get your newest Sun Java version and download here: http://javadl.sun.com/webapps/download/AutoDL?BundleId=12797

Go to Start > Control Panel > Add or Remove Programs and delete the older version of Java(TM) there.

Leave Avast Home on your computer it is a resident scanner, and you only need one resident scanner.
The Kaspersky scanner is an online non-resident scanner that can run from IE, and can be used safely next to Avast on your computer.

SP2 can also be obtained online: http://go.microsoft.com/?linkid=3646727

That's it,

polonus a.k.a. Damian
Title: Re: PowerKord 's vundo
Post by: 1975maggie on January 28, 2008, 11:33:04 PM
Hi Vince

Part of oldman's usual clean up spiel for your java

Open an Internet Explorer (only) window and go to http://java.sun.com/javase/downloads/index.jsp > Scroll down to "Java Runtime Environment (JRE) 6 Update 4...allows end-users to run Java applications".

Click the download button on the right.

 > If Information Bar pop-ups up, right-click on it and say it's OK to display the blocked content.

 You do not have to install the Java Web Start ActiveX Control


Accept the license agreement > Click on Windows (XP, Vista, etc.) Offline Installation, Multi-language and Save the file jre-6u4-windows-i586-p.exe to your desktop; do not Run it.

When the download is complete, Open Control Panel > Add/Remove Programs:

Uninstall anything that says Sun Java, Java JRE, or similar.

Close Add/Remove Programs.

In Windows Explorer, navigate to C:\Program Files\Java <=this folder, if found. Delete any subfolders it may contain.

Do NOT delete C:\Program Files\JavaVM <=this folder, if found!

Reboot your computer.

Double-click on the saved file to install the update.

Delete the downloaded installation file after completing the above procedure  and reboot if not prompted to do so.


Hope it helps!

For AVZ just delete the entire AVZ folder from C:\ and your Windows would be 32-bit


Title: Re: PowerKord 's vundo
Post by: PowerKord on January 29, 2008, 01:36:12 AM
Thanks, Polonus, and Maggie,

I may require a clarification of some things, but for now let me just ask:

I installed "Home Keylogger" a few minutes ago to record my info in case of a crash, as a backup. Guess what--after installing, Avast detected two trojans, Win32:trojan-gen, and another one.

How come SpywareBlaster, which is installed, didn't utter a peep? Is it because these were viruses and not malware? But for that matter SB didn't make a sound, either, when I downloaded and installed the keylogger (Avast did). How come?

Your thoughts?

Best,

vince

PS. Both of these infections now appear gone (are they?).
Title: Re: PowerKord 's vundo
Post by: 1975maggie on January 29, 2008, 01:42:44 AM
Hey Vince

The problem with keyloggers is they can be used for good and evil, so an av detection is not definitive.

I'd suggest submitting the detected file to virustotal and see what other av have to say.
Title: Re: PowerKord 's vundo
Post by: PowerKord on January 29, 2008, 01:56:47 AM
essexboy! oldman!

Am I infected again?

Please see attached file resulting from a partial Avast scan, and read above posting re keylogger!

Thanks for your suggestion Maggie. These guys have been helping me, so maybe they'll take a look at this, too. I understand that oldman is quite knowledgable, and essexboy is a real tech master!

Warm Regards,

vince
Title: Re: PowerKord 's vundo
Post by: oldman on January 29, 2008, 02:08:47 AM
Hi Vince

Most of the detections are tools. Like 1975maggie mentioned, keylogger detections can be confusing. They can be used for good and evil. Follow her suggestion and submit the file(s) for analysis. I think anything that is detected as "tool" is OK. The others are probably ok also, just that they are associated with a keylogger program.

BTW 1975maggie just called my attention to this concern of yours.

Essexboy may have a different view.

Take care.
Title: Re: PowerKord 's vundo
Post by: PowerKord on January 29, 2008, 02:40:11 AM
Well take a look at my capture--at least one of those detections listed is a bona fide virus: Win32:trojan-gen.

BTW, my system just rebooted for some reason.

I'm scanning again now with Avast. I was going to try the Kaspersky online scanner, but you have to enable ActiveX to do it!

After Avast detected those for the first time, I moved them to the chest, but I think it detected them again after that. This new scan will confirm that, or not. The listings in my capture aren't Avast detecting viruses in its own chest, right?

This is unbelievable. F*cking Home Keylogger!

----------------------

I tried to do a system restore, to move back to before I acquired this latest virus. But the restore failed!

Now, the space on my C drive is essentially gone!

Before I tried the Restore I ran cleanup, since Avast detected one or more instances of a virus in one or more temp files.

What is going on here, and what do I do? Below is a new HJT log.

HELP!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:28:40 AM, on 1/29/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\WINDOWS\System32\tp4serv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\HyperSnap 6\HprSnap6.exe
C:\Program Files\mozilla.org\SeaMonkey\seamonkey.exe
C:\WINDOWS\system32\cleanmgr.exe
C:\WINDOWS\explorer.exe
E:\Files That Change Infrequently\Software Backups\Hijack This\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://messageofhope.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.integrity.com:80
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKLM\..\Run: [trackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ACDSee] C:\Program Files\ACD Systems\ACDSee\9.0\ACDSee9.exe /tray
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: HyperSnap 6.lnk = C:\Program Files\HyperSnap 6\HprSnap6.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1201498085982
O17 - HKLM\System\CCS\Services\Tcpip\..\{622850C9-2536-4A0E-9F3D-49149C1237F8}: NameServer = 64.136.173.5 64.136.164.77
O17 - HKLM\System\CCS\Services\Tcpip\..\{D14F581C-AD5C-4482-9892-2D28DEA465B2}: NameServer = 69.57.146.14,69.57.147.175
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: DM1Service - OLYMPUS Corporation - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE

--
End of file - 5295 bytes
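The log above is in the HijackThis format this whole thread revolves around, and the helpers read the same few things in it every time. As an added example (not code from the thread, from HijackThis or from any of the helpers posting here), the following Python parses that format and applies a handful of triage heuristics to a subset of the lines posted above: entries marked "(file missing)", O23 services HJT could not attribute to an owner, O4 Run values with no full path, O17 name servers not on an allowlist you supply, O20 Winlogon Notify DLLs, and a configured IE proxy. The categories and the allowlist are the author's assumptions, not verdicts HJT itself produces; the sample lines are a subset of the posted log.

```python
"""Triage heuristics for a HijackThis (HJT) log.

Added example, not code from the thread, from HijackThis or from any of the
helpers here. The sample lines are a subset of the HJT log posted above; the
categories and the "known DNS" allowlist are the author's assumptions.
"""
import re

# Constructed sample: a subset of the HJT log posted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.integrity.com:80
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{622850C9-2536-4A0E-9F3D-49149C1237F8}: NameServer = 64.136.173.5 64.136.164.77
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
"""

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_hjt(text):
    """Yield (section, body, raw_line) for every 'Oxx - ...' / 'Rx - ...' line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("sec"), m.group("body"), raw.strip()


def bho_clsids(text):
    """CLSIDs of every O2 (Browser Helper Object) entry, in log order."""
    return [c for sec, body, _ in parse_hjt(text) if sec == "O2"
            for c in CLSID_RE.findall(body)[:1]]


def triage(text, known_dns=()):
    """Return (category, section, line) findings worth a second look.

    Categories (author's assumptions):
      orphan                - entry points at a file that no longer exists
      unknown-owner-service - HJT could not attribute the service binary
      bare-path-autorun     - Run value without a full path, resolved through
                              the search path at logon
      dns-server            - NameServer not in the caller's allowlist
      winlogon-notify       - DLL loaded into winlogon.exe; review each one
      proxy                 - a proxy is configured for Internet Explorer
    """
    findings = []
    for sec, body, raw in parse_hjt(text):
        if body.endswith("(file missing)"):
            findings.append(("orphan", sec, raw))
        if sec == "O23" and "Unknown owner" in body:
            findings.append(("unknown-owner-service", sec, raw))
        if sec == "O4":
            m = re.search(r"\]\s*(\S+)", body)  # first token after [name]
            if m and "\\" not in m.group(1):
                findings.append(("bare-path-autorun", sec, raw))
        if sec == "O17":
            m = re.search(r"NameServer = (.+)$", body)
            servers = re.split(r"[ ,]+", m.group(1).strip()) if m else []
            if any(s not in known_dns for s in servers):
                findings.append(("dns-server", sec, raw))
        if sec == "O20":
            findings.append(("winlogon-notify", sec, raw))
        if sec == "R1" and "ProxyServer" in body:
            findings.append(("proxy", sec, raw))
    return findings


if __name__ == "__main__":
    for cat, sec, line in triage(SAMPLE_LOG, known_dns=("64.136.173.5",)):
        print(f"{cat:22} {sec:4} {line}")
```

None of these categories is proof of infection on its own: the SUPERAntiSpyware Winlogon Notify entry and the QCONSVC ThinkPad service in the sample are legitimate, as the thread itself concludes. They are simply the lines a helper reads first, and the script saves re-reading a 5 KB log by hand every time a new one is posted.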
Title: Re: PowerKord 's vundo
Post by: 1975maggie on January 29, 2008, 06:50:10 AM
Hi

One thing to remember about system restore, is that it is not a drive image. It is only a portion of the registry and files. SR may or may not change the things you are trying to change.

Did you try submitting any of the files avast detected to virustotal? Just because avast says they are infected, doesn't mean they are. Especially in the case of a keylogger. Looking at the avast log only says what avast detects it as. Other avs probably have a different name, if they even detect it.

Because of the below, some avs don't detect commercial keyloggers.

Keyloggers are usually detected as tools and because of the stealth methods they use. Afterall that is their purpose. As mentioned they can be used for good or evil. A legitimate keylogger is different from a trojan that has keylogging ability, though their operating methods are the same.

My suggestion is extract one or more files from the avast chest to a temp location and submit them and see what other avs detect. You may find either no detection or a tool detection.

If it turns out to be a truely infected file, then at least you will know what it is.

Nothing in the log jumps out, except old java.

Kaspersky, go ahead and do it; you can reset the ActiveX after you do the scan and before you leave their site.

Title: Re: PowerKord 's vundo
Post by: PowerKord on January 29, 2008, 07:47:58 AM
Maggie, Hi,

...a temp location like where?

Would a folder on my desktop do it?

Thx.

vince
Title: Re: PowerKord 's vundo
Post by: 1975maggie on January 29, 2008, 07:56:37 AM
Yes, just create a folder on your desktop, easy to find and remember.  :)

Use right click, extract when you move the file(s)
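Two things in this thread come together at this point: the "Unable to scan: archive is password protected" lines PowerKord asked about (which oldman attributes to the quarantine and signature files of other security tools) and 1975maggie's advice to extract a detected file to a folder and submit it to VirusTotal. As an added example (not from the thread or from avast), the Python below reads the encryption flag in a ZIP's central directory to tell a password-protected archive from one a scanner can open, and hashes each sample so the hash can be looked up on VirusTotal before anything is uploaded. The sample archive is constructed in memory; the "locked" variant only sets the flag rather than encrypting, which is the author's shortcut to reproduce what a scanner sees, and the VirusTotal URL format is assumed.

```python
"""Tell a password-protected archive from a scannable one, and hash samples
for a VirusTotal lookup.

Added example, not from the thread or from avast. ZIP marks encryption with
bit 0 of each entry's general-purpose flag, which is what a scanner sees when
it reports "archive is password protected"; this reads that flag without
trying to open the entries. The sample archive is constructed in memory and
the "encrypted" variant only sets the flag (it does not really encrypt).
"""
import hashlib
import io
import struct
import zipfile

SAMPLE_PAYLOAD = b"constructed sample, not malware"  # constructed, harmless


def build_sample_zip(payload=SAMPLE_PAYLOAD):
    """Constructed plain ZIP containing one file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("sample.txt", payload)
    return buf.getvalue()


def mark_encrypted(data):
    """Constructed test helper: set the 'encrypted' flag (bit 0) in every local
    file header (flags at offset 6) and central-directory entry (offset 8)
    without encrypting anything, which is all a scanner looks at."""
    buf = bytearray(data)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = buf.find(sig)
        while pos != -1:
            (flags,) = struct.unpack_from("<H", buf, pos + off)
            struct.pack_into("<H", buf, pos + off, flags | 0x1)
            pos = buf.find(sig, pos + 4)
    return bytes(buf)


def is_encrypted_zip(data):
    """True if any entry in the archive carries the encryption flag.
    Only the central directory is read, so no password is needed."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(info.flag_bits & 0x1 for info in zf.infolist())


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def vt_url(digest):
    """Lookup URL for the VirusTotal web UI (assumed format)."""
    return f"https://www.virustotal.com/gui/file/{digest}"


def triage_samples(samples):
    """samples: {name: bytes}. Returns one record per sample: its SHA-256 (for
    a hash lookup before uploading anything), whether it is a ZIP, and whether
    that ZIP is password protected and therefore opaque to a scanner."""
    out = []
    for name, data in samples.items():
        rec = {"name": name, "sha256": sha256(data), "zip": False, "encrypted": False}
        if zipfile.is_zipfile(io.BytesIO(data)):
            rec["zip"] = True
            rec["encrypted"] = is_encrypted_zip(data)
        out.append(rec)
    return out


if __name__ == "__main__":
    plain = build_sample_zip()
    samples = {"plain.zip": plain, "locked.zip": mark_encrypted(plain),
               "raw.bin": SAMPLE_PAYLOAD}
    for rec in triage_samples(samples):
        print(rec, vt_url(rec["sha256"]))
```

A quarantine archive that reports as encrypted is exactly what oldman describes, a container the scanner cannot look inside by design; a hash lookup on the extracted file tells you whether VirusTotal has already seen it without uploading anything, and an encrypted archive belonging to no security tool you installed is the case worth a closer look.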
Title: Re: PowerKord 's vundo
Post by: PowerKord on January 29, 2008, 09:02:08 AM
Maggie, after uploading the files, how do I safely delete them from the folder I just created?

VT seems conflicted about these two files. Some scanners flag them as malware and high-risk; others do not.
Title: Re: PowerKord 's vundo
Post by: PowerKord on January 29, 2008, 09:11:46 AM
Ok, the plot is thickening considerably; Avast just detected Win32:Agent-PSG.

And SuperAntiSpyware has detected, so far, three trojans (including a Vundo), a rootkit, and 224 adware cookies.

essexboy? oldman? essexboy? oldman?

HELP !!!

(Don't get me wrong, Maggie, I very much appreciate your help, as well.)
Title: Re: PowerKord 's vundo
Post by: polonus on January 29, 2008, 12:32:18 PM
Hi PowerKord,

If you have previously downloaded ComboFix,please delete that version now.
Warning
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an expert, NOT for private use.
Using this tool incorrectly could render your system/pc inoperable.

Now download Combofix http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe by sUBs and save to your desktop.
Alternative Combofix download link HERE.
Note
It is important that it is saved directly to your desktop
Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.
Do NOT post the ComboFix-quarantined-files.txt unless I ask.
Note
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

Also post a new Hijackthis log please.

polonus
Title: Re: PowerKord 's vundo
Post by: essexboy on January 29, 2008, 09:15:11 PM
There was nothing apparent in your log, and as previously stated a keylogger can be good or bad; there is no way of knowing for sure from an AV's point of view. As for the rootkit, that may be related to your keylogger, as they work at low level so as to be undetectable. The Vundo files/registry entries: this is dependent on the location, are they orphan registry entries/files? Cookies you will always get when you connect to the internet; you cannot avoid them. Win32:Agent-PSG: this is a keylogger, the one you downloaded?
Title: Re: PowerKord 's vundo
Post by: essexboy on January 29, 2008, 09:17:28 PM
Oops, forgot. Spywareblaster is passive; it just prevents certain registry entries being made. It has no warning or alert facility.
Title: Re: PowerKord 's vundo
Post by: polonus on January 29, 2008, 09:26:24 PM
Hi essexboy,

Let the man download Keyscrambler from here: http://www.qfxsoftware.com/Download.htm and install it.
Whatever he has there or not, keyscrambler will prevent his keystrokes from being watched by a third party or in a browser. Never had any trouble using it.

polonus
Title: Re: PowerKord 's vundo
Post by: PowerKord on January 29, 2008, 09:27:29 PM
ESSEXBOY

(polonus, see below)

hi. thanks.

THe two files avast flagged are:

win32:trojan-gen
win32:agent-iy

aren't these actual viruses? the first def seems to be, from what i read.

then later, sas flagged the rootkit, psg, etc. four in all. i removed them all anyway.

i thought a system restore would help. but windows reported that the restore failed, and right after that my C drive was devoid of all memory. about 1.5 gig has come back after running that 3rd party cleanup, but i thought i had more mem initially on C.

How did the failed restore cause the memory loss, and how can i get it all back?

ive had windows cleanup running now for like, maybe 8 or 10 hours. it just sits there saying calculating, scanning to compress old files. is this thing working? maybe it is but taking so long bec my drive is 18 gb full?

i ran that 3rd party cleanup and it cleared a bunch of files. i deleted ie temp files and cookies.  i also now have comodo firewall running.

i then tried to install 007 keylogger, no reports on download.com of malware in it, but the install was missing a file and failed. now i cant launch the program and thus cant deinstall it. it's not listed in add/remove.

and in all, my system operation has slowed to a crawl.

wtf is going on here? my system was perfect after your help but has now utterly imploded!

POLONUS--

ok, downloading cf

bad time for all this as i need my pc to do medical research for my dads surgery, 80 yo, tomorrow.
Title: Re: PowerKord 's vundo
Post by: polonus on January 29, 2008, 09:34:54 PM
Hi Powerkord,

Also test what is on your box with this proggie, kldetector!
http://dewasoft.com/privacy/kldetector.htm

cheers,

polonus
Title: Re: PowerKord 's vundo
Post by: polonus on January 29, 2008, 09:40:37 PM
Hi PowerKord,

007 keylogger is SPYWARE. Get rid of it in the way described below, and follow the instructions to the dot or print them out and put them beside your box to do this meticulously as described, http://www.spywareremove.com/remove007SpySoftware.html (Only use the instructions from this page, do not download anything from there!).

polonus
Title: Re: PowerKord 's vundo
Post by: PowerKord on January 30, 2008, 02:51:13 AM
Hi, polonus,

I should probably make clear that I installed 007 deliberately, as I'm trying--in vain apparently--to find a small, well-designed, safe, keylogger for text backup in case of crashes. Do you know of one?

I'm going to remove 007, but when you say it's spyware, do you mean it installs malware or something on my system? I know its purpose is to spy on people; I was just trying it because it also happens to have a keylogger function, as I want, and none of the download.com reviews indicated spyware or malware.

Rather than go through the elaborate removal instructions, what if I just email them, tell them the problem, and see if they have a way for me to remove the program; then I can just do further HJT/CF scans or whatever afterward to see if there are any remnants left.

And yes, this does assume that they'll tell me the truth, *and* did not deposit any malware on my system.

Back soon after I run CF, at least.

BTW, I just don't get it. The company that publishes 007 seems completely legit, they charge $40 for the product--isn't that the way they make money? Why would they endanger the reputation of their product by hiding malware in it, assuming they are?

vince
Title: Re: PowerKord 's vundo
Post by: PowerKord on January 30, 2008, 04:26:58 AM
ComboFix 08-01-30.1 - Vincent Christopher 2008-01-29 22:04:01.7 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.1.1252.1.1033.18.135 [GMT -5:00]
Running from: C:\Documents and Settings\Vincent Christopher\Desktop\ComboFix.exe
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((   Files Created from 2007-12-28 to 2008-01-30  )))))))))))))))))))))))))))))))
.

2008-01-28 21:56 . 2008-01-28 21:56   <DIR>   d--------   C:\Documents and Settings\Vincent Christopher\Application Data\Comodo
2008-01-28 21:55 . 2008-01-28 21:55   <DIR>   d--------   C:\WINDOWS\system32\bits
2008-01-28 15:46 . 2001-08-17 22:36   112,640   --a------   C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2008-01-28 15:46 . 2001-08-17 22:37   99,865   --a------   C:\WINDOWS\system32\dllcache\xlog.exe
2008-01-28 15:46 . 2001-08-17 22:37   27,648   --a------   C:\WINDOWS\system32\dllcache\xrxftplt.exe
2008-01-28 15:46 . 2001-08-17 22:36   23,040   --a------   C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2008-01-28 15:46 . 2001-08-17 12:49   18,688   --a------   C:\WINDOWS\system32\dllcache\wvchntxx.sys
2008-01-28 15:46 . 2001-08-17 22:36   17,408   --a------   C:\WINDOWS\system32\dllcache\xrxscnui.dll
2008-01-28 15:46 . 2001-08-17 12:11   16,970   --a------   C:\WINDOWS\system32\dllcache\xem336n5.sys
2008-01-28 15:46 . 2001-08-17 22:37   4,608   --a------   C:\WINDOWS\system32\dllcache\xrxflnch.exe
2008-01-28 15:44 . 2001-08-17 13:28   794,654   --a------   C:\WINDOWS\system32\dllcache\usr1801.sys
2008-01-28 15:43 . 2001-08-17 12:18   285,760   --a------   C:\WINDOWS\system32\dllcache\stlnata.sys
2008-01-28 15:42 . 2001-08-17 22:36   495,616   --a------   C:\WINDOWS\system32\dllcache\sblfx.dll
2008-01-28 15:41 . 2001-08-17 13:28   899,146   --a------   C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2008-01-28 15:40 . 2001-08-17 14:05   351,616   --a------   C:\WINDOWS\system32\dllcache\ovcodek2.sys
2008-01-28 15:39 . 2001-08-18 08:00   1,875,968   --a------   C:\WINDOWS\system32\dllcache\msir3jp.lex
2008-01-28 15:38 . 2001-08-17 13:28   797,500   --a------   C:\WINDOWS\system32\dllcache\ltsmt.sys
2008-01-28 15:37 . 2001-08-18 08:00   1,158,818   --a------   C:\WINDOWS\system32\dllcache\korwbrkr.lex
2008-01-28 15:36 . 2001-08-18 08:00   13,463,552   --a------   C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-01-28 15:35 . 2001-08-18 08:00   10,096,640   --a------   C:\WINDOWS\system32\dllcache\hwxcht.dll
2008-01-28 15:34 . 2001-08-17 13:28   634,134   --a------   C:\WINDOWS\system32\dllcache\el656ct5.sys
2008-01-28 15:33 . 2001-08-17 12:14   952,007   --a------   C:\WINDOWS\system32\dllcache\diwan.sys
2008-01-28 15:32 . 2001-08-18 08:00   1,677,824   --a------   C:\WINDOWS\system32\dllcache\chsbrkr.dll
2008-01-28 15:31 . 2001-08-17 13:28   871,388   --a------   C:\WINDOWS\system32\dllcache\bcmdm.sys
2008-01-28 15:30 . 2001-08-17 13:28   762,780   --a------   C:\WINDOWS\system32\dllcache\3cwmcru.sys
2008-01-28 15:29 . 2001-08-17 14:56   66,048   --a------   C:\WINDOWS\system32\dllcache\s3legacy.dll
2008-01-28 14:13 . 2008-01-28 21:56   <DIR>   d--------   C:\Program Files\SpywareBlaster
2008-01-28 04:52 . 2008-01-28 04:52   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Comodo
2008-01-28 04:48 . 2008-01-28 04:48   <DIR>   d--------   C:\Program Files\Comodo
2008-01-28 01:45 . 2005-02-24 22:35   22,752   --a------   C:\WINDOWS\system32\spupdsvc.exe
2008-01-28 01:44 . 2008-01-28 01:44   <DIR>   d--h-----   C:\WINDOWS\$hf_mig$
2008-01-28 01:15 . 2004-07-01 17:08   331,776   --a------   C:\WINDOWS\system32\winhttp.dll
2008-01-28 01:15 . 2004-07-01 17:08   331,776   --a------   C:\WINDOWS\system32\dllcache\winhttp.dll
2008-01-28 01:15 . 2004-06-30 18:59   158,720   ---------   C:\WINDOWS\system32\xpob2res.dll
2008-01-28 01:15 . 2004-07-01 17:08   17,408   --a------   C:\WINDOWS\system32\qmgrprxy.dll
2008-01-28 01:15 . 2004-07-01 17:08   17,408   --a------   C:\WINDOWS\system32\dllcache\qmgrprxy.dll
2008-01-28 01:15 . 2004-07-01 17:08   7,680   ---------   C:\WINDOWS\system32\dllcache\bitsprx2.dll
2008-01-28 01:15 . 2004-07-01 17:08   7,680   ---------   C:\WINDOWS\system32\bitsprx2.dll
2008-01-28 01:15 . 2004-07-01 17:08   7,168   ---------   C:\WINDOWS\system32\dllcache\bitsprx3.dll
2008-01-28 01:15 . 2004-07-01 17:08   7,168   ---------   C:\WINDOWS\system32\bitsprx3.dll
2008-01-28 00:33 . 2007-07-30 19:19   549,720   --a------   C:\WINDOWS\system32\wuapi.dll
2008-01-28 00:33 . 2007-07-30 19:19   325,976   --a------   C:\WINDOWS\system32\wucltui.dll
2008-01-28 00:33 . 2007-07-30 19:19   216,408   --a------   C:\WINDOWS\system32\wuaucpl.cpl
2008-01-28 00:33 . 2007-07-30 19:19   43,352   --a------   C:\WINDOWS\system32\wups2.dll
2008-01-28 00:33 . 2007-07-30 19:18   34,136   --a------   C:\WINDOWS\system32\wucltui.dll.mui
2008-01-28 00:33 . 2007-07-30 19:18   33,624   --a------   C:\WINDOWS\system32\wups.dll
2008-01-28 00:33 . 2007-07-30 19:19   25,944   --a------   C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-01-28 00:33 . 2007-07-30 19:19   25,944   --a------   C:\WINDOWS\system32\wuapi.dll.mui
2008-01-28 00:33 . 2007-07-30 19:18   20,312   --a------   C:\WINDOWS\system32\wuaueng.dll.mui
2008-01-18 01:51 . 2008-01-18 01:51   <DIR>   d--------   C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-01-18 01:30 . 2008-01-18 01:30   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-18 01:29 . 2008-01-29 00:57   <DIR>   d--------   C:\Program Files\SUPERAntiSpyware
2008-01-18 01:29 . 2008-01-18 01:29   <DIR>   d--------   C:\Documents and Settings\Vincent Christopher\Application Data\SUPERAntiSpyware.com
2008-01-18 01:25 . 2008-01-18 01:25   <DIR>   d--------   C:\Program Files\Common Files\Wise Installation Wizard
2008-01-10 04:28 . 2008-01-10 07:00   189   --a------   C:\WINDOWS\wininit.ini
2008-01-09 22:37 . 2008-01-10 07:26   155,648   --a------   C:\WINDOWS\system32\igfxtray.exe
2008-01-09 22:37 . 2008-01-10 07:26   114,688   --a------   C:\WINDOWS\system32\hkcmd.exe
2007-12-13 15:07 . 2007-12-13 15:07   3,856   --a------   C:\WINDOWS\crmtemp1.dat

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-29 02:56   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-28 06:11   ---------   d-----w   C:\Program Files\NoteTab Pro
2008-01-12 05:48   ---------   d-----w   C:\Program Files\Yahoo!
2007-12-26 16:17   ---------   d-----w   C:\Documents and Settings\Vincent Christopher\Application Data\Aim
2007-12-04 14:56   93,264   ----a-w   C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55   94,544   ----a-w   C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53   23,152   ----a-w   C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51   42,912   ----a-w   C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49   26,624   ----a-w   C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04   837,496   ----a-w   C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54   95,608   ----a-w   C:\WINDOWS\system32\AvastSS.scr
2007-10-19 07:19   118,784   ----a-w   C:\WINDOWS\SeaMonkeyUninstall.exe
2007-10-19 07:19   118,784   ----a-w   C:\WINDOWS\GREUninstall.exe
2007-10-10 21:47   58,728   ----a-w   C:\Documents and Settings\Vincent Christopher\Application Data\GDIPFONTCACHEV1.DAT
2006-03-20 22:17   1,971,010   ----a-w   C:\Documents and Settings\Vincent Christopher\mr_corporation.zip
.
Title: Re: PowerKord 's vundo
Post by: PowerKord on January 30, 2008, 04:27:50 AM

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 05:41 13312]
"ACDSee"="C:\Program Files\ACD Systems\ACDSee\9.0\ACDSee9.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2008-01-10 07:26 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2008-01-10 07:26 114688]
"LTSMMSG"="LTSMMSG.exe" [2001-08-02 10:28 45056 C:\WINDOWS\LTSMMSG.exe]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [ ]
"UC_SMB"="" []
"TPKMAPMN"="C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe" [2008-01-10 07:26 32835]
"TrackPointSrv"="tp4serv.exe" [2002-12-03 03:09 87552 C:\WINDOWS\system32\tp4serv.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 07:53 88363 C:\WINDOWS\AGRSMMSG.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe" [2008-01-10 07:27 32873]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2003-11-26 01:35 94208]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2008-01-28 04:48 1115728]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-08-29 05:41 13312]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Device Detector 3.lnk - C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe [2007-10-23 18:59:29 114688]
HyperSnap 6.lnk - C:\Program Files\HyperSnap 6\HprSnap6.exe [2007-08-13 04:18:08 2266712]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= C:\Program Files\Qualcomm\Eudora\EuShlExt.dll [ ]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders   msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll

R1 CSMBATT;CSMBATT;C:\WINDOWS\System32\drivers\CSMBATT.SYS [2003-02-10 11:39]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\System32\drivers\IBMBLDID.SYS [2001-07-30 04:05]
R1 TDOEM;TDOEM;C:\WINDOWS\System32\Drivers\TDOEM.SYS [2003-11-26 01:35]
R3 {A7E39B01-B403-11d4-BD18-00D0B7A1821E};AIM 3.0 Part 01 Codec Driver VCH-A;C:\WINDOWS\System32\drivers\Vch.sys [2002-07-31 09:12]
R3 EPPSCSIx;EPPSCSI Driver;C:\WINDOWS\System32\DRIVERS\EPPSCAN.sys [2002-03-06 13:20]
R3 Tp4Track;IBM PS/2 TrackPoint Driver;C:\WINDOWS\System32\DRIVERS\tp4track.sys [2002-12-03 03:09]
S1 vde4ndg1;AVZ-BC Kernel Driver;C:\WINDOWS\System32\Drivers\vde4ndg1.sys []
S3 LucentSoftModem;Lucent Technologies Soft Modem;C:\WINDOWS\System32\DRIVERS\LTSM.sys [2001-08-02 10:28]
S3 ma763004;M-Audio MobilePre USB;C:\WINDOWS\System32\drivers\MA763004.sys []
S3 MADFU804;MADFU804;C:\WINDOWS\System32\DRIVERS\MADFU804.sys []
S3 NUVision;Georgia USBVision (VD400);C:\WINDOWS\System32\DRIVERS\NUVision.sys [2001-09-16 11:32]
S3 PCDRDRV;Pcdr CPU Helper Driver;C:\WINDOWS\System32\drivers\PCDRDRV.sys []
S4 Nakido;Nakido;C:\WINDOWS\System32\nakido.exe [2004-09-29 23:07]

.
Contents of the 'Scheduled Tasks' folder
"2006-12-09 08:29:46 C:\WINDOWS\Tasks\BMMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\BMMTASK.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-29 22:07:19
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-29 22:11:36
Title: Re: PowerKord 's vundo
Post by: PowerKord on January 30, 2008, 04:28:49 AM
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:21:44 PM, on 1/29/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\WINDOWS\System32\tp4serv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\WINDOWS\System32\RunDll32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\HyperSnap 6\HprSnap6.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
E:\Files That Change Infrequently\Software Backups\Hijack This\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://messageofhope.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.integrity.com:80
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKLM\..\Run: [trackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ACDSee] C:\Program Files\ACD Systems\ACDSee\9.0\ACDSee9.exe /tray
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: HyperSnap 6.lnk = C:\Program Files\HyperSnap 6\HprSnap6.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1201498085982
O17 - HKLM\System\CCS\Services\Tcpip\..\{D14F581C-AD5C-4482-9892-2D28DEA465B2}: NameServer = 69.57.146.14,69.57.147.175
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: DM1Service - OLYMPUS Corporation - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE

--
End of file - 5119 bytes

--------------------------------------


Please also see my last post on page 7 of this thread!
Title: Re: PowerKord 's vundo
Post by: polonus on January 30, 2008, 04:46:17 PM
Hi PowerKord,

Fix these two entries in HijackThis, tag and give enter:
X  O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing) 
Nasty
Unnecessary (deactivated) entry that can be fixed. The entry Related has been identified as safe.
X  O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing) 
Neutral
Unnecessary (deactivated) entry that can be fixed. The entry Show &Related Links has been identified as safe.

polonus
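As an added example (not code from this thread, from HijackThis, or from any of the helpers here): a small Python triage script that applies the kind of check polonus just did by hand. It parses HijackThis `Rn`/`On` lines, marks entries whose target is reported as "(file missing)" as orphaned and safe to fix, groups orphaned entries that share the same CLSID so a paired button/menu item is fixed together, and puts DNS (O17) and Winlogon Notify (O20) entries on a review list because those load outside the user's control. The sample log is a constructed excerpt of the lines posted above, not the complete log; the verdict labels "fix" and "review" are this script's own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: a few lines excerpted from the HijackThis log posted
# above. Not the complete log, just enough to exercise each rule below.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://messageofhope.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{D14F581C-AD5C-4482-9892-2D28DEA465B2}: NameServer = 69.57.146.14,69.57.147.175
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"""

# HijackThis entry: section code (R0, O2, O9, ...), " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.+)$")
# CLSID / GUID in braces, as HijackThis prints it.
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class Entry:
    section: str            # e.g. "O9"
    body: str               # everything after "O9 - "
    guid: Optional[str]     # first GUID in the body, lower-cased, if any
    file_missing: bool      # HijackThis could not find the referenced file


def parse_hjt(text: str) -> List[Entry]:
    """Parse the Rn/On lines of a HijackThis log; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, process list, separators, blank lines
        body = m.group("body")
        g = GUID_RE.search(body)
        entries.append(Entry(
            section=m.group("section"),
            body=body,
            guid=g.group(0).lower() if g else None,
            file_missing="(file missing)" in body,
        ))
    return entries


def triage(entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """Return (verdict, reason, body) for each entry that deserves attention."""
    findings = []
    for e in entries:
        if e.file_missing:
            findings.append(("fix", "target file no longer exists; orphaned entry", e.body))
        elif e.section == "O17":
            findings.append(("review", "DNS servers: confirm they belong to your ISP or LAN", e.body))
        elif e.section == "O20":
            findings.append(("review", "Winlogon Notify DLL loads at every logon; confirm the publisher", e.body))
    return findings


def orphan_groups(entries: List[Entry]) -> Dict[str, List[str]]:
    """Group orphaned entries by GUID so a button/menu-item pair is fixed together."""
    groups = defaultdict(list)
    for e in entries:
        if e.file_missing:
            groups[e.guid or "(no guid)"].append(e.body)
    return dict(groups)


if __name__ == "__main__":
    ents = parse_hjt(SAMPLE_LOG)
    for verdict, reason, body in triage(ents):
        print(f"[{verdict:6}] {reason}\n         {body}")
    for guid, bodies in orphan_groups(ents).items():
        print(f"fix together ({guid}): {len(bodies)} entries")
```

On the sample above the script reaches the same conclusion as the post: the two O9 "Related" entries share one CLSID and both point at a file that no longer exists, so they are fixed as a pair; the O17 and O20 lines are not flagged as bad, only listed for a human to confirm, which is what the helpers did with this log.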
Title: Re: PowerKord 's vundo
Post by: PowerKord on February 01, 2008, 10:18:45 AM
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:17:31 AM, on 2/1/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\WINDOWS\System32\tp4serv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\WINDOWS\System32\RunDll32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\HyperSnap 6\HprSnap6.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\mozilla.org\SeaMonkey\seamonkey.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Documents and Settings\Vincent Christopher\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://messageofhope.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKLM\..\Run: [trackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ACDSee] C:\Program Files\ACD Systems\ACDSee\9.0\ACDSee9.exe /tray
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: HyperSnap 6.lnk = C:\Program Files\HyperSnap 6\HprSnap6.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1201498085982
O17 - HKLM\System\CCS\Services\Tcpip\..\{622850C9-2536-4A0E-9F3D-49149C1237F8}: NameServer = 64.136.173.5 64.136.164.77
O17 - HKLM\System\CCS\Services\Tcpip\..\{D14F581C-AD5C-4482-9892-2D28DEA465B2}: NameServer = 69.57.146.14,69.57.147.175
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: DM1Service - OLYMPUS Corporation - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE

--
End of file - 5090 bytes
Title: Re: PowerKord 's vundo
Post by: polonus on February 01, 2008, 01:23:34 PM
Hi PowerKord,

Nothing out of the ordinary here,

polonus