Author Topic: PowerKord 's vundo  (Read 53390 times)


PowerKord

  • Guest
Re: PowerKord 's vundo
« Reply #15 on: January 12, 2008, 05:45:57 AM »
Hello, oldman,

Ok, I performed the requested drag and drop. The result is below, in this post.

BTW, I'm wondering why Ardamax Keylogger is running. I installed it a long time ago but recall a problem; could it still be hanging around from my own installation? I'd like to uninstall or remove it.

Here is the CF result:

ComboFix 08-01-10.2 - Vincent Christopher 2008-01-11 22:16:30.4 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.1.1252.1.1033.18.180 [GMT -5:00]
Running from: C:\Documents and Settings\Vincent Christopher\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Vincent Christopher\Desktop\CFscript.txt
 * Created a new restore point

FILE
C:\TEMP\liHco0109.exe
C:\WINDOWS\system32\drivers\core.cache.dsk
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp\tn3
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
(((((((((((((((((((((((((   Files Created from 2007-12-12 to 2008-01-12  )))))))))))))))))))))))))))))))
.

2008-01-11 22:25 . 2008-01-11 22:25   <DIR>   d--------   C:\TEMP\tn3
2008-01-11 22:24 . 2008-01-11 22:24   932   ---------   C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-10 20:23 . 2000-08-31 08:00   51,200   --a------   C:\WINDOWS\NirCmd.exe
2008-01-10 04:28 . 2008-01-10 07:00   189   --a------   C:\WINDOWS\wininit.ini
2008-01-09 22:37 . 2008-01-10 07:26   155,648   --a------   C:\WINDOWS\system32\igfxtray.exe
2008-01-09 22:37 . 2008-01-10 07:26   114,688   --a------   C:\WINDOWS\system32\hkcmd.exe
2008-01-09 22:10 . 2008-01-09 22:10   <DIR>   d--------   C:\WINDOWS\system32\vt8
2008-01-09 22:10 . 2008-01-09 22:10   <DIR>   d--------   C:\WINDOWS\system32\ob3
2008-01-09 22:10 . 2008-01-09 22:10   <DIR>   d--------   C:\WINDOWS\system32\nz0
2008-01-09 22:10 . 2008-01-09 22:10   <DIR>   d--------   C:\WINDOWS\system32\che9
2008-01-09 22:10 . 2008-01-09 22:10   86,016   --a------   C:\WINDOWS\system32\drivers\mrxsmbb.sys
2008-01-09 22:09 . 2008-01-09 22:10   <DIR>   d--------   C:\WINDOWS\system32\mp2
2008-01-09 22:01 . 2008-01-09 22:01   <DIR>   d--------   C:\WINDOWS\system32\edcA01
2007-12-13 15:07 . 2007-12-13 15:07   3,856   --a------   C:\WINDOWS\crmtemp1.dat

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-02 07:41   ---------   d-----w   C:\Program Files\NoteTab Pro
2007-12-27 06:48   ---------   d-----w   C:\Program Files\Yahoo!
2007-12-26 16:17   ---------   d-----w   C:\Documents and Settings\Vincent Christopher\Application Data\Aim
2007-12-04 14:56   93,264   ----a-w   C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55   94,544   ----a-w   C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53   23,152   ----a-w   C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51   42,912   ----a-w   C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49   26,624   ----a-w   C:\WINDOWS\system32\drivers\aavmker4.sys
2007-11-25 08:58   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-11-19 17:21   ---------   d-----w   C:\Program Files\Viewpoint
2007-11-18 05:52   ---------   d-----w   C:\Program Files\AOD
2007-11-18 05:52   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-10-19 07:19   118,784   ----a-w   C:\WINDOWS\SeaMonkeyUninstall.exe
2007-10-19 07:19   118,784   ----a-w   C:\WINDOWS\GREUninstall.exe
2007-10-10 21:47   58,728   ----a-w   C:\Documents and Settings\Vincent Christopher\Application Data\GDIPFONTCACHEV1.DAT
2007-04-01 20:06   0   ----a-w   C:\Documents and Settings\Vincent Christopher\us145info.exe
2006-03-20 22:17   1,971,010   ----a-w   C:\Documents and Settings\Vincent Christopher\mr_corporation.zip
.

(((((((((((((((((((((((((((((   snapshot@2008-01-10_20.41.36.84   )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-11 01:26:42   245,760   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-12 03:15:57   245,760   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-11 01:26:42   8,192   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-12 03:15:57   8,192   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-11 01:26:42   245,760   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-12 03:15:59   6,291,456   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
- 2008-01-11 01:26:42   8,192   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-12 03:15:59   229,376   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-11 01:26:44   6,291,456   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-12 03:15:59   245,760   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-11 01:26:44   229,376   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-12 03:16:00   8,192   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
- 2008-01-11 01:26:58   262,144   ----a-w   C:\WINDOWS\system32\config\systemprofile\ntuser.dat
+ 2008-01-12 03:16:16   262,144   ----a-w   C:\WINDOWS\system32\config\systemprofile\ntuser.dat
+ 2008-01-12 03:25:24   16,384   ----atw   C:\WINDOWS\Temp\Perflib_Perfdata_5f4.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 05:41 13312]
"ACDSee"="C:\Program Files\ACD Systems\ACDSee\9.0\ACDSee9.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2008-01-10 07:26 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2008-01-10 07:26 114688]
"LTSMMSG"="LTSMMSG.exe" [2001-08-02 10:28 45056 C:\WINDOWS\LTSMMSG.exe]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [ ]
"UC_SMB"="" []
"TPKMAPMN"="C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe" [2008-01-10 07:26 32835]
"TrackPointSrv"="tp4serv.exe" [2002-12-03 03:09 87552 C:\WINDOWS\system32\tp4serv.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 07:53 88363 C:\WINDOWS\AGRSMMSG.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe" [2008-01-10 07:27 32873]
"Ardamax Keylogger"="C:\Program Files\Ardamax Keylogger Lite\akl.exe" [ ]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2003-11-26 01:35 94208]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-08-29 05:41 13312]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Device Detector 3.lnk - C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe [2007-10-23 18:59:29]
HyperSnap 6.lnk - C:\Program Files\HyperSnap 6\HprSnap6.exe [2007-08-13 04:18:08]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= C:\Program Files\Qualcomm\Eudora\EuShlExt.dll [ ]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders   msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll

R1 CSMBATT;CSMBATT;C:\WINDOWS\System32\drivers\CSMBATT.SYS [2003-02-10 11:39]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\System32\drivers\IBMBLDID.SYS [2001-07-30 04:05]
R1 mrxsmbb;mrxsmbb;C:\WINDOWS\System32\drivers\mrxsmbb.sys [2008-01-09 22:10]
R1 nbmkmd;nbmkmd;C:\WINDOWS\System32\drivers\nbmkmd.sys [1998-12-30 17:28]
R1 TDOEM;TDOEM;C:\WINDOWS\System32\Drivers\TDOEM.SYS [2003-11-26 01:35]
R2 Nakido;Nakido;C:\WINDOWS\System32\nakido.exe [2004-09-29 23:07]
R3 {A7E39B01-B403-11d4-BD18-00D0B7A1821E};AIM 3.0 Part 01 Codec Driver VCH-A;C:\WINDOWS\System32\drivers\Vch.sys [2002-07-31 09:12]
R3 EPPSCSIx;EPPSCSI Driver;C:\WINDOWS\System32\DRIVERS\EPPSCAN.sys [2002-03-06 13:20]
R3 Tp4Track;IBM PS/2 TrackPoint Driver;C:\WINDOWS\System32\DRIVERS\tp4track.sys [2002-12-03 03:09]
S3 LucentSoftModem;Lucent Technologies Soft Modem;C:\WINDOWS\System32\DRIVERS\LTSM.sys [2001-08-02 10:28]
S3 ma763004;M-Audio MobilePre USB;C:\WINDOWS\System32\drivers\MA763004.sys []
S3 MADFU804;MADFU804;C:\WINDOWS\System32\DRIVERS\MADFU804.sys []
S3 NUVision;Georgia USBVision (VD400);C:\WINDOWS\System32\DRIVERS\NUVision.sys [2001-09-16 11:32]
S3 PCDRDRV;Pcdr CPU Helper Driver;C:\WINDOWS\System32\drivers\PCDRDRV.sys []

.
Contents of the 'Scheduled Tasks' folder
"2006-12-09 08:29:46 C:\WINDOWS\Tasks\BMMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\BMMTASK.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-11 22:26:38
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2800.1106]
-> C:\Program Files\HyperSnap 6\dxsnap.dll
.
Completion time: 2008-01-11 22:31:37 - machine was rebooted
ComboFix-quarantined-files.txt  2008-01-12 03:31:30
ComboFix2.txt  2008-01-11 23:49:35
ComboFix3.txt  2008-01-11 03:27:31
ComboFix4.txt  2008-01-11 01:42:07
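As an added example (not code from this thread, from oldman, or from ComboFix): a small Python triage script that parses the 'Files Created' section and the R*/S* service lines of a log like the one above, and flags a freshly created .sys driver whose timestamp clusters with short, random-named folders dropped directly under system32, together with the service that loads it. The function names, the 15-minute window and the folder-name heuristic are my own assumptions; the sample lines are copied from the log above.

```python
"""ComboFix log triage: added example, not code from the thread or ComboFix.
Parses the 'Files Created' section and the R*/S* service lines, then flags a
freshly created .sys driver whose creation time clusters with short, random-
looking directories dropped directly under system32, plus the service that
loads it. Function names, the 15-minute window and the name heuristic are my
own assumptions, not ComboFix conventions."""
import re
from datetime import datetime

# Constructed sample: the relevant lines copied from the log in the thread.
SAMPLE_LOG = r"""
(((((((((((((((((((((((((   Files Created from 2007-12-12 to 2008-01-12  )))))))))))))))))))))))))))))))
.
2008-01-11 22:25 . 2008-01-11 22:25   <DIR>   d--------   C:\TEMP\tn3
2008-01-09 22:37 . 2008-01-10 07:26   155,648   --a------   C:\WINDOWS\system32\igfxtray.exe
2008-01-09 22:10 . 2008-01-09 22:10   <DIR>   d--------   C:\WINDOWS\system32\vt8
2008-01-09 22:10 . 2008-01-09 22:10   <DIR>   d--------   C:\WINDOWS\system32\ob3
2008-01-09 22:10 . 2008-01-09 22:10   <DIR>   d--------   C:\WINDOWS\system32\nz0
2008-01-09 22:10 . 2008-01-09 22:10   <DIR>   d--------   C:\WINDOWS\system32\che9
2008-01-09 22:10 . 2008-01-09 22:10   86,016   --a------   C:\WINDOWS\system32\drivers\mrxsmbb.sys
2008-01-09 22:09 . 2008-01-09 22:10   <DIR>   d--------   C:\WINDOWS\system32\mp2
2008-01-09 22:01 . 2008-01-09 22:01   <DIR>   d--------   C:\WINDOWS\system32\edcA01
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
R1 CSMBATT;CSMBATT;C:\WINDOWS\System32\drivers\CSMBATT.SYS [2003-02-10 11:39]
R1 mrxsmbb;mrxsmbb;C:\WINDOWS\System32\drivers\mrxsmbb.sys [2008-01-09 22:10]
"""

# Entry line:  created . modified   size|<DIR>   attrs   path
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>\S+)\s+(?P<path>.+?)\s*$")
# Service line: R = running, S = stopped; the digit is the start type
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?) \[(?P<stamp>[^\]]*)\]$")
SYSTEM32 = "c:\\windows\\system32\\"
# Heuristic (assumption): 2-5 letters followed by 1-3 digits, e.g. vt8, edcA01
ODD_DIR_RE = re.compile(r"^[a-z]{2,5}\d{1,3}$", re.IGNORECASE)


def parse_files_created(log_text):
    """Return the entries of the 'Files Created' section as dicts."""
    entries, in_section = [], False
    for line in log_text.splitlines():
        if "Files Created from" in line:
            in_section = True
        elif in_section and line.startswith("(((("):
            break                                   # next section header
        elif in_section and (m := ENTRY_RE.match(line)):
            entries.append({
                "created": datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
                "is_dir": m["size"] == "<DIR>",
                "path": m["path"]})
    return entries


def parse_services(log_text):
    """Return every R*/S* service line as a dict (state, name, path, ...)."""
    matches = (SERVICE_RE.match(line) for line in log_text.splitlines())
    return [m.groupdict() for m in matches if m]


def is_odd_system32_dir(entry):
    """New directory directly under system32 with a short name ending in
    digits, the naming pattern of the dropped folders in this thread."""
    path = entry["path"].lower()
    if not entry["is_dir"] or not path.startswith(SYSTEM32):
        return False
    name = path[len(SYSTEM32):]
    return "\\" not in name and ODD_DIR_RE.match(name) is not None


def is_new_driver(entry):
    """Newly created .sys file under system32\\drivers."""
    path = entry["path"].lower()
    return (not entry["is_dir"] and "\\system32\\drivers\\" in path
            and path.endswith(".sys"))


def correlate(entries, services, window_minutes=15):
    """One finding per new driver: the service that loads it (if any) and
    the odd system32 directories created within window_minutes of it."""
    by_path = {s["path"].lower(): s for s in services}
    odd_dirs = [e for e in entries if is_odd_system32_dir(e)]
    findings = []
    for drv in (e for e in entries if is_new_driver(e)):
        svc = by_path.get(drv["path"].lower())
        near = [d["path"] for d in odd_dirs if abs(
            (d["created"] - drv["created"]).total_seconds()) <= window_minutes * 60]
        findings.append({"driver": drv["path"], "created": drv["created"],
                         "service": svc["name"] if svc else None,
                         "start": svc["state"] if svc else None,
                         "related_dirs": sorted(near)})
    return findings
```

On the sample it reports mrxsmbb.sys (service mrxsmbb, R1) with the six folders vt8, ob3, nz0, che9, mp2 and edcA01, which are exactly the folders targeted later in the thread; C:\TEMP\tn3 is ignored because it is not under system32.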

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: PowerKord 's vundo
« Reply #16 on: January 12, 2008, 05:53:21 AM »
Hi PowerKord

How's it going? I was just replying to you regarding the avast icon and saw your post.

I don't know why the keylogger is running, go ahead and uninstall it if you wish.

I cannot find the missing file C:\WINDOWS\System32\DRIVERS\MADFU804.sys in the removed files. However ashdisp was there as infected. I fear you may have also been hit with a nasty vundo variant, which attacks exe files. Generally, combofix can repair them. If not, a section will appear in the logs and they can be repaired on the next run with the proper command.

Since you ran combofix twice before I saw the log, that option may be gone. But we can try before we search for smitfraud.





Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt". Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.


Quote
RENV::
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe



This will start ComboFix again. Close all browser windows first. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new DSS log.


A little info on the files. Remember, only the exe was removed, not the entire folder, so if you can, you could restore just the exe to the path shown and the program should work.

C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

Related to ThinkPad; you might be able to recover it from a disk.

C:\WINDOWS\system32\ctfmon.exe

MS Office XP language bar, only important if you use it; again, get the exe from the disk.

C:\Program Files\Alwil Software\Avast4\ashDisp.exe

avast icon; a repair of avast should replace it: Add/Remove Programs, uninstall, scroll down to repair.

Your choice of doing the comboscript and hoping the info is still there or just replacing the files. Let me know what you are going to do.





« Last Edit: January 12, 2008, 06:46:26 AM by oldman »

Offline oldman

Re: PowerKord 's vundo
« Reply #17 on: January 12, 2008, 06:12:43 AM »
Hey, I should have added that the other exes were repaired, so don't worry about them.  ;D

Offline oldman

Re: PowerKord 's vundo
« Reply #18 on: January 12, 2008, 07:52:05 AM »
I waited for you to reply in regards to your choice in trying to restore the 3 exe files. As I mentioned, they are easily restored by other means.

The vundo for the most part is gone. The one service may or may not be vundo. We may as well do a search for smitfraud, the service could be related. We'll see when you post your results.

Please do the following before proceeding. You can post all 3 at the same time.

@echo off
dir "C:\WINDOWS\system32\vt8" >> look.txt
start look.txt


Save it to your desktop, name it look.bat, set the file type as "all files" and click OK. You should have a file on your desktop with the icon shown at the bottom of this post.

Double click it, a note pad will appear, save it to your desktop so you can attach it to your next reply.


@echo off
dir "C:\WINDOWS\system32\edcA01" >> look1.txt
start look1.txt


Save it to your desktop, name it look1.bat, set the file type as "all files" and click OK. You should have a file on your desktop with the icon shown at the bottom of this post.

Double click it, a note pad will appear, save it to your desktop so you can attach it to your next reply.

Please download SmitfraudFix (by S!Ri) to your Desktop.
Download this tool from: http://siri.urz.free.fr/Fix/SmitfraudFix.exe
Double-click Smitfraudfix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply as an attachment. The report can be found at the root of the system drive, usually at C:\rapport.txt

IMPORTANT: Do NOT run any other options until you are asked to do so!

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool";
it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

« Last Edit: January 12, 2008, 08:05:50 AM by oldman »

PowerKord

Re: PowerKord 's vundo
« Reply #19 on: January 12, 2008, 08:47:14 AM »
Here's the CF log after plugging in your latest changes:

ComboFix 08-01-10.2 - Vincent Christopher 2008-01-12  1:10:50.5 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.1.1252.1.1033.18.170 [GMT -5:00]
Running from: C:\Documents and Settings\Vincent Christopher\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Vincent Christopher\Desktop\CFscript.txt
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp\tn3
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
(((((((((((((((((((((((((   Files Created from 2007-12-12 to 2008-01-12  )))))))))))))))))))))))))))))))
.

2008-01-12 01:19 . 2008-01-12 01:19   <DIR>   d--------   C:\TEMP\tn3
2008-01-11 22:24 . 2008-01-12 01:18   932   ---------   C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-10 20:23 . 2000-08-31 08:00   51,200   --a------   C:\WINDOWS\NirCmd.exe
2008-01-10 04:28 . 2008-01-10 07:00   189   --a------   C:\WINDOWS\wininit.ini
2008-01-09 22:37 . 2008-01-10 07:26   155,648   --a------   C:\WINDOWS\system32\igfxtray.exe
2008-01-09 22:37 . 2008-01-10 07:26   114,688   --a------   C:\WINDOWS\system32\hkcmd.exe
2008-01-09 22:10 . 2008-01-09 22:10   <DIR>   d--------   C:\WINDOWS\system32\vt8
2008-01-09 22:10 . 2008-01-09 22:10   <DIR>   d--------   C:\WINDOWS\system32\ob3
2008-01-09 22:10 . 2008-01-09 22:10   <DIR>   d--------   C:\WINDOWS\system32\nz0
2008-01-09 22:10 . 2008-01-09 22:10   <DIR>   d--------   C:\WINDOWS\system32\che9
2008-01-09 22:10 . 2008-01-09 22:10   86,016   --a------   C:\WINDOWS\system32\drivers\mrxsmbb.sys
2008-01-09 22:09 . 2008-01-09 22:10   <DIR>   d--------   C:\WINDOWS\system32\mp2
2008-01-09 22:01 . 2008-01-09 22:01   <DIR>   d--------   C:\WINDOWS\system32\edcA01
2007-12-13 15:07 . 2007-12-13 15:07   3,856   --a------   C:\WINDOWS\crmtemp1.dat

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-12 05:48   ---------   d-----w   C:\Program Files\Yahoo!
2008-01-02 07:41   ---------   d-----w   C:\Program Files\NoteTab Pro
2007-12-26 16:17   ---------   d-----w   C:\Documents and Settings\Vincent Christopher\Application Data\Aim
2007-12-04 14:56   93,264   ----a-w   C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55   94,544   ----a-w   C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53   23,152   ----a-w   C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51   42,912   ----a-w   C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49   26,624   ----a-w   C:\WINDOWS\system32\drivers\aavmker4.sys
2007-11-25 08:58   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-11-19 17:21   ---------   d-----w   C:\Program Files\Viewpoint
2007-11-18 05:52   ---------   d-----w   C:\Program Files\AOD
2007-11-18 05:52   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-10-19 07:19   118,784   ----a-w   C:\WINDOWS\SeaMonkeyUninstall.exe
2007-10-19 07:19   118,784   ----a-w   C:\WINDOWS\GREUninstall.exe
2007-10-10 21:47   58,728   ----a-w   C:\Documents and Settings\Vincent Christopher\Application Data\GDIPFONTCACHEV1.DAT
2007-04-01 20:06   0   ----a-w   C:\Documents and Settings\Vincent Christopher\us145info.exe
2006-03-20 22:17   1,971,010   ----a-w   C:\Documents and Settings\Vincent Christopher\mr_corporation.zip
.

(((((((((((((((((((((((((((((   snapshot@2008-01-10_20.41.36.84   )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-11 01:26:42   245,760   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-12 06:10:41   245,760   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-11 01:26:42   8,192   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-12 06:10:41   8,192   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-11 01:26:42   245,760   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-12 06:10:43   6,291,456   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
- 2008-01-11 01:26:42   8,192   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-12 06:10:43   229,376   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-11 01:26:44   6,291,456   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-12 06:10:43   245,760   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-11 01:26:44   229,376   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-12 06:10:43   8,192   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
- 2008-01-11 01:26:58   262,144   ----a-w   C:\WINDOWS\system32\config\systemprofile\ntuser.dat
+ 2008-01-12 03:16:16   262,144   ----a-w   C:\WINDOWS\system32\config\systemprofile\ntuser.dat
- 2008-01-11 01:36:23   16,384   ----atw   C:\WINDOWS\Temp\Perflib_Perfdata_5d4.dat
+ 2008-01-12 06:19:21   16,384   ----atw   C:\WINDOWS\Temp\Perflib_Perfdata_5d4.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 05:41 13312]
"ACDSee"="C:\Program Files\ACD Systems\ACDSee\9.0\ACDSee9.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2008-01-10 07:26 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2008-01-10 07:26 114688]
"LTSMMSG"="LTSMMSG.exe" [2001-08-02 10:28 45056 C:\WINDOWS\LTSMMSG.exe]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [ ]
"UC_SMB"="" []
"TPKMAPMN"="C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe" [2008-01-10 07:26 32835]
"TrackPointSrv"="tp4serv.exe" [2002-12-03 03:09 87552 C:\WINDOWS\system32\tp4serv.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 07:53 88363 C:\WINDOWS\AGRSMMSG.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe" [2008-01-10 07:27 32873]
"Ardamax Keylogger"="C:\Program Files\Ardamax Keylogger Lite\akl.exe" [ ]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2003-11-26 01:35 94208]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-08-29 05:41 13312]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Device Detector 3.lnk - C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe [2007-10-23 18:59:29]
HyperSnap 6.lnk - C:\Program Files\HyperSnap 6\HprSnap6.exe [2007-08-13 04:18:08]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= C:\Program Files\Qualcomm\Eudora\EuShlExt.dll [ ]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders   msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll

R1 CSMBATT;CSMBATT;C:\WINDOWS\System32\drivers\CSMBATT.SYS [2003-02-10 11:39]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\System32\drivers\IBMBLDID.SYS [2001-07-30 04:05]
R1 mrxsmbb;mrxsmbb;C:\WINDOWS\System32\drivers\mrxsmbb.sys [2008-01-09 22:10]
R1 nbmkmd;nbmkmd;C:\WINDOWS\System32\drivers\nbmkmd.sys [1998-12-30 17:28]
R1 TDOEM;TDOEM;C:\WINDOWS\System32\Drivers\TDOEM.SYS [2003-11-26 01:35]
R2 Nakido;Nakido;C:\WINDOWS\System32\nakido.exe [2004-09-29 23:07]
R3 {A7E39B01-B403-11d4-BD18-00D0B7A1821E};AIM 3.0 Part 01 Codec Driver VCH-A;C:\WINDOWS\System32\drivers\Vch.sys [2002-07-31 09:12]
R3 EPPSCSIx;EPPSCSI Driver;C:\WINDOWS\System32\DRIVERS\EPPSCAN.sys [2002-03-06 13:20]
R3 Tp4Track;IBM PS/2 TrackPoint Driver;C:\WINDOWS\System32\DRIVERS\tp4track.sys [2002-12-03 03:09]
S3 LucentSoftModem;Lucent Technologies Soft Modem;C:\WINDOWS\System32\DRIVERS\LTSM.sys [2001-08-02 10:28]
S3 ma763004;M-Audio MobilePre USB;C:\WINDOWS\System32\drivers\MA763004.sys []
S3 MADFU804;MADFU804;C:\WINDOWS\System32\DRIVERS\MADFU804.sys []
S3 NUVision;Georgia USBVision (VD400);C:\WINDOWS\System32\DRIVERS\NUVision.sys [2001-09-16 11:32]
S3 PCDRDRV;Pcdr CPU Helper Driver;C:\WINDOWS\System32\drivers\PCDRDRV.sys []

.
Contents of the 'Scheduled Tasks' folder
"2006-12-09 08:29:46 C:\WINDOWS\Tasks\BMMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\BMMTASK.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-12 01:20:11
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2800.1106]
-> C:\Program Files\HyperSnap 6\dxsnap.dll
.
Completion time: 2008-01-12  1:25:22 - machine was rebooted
ComboFix-quarantined-files.txt  2008-01-12 06:25:15
ComboFix2.txt  2008-01-12 03:31:37
ComboFix3.txt  2008-01-11 23:49:35
ComboFix4.txt  2008-01-11 03:27:31
ComboFix5.txt  2008-01-11 01:42:07

PowerKord

Re: PowerKord 's vundo
« Reply #20 on: January 12, 2008, 08:51:16 AM »
Hi, oldman,

You requested:

----------------------
Please do the following before proceding. You can post all 3 at the same time.

@echo off
dir "C:\WINDOWS\system32\vt8" >> look.txt
start look.txt

save it to your desktop, name it look.bat, and set the file type as all files 
----------------------

What exactly should I do with this code? Not clear to me.

Regards,

vince

Offline oldman

Re: PowerKord 's vundo
« Reply #21 on: January 12, 2008, 09:01:42 AM »
Sorry, so much for my canned post.  ???

It should be

Copy and paste the following into a new Notepad file:

@echo off
dir "C:\WINDOWS\system32\vt8" >> look.txt
start look.txt


Save it to your desktop, name it look.bat, and set the file type as "all files".

Double click it, a note pad will appear, save it to your desktop so you can attach it to your next reply.

Please do the same with the other, then run SmitfraudFix option 1.

PowerKord

Re: PowerKord 's vundo
« Reply #22 on: January 12, 2008, 11:07:14 PM »
Hi,

I'm again experiencing virus symptoms--popup windows appearing while I'm surfing, perhaps every 20 minutes or so. They seem to center somewhat around setthetrend.com. The windows that appear are only IE windows, I believe, regardless of whatever browser I'm using at the time.

Attached are the three latest requested files.

God I appreciate this help!

Regards,

vince

« Last Edit: January 12, 2008, 11:25:49 PM by PowerKord »

Offline oldman

Re: PowerKord 's vundo
« Reply #23 on: January 13, 2008, 02:19:09 AM »
Ok, your smitfraud log was clean.

Do you have an xp disk or do you have the recovery console installed on your computer?

Let's try to disable that service.

Click the Start button, then click Run.  In the empty field type services.msc and click OK.

In the window that opens locate mrxsmbb and double click it. On the General tab find the section titled Startup Type. Drop that down and select Disabled. Click OK.

Reboot your computer, navigate to C:\WINDOWS\System32\drivers\mrxsmbb.sys and rename the file to mrxsmbb.vir. Now upload it to Virus Total and let's see what we get.

You may have to show hidden files and folders


At the top of windows explorer, click tools, folder options, click the
view tab

 check Show hidden files and folders
 uncheck "Hide extensions for known file types" box
 uncheck "Hide protected operating system files" box




We'll try to yank as much of this out as we can.


Please download The Avenger by Swandog46 to your Desktop.





    1.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
Quote

Files to delete:
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\Documents and Settings\Vincent Christopher\us145info.exe

Folders to delete:
C:\TEMP\tn3
C:\WINDOWS\system32\vt8
C:\WINDOWS\system32\ob3
C:\WINDOWS\system32\nz0
C:\WINDOWS\system32\che9
C:\WINDOWS\system32\mp2
C:\WINDOWS\system32\edcA01




Note: the above code was created specifically for this user.  If you are not this user, do NOT follow these directions as they could damage the workings of your system.

2. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Copy/Paste all the text  in the above quote box into this window by
  • MAKE SURE THE TEXT MATCHES EXACTLY
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
3. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions.  This log file will be located at  C:\avenger.txt

4. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log  

PowerKord

Re: PowerKord 's vundo
« Reply #24 on: January 13, 2008, 09:13:46 PM »
Hello,

In the requested window I don't see any listing, on either tab, for mrxsmbb.

Also, why is it that when I clicked that window shut by clicking its close box in its upper right hand corner, my browser closed, as well?

Should I simply proceed with the Avenger instructions?

Thanks.

Best,

vince

Offline oldman

Re: PowerKord 's vundo
« Reply #25 on: January 13, 2008, 10:59:59 PM »
Quote
Hello,

In the requested window I don't see any listing, on either tab, for mrxsmbb.

I've run into that before, which is why I asked if you had XP CDs or the recovery console installed. We will have to go that route to disable the service.


Quote
Also, why is it that when I clicked that window shut by clicking its close box in its upper right hand corner, my browser closed, as well?

Not sure, unless in Windows' infinite wisdom, it's relating that window with a browser.


Quote
Should I simply proceed with the Avenger instructions?

Yes. The folders each have at least one BHO vundo in them.


PowerKord

Re: PowerKord 's vundo
« Reply #26 on: January 13, 2008, 11:11:22 PM »
Hi,

What service are we trying to delete/disable?

Also, is it possible to give me the instructions to perform this now, before I execute the Avenger instructions, that way I can do it all in one sequence? Because as you know, every time I perform a sequence I have to close all the apps and documents I'm presently using.

If so, let me know whether I should disable the service first or execute Avenger first.

Thanks much, again.

Yours,

vince

Offline oldman

Re: PowerKord 's vundo
« Reply #27 on: January 13, 2008, 11:40:47 PM »
Try to disable the service first and rename the file. You can report everything after you are finished.

But first, let's find out which reg keys are involved.

1. Launch Notepad, and copy/paste the contents of the quote box below into a new Notepad file. Save it with file name options.txt and save as file type: all files to your desktop. 
 
Quote
RegSearch Options File 
 
[Search] 

mrxsmbb.sys


[Exclude] 
 

[Options] 
Filter=KVDLUI
 

2. Download Registry Search to your desktop.
  • Right click on the compressed RegSearch folder, and choose "Extract All". In the box that pops open, click "Next", then "Next" again, and then "Finish". You now have another RegSearch folder on your desktop.
  • Open the new folder, and double click on regsearch.exe
  • Click "Import" in the lower left corner and browse to the options.txt file that you just saved on your desktop. Do not choose the one in the RegSearch folder itself.
  • Click OK and Registry Search will scan your registry for the file(s), and a Notepad box will open with a report.
  • Please reply here with the entire contents of the Notepad file from RegSearch.



These are the instructions for getting to the recovery console with the disks

-Start your computer with the Windows Setup floppy disks or with the Windows CD-ROM.
-At the 'Welcome to Setup' screen, press F10 or press R.
You should now see a list of installations and the prompt "Which Windows Installation would you like to log on to?"
-Select the appropriate number for the Windows installation that you want to repair.
-Type the administrator password and press Enter. If the administrator password does not exist, just press Enter.


When doing this, anything you see in curly brackets {} means an action; for example, {space} means 1 space and {enter} means the Enter key.

From the recovery console at the command prompt type the following

listsvc{enter}
disable{space}mrxsmbb{enter}
ren{space}C:\WINDOWS\System32\drivers\mrxsmbb.sys{space}mrxsmbb.vir{enter}

restart your computer.

The first command gives you a list of services; you can confirm the name from this list.
The second will disable it and the third will rename the file we want to test.

When you enter the disable command, Windows will show you the current start type for the service before changing it. Please make a note of it.



-After the file has been renamed, type exit to leave the recovery console, remove the Windows Setup floppy or Windows CD-ROM and restart the system normally.


After you reboot you will have to find the file so you can submit it to virustotal. Use the search function to find the file mrxsmbb.vir


I know it seems like a lot, just take your time and do it one step at a time.  8)

« Last Edit: January 14, 2008, 12:23:18 AM by oldman »

PowerKord

Re: PowerKord 's vundo
« Reply #28 on: January 14, 2008, 08:18:12 AM »
Hi, oldman,

You know, this was a really bad time to catch these virii and have to do all this technical work on my computer, as my 80 yo dad is in increasingly poor health, which itself is extremely stressful and time consuming.

Is there not an automated solution, like one or more pieces of software I can run, to resolve all this?

The only symptom I'm getting presently is a large popup window opening up sometimes while browsing.

I say this knowing and appreciating that your manual, hand-on diagnostic approach is the most system-specific and therefore the best.

Just curious.

Warmly,

vince

Offline oldman

Re: PowerKord 's vundo
« Reply #29 on: January 14, 2008, 09:46:09 AM »
First, sorry about your father, was there myself a few years ago.

If there was, I'd definitely be using it. Do the Avenger; those are the ones I think could be the cause of more problems. The service may be protecting them or it may just be protecting itself. We can deal with it after.

Take care.