Author Topic: PowerKord 's vundo  (Read 53395 times)

0 Members and 1 Guest are viewing this topic.

PowerKord

  • Guest
Re: PowerKord 's vundo
« Reply #30 on: January 15, 2008, 06:12:56 AM »
Hey,

Thanks for your expression of compassion re my father. Hope your experience wasn't too trying, or if it was, I hope it somehow led to a better and higher truth, level of understanding, or expression of love between you.

Here is the Avenger Log, followed by a new HJT log. BTW, any way to easily remove the remnant/s of Ardamax Keylogger Lite from my system? It's not listed in Add/Remove programs, but as you can see from the HJT log, it appears to be running, right?

And is there any way to tell if it's been sending my data to a server? Thanks.

Avenger

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\uehvytxh

*******************

Script file located at: \??\C:\uoyavgtr.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\drivers\core.cache.dsk deleted successfully.
File C:\Documents and Settings\Vincent Christopher\us145info.exe deleted successfully.
Folder C:\TEMP\tn3 deleted successfully.
Folder C:\WINDOWS\system32\vt8 deleted successfully.
Folder C:\WINDOWS\system32\ob3 deleted successfully.
Folder C:\WINDOWS\system32\nz0 deleted successfully.
Folder C:\WINDOWS\system32\che9 deleted successfully.
Folder C:\WINDOWS\system32\mp2 deleted successfully.
Folder C:\WINDOWS\system32\edcA01 deleted successfully.

Completed script processing.

*******************

Finished!  Terminate.


HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:11:49 AM, on 1/15/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\WINDOWS\System32\tp4serv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\WINDOWS\System32\RunDll32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\HyperSnap 6\HprSnap6.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\WINDOWS\System32\nakido.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\mozilla.org\SeaMonkey\seamonkey.exe
C:\Documents and Settings\Vincent Christopher\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://messageofhope.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=sp&mem=l2test&key=8289fae155a967d95764045ed9e8ff96&ts=3e668bd9&A=0&B=1021273200000&C=1021273200000&D=0&I=6.0B4&L=&M=1021273200000&N=&O=A
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.integrity.com:80
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKLM\..\Run: [trackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [Ardamax Keylogger] C:\Program Files\Ardamax Keylogger Lite\akl.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ACDSee] C:\Program Files\ACD Systems\ACDSee\9.0\ACDSee9.exe /tray
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: HyperSnap 6.lnk = C:\Program Files\HyperSnap 6\HprSnap6.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{622850C9-2536-4A0E-9F3D-49149C1237F8}: NameServer = 64.136.173.5 64.136.164.77
O17 - HKLM\System\CCS\Services\Tcpip\..\{D14F581C-AD5C-4482-9892-2D28DEA465B2}: NameServer = 69.57.146.14,69.57.147.175
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DM1Service - OLYMPUS Corporation - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Nakido - Unknown owner - C:\WINDOWS\System32\nakido.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/VINCEN~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 5137 bytes
« Last Edit: January 15, 2008, 06:17:35 AM by PowerKord »

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: PowerKord 's vundo
« Reply #31 on: January 16, 2008, 09:01:32 PM »
Well I don't know If I achieved all that, but I do know know, that no matter how painful, stressful it was at the time, I'm glad I was there.

Now on a brighter note, how is your computer? When you get a chance check out that other file please.

I hope you are not reading too much into "close all other applications". It just means any windows, browser you may have opened or minimized. Just in case of a reboot, windows won't have to try to close them for you.


The keylogger is designed for steath, so you probably won't find it in add/remove.

There are manual removal instructions, forget about the link to the removal tool, it's a link to spyware doctor and the free version will only detect it.

http://www.2-spyware.com/remove-ardamax-keylogger.html

Spyware Doctor is supposed to work, but it's not free. Spybot or superantispyware may work and they are free. I'd suggest giving SAS a shot. note sas may find the combofix/avenger files.

I'll you you the instructions

Download  superantispyware

First update SAS Then boot into safe mode.

Under Configuration and Preferences, click the Preferences button.
Then click the Scanning Control tab.

Under Scanner Options make sure the following are checked
- CHECK ALL BOXES




Return to the main page by clicking close on that screen. On the main screen, under Scan for Harmful Software click Scan your computer. On the left check C:\Fixed Drive.(and other fixed drives)
Under Complete Scan, choose Perform Complete Scan.
· Click Next to start the scan.

When the scan is done, quarentine everything found . Reboot if asked.

If you fix this line in HJT, it shouldn't start at startup. I can't tell if it's sending any info or not.

O4 - HKLM\..\Run: [Ardamax Keylogger] C:\Program Files\Ardamax Keylogger Lite\akl.exe

If you arre sure about that 024 line you can fix it also.

Sorry for the delay, a bit under the weather.

PowerKord

  • Guest
Re: PowerKord 's vundo
« Reply #32 on: January 18, 2008, 12:20:35 PM »
Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0

; Results at 1/18/2008 6:07:03 AM for strings:
;  'mrxsmbb.sys'
; Strings excluded from search:
;  (None)
; Search in:
; Registry Keys  Registry Values  Registry Data 
; HKEY_LOCAL_MACHINE  HKEY_USERS 


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mrxsmbb]
"ImagePath"="System32\\drivers\\mrxsmbb.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\mrxsmbb]
"ImagePath"="System32\\drivers\\mrxsmbb.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmbb]
"ImagePath"="System32\\drivers\\mrxsmbb.sys"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\sys]
"a"="C:\\WINDOWS\\system32\\drivers\\mrxsmbb.sys"

; End Of The Log...

--------------------------------------
I also ran SUPERAntiSpyware.

Now, re the procedure involving my Windows Setup floppy or Windows CD-ROM -- my ThinkPad came with none. For system re-installs all data is contained on a specially partitioned section of my hard drive; at startup I press F10 to call it up. I did so just now but it gives me just two options: full reformat with new install, and one other option I can't recall right now but it was not a repair option.

Please advise.

I also fixed/deleted the HJT line for Ardamax, the line for the desktop clip art, and one other line that apparently did not belong there. Last, I also deleted a line containing some sort of file-sharing program...nakido.exe or something like that? Just curious as to why you did not mention some of these other errant lines to me.

Last, you advised me to "check out that other file..." Which one? Did I do it already?

Thanks, and I await your further instruction on all of this.

vince

LATEST HJT LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:22:49 AM, on 1/18/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\WINDOWS\System32\tp4serv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\WINDOWS\System32\RunDll32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\HyperSnap 6\HprSnap6.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\mozilla.org\SeaMonkey\seamonkey.exe
C:\Documents and Settings\Vincent Christopher\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://messageofhope.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.integrity.com:80
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKLM\..\Run: [trackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ACDSee] C:\Program Files\ACD Systems\ACDSee\9.0\ACDSee9.exe /tray
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: HyperSnap 6.lnk = C:\Program Files\HyperSnap 6\HprSnap6.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{622850C9-2536-4A0E-9F3D-49149C1237F8}: NameServer = 64.136.173.5 64.136.164.77
O17 - HKLM\System\CCS\Services\Tcpip\..\{D14F581C-AD5C-4482-9892-2D28DEA465B2}: NameServer = 69.57.146.14,69.57.147.175
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DM1Service - OLYMPUS Corporation - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE

--
End of file - 4750 bytes
« Last Edit: January 18, 2008, 01:24:28 PM by PowerKord »

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: PowerKord 's vundo
« Reply #33 on: January 18, 2008, 05:56:09 PM »
This is the file I'm concerned about C:\WINDOWS\System32\drivers\mrxsmbb.sys It's a play on mrxsmb.sys which is a valid MS file.

I'll try to find a way to safely disable the service so we can check out the file.

The recovery console is one way, but you don't appear to have one. I'll get back to you.


How is everything else?

Both nakido.exe  and the keylogger are valid program/processes. Neither will install without your knowledge, so no need to suspect them. You installed the key logger yourself.
« Last Edit: January 20, 2008, 05:21:39 AM by oldman »

PowerKord

  • Guest
Re: PowerKord 's vundo
« Reply #34 on: January 18, 2008, 11:39:57 PM »
Hi, oldman,

(BTW, I'd be pleased to address you by your actual first name if you'd care to provide it. I'm assuming it's not "oldman"; though please forgive me if it is.)

I just searched my system and did find the file in question, in the location you specify. It's listed as an 84KB system file.

I deleted nakido.exe about 24 hours ago using HJT; you say it's valid but I did not bring it onto my system. Isn't it likely it came onboard stealthily?

Re the keylogger, I did install it some time ago, but from what I recall it didn't work properly and now I find it's apparently still running. I think it's gone now, though; would you concur?

BTW, I'm still getting these popups appearing. I just did a little test: it seems that whenever I perform a Google search from FireFox--but not SeaMonkey--a popup window appears. Is this a good clue?

Last, again, when you request that I "check out that other file..." do you refer to the file in question mentioned above, that we've been discussing?

Best,

vince
« Last Edit: January 18, 2008, 11:41:50 PM by PowerKord »

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: PowerKord 's vundo
« Reply #35 on: January 20, 2008, 04:47:19 AM »
Hi PowerKord , I've been called oldman for so long, I probably won't answer to anythind else. I even get birthday cards, Christmas presents etc,addressed to oldman.

Did SAS report removing ardamax? Fixing the line in HJT should prevent it from starting on startup.

As far as Nakido, as mentioned before, it is added by choice, quote from Bleeping Computers

"Added by the Nakido file sharing software. This software allows you to share files with other people on the Nakido network."

I don't know if you do any file sharing, but if you do, then perhaps its a requirement of that site.

It should appear in add/remove as Nakido. Again nothing sneaky about it.


Last I checked, you are one of 3 people in the world that has posted a log and own that file/driver. I've requested advice on the best way to diasble this service for investigation.
The best is via the recovery consle, but OEMs don;t have that feature.

I haven't forgotten about you.
« Last Edit: January 20, 2008, 05:22:35 AM by oldman »

PowerKord

  • Guest
Re: PowerKord 's vundo
« Reply #36 on: January 20, 2008, 08:59:22 AM »
Hi,

1. SAS did not even find Ardamax.

2. Is the presence of this bogus driver file on my system the reason I'm still getting popup windows? Is the virus contained in that one file?

Thanks.

Regards,

vince

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: PowerKord 's vundo
« Reply #37 on: January 20, 2008, 09:22:31 AM »
Hi,

1. SAS did not even find Ardamax.

2. Is the presence of this bogus driver file on my system the reason I'm still getting popup windows? Is the virus contained in that one file?


You are going to have to take care of the keylogger manually I suppose. I'll check with some other and see if they know of an easy way.

I'mm 99% sure that it's bogus, it's that 1% that makes me reluctant to go after it destructively. If it's what I suspect, it's a downloader, so it's downloading the odd bug. Sorry.

PowerKord

  • Guest
Re: PowerKord 's vundo
« Reply #38 on: January 20, 2008, 02:21:49 PM »
Hi,

>>>If it's what I suspect, it's a downloader, so it's downloading the odd bug.

1. Please explain!

2. And what did mean exactly when you said I was only one of three people to have this file? Is it some kind of very rare virus, or rare method of infection?

3. what do I do about it?

Thanks!

vince


Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: PowerKord 's vundo
« Reply #39 on: January 20, 2008, 07:26:29 PM »
I think that it's may be a trojan that goes by, well one name anyway, cutwail. I'm only basing this on it's behavior. It's not that it's rare, the name it's using is rare. I found only your log and 2 others when searching for that name.

There have been two cases on this forum recently, one I worked on and one other later. Both times the recovery console was used to disable the service so the file could be confirmed as infected.

Just hang on a solution to the recovery console is at hand.  :)

Please delete the copy of combofix.exe you have now. Download and run a new copy. Please post the new log. We want to be as clean as possible before we move on. We are close.

« Last Edit: January 20, 2008, 09:06:20 PM by oldman »

PowerKord

  • Guest
Re: PowerKord 's vundo
« Reply #40 on: January 20, 2008, 11:20:15 PM »
So merely deleting that one file manually won't do it? What will happen--it will recreate itself elsewhere on my system?

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: PowerKord 's vundo
« Reply #41 on: January 20, 2008, 11:22:46 PM »
it will recreate itself elsewhere on my system?
Yes... it's quite simple for a trojan to do so...
The best things in life are free.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: PowerKord 's vundo
« Reply #42 on: January 20, 2008, 11:31:33 PM »
So merely deleting that one file manually won't do it? What will happen--it will recreate itself elsewhere on my system?

Problem being right now, If you can't rename it, you can't delete it. I had you try renaming it all ready and you got an access denied.

Anyway go ahead and get the new combofix and we'll carry on.

PowerKord

  • Guest
Re: PowerKord 's vundo
« Reply #43 on: January 21, 2008, 04:55:12 AM »
ComboFix 08-01-20.1 - Vincent Christopher 2008-01-20 21:56:03.6 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.1.1252.1.1033.18.187 [GMT -5:00]
Running from: C:\Documents and Settings\Vincent Christopher\Desktop\ComboFix.exe
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp\tn3
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
(((((((((((((((((((((((((   Files Created from 2007-12-21 to 2008-01-21  )))))))))))))))))))))))))))))))
.

2008-01-20 22:05 . 2008-01-20 22:05   <DIR>   d--------   C:\TEMP\tn3
2008-01-20 22:03 . 2008-01-20 22:03   932   ---------   C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-18 01:51 . 2008-01-18 01:51   <DIR>   d--------   C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-01-18 01:30 . 2008-01-18 01:30   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-18 01:29 . 2008-01-18 01:54   <DIR>   d--------   C:\Program Files\SUPERAntiSpyware
2008-01-18 01:29 . 2008-01-18 01:29   <DIR>   d--------   C:\Documents and Settings\Vincent Christopher\Application Data\SUPERAntiSpyware.com
2008-01-18 01:25 . 2008-01-18 01:25   <DIR>   d--------   C:\Program Files\Common Files\Wise Installation Wizard
2008-01-12 17:18 . 2008-01-12 17:18   2,338   --a------   C:\WINDOWS\system32\tmp.reg
2008-01-10 20:23 . 2000-08-31 08:00   51,200   --a------   C:\WINDOWS\NirCmd.exe
2008-01-10 04:28 . 2008-01-10 07:00   189   --a------   C:\WINDOWS\wininit.ini
2008-01-09 22:37 . 2008-01-10 07:26   155,648   --a------   C:\WINDOWS\system32\igfxtray.exe
2008-01-09 22:37 . 2008-01-10 07:26   114,688   --a------   C:\WINDOWS\system32\hkcmd.exe
2008-01-09 22:10 . 2008-01-09 22:10   86,016   --a------   C:\WINDOWS\system32\drivers\mrxsmbb.sys

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-18 21:22   ---------   d-----w   C:\Program Files\NoteTab Pro
2008-01-12 05:48   ---------   d-----w   C:\Program Files\Yahoo!
2007-12-26 16:17   ---------   d-----w   C:\Documents and Settings\Vincent Christopher\Application Data\Aim
2007-12-04 14:56   93,264   ----a-w   C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55   94,544   ----a-w   C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53   23,152   ----a-w   C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51   42,912   ----a-w   C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49   26,624   ----a-w   C:\WINDOWS\system32\drivers\aavmker4.sys
2007-11-25 08:58   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-10-10 21:47   58,728   ----a-w   C:\Documents and Settings\Vincent Christopher\Application Data\GDIPFONTCACHEV1.DAT
2006-03-20 22:17   1,971,010   ----a-w   C:\Documents and Settings\Vincent Christopher\mr_corporation.zip
.

(((((((((((((((((((((((((((((   snapshot@2008-01-10_20.41.36.84   )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-11 01:26:42   245,760   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-21 02:55:38   245,760   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-11 01:26:42   8,192   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-21 02:55:38   8,192   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-11 01:26:42   245,760   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-21 02:55:38   245,760   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-11 01:26:42   8,192   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-21 02:55:38   8,192   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-11 01:26:44   6,291,456   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-21 02:55:40   6,295,552   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-11 01:26:44   229,376   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-21 02:55:40   229,376   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
- 2006-02-13 10:16:39   155,702   ----a-r   C:\WINDOWS\Installer\{91130409-6000-11D3-8CFE-0050048383C9}\bcicon.exe
+ 2008-01-18 06:13:43   155,702   ----a-r   C:\WINDOWS\Installer\{91130409-6000-11D3-8CFE-0050048383C9}\bcicon.exe
- 2006-02-13 10:16:39   34,304   ----a-r   C:\WINDOWS\Installer\{91130409-6000-11D3-8CFE-0050048383C9}\misc.exe
+ 2008-01-18 06:13:43   34,304   ----a-r   C:\WINDOWS\Installer\{91130409-6000-11D3-8CFE-0050048383C9}\misc.exe
- 2006-02-13 10:16:39   8,192   ----a-r   C:\WINDOWS\Installer\{91130409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
+ 2008-01-18 06:13:43   8,192   ----a-r   C:\WINDOWS\Installer\{91130409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
- 2006-02-13 10:16:40   3,584   ----a-r   C:\WINDOWS\Installer\{91130409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
+ 2008-01-18 06:13:43   3,584   ----a-r   C:\WINDOWS\Installer\{91130409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
- 2006-02-13 10:16:40   114,688   ----a-r   C:\WINDOWS\Installer\{91130409-6000-11D3-8CFE-0050048383C9}\outicon.exe
+ 2008-01-18 06:13:43   114,688   ----a-r   C:\WINDOWS\Installer\{91130409-6000-11D3-8CFE-0050048383C9}\outicon.exe
- 2006-02-13 10:16:39   16,384   ----a-r   C:\WINDOWS\Installer\{91130409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
+ 2008-01-18 06:13:43   16,384   ----a-r   C:\WINDOWS\Installer\{91130409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
- 2006-02-13 10:16:39   12,800   ----a-r   C:\WINDOWS\Installer\{91130409-6000-11D3-8CFE-0050048383C9}\pubs.exe
+ 2008-01-18 06:13:43   12,800   ----a-r   C:\WINDOWS\Installer\{91130409-6000-11D3-8CFE-0050048383C9}\pubs.exe
- 2006-02-13 10:16:40   22,528   ----a-r   C:\WINDOWS\Installer\{91130409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
+ 2008-01-18 06:13:43   22,528   ----a-r   C:\WINDOWS\Installer\{91130409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
- 2006-02-13 10:16:39   45,056   ----a-r   C:\WINDOWS\Installer\{91130409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
+ 2008-01-18 06:13:43   45,056   ----a-r   C:\WINDOWS\Installer\{91130409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
- 2006-02-13 10:16:39   90,112   ----a-r   C:\WINDOWS\Installer\{91130409-6000-11D3-8CFE-0050048383C9}\xlicons.exe
+ 2008-01-18 06:13:43   90,112   ----a-r   C:\WINDOWS\Installer\{91130409-6000-11D3-8CFE-0050048383C9}\xlicons.exe
+ 2008-01-18 06:29:52   29,696   ----a-r   C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
+ 2008-01-18 06:29:52   18,944   ----a-r   C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-01-18 06:29:52   65,024   ----a-r   C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
- 2008-01-11 01:26:58   262,144   ----a-w   C:\WINDOWS\system32\config\systemprofile\ntuser.dat
+ 2008-01-21 02:55:56   262,144   ----a-w   C:\WINDOWS\system32\config\systemprofile\ntuser.dat
+ 2008-01-21 03:04:32   16,384   ----atw   C:\WINDOWS\Temp\Perflib_Perfdata_5f0.dat
.
-- Snapshot reset to current date --
.

PowerKord

  • Guest
Re: PowerKord 's vundo
« Reply #44 on: January 21, 2008, 04:56:09 AM »
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 05:41 13312]
"ACDSee"="C:\Program Files\ACD Systems\ACDSee\9.0\ACDSee9.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2008-01-10 07:26 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2008-01-10 07:26 114688]
"LTSMMSG"="LTSMMSG.exe" [2001-08-02 10:28 45056 C:\WINDOWS\LTSMMSG.exe]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [ ]
"UC_SMB"="" []
"TPKMAPMN"="C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe" [2008-01-10 07:26 32835]
"TrackPointSrv"="tp4serv.exe" [2002-12-03 03:09 87552 C:\WINDOWS\system32\tp4serv.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 07:53 88363 C:\WINDOWS\AGRSMMSG.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe" [2008-01-10 07:27 32873]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2003-11-26 01:35 94208]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-08-29 05:41 13312]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Device Detector 3.lnk - C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe [2007-10-23 18:59:29 114688]
HyperSnap 6.lnk - C:\Program Files\HyperSnap 6\HprSnap6.exe [2007-08-13 04:18:08 2266712]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= C:\Program Files\Qualcomm\Eudora\EuShlExt.dll [ ]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders   msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll

R1 CSMBATT;CSMBATT;C:\WINDOWS\System32\drivers\CSMBATT.SYS [2003-02-10 11:39]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\System32\drivers\IBMBLDID.SYS [2001-07-30 04:05]
R1 mrxsmbb;mrxsmbb;C:\WINDOWS\System32\drivers\mrxsmbb.sys [2008-01-09 22:10]
R1 nbmkmd;nbmkmd;C:\WINDOWS\System32\drivers\nbmkmd.sys [1998-12-30 17:28]
R1 TDOEM;TDOEM;C:\WINDOWS\System32\Drivers\TDOEM.SYS [2003-11-26 01:35]
R3 {A7E39B01-B403-11d4-BD18-00D0B7A1821E};AIM 3.0 Part 01 Codec Driver VCH-A;C:\WINDOWS\System32\drivers\Vch.sys [2002-07-31 09:12]
R3 EPPSCSIx;EPPSCSI Driver;C:\WINDOWS\System32\DRIVERS\EPPSCAN.sys [2002-03-06 13:20]
R3 Tp4Track;IBM PS/2 TrackPoint Driver;C:\WINDOWS\System32\DRIVERS\tp4track.sys [2002-12-03 03:09]
S3 LucentSoftModem;Lucent Technologies Soft Modem;C:\WINDOWS\System32\DRIVERS\LTSM.sys [2001-08-02 10:28]
S3 ma763004;M-Audio MobilePre USB;C:\WINDOWS\System32\drivers\MA763004.sys []
S3 MADFU804;MADFU804;C:\WINDOWS\System32\DRIVERS\MADFU804.sys []
S3 NUVision;Georgia USBVision (VD400);C:\WINDOWS\System32\DRIVERS\NUVision.sys [2001-09-16 11:32]
S3 PCDRDRV;Pcdr CPU Helper Driver;C:\WINDOWS\System32\drivers\PCDRDRV.sys []
S4 Nakido;Nakido;C:\WINDOWS\System32\nakido.exe [2004-09-29 23:07]

.
Contents of the 'Scheduled Tasks' folder
"2006-12-09 08:29:46 C:\WINDOWS\Tasks\BMMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\BMMTASK.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-20 22:05:23
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2800.1106]
-> C:\Program Files\HyperSnap 6\dxsnap.dll
.
Completion time: 2008-01-20 22:10:24 - machine was rebooted
ComboFix-quarantined-files.txt  2008-01-21 03:10:16
ComboFix2.txt  2008-01-12 06:25:22
ComboFix3.txt  2008-01-12 03:31:37
ComboFix4.txt  2008-01-11 23:49:35
ComboFix5.txt  2008-01-11 03:27:31