Still infected?



Eldron
2007-08-10, 01:29
Hi,
I got infected with a few (or just one acting as a few??) Trojans recently and was very happy to find so much advice on this website!
I thought I had got rid of the trojan when I managed to stop the popup windows asking me to download some "antivirus" software, but my Norton firewall kept blocking attempts from several trojans to go online, yet the virus scan wouldn't find any of them.
The attempts came from: Magicantispy, adware.purityscan, infostealer.ldpinch, download, trojan.nebuler and trojan.vundo.
Just out of interest: is this just one trojan posing as many?
Well, I'd better get to the point of this post! So after I realized that I got infected with virtumundo I did everything that I could find in this forum to get rid of it (spybot, virtumundobegone, combofix, vundofix)...
The popups haven't come back yet, but I was wondering if there is any way to tell if it has really worked... And how come Norton doesn't pick up on it at all, it being quite a well known trojan?
I included a HijackThis log; maybe someone can tell me if it's still out there, just sleeping in a corner of my computer...
Thanks for your help!
Jan

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:05:25, on 10/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
F:\Downloads\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: PDFCreator Toolbar Helper - {C451C08A-EC37-45DF-AAAD-18B51AB5E837} - C:\Program Files\PDFCreator Toolbar\v3.0.0.0\PDFCreator_Toolbar.dll
O2 - BHO: (no name) - {CEEFA709-ED63-414B-8962-00254B92EC17} - C:\WINDOWS\system32\gebca.dll (file missing)
O3 - Toolbar: PDFCreator Toolbar - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Program Files\PDFCreator Toolbar\v3.0.0.0\PDFCreator_Toolbar.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

pskelley
2007-08-10, 20:38
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

You know Vundo is hard to get rid of; I see leftovers but nothing active. We will investigate. Here is what I would like you to do.

1) Move HJT to the C:\ drive like this: C:\HJT\HiJackThis.exe <<< now rename HJT.exe, call it Eldron.exe or whatever you wish. It will look like this:
C:\HJT\Eldron.exe in the HJT log.

2) Remove from your computer any of virtumundobegone, combofix, vundofix that is still on it; make sure you delete the backups and quarantine folders.

3) Restart the computer

4) Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
(You may edit out Microsoft, Hotfixes, Security Update for Windows XP, Update for Windows XP and Windows XP Hotfix to shorten the list)

5) Thanks to sUBs and anyone else who helped with this fix.

Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Post the uninstall list, the combofix report and a HJT log.

Thanks

Eldron
2007-08-10, 23:13
OK, here are the logs you wanted; I hope you can tell me what's going on. A Norton scan today came up with another virtumonde, but it might have been the files that were quarantined by combofix.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:06:30, on 10/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccLgView.exe
C:\HJT\Eldron.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: PDFCreator Toolbar Helper - {C451C08A-EC37-45DF-AAAD-18B51AB5E837} - C:\Program Files\PDFCreator Toolbar\v3.0.0.0\PDFCreator_Toolbar.dll
O2 - BHO: (no name) - {CEEFA709-ED63-414B-8962-00254B92EC17} - C:\WINDOWS\system32\gebca.dll (file missing)
O3 - Toolbar: PDFCreator Toolbar - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Program Files\PDFCreator Toolbar\v3.0.0.0\PDFCreator_Toolbar.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 6719 bytes

Combofix log:

ComboFix 07-08-09.3 - "Whoever" 2007-08-10 21:59:13.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.213 [GMT 1:00]


((((((((((((((((((((((((( Files Created from 2007-07-10 to 2007-08-10 )))))))))))))))))))))))))))))))


2007-08-10 21:20 <DIR> d-------- C:\HJT
2007-08-10 00:44 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Office Genuine Advantage
2007-08-10 00:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-08-10 00:38 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-08-10 00:16 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-08-10 00:09 <DIR> d-------- C:\DOCUME~1\Whoever\.housecall6.6
2007-08-09 12:04 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-09 11:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-09 10:52 <DIR> d-------- C:\VundoFix Backups
2007-08-09 09:17 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-08-07 09:39 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-07 09:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-07 09:38 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-07 01:40 22,112 -ra------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2007-08-07 01:18 <DIR> d-------- C:\Program Files\Norton Internet Security
2007-08-07 01:16 48,824 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-08-07 01:16 108,728 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-08-01 19:59 <DIR> d-------- C:\Program Files\Bryxen Software
2007-08-01 19:59 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Bryxen Software
2007-07-30 12:31 <DIR> d-------- C:\Program Files\Runtime Software
2007-07-24 19:19 <DIR> d-------- C:\TELL ME MORE NV
2007-07-24 18:25 <DIR> d-------- C:\Program Files\MagicISO
2007-07-24 18:09 639,224 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-07-24 18:05 <DIR> d-------- C:\alc
2007-07-22 22:20 737,280 --a------ C:\WINDOWS\iun6002.exe
2007-07-22 22:20 <DIR> d-------- C:\Program Files\Codec Pack - All In 1
2007-07-20 07:58 <DIR> d-------- C:\Program Files\Splitting
2007-07-19 16:40 63,488 --a------ C:\WINDOWS\system32\unam4ie.exe
2007-07-19 16:40 4,608 --a------ C:\WINDOWS\system32\w95inf32.dll
2007-07-19 16:40 38,160 --a------ C:\WINDOWS\system32\LMRTREND.dll
2007-07-19 16:40 2,272 --a------ C:\WINDOWS\system32\w95inf16.dll
2007-07-19 16:40 194,320 --a------ C:\WINDOWS\system32\qcut.dll
2007-07-19 16:40 182,032 --a------ C:\WINDOWS\system32\dxtmsft3.dll
2007-07-19 16:40 10,240 --a------ C:\WINDOWS\system32\vidx16.dll
2007-07-19 16:39 <DIR> d-------- C:\Program Files\Auralog
2007-07-15 23:29 <DIR> d-------- C:\DOCUME~1\Whoever\APPLIC~1\WinRAR
2007-07-15 15:16 <DIR> d-------- C:\Program Files\thr
2007-07-14 02:06 <DIR> d-------- C:\Program Files\Combined Community Codec Pack
2007-07-11 04:11 <DIR> d-------- C:\Program Files\Common Files\SWF Studio
2007-07-11 02:46 <DIR> d-------- C:\Program Files\FriendBlasterPro


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-10 20:19 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-08-09 11:52 3190 --a------ C:\WINDOWS\mozver.dat
2007-08-08 20:05 --------- d-------- C:\Program Files\ICQ
2007-08-07 09:39 --------- d-------- C:\DOCUME~1\Whoever\APPLIC~1\Lavasoft
2007-08-07 01:22 --------- d-------- C:\Program Files\Symantec
2007-08-06 12:32 --------- d-------- C:\Program Files\Comodo
2007-07-15 22:46 --------- d-------- C:\Program Files\VideoLAN
2007-07-15 22:43 --------- d-------- C:\Program Files\Common Files\InstallShield
2007-07-15 22:34 --------- d-------- C:\Program Files\Oberon Media
2007-07-08 10:38 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-01 01:48 200 --a------ C:\sccfg.sys
2007-06-27 17:42 --------- d-------- C:\DOCUME~1\Whoever\APPLIC~1\Comodo
2007-06-27 16:55 --------- d-------- C:\Program Files\Alwil Software
2007-06-27 16:02 --------- d-------- C:\Program Files\Norton AntiVirus
2007-06-21 18:26 264097 --a------ C:\WINDOWS\PDFCreator_Toolbar_Uninstaller_2859.exe
2007-06-21 18:26 --------- d-------- C:\Program Files\PDFCreator Toolbar
2007-06-21 09:49 --------- d-------- C:\Program Files\MSN Messenger
2007-06-21 00:38 --------- d-------- C:\DOCUME~1\Whoever\APPLIC~1\SecondLife
2007-06-20 01:27 --------- d-------- C:\Program Files\Acro Software
2007-06-19 16:00 17536 --a------ C:\DOCUME~1\Whoever\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-06-12 10:59 --------- d-------- C:\Program Files\Messenger
2007-05-16 16:12 86528 --a--c--- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 16:12 85504 --a--c--- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 16:12 683520 --a--c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 16:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 16:12 510976 --a--c--- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 16:12 1314816 --a--c--- C:\WINDOWS\system32\dllcache\msoe.dll
2001-11-23 05:08 712704 --a------ C:\WINDOWS\inf\OTHER\AUDIO3D.DLL


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CEEFA709-ED63-414B-8962-00254B92EC17}]
C:\WINDOWS\system32\gebca.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-09-03 08:04]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2006-09-06 02:22]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:56]

C:\Documents and Settings\Whoever\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWindowsUpdate"=0 (0x0)
"NoRecentDocsMenu"=0 (0x0)
"NoFavoritesMenu"=0 (0x0)
"NoSMMyDocs"=1 (0x1)
"NoSMMyPictures"=1 (0x1)
"NoStartMenuMyMusic"=1 (0x1)
"NoRecentDocsHistory"=0 (0x0)
"NoRecentDocsNetHood"=0 (0x0)
"NoFind"=0 (0x0)
"NoRun"=0 (0x0)
"NoInstrumentation"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=0 (0x0)
"NoFavoritesMenu"=0 (0x0)
"NoSMMyDocs"=1 (0x1)
"NoSMMyPictures"=1 (0x1)
"NoStartMenuMyMusic"=1 (0x1)
"NoRecentDocsHistory]"=0 (0x0)
"ClearRecentDocsOnExit"=0 (0x0)
"NoRecentDocsNetHood"=0 (0x0)
"NoUserNameInStartMenu"=0 (0x0)
"NoInstrumentation"=0 (0x0)
"NoStartMenuPinnedList"=0 (0x0)
"NoSharedDocuments"=0 (0x0)

R1 SRTSP;SRTSP;C:\WINDOWS\system32\Drivers\SRTSP.SYS
R3 cmuda;C-Media WDM Audio Interface;C:\WINDOWS\system32\drivers\cmuda.sys
S3 alcan5ln;SpeedTouch(tm) USB ADSL RFC1483 Networking Driver (NDIS);C:\WINDOWS\system32\DRIVERS\alcan5ln.sys
S3 SRTSPL;SRTSPL;C:\WINDOWS\system32\Drivers\SRTSPL.SYS
S3 ST330;ST330;C:\WINDOWS\system32\drivers\st330.sys
S3 STBUS;STBUS;C:\WINDOWS\system32\drivers\stbus.sys
S3 STETH;SpeedTouch Ethernet Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\steth.sys
S3 stppp;Speedtouch PPP Adapter Adapter;C:\WINDOWS\system32\DRIVERS\stppp.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d8b499aa-edea-11db-b24e-000e50b21dd6}]
AutoRun\command- J:\InstallTomTomHOME.exe

*Newly Created Service* - COMHOST

Contents of the 'Scheduled Tasks' folder
2007-08-10 20:39:58 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Whoever.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-10 22:01:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-10 22:03:11


Hijackthis Uninstall Log:

7-Zip 4.42
ACDSee 7.0 PowerPack
ACE Mega CoDecS Pack
Ad-Aware 2007
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 9 ActiveX
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Stock Photos 1.0
AnyDVD
AppCore
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
AV
AviSynth 2.5
BT Voyager USB Driver
Canon S100
ccCommon
C-Media 3D Audio
Codec Pack - All In 1 6.0.3.0
Combined Community Codec Pack 2007-02-22
Cucusoft iPod Movie/Video Converter 2.00
Directory Submitter 1.0.24
DivX Web Player
DVD Ripper Platinum 4
Free eXPert PDF Reader
GetDataBack for FAT
HijackThis 2.0.2
ICQ
Image Resizer Powertoy for Windows XP
Java(TM) 6 Update 2
LiveReg (Symantec Corporation)
LiveUpdate 3.2 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Magic ISO Maker v5.3 (build 0229)
Microsoft .NET Framework 1.1
Microsoft Office XP Professional with FrontPage
Mozilla Firefox (2.0.0.4)
MSRedist
Nero 6 Ultra Edition
Norton AntiVirus
Norton Confidential Browser Component
Norton Confidential Web Protection Component
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security (Symantec Corporation)
Norton Protection Center
PDFCreator
PDFCreator Toolbar
PSP ISO Compressor
QuickTime
Real Alternative 1.51
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)

SPBBC 32bit
SpeedTouch USB Software
Splitting 4.3
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
Symantec Real Time Storage Protection Component
Symantec Technical Support Web Controls
SymNet
TELL ME MORE
Total Video Converter 3.02

VobSub v2.23 (Remove Only)
Winamp (remove only)
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Live Sign-in Assistant

WinRAR archiver



thank you very much for your help!

pskelley
2007-08-10, 23:32
Thanks for the feedback; that is why I asked you to remove the old stuff from your computer. From the combofix log:
2007-08-09 10:52 <DIR> d-------- C:\VundoFix Backups <<< delete that folder, and let's clean the last dead Vundo file and run a scan to see if anything is hidden.

Uninstall list: I see no obvious malware or security issues; you might want to look for stuff you don't know or no longer use. I see a lot of codecs, so you may want to read this information:
http://forums.spybot.info/showthread.php?t=7344

1) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

2) Ad-Aware 2007 is new and it may block HJT, exit it until you finish.

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

(if you set your Start Page to Blank in your Internet Explorer browser on purpose, leave the first two lines)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {CEEFA709-ED63-414B-8962-00254B92EC17} - C:\WINDOWS\system32\gebca.dll (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

4) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Let's run this scan, it will take a while:
Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make sure that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* The program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here.

Thanks
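The leftovers pskelley points at are the O2 lines where HijackThis reports the registered DLL as absent ("(no file)" or "(file missing)"): the registry still names the BHO, but the file a removal tool deleted is gone. Below is an added example (not from the thread, the forum or HijackThis itself) in Python that parses O2/O3 entries out of a HijackThis log, flags those orphaned registrations, and compares two logs to show which leftovers survived a clean-up; the sample log lines are copied from the log posted above, and the function names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample input: a handful of lines copied from the HijackThis log
# posted in this thread (two of the BHO entries point at DLLs that no longer exist).
SAMPLE_HJT_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {CEEFA709-ED63-414B-8962-00254B92EC17} - C:\WINDOWS\system32\gebca.dll (file missing)
O3 - Toolbar: PDFCreator Toolbar - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Program Files\PDFCreator Toolbar\v3.0.0.0\PDFCreator_Toolbar.dll
"""

# HJT prints O2 (Browser Helper Object) and O3 (toolbar) entries in the same shape:
#   <section> - <kind>: <name> - {CLSID} - <path>
ADDON_RE = re.compile(
    r"^(?P<section>O[23]) - (?:BHO|Toolbar): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}) - (?P<path>.*)$"
)

# Markers HJT appends when the registered DLL is not on disk.
MISSING_MARKERS = ("(no file)", "(file missing)")


@dataclass(frozen=True)
class BrowserAddon:
    section: str   # "O2" for a BHO, "O3" for a toolbar
    name: str
    clsid: str
    path: str
    raw: str       # the original log line, as a helper would quote it back

    def is_orphaned(self) -> bool:
        """True when the registry still references the add-on but the DLL is gone."""
        return any(self.path.endswith(marker) for marker in MISSING_MARKERS)


def parse_addons(log_text: str) -> list:
    """Extract every O2/O3 entry from a HijackThis log; other sections are skipped."""
    addons = []
    for line in log_text.splitlines():
        line = line.strip()
        match = ADDON_RE.match(line)
        if match:
            addons.append(BrowserAddon(raw=line, **match.groupdict()))
    return addons


def orphaned_addons(log_text: str) -> list:
    """Entries whose DLL is missing: dead registrations left behind by a removal tool."""
    return [addon for addon in parse_addons(log_text) if addon.is_orphaned()]


def fix_list(log_text: str) -> list:
    """Log lines a helper would ask the poster to tick before 'Fix Checked'."""
    return [addon.raw for addon in orphaned_addons(log_text)]


def persisting_orphans(before_log: str, after_log: str) -> set:
    """CLSIDs of orphaned entries present in both a before and an after log,
    i.e. leftovers that the clean-up tools run in between did not remove."""
    before = {a.clsid for a in orphaned_addons(before_log)}
    after = {a.clsid for a in orphaned_addons(after_log)}
    return before & after


if __name__ == "__main__":
    for addon in parse_addons(SAMPLE_HJT_LOG):
        state = "ORPHANED" if addon.is_orphaned() else "present"
        print(f"{addon.section} {addon.clsid} {state:9} {addon.path}")
    print("\nLines to fix:")
    for line in fix_list(SAMPLE_HJT_LOG):
        print(" ", line)
```

Run against the two logs in this thread, `persisting_orphans` returns the same two CLSIDs for both, which is exactly the signal pskelley used to conclude the entries were dead leftovers rather than something active.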

pskelley
2007-08-18, 01:51
No response since 8/10/2007; topic is closed.

If you need it re-opened please send me or a forum staff member a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Anyone else with similar problems please start a new topic.