Solved

how to repair a nexplorer.exe infected with Vundo trojan?

Posted on 2007-12-04
14
2,587 Views
Last Modified: 2013-12-09
Hello Experts.

I'm using McAfee anti-virus and it sometimes lets me know that the explorer.exe process is infected with the Vundo.dr trojan. I have tried to remove it with VundoFix and although it erased the corrupted files it doesn't seem to have taken care of explorer.exe, which McAfee keeps popping up about again.
The anti-virus itself can't do it by itself and only erases files that suddenly appear in my Temporary Internet Files folder. Also, my explorer.exe process takes 77 MB of RAM, so this also indicates a malware presence.
What should I do?

Thanks in advance,
No_Problem.
0
Question by:No_problem
14 Comments
 
LVL 20

Expert Comment

by:IndiGenus
Download and Run ComboFix (by sUBs)

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Disable your Anti-virus and any real-time Anti-spyware monitors that are running.
Then double click Combofix.exe & follow the prompts.
When finished, it will produce a log for you. Upload that log in your next reply with a HijackThis log (see below).

Please upload the log at EE-Stuff.com
Use the link below and login using your Experts-Exchange username and password.
http://www.ee-stuff.com
Click on "Expert Area" tab
type or paste the link to your Question
"Browse" your pc to the location of your Hijackthis log and click "Upload"
Copy the resulting "url" and post it back here.

If you are having problems uploading it you can use the "Attach Code Snippet"

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note 2: Remember to re-enable your Anti-virus and Anti-spyware.

NOTE: If you have issues connecting to your network or internet after running combofix you can either simply reboot, or do the following:
* Go to Control Panel > Network Connections.
* Right-click on the Network icon & select "Repair"
or
Alternately, if the Network icon appears in the notification area in the lower right corner of Desktop, right-click it, and then click Repair from the shortcut menu.

--------------------------------------------------------------------

Also post a HijackThis log so we can see what is going on.

http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php

0
 
LVL 1

Author Comment

by:No_problem
0
 
LVL 20

Expert Comment

by:IndiGenus
Better but a Combofix script is needed here. I can put it together but not until later this evening. One of the other experts may look in and give you something. If not I'll get back to this later.

Can you also run HijackThis and post that log.
0
 
LVL 20

Expert Comment

by:IndiGenus
Here is the script...


1. Open Notepad.

2. Now copy/paste the text between the lines below into the Notepad window:


---------------------------------------------------------------------------------------------------------------

File::
C:\WINDOWS\system32\aajasjsp.dll
C:\WINDOWS\system32\gebbbby.dll
C:\WINDOWS\system32\ddcyw.dll

Folder::
C:\Documents and Settings\All Users\Application Data\Trymedia

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{17B88DF7-95AB-44DA-8ECD-5FF0B6CAEC67}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1E1D7759-C8FE-4824-B396-79AF2D625627}]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{17B88DF7-95AB-44DA-8ECD-5FF0B6CAEC67}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebbbby]

---------------------------------------------------------------------------------------------------------------


3. Save the above as CFScript.txt on your desktop.

4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please upload the following reports/logs.

-Combofix.txt
-A new HijackThis log
0
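Before handing a CFScript like the one above to ComboFix, it helps to be able to read back exactly what it will remove. The following is an added example for this thread, not ComboFix's or sUBs' own code: it parses the three directive sections (File::, Folder::, Registry::) into a review list and cross-references the GUIDs, so a reader can see that the BHO key and the ShellExecuteHooks value being removed belong to the same component. Assumptions: the Registry:: section follows REGEDIT4 conventions, where a [-KEY] line deletes a whole key and a "name"=- line under a [KEY] header deletes one value; ComboFix's "~" path shorthand is kept verbatim rather than expanded.

```python
"""Parse a ComboFix CFScript into a reviewable list of the actions it requests.

Added example for this thread; it is not ComboFix's own code. Assumptions:
the script uses the three directive headers shown in the thread (File::,
Folder::, Registry::), and the Registry:: section follows REGEDIT4
conventions, where [-KEY] deletes a whole key and "name"=- under a [KEY]
header deletes one value. ComboFix's "~" shorthand is kept verbatim.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the script posted in this thread, copied verbatim.
SAMPLE_CFSCRIPT = r"""
File::
C:\WINDOWS\system32\aajasjsp.dll
C:\WINDOWS\system32\gebbbby.dll
C:\WINDOWS\system32\ddcyw.dll

Folder::
C:\Documents and Settings\All Users\Application Data\Trymedia

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{17B88DF7-95AB-44DA-8ECD-5FF0B6CAEC67}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1E1D7759-C8FE-4824-B396-79AF2D625627}]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{17B88DF7-95AB-44DA-8ECD-5FF0B6CAEC67}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebbbby]
"""


@dataclass
class CFScriptActions:
    files: list = field(default_factory=list)
    folders: list = field(default_factory=list)
    delete_keys: list = field(default_factory=list)
    delete_values: list = field(default_factory=list)  # (key, value name) pairs
    unrecognized: list = field(default_factory=list)


_HEADER = re.compile(r"^(\w+)::$")
_KEY_LINE = re.compile(r"^\[(-?)([^\]]+)\]$")
_DELETE_VALUE = re.compile(r'^"([^"]*)"=-$')
_GUID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def parse_cfscript(text):
    """Return the files, folders, keys and values the script asks ComboFix to remove."""
    actions = CFScriptActions()
    section = None
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = _HEADER.match(line)
        if header:
            section = header.group(1).lower()
            current_key = None
            continue
        if section == "file":
            actions.files.append(line)
        elif section == "folder":
            actions.folders.append(line)
        elif section == "registry":
            key = _KEY_LINE.match(line)
            if key:
                if key.group(1) == "-":
                    actions.delete_keys.append(key.group(2))
                    current_key = None          # a deleted key has no values to edit
                else:
                    current_key = key.group(2)  # following "name"=- lines apply here
                continue
            value = _DELETE_VALUE.match(line)
            if value and current_key:
                actions.delete_values.append((current_key, value.group(1)))
            else:
                actions.unrecognized.append(line)
        else:
            actions.unrecognized.append(line)
    return actions


def guids_by_action(actions):
    """Map each GUID to the action kinds that mention it (key and/or value)."""
    seen = {}
    for k in actions.delete_keys:
        for g in _GUID.findall(k):
            seen.setdefault(g.upper(), []).append("key")
    for k, v in actions.delete_values:
        for g in _GUID.findall(k + v):
            seen.setdefault(g.upper(), []).append("value")
    return seen


def review_lines(actions):
    """Flatten the parsed actions into one human-readable line per action."""
    out = [f"delete file    {p}" for p in actions.files]
    out += [f"delete folder  {p}" for p in actions.folders]
    out += [f"delete key     {k}" for k in actions.delete_keys]
    out += [f"delete value   {k} -> {v}" for k, v in actions.delete_values]
    out += [f"UNRECOGNIZED   {line}" for line in actions.unrecognized]
    return out


if __name__ == "__main__":
    parsed = parse_cfscript(SAMPLE_CFSCRIPT)
    for line in review_lines(parsed):
        print(line)
    print(guids_by_action(parsed))
```

Any line that lands in `unrecognized` is a line the parser could not account for, which is exactly the line to question before running the script.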
 
LVL 1

Author Comment

by:No_problem
the combofix log:

ComboFix 07-12-02.6 - Burdinov 12/05/2007  7:17:11.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1255.1.1033.18.241 [GMT 2:00]
Running from: C:\Documents and Settings\Burdinov\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Burdinov\Desktop\CFScript.txt
 * Created a new restore point

FILE
C:\WINDOWS\system32\aajasjsp.dll
C:\WINDOWS\system32\ddcyw.dll
C:\WINDOWS\system32\gebbbby.dll
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Trymedia
C:\Documents and Settings\All Users\Application Data\Trymedia\data\{091B6D34-FED1-358F-AE4C-0940A89D71E2}
C:\Documents and Settings\All Users\Application Data\Trymedia\data\{116E82C8-3DDC-BBF4-0EBF-333A35423A97}
C:\Documents and Settings\All Users\Application Data\Trymedia\data\{2C4A779D-CEB1-DF8F-34A2-2358799F8C48}
C:\Documents and Settings\All Users\Application Data\Trymedia\data\{B0197011-66DD-932B-0A26-2FF9D6DE1B35}
C:\WINDOWS\system32\aajasjsp.dll
C:\WINDOWS\system32\ayadd.bak1
C:\WINDOWS\system32\ayadd.ini
C:\WINDOWS\system32\ddaya.dll
C:\WINDOWS\system32\gebbbby.dll

.
(((((((((((((((((((((((((   Files Created from 2007-11-05 to 2007-12-05  )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-01 22:22      ---------      d-----w      C:\Program Files\ICQ
2007-11-30 07:59      ---------      d-----w      C:\Documents and Settings\Burdinov\Application Data\OpenOffice.org2
2007-11-29 08:50      ---------      d-----w      C:\Program Files\DeMule2007
2007-11-26 22:55      ---------      d-----w      C:\Program Files\DOSBox-0.72
2007-11-26 12:53      ---------      d-----w      C:\Program Files\Ad-Aware 2007
2007-11-23 09:40      ---------      d--h--w      C:\Program Files\InstallShield Installation Information
2007-11-21 14:58      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Copy of POPWWPROFILES
2007-11-20 23:14      4      --sh--r      C:\Documents and Settings\All Users\Application Data\sysqcl0.dat
2007-11-20 23:11      ---------      d-----w      C:\Program Files\Common Files\Wise Installation Wizard
2007-11-18 18:00      4      --sh--r      C:\Documents and Settings\All Users\Application Data\sysqcl1129139270.dat
2007-11-18 17:59      ---------      d-----w      C:\Program Files\Comic Life 1.3.4
2007-11-11 09:34      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\SpinTop Games
2007-11-10 11:04      ---------      d-----w      C:\Documents and Settings\Burdinov\Application Data\bang
2007-11-05 16:56      ---------      d-----w      C:\Documents and Settings\Burdinov\Application Data\Skype
2007-11-05 15:00      ---------      d-----w      C:\Program Files\Ubisoft
2007-11-03 20:34      639,224      ----a-w      C:\WINDOWS\system32\drivers\sptd.sys
2007-11-03 06:22      ---------      d-----w      C:\Program Files\BitLord
2007-11-03 00:54      ---------      d-----w      C:\Documents and Settings\Burdinov\Application Data\uTorrent
2007-10-30 12:11      ---------      d--h--r      C:\Documents and Settings\Burdinov\Application Data\SecuROM
2007-10-30 11:21      ---------      d-----w      C:\Program Files\RocketDock
2007-10-29 14:08      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-10-28 22:33      ---------      d-----w      C:\Program Files\Common Files\Adobe
2007-10-28 22:31      ---------      d-----w      C:\Program Files\Common Files\Macrovision Shared
2007-10-28 10:03      ---------      d-----w      C:\Program Files\ffdshow
2007-10-28 00:28      ---------      d-----w      C:\Program Files\MagicISO
2007-10-17 20:56      ---------      d-----w      C:\Documents and Settings\Burdinov\Application Data\mIRC
2007-10-17 07:20      359,808      ----a-w      C:\WINDOWS\system32\drivers\TCPIP.SYS.ORIGINAL
2007-10-17 07:20      359,808      ----a-w      C:\WINDOWS\system32\drivers\TCPIP.SYS
2007-10-17 07:10      ---------      d-----w      C:\Program Files\uTorrent
2007-10-16 20:52      ---------      d-----w      C:\Program Files\Skype
2007-10-16 20:52      ---------      d-----w      C:\Program Files\Common Files\Skype
2007-10-15 14:56      ---------      d-----w      C:\Program Files\Winamp
2007-10-15 08:02      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-14 09:23      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Last.fm
2007-10-14 09:21      ---------      d-----w      C:\Program Files\Last.fm
2007-10-10 15:19      ---------      d-----w      C:\Program Files\DVDlabPro2
2007-03-27 21:14      32      -c--a-r      C:\Documents and Settings\All Users\hash.dat
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]
"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [09/02/2007 01:58 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="C:\Program Files\McAfee VirusScan\SHSTAT.exe" [08/18/2004 08:00 AM]
"McAfeeUpdaterUI"="C:\Program Files\Common Framework\UpdaterUI.exe" [08/06/2004 03:50 AM]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [11/10/2006 12:35 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Burdinov^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Burdinov\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup
                  
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AAWTray]
08/30/2007 01:19 PM      87392      --a------      C:\Program Files\Ad-Aware 2007\AAWTray.exe
                  
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
10/10/2007 07:51 PM      39792      --a------      C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
                  
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
                  C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe -startup
                  
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
                  C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe -start
                  
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
02/07/2007 04:21 PM      54832      --a------      C:\Program Files\PowerDVD\Language\Language.exe
                  
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mirabilis ICQ]
10/14/2003 06:36 PM      38984      --a--c---      C:\PROGRA~1\ICQ\ICQNet.exe
                  
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
                  C:\Program Files\Messenger\msmsgs.exe /background
                  
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
                  C:\Program Files\MSN Messenger\msnmsgr.exe /background
                  
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
07/09/2001 10:50 AM      155648      --a------      C:\WINDOWS\system32\NeroCheck.exe
                  
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Network Associates Error Reporting Service]
10/07/2003 09:48 AM      147514      --a------      C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
                  
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
06/16/2007 01:15 AM      366400      --a--c---      C:\Program Files\Picasa2\PicasaMediaDetector.exe
                  
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
                  C:\Program Files\QuickTime\qttask.exe -atboottime
                  
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
02/07/2007 04:24 PM      71216      ---------      C:\Program Files\PowerDVD\PDVDServ.exe
                  
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
11/10/2006 12:35 PM      90112      --a------      C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
                  
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
07/12/2007 03:00 AM      132496      --a--c---      C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

R1 NaiAvTdi1;NaiAvTdi1;C:\WINDOWS\system32\drivers\mvstdi5x.sys
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};\??\C:\Program Files\PowerDVD\[u]0[/u]00.fcl
R3 PAC207;SoC PC-Camer@;C:\WINDOWS\system32\DRIVERS\pfc027.sys
S1 ATITool;ATITool Overclocking Utility;C:\WINDOWS\system32\DRIVERS\ATITool.sys
S2 EZUSB;Cypress General Purpose USB Driver (ezusb.sys);C:\WINDOWS\system32\Drivers\ezusb.sys
S2 EZUSBDEV;Cypress General Purpose USB Driver w/ Keil Monitor (ezusb2.sys);C:\WINDOWS\system32\Drivers\ezusb2.sys
S3 SIS163u;SiS 163 usb Wireless LAN Adapter Driver;C:\WINDOWS\system32\DRIVERS\sis163u.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4388d267-95b1-11dc-8b6c-0019e08f9eb1}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-05 07:24:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 12/05/2007  7:26:28 - machine was rebooted
.
      --- E O F ---



Since uploading didn't make it possible to see the HijackThis log, I'll upload it all here:

I'm adding it with "attach code snippet".
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:30:58, on 05/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee VirusScan\SHSTAT.EXE
C:\Program Files\Common Framework\UpdaterUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Common Framework\FrameworkService.exe
C:\Program Files\McAfee VirusScan\Mcshield.exe
C:\Program Files\McAfee VirusScan\VsTskMgr.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1174239232889
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\McAfee VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\McAfee VirusScan\VsTskMgr.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe

--
End of file - 5489 bytes


0
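A HijackThis log is read by section code (R0, O2, O4, O23 and so on), and the quickest first pass is to pull out entries that point at components which are no longer on disk (the Yahoo! hooks marked "(file missing)", the unnamed BHO with "(no file)") or whose service binary carries no publisher name. The script below is an added example for this thread, not HijackThis's own code; the sample log is a constructed subset of the log posted above and the flag rules are the example's own heuristics. "Unknown owner" is only a prompt to look, since many legitimate drivers ship without version-resource company names.

```python
"""Triage a HijackThis log: split it into header, running processes and
numbered entries, then flag entries that reference missing components or
services with no identifiable owner.

Added example for this thread; it is not HijackThis's own code and the
flag rules are this example's own heuristics.
"""
import re

# Constructed sample: a subset of the HijackThis log posted in this thread.
SAMPLE_HJT_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:30:58, on 05/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
"""

_ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")
_CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Marker substring -> reason. Orphaned hooks/BHOs are leftovers worth
# cleaning; "Unknown owner" only means the binary has no company name.
_MARKERS = [
    ("(file missing)", "referenced file is missing"),
    ("(no file)", "no file path at all"),
    ("(no name)", "component has no name"),
    ("Unknown owner", "service binary has no publisher information"),
]


def parse_hjt_log(text):
    """Split the log into its header lines, process list and numbered entries."""
    header, processes, entries = [], [], []
    mode = "header"
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "--":
            continue
        if line == "Running processes:":
            mode = "processes"
            continue
        m = _ENTRY.match(line)
        if m:
            mode = "entries"
            code, body = m.groups()
            clsid = _CLSID.search(body)
            entries.append({
                "code": code,
                "body": body,
                "clsid": clsid.group(0).upper() if clsid else None,
            })
        elif mode == "processes":
            processes.append(line)
        elif mode == "header":
            header.append(line)
    return {"header": header, "processes": processes, "entries": entries}


def triage(entries):
    """Return the entries that match at least one marker, with the reasons."""
    flagged = []
    for e in entries:
        reasons = [why for marker, why in _MARKERS if marker in e["body"]]
        if reasons:
            flagged.append({**e, "reasons": reasons})
    return flagged


def explorer_is_running(processes):
    """Confirm explorer.exe is listed and runs from the Windows directory
    rather than from a look-alike path elsewhere."""
    return any(p.lower() == r"c:\windows\explorer.exe" for p in processes)


if __name__ == "__main__":
    log = parse_hjt_log(SAMPLE_HJT_LOG)
    print("explorer.exe from C:\\WINDOWS:", explorer_is_running(log["processes"]))
    for f in triage(log["entries"]):
        print(f["code"], "|", "; ".join(f["reasons"]), "|", f["body"])
```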
 
LVL 20

Expert Comment

by:IndiGenus
Looks better...how is it running? Watch out when using the torrents and P2P, it's where many people get infected and if I had to guess that's how you did too here.

Good luck,
Dave
0
 
LVL 66

Expert Comment

by:johnb6767
I see a few things; I would suggest looking into these. A few bad rootkits out lately have been known to modify the tcpip.sys file, and since yours is from October I would be curious... (might have just been an MS KB update though...)

2007-10-17 07:20      359,808      ----a-w      C:\WINDOWS\system32\drivers\TCPIP.SYS.ORIGINAL
2007-10-17 07:20      359,808      ----a-w      C:\WINDOWS\system32\drivers\TCPIP.SYS

Verify this is from Daemon Tools
2007-11-03 20:34      639,224      ----a-w      C:\WINDOWS\system32\drivers\sptd.sys

Might try opening this in notepad, and see if you can identify it that way...
2007-11-20 23:14      4      --sh--r      C:\Documents and Settings\All Users\Application Data\sysqcl0.dat

Other than that, looks good....
0
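The three items johnb6767 picked out of the Find3M report share a pattern: a kernel driver that changed recently, a live file sitting next to an .ORIGINAL backup, and tiny hidden+system .dat files. The script below is an added example for this thread, not ComboFix's own code; it parses Find3M lines from a constructed subset of the log above and applies those same rules, and it pairs each .ORIGINAL backup with its live file to report whether the recorded size and timestamp match (here they do, which fits an update writing both at once). Assumptions: fields are separated by runs of whitespace, the attribute string uses d/c/s/h/a/r for directory, compressed, system, hidden, archive and read-only, and the 16-byte "tiny" threshold is the example's own.

```python
"""Triage ComboFix "Find3M Report" lines.

Added example for this thread, not ComboFix's own code. Assumptions: each
line is "date time  size  attributes  path" separated by runs of whitespace;
the attribute string uses d/c/s/h/a/r for directory, compressed, system,
hidden, archive and read-only; sizes carry thousands separators and are
"---------" for directories. The triage rules are the example's own.
"""
import re

# Constructed sample: a subset of the Find3M lines from the log posted above.
SAMPLE_FIND3M = r"""
2007-11-26 12:53      ---------      d-----w      C:\Program Files\Ad-Aware 2007
2007-11-20 23:14      4      --sh--r      C:\Documents and Settings\All Users\Application Data\sysqcl0.dat
2007-11-18 18:00      4      --sh--r      C:\Documents and Settings\All Users\Application Data\sysqcl1129139270.dat
2007-11-03 20:34      639,224      ----a-w      C:\WINDOWS\system32\drivers\sptd.sys
2007-10-30 12:11      ---------      d--h--r      C:\Documents and Settings\Burdinov\Application Data\SecuROM
2007-10-17 07:20      359,808      ----a-w      C:\WINDOWS\system32\drivers\TCPIP.SYS.ORIGINAL
2007-10-17 07:20      359,808      ----a-w      C:\WINDOWS\system32\drivers\TCPIP.SYS
2007-03-27 21:14      32      -c--a-r      C:\Documents and Settings\All Users\hash.dat
"""

_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(\S+)\s+(\S+)\s+(.+)$")
TINY_FILE_BYTES = 16  # assumption: anything smaller is a marker, not a program


def parse_find3m(text):
    """Return one dict per report line: when, size (None for dirs), attrs, path."""
    rows = []
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue
        when, size, attrs, path = m.groups()
        rows.append({
            "when": when,
            "size": None if size.startswith("-") else int(size.replace(",", "")),
            "attrs": attrs,
            "is_dir": "d" in attrs,
            "path": path,
        })
    return rows


def triage_find3m(rows):
    """Apply the rules a reviewer would use on a three-month change report."""
    flagged = []
    for r in rows:
        reasons = []
        low = r["path"].lower()
        attrs = r["attrs"]
        if not r["is_dir"] and "s" in attrs and "h" in attrs:
            reasons.append("hidden+system file")
        if "\\drivers\\" in low:
            reasons.append("kernel driver changed in the last 3 months")
        if low.endswith((".original", ".bak", ".bak1", ".old")):
            reasons.append("backup copy of a replaced file")
        if not r["is_dir"] and r["size"] is not None and r["size"] < TINY_FILE_BYTES:
            reasons.append("tiny data file")
        if reasons:
            flagged.append({**r, "reasons": reasons})
    return flagged


def replaced_file_pairs(rows):
    """Pair each X.ORIGINAL backup with its live X and report whether the
    recorded size and timestamp match (True means they were written together)."""
    by_path = {r["path"].lower(): r for r in rows}
    pairs = []
    for r in rows:
        low = r["path"].lower()
        if low.endswith(".original"):
            live = by_path.get(low[: -len(".original")])
            if live:
                same = live["size"] == r["size"] and live["when"] == r["when"]
                pairs.append((live["path"], r["path"], same))
    return pairs


if __name__ == "__main__":
    rows = parse_find3m(SAMPLE_FIND3M)
    for f in triage_find3m(rows):
        print(f["when"], f["path"], "->", "; ".join(f["reasons"]))
    for live, backup, same in replaced_file_pairs(rows):
        print("pair:", live, "/", backup, "same size+time:", same)
```

A matching size and timestamp only says the two files were written by the same operation; confirming that the driver is the vendor's build still means checking its digital signature or hash against a known-good copy.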
 
LVL 1

Author Comment

by:No_problem
C:\Documents and Settings\All Users\Application Data\sysqcl0.dat
is empty aside from two square chars.

C:\WINDOWS\system32\drivers\sptd.sys
might be associated with Alcohol 120% which is Daemon tools equivalent.


UPDATE:
Now, after all this cleaning, explorer.exe is still at 50+ MB.
Also McAfee has detected Vundo in svchost.exe now...
this is spreading...
0
 
LVL 20

Accepted Solution

by:
IndiGenus earned 193 total points
Like johnb mentioned, you may be looking at a rootkit here.

Download Rootkit Revealer here (bottom of page):

http://www.microsoft.com/technet/sysinternals/utilities/RootkitRevealer.mspx

Unzip the files and run RootkitRevealer.exe.

Press the scan button. Try to leave the system idle while running.

When done select File-->Save...and post the contents of the log in a Code Snippet window.

Also, rename HijackThis to something else, anything like findvundo.exe. Re-run it and give the log.
0
 
LVL 66

Assisted Solution

by:johnb6767
johnb6767 earned 192 total points
Also, I like the Sophos AR scanner.....

Sophos Anti-Rootkit - Find and remove any rootkit that is hidden ...
http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html

Also.....
Need to find out what module UNDER explorer.exe is using the CPU....

Process Explorer for Windows v10.21
http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/ProcessExplorer.mspx

Double click explorer.exe. Then Select the Threads tab, and see what .exe or .dll is using the CPU, and then select it by double clicking it....and copying/pasting the call stack here.....
0
 
LVL 1

Author Comment

by:No_problem
Ok, here's the results:
the rootkit log is in the code snippet.
I've tried Sophos and it didn't detect anything. SUPERAntiSpyware on the other hand did find Vundo but apparently didn't clean everything out. McAfee didn't post more infections for these few hours but I suspect the trojan is still in the system because of the bloated explorer.exe.

the main two CPU threads in explorer.exe by Process Explorer are posted here

ntoskrnl.exe!ExReleaseResourceLite+0x206
win32k.sys+0x2f70
win32k.sys+0x1b50
win32k.sys!EngQueryPerformanceCounter+0x5af
ntoskrnl.exe!ZwYieldExecution+0xb78
ntdll.dll!KiFastSystemCallRet
stobject.dll+0x1513
stobject.dll!DllCanUnloadNow+0x1fa4
kernel32.dll!GetModuleFileNameA+0x1b4

-------------------------------------------------------------------------------

ntoskrnl.exe!ExReleaseResourceLite+0x206
win32k.sys+0x2f70
win32k.sys+0x1b50
win32k.sys!EngQueryPerformanceCounter+0x5af
ntoskrnl.exe!ZwYieldExecution+0xb78
ntdll.dll!KiFastSystemCallRet
stobject.dll+0x1513
stobject.dll!DllCanUnloadNow+0x1fa4
kernel32.dll!GetModuleFileNameA+0x1b4
---------------------------------------------------------------------------------

I can't make anything of this so good luck :-)
HKU\.DEFAULT\Control Panel\International	12/5/2007 7:26 AM	0 bytes	Security mismatch.
HKU\.DEFAULT\Control Panel\International\Geo	12/5/2007 7:26 AM	0 bytes	Security mismatch.
HKU\S-1-5-21-1606980848-823518204-839522115-1003\Control Panel\International	12/5/2007 7:26 AM	0 bytes	Security mismatch.
HKU\S-1-5-21-1606980848-823518204-839522115-1003\Control Panel\International\Geo	12/5/2007 7:26 AM	0 bytes	Security mismatch.
HKU\S-1-5-21-1606980848-823518204-839522115-1003\Software\SecuROM\!CAUTION! NEVER DELETE OR CHANGE ANY KEY*	10/30/2007 2:11 PM	0 bytes	Key name contains embedded nulls (*)
HKU\S-1-5-18\Control Panel\International	12/5/2007 7:26 AM	0 bytes	Security mismatch.
HKU\S-1-5-18\Control Panel\International\Geo	12/5/2007 7:26 AM	0 bytes	Security mismatch.
HKLM\SECURITY\Policy\Secrets\SAC*	3/18/2007 7:01 PM	0 bytes	Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI*	3/18/2007 7:01 PM	0 bytes	Key name contains embedded nulls (*)
HKLM\SOFTWARE\Adobe\SubInstall\{3E2C691B-B7E6-4053-B5C3-94B8BC407E7A}\SubProductList	10/29/2007 12:32 AM	37 bytes	Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Classes\Installer\Products\32418F9EE1126B64A90E8365B85CFCF6\ProductName	3/23/2007 8:50 AM	26 bytes	Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}\DisplayName	3/23/2007 8:52 AM	26 bytes	Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Network Associates\TVD\Shared Components\On Access Scanner\McShield\dwFilesScanned	12/5/2007 8:39 PM	4 bytes	Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Network Associates\TVD\Shared Components\On Access Scanner\McShield\szLastScanned	12/5/2007 8:39 PM	102 bytes	Windows API length not consistent with raw hive data.
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg	11/3/2007 10:29 PM	0 bytes	Access is denied.


0
 
LVL 1

Author Comment

by:No_problem
Correction: the first thread in Explorer.exe is this one (I accidentally posted the same thread twice in the message above):

ntoskrnl.exe!ExReleaseResourceLite+0x206
win32k.sys+0x2f70
win32k.sys+0x3776
win32k.sys+0x3793
ntdll.dll!KiFastSystemCallRet
Explorer.EXE+0xff89
SHLWAPI.dll!Ordinal505+0x3e9
kernel32.dll!GetModuleFileNameA+0x1b4
0
 
LVL 20

Expert Comment

by:IndiGenus
>""SUPERAntiSpyware on the other hand did find Vundo but apparently didn't clean everything out.""<

Where was it found? Could be in restore points or one of the quarantine folders like combofix's qoobox.

I would recommend you do this.

Click START then Run...
Now type Combofix /u in the run box and click OK. Note the space between the X and the U, it needs to be there.

When shown the disclaimer, Select "2"

The above procedure will:

Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:\_OtMoveIt folder, if present

Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.
0
 
LVL 1

Author Comment

by:No_problem
No, they were in the C:\windows\system32 folder

I uninstalled combofix.
Now Windows runs fine in my opinion and McAfee isn't shooting warnings, but explorer.exe is still big. It might not be the problem, but as a last resort: is it advisable to kill the explorer process, delete the file and copy an alternative explorer.exe from a friend?
0
