No_problem asked:
How to repair an explorer.exe infected with the Vundo trojan?
Hello Experts.
I'm using McAfee antivirus, and it sometimes lets me know that the explorer.exe process is infected with the Vundo.dr trojan. I have tried to remove it with VundoFix, and although it erased the corrupted files, it doesn't seem to have taken care of explorer.exe, which McAfee keeps popping up again.
The antivirus itself can't do it by itself and only erases files that suddenly appear in my Temporary Internet Files folder. Also, my explorer.exe process takes 77 MB of RAM, so this also indicates a malware presence.
what should I do?
Thanks in advance,
No_Problem.
ASKER
OK, did everything and here are the logs:
https://filedb.experts-exchange.com/incoming/ee-stuff/5987-ComboFix.txt
Better, but a ComboFix script is needed here. I can put it together, but not until later this evening. One of the other experts may look in and give you something. If not, I'll get back to this later.
Can you also run HijackThis and post that log.
Here is the script...
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
----------------------------------------------------------------------
File::
C:\WINDOWS\system32\aajasjsp.dll
C:\WINDOWS\system32\gebbbby.dll
C:\WINDOWS\system32\ddcyw.dll
Folder::
C:\Documents and Settings\All Users\Application Data\Trymedia
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{17B88DF7-95AB-44DA-8ECD-5FF0B6CAEC67}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1E1D7759-C8FE-4824-B396-79AF2D625627}]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{17B88DF7-95AB-44DA-8ECD-5FF0B6CAEC67}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebbbby]
----------------------------------------------------------------------
3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.
5. After reboot, (in case it asks to reboot), please upload the following reports/logs.
-Combofix.txt
-A new HijackThis log
ASKER
the combofix log:
ComboFix 07-12-02.6 - Burdinov 12/05/2007 7:17:11.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1255.1.1033.18.241 [GMT 2:00]
Running from: C:\Documents and Settings\Burdinov\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Burdinov\Desktop\CFScript.txt
* Created a new restore point
FILE
C:\WINDOWS\system32\aajasjsp.dll
C:\WINDOWS\system32\ddcyw.dll
C:\WINDOWS\system32\gebbbby.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\Trymedia
C:\Documents and Settings\All Users\Application Data\Trymedia\data\{091B6D34-FED1-358F-AE4C-0940A89D71E2}
C:\Documents and Settings\All Users\Application Data\Trymedia\data\{116E82C8-3DDC-BBF4-0EBF-333A35423A97}
C:\Documents and Settings\All Users\Application Data\Trymedia\data\{2C4A779D-CEB1-DF8F-34A2-2358799F8C48}
C:\Documents and Settings\All Users\Application Data\Trymedia\data\{B0197011-66DD-932B-0A26-2FF9D6DE1B35}
C:\WINDOWS\system32\aajasjsp.dll
C:\WINDOWS\system32\ayadd.bak1
C:\WINDOWS\system32\ayadd.ini
C:\WINDOWS\system32\ddaya.dll
C:\WINDOWS\system32\gebbbby.dll
.
((((((((((((((((((((((((( Files Created from 2007-11-05 to 2007-12-05 )))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))
.
2007-12-01 22:22 --------- d-----w C:\Program Files\ICQ
2007-11-30 07:59 --------- d-----w C:\Documents and Settings\Burdinov\Application Data\OpenOffice.org2
2007-11-29 08:50 --------- d-----w C:\Program Files\DeMule2007
2007-11-26 22:55 --------- d-----w C:\Program Files\DOSBox-0.72
2007-11-26 12:53 --------- d-----w C:\Program Files\Ad-Aware 2007
2007-11-23 09:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-21 14:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Copy of POPWWPROFILES
2007-11-20 23:14 4 --sh--r C:\Documents and Settings\All Users\Application Data\sysqcl0.dat
2007-11-20 23:11 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-18 18:00 4 --sh--r C:\Documents and Settings\All Users\Application Data\sysqcl1129139270.dat
2007-11-18 17:59 --------- d-----w C:\Program Files\Comic Life 1.3.4
2007-11-11 09:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\SpinTop Games
2007-11-10 11:04 --------- d-----w C:\Documents and Settings\Burdinov\Application Data\bang
2007-11-05 16:56 --------- d-----w C:\Documents and Settings\Burdinov\Application Data\Skype
2007-11-05 15:00 --------- d-----w C:\Program Files\Ubisoft
2007-11-03 20:34 639,224 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-11-03 06:22 --------- d-----w C:\Program Files\BitLord
2007-11-03 00:54 --------- d-----w C:\Documents and Settings\Burdinov\Application Data\uTorrent
2007-10-30 12:11 --------- d--h--r C:\Documents and Settings\Burdinov\Application Data\SecuROM
2007-10-30 11:21 --------- d-----w C:\Program Files\RocketDock
2007-10-29 14:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-10-28 22:33 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-28 22:31 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2007-10-28 10:03 --------- d-----w C:\Program Files\ffdshow
2007-10-28 00:28 --------- d-----w C:\Program Files\MagicISO
2007-10-17 20:56 --------- d-----w C:\Documents and Settings\Burdinov\Application Data\mIRC
2007-10-17 07:20 359,808 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS.ORIGINAL
2007-10-17 07:20 359,808 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS
2007-10-17 07:10 --------- d-----w C:\Program Files\uTorrent
2007-10-16 20:52 --------- d-----w C:\Program Files\Skype
2007-10-16 20:52 --------- d-----w C:\Program Files\Common Files\Skype
2007-10-15 14:56 --------- d-----w C:\Program Files\Winamp
2007-10-15 08:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-14 09:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Last.fm
2007-10-14 09:21 --------- d-----w C:\Program Files\Last.fm
2007-10-10 15:19 --------- d-----w C:\Program Files\DVDlabPro2
2007-03-27 21:14 32 -c--a-r C:\Documents and Settings\All Users\hash.dat
.
(((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]
"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [09/02/2007 01:58 PM]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="C:\Program Files\McAfee VirusScan\SHSTAT.exe" [08/18/2004 08:00 AM]
"McAfeeUpdaterUI"="C:\Program Files\Common Framework\UpdaterUI.exe" [08/06/2004 03:50 AM]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [11/10/2006 12:35 PM]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Burdinov^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Burdinov\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AAWTray]
08/30/2007 01:19 PM 87392 --a------ C:\Program Files\Ad-Aware 2007\AAWTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
10/10/2007 07:51 PM 39792 --a------ C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe -startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe -start
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
02/07/2007 04:21 PM 54832 --a------ C:\Program Files\PowerDVD\Language\Language.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mirabilis ICQ]
10/14/2003 06:36 PM 38984 --a--c--- C:\PROGRA~1\ICQ\ICQNet.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\msnmsgr.exe /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
07/09/2001 10:50 AM 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Network Associates Error Reporting Service]
10/07/2003 09:48 AM 147514 --a------ C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
06/16/2007 01:15 AM 366400 --a--c--- C:\Program Files\Picasa2\PicasaMediaDetector.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
02/07/2007 04:24 PM 71216 --------- C:\Program Files\PowerDVD\PDVDServ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
11/10/2006 12:35 PM 90112 --a------ C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
07/12/2007 03:00 AM 132496 --a--c--- C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
R1 NaiAvTdi1;NaiAvTdi1;C:\WINDOWS\system32\drivers\mvstdi5x.sys
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};\??\C:\Program Files\PowerDVD\000.fcl
R3 PAC207;SoC PC-Camer@;C:\WINDOWS\system32\DRIVERS\pfc027.sys
S1 ATITool;ATITool Overclocking Utility;C:\WINDOWS\system32\DRIVERS\ATITool.sys
S2 EZUSB;Cypress General Purpose USB Driver (ezusb.sys);C:\WINDOWS\system32\Drivers\ezusb.sys
S2 EZUSBDEV;Cypress General Purpose USB Driver w/ Keil Monitor (ezusb2.sys);C:\WINDOWS\system32\Drivers\ezusb2.sys
S3 SIS163u;SiS 163 usb Wireless LAN Adapter Driver;C:\WINDOWS\system32\DRIVERS\sis163u.sys
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4388d267-95b1-11dc-8b6c-0019e08f9eb1}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
**************************************************************************
catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-05 07:24:51
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 12/05/2007 7:26:28 - machine was rebooted
.
--- E O F ---
Since uploading didn't make it possible to see the HijackThis log, I'll upload it all here.
I'm adding it with "Attach Code Snippet":
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:30:58, on 05/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee VirusScan\SHSTAT.EXE
C:\Program Files\Common Framework\UpdaterUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Common Framework\FrameworkService.exe
C:\Program Files\McAfee VirusScan\Mcshield.exe
C:\Program Files\McAfee VirusScan\VsTskMgr.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1174239232889
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\McAfee VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\McAfee VirusScan\VsTskMgr.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
--
End of file - 5489 bytes
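The experts in this thread read the HijackThis log by eye for the usual tells: loading points whose file is gone ("(file missing)", "(no file)"), an unnamed BHO, and services with no publisher string ("Unknown owner"). The following Python script is an added example, not part of the thread or of HijackThis itself, that applies those same checks to HJT-format lines. The sample lines are copied from the log above; the one `O4 ... sysupd.exe` line is constructed so the user-profile/temp check has something to fire on, and is not from this machine.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: lines copied from the HijackThis log above, plus one
# made-up O4 entry (sysupd.exe) that is NOT from the thread.
SAMPLE_HJT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKCU\..\Run: [sysupd] C:\Documents and Settings\user\Local Settings\Temp\sysupd.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
"""

# Every HJT line is "<section code> - <body>".
LINE_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Autostart binaries living in a profile, AppData or Temp directory rather than
# Program Files / WINDOWS are a classic dropper location.
USER_DIR_RE = re.compile(
    r"\\(Documents and Settings|Users)\\[^\\]+\\(Local Settings|Application Data|AppData|Desktop)\\"
    r"|\\Temp\\",
    re.IGNORECASE,
)


@dataclass
class Finding:
    code: str
    reasons: Tuple[str, ...]
    clsid: Optional[str]
    line: str


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for one HJT line, or None if nothing looks worth a second look."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    reasons = []
    if "(no file)" in body or "(file missing)" in body:
        reasons.append("orphaned loading point: registry still references a file that is gone")
    if code in ("O2", "O3") and "(no name)" in body:
        reasons.append("unnamed BHO/toolbar: legitimate add-ons almost always register a name")
    if code == "O23" and "Unknown owner" in body:
        reasons.append("service binary carries no publisher string: verify its signature/hash")
    if code == "O4" and USER_DIR_RE.search(body):
        reasons.append("autostart entry runs from a user profile or temp directory")
    if not reasons:
        return None
    cm = CLSID_RE.search(body)
    return Finding(code, tuple(reasons), cm.group(0) if cm else None, line.strip())


def triage(log_text: str) -> List[Finding]:
    """Run classify() over every line of a HijackThis log and keep the hits, in log order."""
    hits = []
    for raw in log_text.splitlines():
        f = classify(raw)
        if f is not None:
            hits.append(f)
    return hits


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print(f"{f.code:<4} {f.clsid or '-':<40} {'; '.join(f.reasons)}")
```

On the log above this flags the orphaned Yahoo! toolbar hook, the unnamed BHO with no file, and the two services without an owner; none of those is proof of infection on its own, but each is a loading point the ComboFix cleanup left behind or a binary whose origin should be verified before trusting it.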
Looks better... how is it running? Watch out when using torrents and P2P; that's where many people get infected, and if I had to guess, that's how you did too.
Good luck,
Dave
I see a few things; I would suggest looking into these. A few bad rootkits out lately have been known to modify the tcpip.sys file, and since yours is from October I would be curious... (might have just been an MS KB update though...)
2007-10-17 07:20 359,808 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS.ORIGINAL
2007-10-17 07:20 359,808 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS
Verify this is from Daemon Tools:
2007-11-03 20:34 639,224 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
Might try opening this in Notepad and see if you can identify it that way...
2007-11-20 23:14 4 --sh--r C:\Documents and Settings\All Users\Application Data\sysqcl0.dat
Other than that, looks good....
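The expert above picks tcpip.sys, sptd.sys and sysqcl0.dat out of the Find3M listing by hand. As an added example (not code from the thread or from ComboFix), the following Python script parses ComboFix Find3M lines and applies the same three rules: a binary under the Windows system directory that changed in the window, a `.ORIGINAL`/`.bak` copy sitting beside a replaced file, and a hidden+system file outside the Windows directory. The sample lines are copied from the log above; the meaning of the attribute letters (d=directory, s=system, h=hidden, a=archive, r=read-only) is assumed from the log's layout, and the `C:\WINDOWS\system32` prefix is taken from the paths in the log.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: seven lines copied from the Find3M section of the
# ComboFix log above (one directory, one hidden+system data file, three
# driver files, one hidden directory, one read-only data file).
SAMPLE_FIND3M = r"""
2007-12-01 22:22 --------- d-----w C:\Program Files\ICQ
2007-11-20 23:14 4 --sh--r C:\Documents and Settings\All Users\Application Data\sysqcl0.dat
2007-11-03 20:34 639,224 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-10-17 07:20 359,808 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS.ORIGINAL
2007-10-17 07:20 359,808 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS
2007-10-30 12:11 --------- d--h--r C:\Documents and Settings\Burdinov\Application Data\SecuROM
2007-03-27 21:14 32 -c--a-r C:\Documents and Settings\All Users\hash.dat
"""

# Layout of a Find3M line: date  time  size-or-dashes  7-letter attribute string  path
FIND3M_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>[\d,]+|-+)\s+(?P<attrs>[a-z-]{7})\s+(?P<path>.+)$"
)
# Assumed system-directory prefix, taken from the paths in the log.
SYSTEM_DIR_RE = re.compile(r"^C:\\WINDOWS\\system32\\", re.IGNORECASE)
BINARY_EXT = (".sys", ".dll", ".exe")
BACKUP_EXT = (".original", ".bak", ".bak1")


@dataclass
class Entry:
    when: str
    size: Optional[int]   # None for directories
    attrs: str            # assumed: d=directory, s=system, h=hidden, a=archive, r=read-only
    path: str

    @property
    def is_dir(self) -> bool:
        return "d" in self.attrs

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


@dataclass
class Hit:
    entry: Entry
    reasons: List[str]


def parse_line(line: str) -> Optional[Entry]:
    """Parse one Find3M line; returns None for banner lines and blanks."""
    m = FIND3M_RE.match(line.strip())
    if not m:
        return None
    size = None if m.group("size").startswith("-") else int(m.group("size").replace(",", ""))
    return Entry(f'{m.group("date")} {m.group("time")}', size, m.group("attrs"), m.group("path"))


def assess(e: Entry) -> List[str]:
    """The three checks the expert applied by hand, expressed as rules."""
    reasons = []
    if e.is_dir:
        return reasons
    lname = e.name.lower()
    in_system = bool(SYSTEM_DIR_RE.match(e.path))
    if in_system and lname.endswith(BINARY_EXT):
        reasons.append("binary under the system directory changed in the window: verify signature/hash")
    if lname.endswith(BACKUP_EXT):
        reasons.append("backup copy beside a replaced file: compare it with the live file")
    if "s" in e.attrs and "h" in e.attrs and not in_system:
        reasons.append("hidden+system file outside the Windows directory")
    return reasons


def triage(text: str) -> List[Hit]:
    """Parse every line and keep the entries that trip at least one rule, in log order."""
    hits = []
    for raw in text.splitlines():
        e = parse_line(raw)
        if e is None:
            continue
        reasons = assess(e)
        if reasons:
            hits.append(Hit(e, reasons))
    return hits


if __name__ == "__main__":
    for h in triage(SAMPLE_FIND3M):
        print(f"{h.entry.when}  {h.entry.attrs}  {h.entry.path}")
        for r in h.reasons:
            print("    -", r)
```

The point of the paired `TCPIP.SYS` / `TCPIP.SYS.ORIGINAL` rule is that the `.ORIGINAL` copy tells you the live driver is not the one that was installed; whether the replacement was a patch or something worse is settled by comparing the two files' signatures and hashes, not by their timestamps.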
ASKER
C:\Documents and Settings\All Users\Application Data\sysqcl0.dat
is empty aside from two square chars.
C:\WINDOWS\system32\drivers\sptd.sys
might be associated with Alcohol 120%, which is the Daemon Tools equivalent.
UPDATE:
Now, after all this cleaning, explorer.exe is still at 50+ MB.
Also, McAfee has detected Vundo in svchost.exe now...
This is spreading...
ASKER CERTIFIED SOLUTION
SOLUTION
ASKER
OK, here are the results:
The rootkit log is in the code snippet.
I've tried Sophos and it didn't detect anything. SUPERAntiSpyware, on the other hand, did find Vundo but apparently didn't clean everything out. McAfee didn't post more infections for these few hours, but I suspect the trojan is still in the system because of the bloated explorer.exe.
The two main CPU threads in explorer.exe, from Process Explorer, are posted here:
ntoskrnl.exe!ExReleaseResourceLite+0x206
win32k.sys+0x2f70
win32k.sys+0x1b50
win32k.sys!EngQueryPerformanceCounter+0x5af
ntoskrnl.exe!ZwYieldExecution+0xb78
ntdll.dll!KiFastSystemCallRet
stobject.dll+0x1513
stobject.dll!DllCanUnloadNow+0x1fa4
kernel32.dll!GetModuleFileNameA+0x1b4
------------------------------------------------------------
ntoskrnl.exe!ExReleaseResourceLite+0x206
win32k.sys+0x2f70
win32k.sys+0x1b50
win32k.sys!EngQueryPerformanceCounter+0x5af
ntoskrnl.exe!ZwYieldExecution+0xb78
ntdll.dll!KiFastSystemCallRet
stobject.dll+0x1513
stobject.dll!DllCanUnloadNow+0x1fa4
kernel32.dll!GetModuleFileNameA+0x1b4
------------------------------------------------------------
I can't make anything of this so good luck :-)
HKU\.DEFAULT\Control Panel\International 12/5/2007 7:26 AM 0 bytes Security mismatch.
HKU\.DEFAULT\Control Panel\International\Geo 12/5/2007 7:26 AM 0 bytes Security mismatch.
HKU\S-1-5-21-1606980848-823518204-839522115-1003\Control Panel\International 12/5/2007 7:26 AM 0 bytes Security mismatch.
HKU\S-1-5-21-1606980848-823518204-839522115-1003\Control Panel\International\Geo 12/5/2007 7:26 AM 0 bytes Security mismatch.
HKU\S-1-5-21-1606980848-823518204-839522115-1003\Software\SecuROM\!CAUTION! NEVER DELETE OR CHANGE ANY KEY* 10/30/2007 2:11 PM 0 bytes Key name contains embedded nulls (*)
HKU\S-1-5-18\Control Panel\International 12/5/2007 7:26 AM 0 bytes Security mismatch.
HKU\S-1-5-18\Control Panel\International\Geo 12/5/2007 7:26 AM 0 bytes Security mismatch.
HKLM\SECURITY\Policy\Secrets\SAC* 3/18/2007 7:01 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 3/18/2007 7:01 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Adobe\SubInstall\{3E2C691B-B7E6-4053-B5C3-94B8BC407E7A}\SubProductList 10/29/2007 12:32 AM 37 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Classes\Installer\Products\32418F9EE1126B64A90E8365B85CFCF6\ProductName 3/23/2007 8:50 AM 26 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}\DisplayName 3/23/2007 8:52 AM 26 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Network Associates\TVD\Shared Components\On Access Scanner\McShield\dwFilesScanned 12/5/2007 8:39 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Network Associates\TVD\Shared Components\On Access Scanner\McShield\szLastScanned 12/5/2007 8:39 PM 102 bytes Windows API length not consistent with raw hive data.
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg 11/3/2007 10:29 PM 0 bytes Access is denied.
ASKER
Correction: the first thread in Explorer.exe is this one (I accidentally posted the same thread twice in the message above):
ntoskrnl.exe!ExReleaseResourceLite+0x206
win32k.sys+0x2f70
win32k.sys+0x3776
win32k.sys+0x3793
ntdll.dll!KiFastSystemCallRet
Explorer.EXE+0xff89
SHLWAPI.dll!Ordinal505+0x3e9
kernel32.dll!GetModuleFileNameA+0x1b4
> "SUPERAntiSpyware on the other hand did find Vundo but apparently didn't clean everything out."
Where was it found? It could be in restore points or in one of the quarantine folders, like ComboFix's qoobox.
I would recommend you do this:
Click START, then Run...
Now type Combofix /u in the run box and click OK. Note the space between the X and the U; it needs to be there.
When shown the disclaimer, select "2".
The above procedure will:
Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present.
The C:\Deckard folder, if present.
The C:\_OtMoveIt folder, if present.
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.
ASKER
No, they were in the C:\windows\system32 folder.
I uninstalled ComboFix.
Now Windows runs fine, in my opinion, and McAfee isn't shooting warnings, but explorer.exe is still big. It might not be the problem, but as a last resort: is it advisable to kill the explorer process, delete the file and copy an alternative explorer.exe from a friend?
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Disable your Anti-virus and any real-time Anti-spyware monitors that are running.
Then double click Combofix.exe & follow the prompts.
When finished, it will produce a log for you. Upload that log in your next reply with a HijackThis log (see below).
Please upload the log at EE-Stuff.com
Use the link below and login using your Experts-Exchange username and password.
http://www.ee-stuff.com
Click on "Expert Area" tab
type or paste the link to your Question
"Browse" your pc to the location of your Hijackthis log and click "Upload"
Copy the resulting "url" and post it back here.
If you are having problems uploading it you can use the "Attach Code Snippet"
Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note 2: Remember to re-enable your Anti-virus and Anti-spyware.
NOTE: If you have issues connecting to your network or the internet after running ComboFix, you can either simply reboot, or do the following:
* Go to Control Panel > Network Connections.
* Right-click on the Network icon & select "Repair".
Alternatively, if the Network icon appears in the notification area in the lower right corner of the Desktop, right-click it, and then click Repair from the shortcut menu.
--------------------------
Also post a HijackThis log so we can see what is going on.
http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php