10-09-2009, 07:08 PM
#1
Formerly charles_scott Join Date: Feb 2005 Posts: 4,605
Check this out real quick... Here is a bit of history... Installed SP3 and such on my computer, after a fresh reformat... Installed AVG, Malwarebytes, Ad-Aware 2009, and so on as normal...
Went to a site that shall remain nameless, and for the first time ever visiting said site, I ended up with an infection... I have pinpointed it to be a form of a Vundo infection...
Here is the kicker... After following osiris' guide and doing SEVERAL things that I normally would, I still have an infection of some form, and it keeps reappearing..
So, someone else, check my HijackThis log and let me know if they see anything wrong...
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:03:42 PM, on 10/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\I8kfanGUI\I8kfanGUI.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Scotts Computer Repair
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKCU\..\Run: [i8kfangui] C:\Program Files\I8kfanGUI\I8kfanGUI.exe /startup
O4 - HKCU\..\Run: [StealthBot Launcher v1.2] "C:\Program Files\StealthBot 2.7\Launcher.exe" -LaunchProfile "Charles R. Scott"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1255042617599
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
--
End of file - 5034 bytes
10-09-2009, 07:23 PM
#2
Join Date: Jan 2005 Location: Kentucky Posts: 32,098
Re: Check this out real quick... Can I see the combofix and malwarebytes log?
10-09-2009, 07:37 PM
#3
Formerly charles_scott Join Date: Feb 2005 Posts: 4,605
Re: Check this out real quick... Here is the combofix log that I just got done with; malwarebytes... Yeah, that will take me another hour, again...
I have also run SDFix, and it appears that SDFix contains the same things that combofix does....
ComboFix 09-10-08.04 - Charles R. Scott 10/09/2009 19:20.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1638 [GMT -4:00]
Running from: c:\documents and settings\Charles R. Scott\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\$recycle.bin\S-1-5-21-372580491-4117983620-1091125174-1000
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_6TO4
-------\Legacy_ISASDK
((((((((((((((((((((((((( Files Created from 2009-09-09 to 2009-10-09 )))))))))))))))))))))))))))))))
.
2009-10-09 23:03 . 2009-10-09 23:03 -------- d-----w- c:\program files\Trend Micro
2009-10-09 23:02 . 2009-10-09 23:02 -------- d-sh--w- c:\documents and settings\Charles R. Scott\PrivacIE
2009-10-09 22:41 . 2009-10-09 22:41 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-10-09 22:33 . 2009-10-09 22:33 -------- d-sh--w- c:\documents and settings\Charles R. Scott\IETldCache
2009-10-09 22:22 . 2009-10-09 22:23 -------- dc-h--w- c:\windows\ie8
2009-10-09 22:01 . 2008-10-24 11:21 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2009-10-09 22:01 . 2008-12-11 10:57 333952 -c----w- c:\windows\system32\dllcache\srv.sys
2009-10-09 22:00 . 2008-05-01 14:33 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2009-10-09 22:00 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2009-10-09 22:00 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-10-09 22:00 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2009-10-09 22:00 . 2008-04-11 19:04 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll
2009-10-09 21:59 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2009-10-09 21:59 . 2008-09-04 17:15 1106944 -c----w- c:\windows\system32\dllcache\msxml3.dll
2009-10-09 21:58 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-10-09 21:58 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-10-09 21:56 . 2001-08-17 17:48 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2009-10-09 21:56 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2009-10-09 21:56 . 2008-04-14 04:15 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2009-10-09 21:56 . 2008-04-14 04:15 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2009-10-09 05:20 . 2009-10-09 05:20 -------- d-----w- c:\program files\Synaptics
2009-10-09 05:20 . 2007-04-27 20:34 110592 ----a-w- c:\windows\system32\SynTPCo4.dll
2009-10-09 05:20 . 2007-04-27 19:49 143360 ----a-w- c:\windows\system32\SynTPAPI.dll
2009-10-09 05:20 . 2007-04-27 19:42 196608 ----a-w- c:\windows\system32\SynCtrl.dll
2009-10-09 05:20 . 2007-04-27 19:42 163840 ----a-w- c:\windows\system32\SynCOM.dll
2009-10-09 05:20 . 2007-04-27 19:37 202912 ----a-w- c:\windows\system32\drivers\SynTP.sys
2009-10-09 05:20 . 2009-10-09 05:20 -------- d-----w- c:\program files\CONEXANT
2009-10-09 05:18 . 2007-05-06 21:10 405504 ----a-w- c:\windows\stsystra.exe
2009-10-09 05:17 . 2009-10-09 05:17 -------- d-----w- c:\windows\system32\vmm32
2009-10-09 05:17 . 2009-10-09 05:17 -------- d-----w- c:\program files\Dell
2009-10-09 05:16 . 2009-10-09 06:02 -------- d-----w- c:\documents and settings\Charles R. Scott\Application Data\vlc
2009-10-09 05:12 . 2009-10-09 05:12 2285056 ----a-w- c:\windows\system32\TUKernel.exe
2009-10-09 04:51 . 2008-09-10 01:14 1307648 -c----w- c:\windows\system32\dllcache\msxml6.dll
2009-10-09 04:51 . 2008-04-14 02:57 79872 -c----w- c:\windows\system32\dllcache\msxml6r.dll
2009-10-09 04:51 . 2007-06-26 15:30 22060 -c----w- c:\windows\system32\dllcache\npds.zip
2009-10-09 04:51 . 2007-06-26 15:26 403 -c----w- c:\windows\system32\dllcache\npdrmv2.zip
2009-10-09 04:43 . 2009-10-09 04:43 -------- d-----w- c:\windows\ServicePackFiles
2009-10-09 04:42 . 2008-04-14 09:42 294912 -c----w- c:\windows\system32\dllcache\dlimport.exe
2009-10-09 04:26 . 2008-06-12 13:46 4608 ----a-w- c:\windows\system32\drivers\vncmirror.sys
2009-10-09 04:26 . 2008-06-12 13:46 20992 ----a-w- c:\windows\system32\vncmirror.dll
2009-10-09 04:26 . 2009-10-09 04:26 -------- d-----w- c:\program files\RealVNC
2009-10-09 04:01 . 2009-10-09 04:01 -------- d-----w- c:\program files\VideoLAN
2009-10-09 04:00 . 2003-06-18 21:31 17920 ----a-w- c:\windows\system32\mdimon.dll
2009-10-09 04:00 . 2009-10-09 04:00 -------- d-----w- c:\program files\Microsoft.NET
2009-10-09 04:00 . 2009-10-09 04:00 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-10-09 04:00 . 2009-10-09 04:00 -------- d-----w- c:\windows\SHELLNEW
2009-10-09 03:58 . 2009-10-09 03:58 -------- d-----r- C:\MSOCache
2009-10-09 03:54 . 2009-10-09 03:55 -------- d-----w- c:\program files\WinISD
2009-10-09 03:31 . 2009-10-09 03:31 603904 ----a-w- c:\windows\system32\TUProgSt.exe
2009-10-09 03:31 . 2008-12-11 17:31 27904 ----a-w- c:\windows\system32\uxtuneup.dll
2009-10-09 03:31 . 2009-10-09 03:31 360192 ----a-w- c:\windows\system32\TuneUpDefragService.exe
2009-10-09 03:31 . 2009-10-09 03:31 -------- d-----w- c:\documents and settings\Charles R. Scott\Application Data\TuneUp Software
2009-10-09 03:30 . 2009-10-09 03:30 -------- d-----w- c:\documents and settings\All Users\Application Data\TuneUp Software
2009-10-09 03:30 . 2009-10-09 03:30 -------- d-----w- c:\program files\TuneUp Utilities 2009
2009-10-09 03:30 . 2009-10-09 03:30 -------- d-sh--w- c:\documents and settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
2009-10-09 03:06 . 2009-10-09 03:06 -------- d-----w- c:\documents and settings\Charles R. Scott\Application Data\Malwarebytes
2009-10-09 02:30 . 2009-10-09 02:30 12328 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-09 02:22 . 2009-10-09 02:22 -------- d-----w- c:\windows\ERUNT
2009-10-09 02:17 . 2007-02-16 09:05 14464 ----a-w- c:\windows\system32\drivers\fanio.sys
2009-10-09 02:17 . 2009-10-09 02:17 -------- d-----w- c:\program files\I8kfanGUI
2009-10-09 02:13 . 2009-10-09 02:13 -------- d-----w- C:\VundoFix Backups
2009-10-09 01:40 . 2009-10-09 01:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-10-09 01:40 . 2009-10-09 03:49 -------- d-----w- C:\SDFix
2009-10-09 01:40 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-09 01:40 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-09 01:40 . 2009-10-09 22:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-09 01:40 . 2009-10-09 01:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-09 01:40 . 2009-10-09 01:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-10-09 01:40 . 2009-10-09 01:40 -------- d-----w- c:\program files\Lavasoft
2009-10-09 01:39 . 2009-10-09 01:39 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-09 01:28 . 2009-10-09 01:28 -------- d-----w- C:\$AVG8.VAULT$
2009-10-09 00:33 . 2009-10-09 00:33 -------- d-----w- c:\windows\system32\LogFiles
2009-10-08 23:14 . 2009-10-08 23:14 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-08 23:14 . 2009-10-08 23:14 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-08 23:14 . 2009-10-08 23:14 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-08 23:14 . 2009-10-08 23:14 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-08 23:14 . 2009-10-09 21:58 -------- d-----w- c:\windows\system32\drivers\Avg
2009-10-08 23:14 . 2009-10-08 23:14 -------- d-----w- c:\program files\AVG
2009-10-08 23:14 . 2009-10-08 23:14 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-10-08 23:13 . 2009-01-07 22:21 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2009-10-08 22:58 . 2008-10-16 18:09 43544 ----a-w- c:\windows\system32\wups2.dll
2009-10-08 22:56 . 2009-10-08 22:56 -------- d-s---w- c:\documents and settings\Charles R. Scott\UserData
2009-10-08 22:32 . 2009-10-08 22:32 -------- d-----w- c:\documents and settings\Charles R. Scott\Application Data\StealthBot
2009-10-08 22:32 . 2009-10-09 04:07 -------- d-----w- c:\program files\StealthBot 2.7
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-09 05:20 . 2009-10-09 05:18 -------- d-----w- c:\program files\Common Files\InstallShield
2009-10-09 05:18 . 2009-10-09 05:18 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-09 05:18 . 2009-10-09 05:18 -------- d-----w- c:\program files\SigmaTel
2009-10-09 04:10 . 2009-10-08 18:32 17456 ----a-w- c:\documents and settings\Charles R. Scott\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-08 18:32 . 2009-10-08 14:04 56860 ----a-w- c:\windows\system32\nvModes.dat
2009-10-08 18:13 . 2009-10-08 18:13 -------- d-----w- c:\program files\microsoft frontpage
2009-10-08 18:09 . 2009-10-08 18:09 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-09-12 06:09 . 2009-09-12 06:09 40960 ----a-w- c:\windows\system32\SSubTmr6.dll
2009-09-12 06:09 . 2009-09-12 06:09 150528 ----a-w- c:\windows\system32\TLBINF32.DLL
2009-08-05 09:01 . 2006-02-28 11:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-29 04:37 . 2006-02-28 11:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-07-29 04:37 . 2006-02-28 11:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-17 19:01 . 2006-02-28 11:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-12 16:21 . 2006-02-28 11:00 233472 ----a-w- c:\windows\system32\wmpdxm.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"i8kfangui"="c:\program files\I8kfanGUI\I8kfanGUI.exe" [2007-02-16 856064]
"StealthBot Launcher v1.2"="c:\program files\StealthBot 2.7\Launcher.exe" [2009-10-07 37896]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-12 8429568]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-05-12 81920]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-08 2023704]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-04-27 851968]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"NVHotkey"="nvHotkey.dll" - c:\windows\system32\nvhotkey.dll [2007-05-12 67584]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2007-05-06 405504]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2009-03-08 128512]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-08 23:14 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/8/2009 7:14 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/8/2009 7:14 PM 108552]
R1 fanio;FanIO driver;c:\windows\system32\drivers\fanio.sys [10/8/2009 10:17 PM 14464]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [10/8/2009 7:14 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [10/8/2009 7:14 PM 297752]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [10/8/2009 11:31 PM 603904]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-10-09 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-12-12 01:36]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath -
.
- - - - ORPHANS REMOVED - - - -
AddRemove-HijackThis - e:\antivirus and tech tools\HijackThis.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-10-09 19:26
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(2272)
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\nvsvc32.exe
c:\program files\RealVNC\VNC4\winvnc4.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
.
**************************************************************************
.
Completion time: 2009-10-09 19:30 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-09 23:30
Pre-Run: 12,764,176,384 bytes free
Post-Run: 12,689,469,440 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /TUTag=WRAV7G /Kernel=TUKernel.exe
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional (TuneUp Backup)" /noexecute=optin /fastdetect /TUTag=WRAV7G-BAK
218
10-09-2009, 07:41 PM
#4
Formerly charles_scott Join Date: Feb 2005 Posts: 4,605
Re: Check this out real quick... Here are the malwarebytes scans... I have performed multiple scans, one under both the admin and my main account...
Malwarebytes' Anti-Malware 1.41
Database version: 2933
Windows 5.1.2600 Service Pack 3
10/9/2009 7:13:53 PM
mbam-log-2009-10-09 (19-13-53).txt
Scan type: Full Scan (C:\|)
Objects scanned: 122809
Time elapsed: 37 minute(s), 12 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 4
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
c:\WINDOWS\system32\6to4v32.dll (Backdoor.Bot) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\6to4 (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\6to4 (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\isasdk (Backdoor.Bot) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\Program Files\Windows Police Pro (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
Files Infected:
c:\WINDOWS\system32\6to4v32.dll (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\isasdk.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\minix32.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\certstore.dat (Trojan.Agent) -> Quarantined and deleted successfully.
10-09-2009, 07:50 PM
#5
Join Date: Jan 2005 Location: Kentucky Posts: 32,098
Re: Check this out real quick... So after running those 2 programs, is the infection still there?
10-09-2009, 07:52 PM
#6
Formerly charles_scott Join Date: Feb 2005 Posts: 4,605
Re: Check this out real quick... After a few restarts, if I run Malwarebytes, AVG complains about an infection, and Malwarebytes also picks it up. I have turned restore points off, and wiped out my temp files/recycle bin each and every time... I have also disabled all addons for IE8...
10-09-2009, 08:01 PM
#7
Join Date: Jan 2005 Location: Kentucky Posts: 32,098
Re: Check this out real quick...
10-09-2009, 08:07 PM
#8
Formerly charles_scott Join Date: Feb 2005 Posts: 4,605
Re: Check this out real quick... I ran that last night, and it said it removed the infection... I guess I will run it again; looks like I didn't have the latest version of it though...
10-10-2009, 01:00 AM
#9
Join Date: Jan 2005 Location: Kentucky Posts: 32,098
Re: Check this out real quick... Any results?
10-10-2009, 06:55 PM
#10
Formerly charles_scott Join Date: Feb 2005 Posts: 4,605
Re: Check this out real quick... VundoFix found nothing, but while I was browsing some startup items in the Windows services I found a service trying to imitate PunkBuster, even though I don't have any games on this computer, let alone PunkBuster; disabled the service while under safe mode and ran Malwarebytes along with SDFix and I no longer get anything...
But the reasoning behind why I asked for your input is because Malwarebytes would show Vundo after a few restarts... And sorry for the long response, I don't have internet at home and have to travel to town to get online.
Issue is now resolved, thanks for the help.
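Added example, not posted by anyone in this thread and not part of HijackThis, ComboFix or Malwarebytes: a small Python triage script for the two HijackThis sections the thread keeps coming back to, O4 Run keys and O23 services. It does what post #10 did by hand: diff the autostart entries on the box against a log taken when the machine was known clean (here a constructed baseline made of four entries copied from the log in post #1), then attach plain-language review reasons to anything new. The 6to4v32.dll name comes from the Malwarebytes log in post #4; the Run entry wrapped around it, the "PunkBuster Helper" display name and the pbhelper service are constructed for this example, modelled on the look-alike service post #10 describes.

```python
"""Triage HijackThis O4 (Run keys) and O23 (services) entries against a baseline.

Added example for this thread; not part of HijackThis, ComboFix or Malwarebytes.
All sample log lines are embedded below so the script runs offline.
"""
from __future__ import annotations

import re
from typing import NamedTuple

# O4 - <hive>\..\Run: [<value name>] <command line>
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# O23 - Service: <display name> (<short name>) - <company> - <binary path>
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.*?) \((?P<short>[^()]*)\) - (?P<company>.*?) - (?P<path>.*)$"
)

# Constructed baseline: four entries copied from the HijackThis log in post #1,
# standing in for a log captured right after the fresh reformat.
BASELINE_LOG = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

# Constructed "current" log: the baseline plus two made-up lines. 6to4v32.dll is
# the DLL the Malwarebytes log in post #4 flagged; the Run entry around it and
# the whole "PunkBuster Helper" (pbhelper) service are invented for this example.
CURRENT_LOG = BASELINE_LOG + r"""
O4 - HKLM\..\Run: [6to4] rundll32.exe C:\WINDOWS\system32\6to4v32.dll,Start
O23 - Service: PunkBuster Helper (pbhelper) - Unknown owner - C:\WINDOWS\system32\pbhelper.exe (file missing)
"""


class Entry(NamedTuple):
    kind: str     # "O4" or "O23"
    name: str     # Run value name, or the service short name
    target: str   # command line (O4) or binary path (O23)
    company: str  # vendor string for services; "" for Run entries


def parse_entries(log_text: str) -> list[Entry]:
    """Extract O4 and O23 entries; every other HijackThis line is ignored."""
    entries: list[Entry] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            entries.append(Entry("O4", m["name"], m["cmd"], ""))
            continue
        m = O23_RE.match(line)
        if m:
            entries.append(Entry("O23", m["short"], m["path"], m["company"]))
    return entries


def _identity(e: Entry) -> tuple[str, str, str]:
    # Windows value names and paths are case-insensitive, so compare lowercased.
    return (e.kind, e.name.lower(), e.target.lower())


def new_entries(baseline_text: str, current_text: str) -> list[Entry]:
    """Entries in the current log that the known-clean baseline did not have."""
    known = {_identity(e) for e in parse_entries(baseline_text)}
    return [e for e in parse_entries(current_text) if _identity(e) not in known]


def review_reasons(e: Entry) -> list[str]:
    """Cheap, explainable reasons an autostart entry deserves a closer look."""
    reasons: list[str] = []
    target = e.target.lower()
    if e.kind == "O23" and e.company.lower() == "unknown owner":
        reasons.append("service reports no vendor (Unknown owner)")
    if "(file missing)" in target:
        reasons.append("autostart points at a file that is no longer present")
    if e.kind == "O4" and "rundll32" in target:
        reasons.append("DLL loaded through rundll32; inspect the DLL, not rundll32")
    if re.search(r"\\windows\\system32\\[^\\]+$", target):
        reasons.append("binary dropped straight into system32 rather than a product folder")
    return reasons


def triage(baseline_text: str, current_text: str) -> list[tuple[Entry, list[str]]]:
    """Pair each new entry with its review reasons (empty list = new but unremarkable)."""
    return [(e, review_reasons(e)) for e in new_entries(baseline_text, current_text)]


if __name__ == "__main__":
    for entry, reasons in triage(BASELINE_LOG, CURRENT_LOG):
        print(f"NEW {entry.kind} [{entry.name}] {entry.target}")
        for reason in reasons:
            print(f"    - {reason}")
```

The reasons are deliberately dumb and explainable: they do not decide anything is malware, they only sort the entries a human should read first. The diff against a baseline is what makes it useful after a reformat, when a clean log exists; the four heuristics exist for the case in the thread where the baseline is missing and the only signal is an entry that looks out of place.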