10-02-2007, 09:52 AM   #5
Cleffer
Registered User
 
Join Date: Dec 2004
Location: Mid-West
Posts: 180
OS: 2003/XP/Vista


Re: Need a binary shotgun for Trojan.Vundo

Certainly! Was the .sys file the root of the infection or the S3 entry .exe file? All scans would be clean, and then it would reinstall after a reboot. Typical malware behavior, but strange not to be able to find the root of the infection even with a HijackThis and a rootkit scan.

I've cold booted and Symantec is not hitting on it at all any more. All subsequent scans have been clean.

Thanks for your attention. :)


Here's the log from last night:

ComboFix 07-10-02.2 - Administrator 2007-10-01 21:18:39.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.629 [GMT -5:00]
Running from: E:\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\smsmith\Application Data\Hotbar
C:\Documents and Settings\smsmith\Application Data\SpamBlocker
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\ssttu.dll

.
((((((((((((((((((((((((( Files Created from 2007-09-02 to 2007-10-02 )))))))))))))))))))))))))))))))
.

2007-10-01 21:17 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-01 17:01 <DIR> d-------- C:\Documents and Settings\engineeradmin\Application Data\HotSync
2007-10-01 17:00 <DIR> d-------- C:\Documents and Settings\engineeradmin\Application Data\Real
2007-10-01 15:36 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\HotSync
2007-09-26 09:26 26,496 --a------ C:\WINDOWS\system32\dllcache\usbstor.sys
2007-09-26 07:49 296,244 --a------ C:\WINDOWS\system32\ddcya.dll
2007-09-25 18:15 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2007-09-25 18:13 <DIR> d-------- C:\VundoFix Backups
2007-09-25 18:07 296,436 --a------ C:\WINDOWS\system32\awtqq.dll
2007-09-25 18:03 <DIR> d-------- C:\WINDOWS\pss
2007-09-25 17:21 <DIR> d-------- C:\Documents and Settings\smsmith\Application Data\HotSync
2007-09-25 17:14 <DIR> dr-h----- C:\Documents and Settings\smsmith\Application Data\Andersson Digital Design
2007-09-25 17:14 <DIR> d--hs---- C:\Documents and Settings\smsmith\UserData
2007-09-25 17:14 <DIR> d-------- C:\Documents and Settings\smsmith\SecurityScans
2007-09-25 17:14 <DIR> d-------- C:\Documents and Settings\smsmith\Contacts
2007-09-25 17:14 <DIR> d-------- C:\Documents and Settings\smsmith\Application Data\XnView
2007-09-25 17:14 <DIR> d-------- C:\Documents and Settings\smsmith\Application Data\Sonic
2007-09-25 17:14 <DIR> d-------- C:\Documents and Settings\smsmith\Application Data\Share-to-Web Upload Folder
2007-09-25 17:14 <DIR> d-------- C:\Documents and Settings\smsmith\Application Data\Real
2007-09-25 17:14 <DIR> d-------- C:\Documents and Settings\smsmith\Application Data\Raptisoft
2007-09-25 17:14 <DIR> d-------- C:\Documents and Settings\smsmith\Application Data\Media Player Classic
2007-09-25 17:14 <DIR> d-------- C:\Documents and Settings\smsmith\Application Data\Leadertech
2007-09-25 17:14 <DIR> d-------- C:\Documents and Settings\smsmith\Application Data\Lavasoft
2007-09-25 17:14 <DIR> d-------- C:\Documents and Settings\smsmith\Application Data\InterVideo
2007-09-25 17:14 <DIR> d-------- C:\Documents and Settings\smsmith\Application Data\InterTrust
2007-09-25 17:14 <DIR> d-------- C:\Documents and Settings\smsmith\Application Data\Help
2007-09-25 17:14 <DIR> d-------- C:\Documents and Settings\smsmith\Application Data\Google
2007-09-25 17:14 <DIR> d-------- C:\Documents and Settings\smsmith\Application Data\Ethereal
2007-09-25 17:14 <DIR> d-------- C:\Documents and Settings\smsmith\Application Data\Apple Computer
2007-09-25 17:14 <DIR> d-------- C:\Documents and Settings\smsmith\Application Data\APC
2007-09-25 17:14 <DIR> d-------- C:\Documents and Settings\smsmith\Application Data\AdobeUM
2007-09-25 17:14 <DIR> d-------- C:\Documents and Settings\smsmith\Application Data\AdobeAUM
2007-09-25 17:14 <DIR> d-------- C:\Documents and Settings\smsmith\Application Data\ActiveState
2007-09-25 17:14 <DIR> d-------- C:\Documents and Settings\smsmith\Application Data\.gaim
2007-09-25 17:14 <DIR> d-------- C:\Documents and Settings\smsmith\.lincity
2007-09-25 14:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-09-25 13:56 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-09-25 13:35 296,804 --a------ C:\WINDOWS\system32\geedd.dll
2007-09-25 13:14 <DIR> d-------- C:\WINDOWS\system32\vMW10a
2007-09-25 13:14 <DIR> d-------- C:\TEMP\xOe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-01 21:23 --------- d-------- C:\Program Files\Symantec AntiVirus
2007-09-28 18:00 --------- d-------- C:\Documents and Settings\All Users\Application Data\Retrospect
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-03-11 05:24]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-03-11 05:11]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 18:48]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2003-01-31 19:49]
"DrvLsnr"="C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe" [2002-05-28 03:37]
"srmclean"="C:\Cpqs\Scom\srmclean.exe" [2001-07-24 16:34]
"SetRefresh"="C:\Program Files\Compaq\SetRefresh\SetRefresh.exe" [2002-08-07 09:24]
"CPQEASYACC"="C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe" [2001-12-14 17:01]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-06-02 09:47]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-07-09 08:10]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 20:38]
"vptray"="C:\PROGRA~1\SYMANT~2\VPTray.exe" [2006-12-20 13:29]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 00:56]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"CPQDFWAG"=C:\WINDOWS\Cpqdiag\CpqDfwAg.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Program Files\palmOne\Hotsync.exe [2004-06-09 15:16:08]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 18:23:32]

C:\Documents and Settings\smsmith\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2006-04-09 18:30:45]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Program Files\palmOne\Hotsync.exe [2004-06-09 15:16:08]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 18:23:32]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{F884BE4E-64D5-43FE-80A4-DB8D63C748F0}"= C:\WINDOWS\system32\hggfcyw.dll [ ]

R1 EAWDMFD;EAWDMFD;C:\WINDOWS\system32\drivers\EAWDMFD.sys
R2 cpqdfw;Diagnostics Driver;\??\C:\WINDOWS\System32\drivers\cpqdfw.sys
R2 cq_mem;Diagnostics Memory Driver;\??\C:\WINDOWS\System32\drivers\cq_mem.sys
R2 cqcpu;Diagnostics CPU Driver;\??\C:\WINDOWS\System32\drivers\cqcpu.sys
R2 DfwWebAgent;Remote Diagnostics Enabling Agent;C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
R3 eaps2kbd;Compaq Easy Access PS2 Internet Keyboard (Win2K);C:\WINDOWS\system32\DRIVERS\eaps2kbd.sys
S3 EGXHXEFWZF;EGXHXEFWZF;C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\EGXHXEFWZF.exe

.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-01 21:24:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-01 21:25:52 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-01 21:25
.
--- E O F ---

Last edited by Cleffer; 10-02-2007 at 09:54 AM.
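The question in the post (was it the driver or the S3 service that kept reinstalling?) is really about which loading points survived a reboot. As an added example, not code from the post or from ComboFix, here is a small Python triage that reads lines in the ComboFix "Reg Loading Points" format and tags the entries a responder would want to look at first: an image that runs from a Temp directory, a ShellExecuteHooks DLL (the hook ComboFix lists above, `hggfcyw.dll`, is the kind of entry the Vundo family used), an empty timestamp bracket, and a vowel-free file name as a weak random-name signal. The sample log is constructed from the paths shown in the post; the heuristics, function names and the `Entry` structure are my own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the ComboFix "Reg Loading Points" layout. The paths are
# copied from the log in the post above so the rules run on realistic input.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 20:38]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 00:56]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{F884BE4E-64D5-43FE-80A4-DB8D63C748F0}"= C:\WINDOWS\system32\hggfcyw.dll [ ]

R1 EAWDMFD;EAWDMFD;C:\WINDOWS\system32\drivers\EAWDMFD.sys
S3 EGXHXEFWZF;EGXHXEFWZF;C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\EGXHXEFWZF.exe
"""

KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
# "name"="path" [stamp]   or   "name"= path [ ]   or   "name"=path (no stamp)
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"=\s*"?(?P<path>.*?)"?(?:\s*\[(?P<stamp>[^\]]*)\])?\s*$')
# R1 name;display;path  (ComboFix service/driver lines; R = running, S = stopped)
SERVICE_RE = re.compile(r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+)$')
TEMP_DIR_RE = re.compile(r'\\(temp|tmp)\\', re.I)


@dataclass
class Entry:
    source: str             # registry key, or the service start type (R1, S3, ...)
    name: str
    path: str
    stamp: Optional[str]    # timestamp text inside [...]; None when ComboFix printed none


def parse_loading_points(text: str) -> list[Entry]:
    """Turn the Reg Loading Points section into Entry records (hypothetical helper)."""
    entries: list[Entry] = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := KEY_RE.match(line):
            key = m.group(1)
            continue
        if m := SERVICE_RE.match(line):
            path = m.group('path').strip()
            if path.startswith('\\??\\'):   # NT object-manager prefix seen on driver paths
                path = path[4:]
            entries.append(Entry(m.group('start'), m.group('name'), path, None))
            continue
        if key and (m := VALUE_RE.match(line)):
            entries.append(Entry(key, m.group('name'), m.group('path').strip(), m.group('stamp')))
    return entries


def _stem(path: str) -> str:
    """File name without directory or extension."""
    return path.rsplit('\\', 1)[-1].rsplit('.', 1)[0]


def triage(text: str) -> dict[str, list[str]]:
    """Return {entry name: [reasons]} for loading points worth a second look."""
    findings: dict[str, list[str]] = {}
    for e in parse_loading_points(text):
        reasons = []
        if TEMP_DIR_RE.search(e.path):
            reasons.append('image runs from a Temp directory')
        if 'ShellExecuteHooks' in e.source:
            reasons.append('ShellExecuteHooks DLL (loaded by Explorer and anything calling ShellExecute)')
        if e.stamp is not None and not e.stamp.strip():
            reasons.append('empty timestamp bracket: ComboFix recorded no file time')
        stem = _stem(e.path)
        if len(stem) >= 5 and not re.search(r'[aeiou]', stem, re.I):
            reasons.append(f'vowel-free file name {stem!r} (weak random-name signal)')
        if reasons:
            findings[e.name] = reasons
    return findings


if __name__ == '__main__':
    for name, reasons in triage(SAMPLE_LOG).items():
        print(name)
        for r in reasons:
            print('   -', r)
```

Run against the sample, the two entries the post is asking about surface immediately: the S3 service `EGXHXEFWZF` because its image lives under the Administrator's Temp folder, and the `{F884BE4E-...}` hook because it is a ShellExecuteHooks DLL with no recorded file time and a vowel-free name. `SpybotSD TeaTimer` is also listed, for its empty timestamp bracket alone, which is the point of keeping the reasons visible: each rule is a signal for a person to check against the file on disk, not a verdict.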