12-05-2008, 09:15 PM   #5
TheyGotMe
Registered User
 
Join Date: Dec 2008
Posts: 4
OS: xp sp3


Re: Infected with Trojan Vundo, iifdcAtT.dll, pop-ups, etc.

Things are looking much better now, thanks. The pop-ups have stopped, and my computer is operating as it should as far as I can tell.

I mentioned this above: "I also found under Control Panel>Add/Remove Programs an entry for something called "Advertisement Service". When I clicked on Change/Remove I got "An error occurred while trying to remove...etc.", I suppose because there's no uninstaller." Should I go ahead and delete it from the Add/Remove Programs list?

Here are the ComboFix and Kaspersky logs you requested:

ComboFix 08-12-05.02 - Simon 2008-12-05 21:46:11.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1091 [GMT -5:00]
Running from: c:\documents and settings\Simon\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Simon\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\yayaYoPJ.dll

.
((((((((((((((((((((((((( Files Created from 2008-11-06 to 2008-12-06 )))))))))))))))))))))))))))))))
.

2008-12-03 15:31 . 2008-12-03 15:31 250 --a------ c:\windows\gmer.ini
2008-12-03 15:11 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-12-03 15:10 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-12-03 14:37 . 2008-12-03 19:05 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-12-03 14:36 . 2005-08-25 19:18 118,784 --a------ c:\windows\system32\MSSTDFMT.DLL
2008-12-03 13:07 . 2008-12-03 13:07 <DIR> d-------- c:\windows\Sun
2008-12-03 13:07 . 2008-12-03 13:06 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-03 13:07 . 2008-12-03 13:06 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-03 13:06 . 2008-12-03 13:06 <DIR> d-------- c:\program files\Java
2008-12-03 11:46 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2008-11-22 20:10 . 2008-11-22 20:10 <DIR> d-------- c:\program files\iPod
2008-11-22 20:10 . 2008-11-22 20:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-18 14:46 . 2008-12-05 20:37 0 --a------ c:\windows\system32\drivers\lvuvc.hs
2008-11-18 14:22 . 2008-11-18 14:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\Logitech
2008-11-18 14:22 . 2008-11-18 14:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\Logishrd
2008-11-18 14:17 . 2008-11-18 14:22 <DIR> d-------- c:\program files\Common Files\logishrd
2008-11-18 14:04 . 2008-12-05 20:37 0 --a------ c:\windows\system32\drivers\logiflt.iad
2008-11-18 13:53 . 2008-04-13 14:39 5,504 --a------ c:\windows\system32\drivers\MSTEE.sys
2008-11-18 13:53 . 2008-04-13 14:39 5,504 --a--c--- c:\windows\system32\dllcache\mstee.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-28 01:09 --------- d-----w c:\documents and settings\Simon\Application Data\Skype
2008-10-31 22:28 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2008-10-29 22:37 --------- d-----w c:\documents and settings\Simon\Application Data\Line 6
2008-10-29 22:35 --------- d-----w c:\documents and settings\All Users\Application Data\Line 6
2008-10-24 22:29 530,560 ----a-w c:\windows\system32\drivers\L6POD.sys
2008-10-24 22:29 167,936 ----a-w c:\windows\system32\L6PODxt.dll
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-14 22:14 --------- d-----w c:\program files\Bonjour
2008-10-14 22:13 --------- d-----w c:\program files\Common Files\Apple
2008-10-14 22:12 --------- d-----w c:\program files\Apple Software Update
2008-10-09 00:58 --------- d-----w c:\program files\Common Files\Native Instruments
2008-10-07 21:53 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-07 21:53 --------- d-----w c:\program files\M-Audio
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"TransBar"="c:\documents and settings\Simon\Local Settings\Application Data\AKSoftware\TransBar\TransBar.exe" [2005-06-01 65536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="e:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-30 1261336]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"DrvIcon"="e:\program files\Vista Drive Icon\DrvIcon.exe" [2008-04-13 49152]
"M-Audio Taskbar Icon"="c:\windows\System32\M-AudioTaskBarIcon.exe" [2007-01-25 154112]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"QuickTime Task"="e:\program files\QT Lite\qttask.exe" [2008-09-06 413696]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 565008]
"LogitechQuickCamRibbon"="e:\program files\Logitech\Quickcam.exe" [2008-08-14 2407184]
"iTunesHelper"="e:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-03 136600]
"nwiz"="nwiz.exe" [2008-05-16 c:\windows\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"e:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"e:\\Program Files\\Wallpaper Tool\\WallPaper.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\Program Files\\Cakewalk\\SONAR 6 Producer Edition\\SONARPDR.exe"=
"e:\\Program Files\\iTunes\\iTunes.exe"=
"e:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-06-18 97928]
R2 avg8emc;AVG8 E-mail Scanner;e:\progra~1\AVG\AVG8\avgemc.exe [2008-07-02 875288]
R2 avg8wd;AVG8 WatchDog;e:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-07-02 231704]
R2 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-06-18 76040]

*Newly Created Service* - CATCHME
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
Trusted Zone: *.line6.net

O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-05 21:46:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-12-05 21:47:26
ComboFix-quarantined-files.txt 2008-12-06 02:47:19
ComboFix2.txt 2008-12-06 01:39:06

Pre-Run: 10,354,757,632 bytes free
Post-Run: 10,343,596,032 bytes free

123

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, December 5, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, December 05, 2008 19:45:58
Records in database: 1439220
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan statistics:
Files scanned: 70376
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 00:51:40

No malware has been detected. The scan area is clean.

The selected area was scanned.
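An added example, not part of this thread and not the helper's instructions: a small Python triage script for the Run-key portion of a ComboFix "Reg Loading Points" block like the one above. It parses each `"Name"="command" [date size]` line and flags two things a reviewer normally looks at first: an autostart whose executable lives under a user-writable profile directory, and a value that is a bare filename rather than a full path (which ComboFix resolves for you, as in the `nwiz` line). The sample lines are copied from the log posted above; the heuristics and the `suspicious_entries` name are my own assumptions about what deserves a second look, not a verdict that any entry is malicious.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: the Run-key section of the ComboFix log posted above.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"TransBar"="c:\documents and settings\Simon\Local Settings\Application Data\AKSoftware\TransBar\TransBar.exe" [2005-06-01 65536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="e:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-30 1261336]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"nwiz"="nwiz.exe" [2008-05-16 c:\windows\system32\nwiz.exe]
"""


@dataclass
class AutostartEntry:
    hive_key: str            # registry key the entry was listed under
    name: str                # value name
    command: str             # value data as ComboFix printed it
    date: str                # file timestamp ComboFix reported
    extra: str               # file size, or the resolved path for a bare filename
    flags: List[str] = field(default_factory=list)


KEY_RE = re.compile(r"^\[(.+)\]$")
ENTRY_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s*\[(\d{4}-\d{2}-\d{2})\s+([^\]]+)\]$')

# Assumption: these substrings mark locations a normal user can write to on XP.
USER_WRITABLE_MARKERS = (
    "\\documents and settings\\",
    "\\application data\\",
    "\\local settings\\",
    "\\temp\\",
)


def parse_reg_loading_points(text: str) -> List[AutostartEntry]:
    """Turn the REGEDIT4-style block into AutostartEntry records."""
    entries: List[AutostartEntry] = []
    current_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        entry_match = ENTRY_RE.match(line)
        if entry_match and current_key:
            entries.append(AutostartEntry(current_key, *entry_match.groups()))
    return entries


def triage(entry: AutostartEntry) -> AutostartEntry:
    """Attach review flags (heuristics, not detections) to one entry."""
    cmd = entry.command.lower()
    if "\\" not in cmd and "/" not in cmd:
        entry.flags.append("bare filename: loaded via PATH search order, "
                           "resolved file is " + entry.extra)
    if any(marker in cmd for marker in USER_WRITABLE_MARKERS):
        entry.flags.append("executable lives in a user-writable profile directory")
    return entry


def suspicious_entries(text: str) -> List[AutostartEntry]:
    """Entries from the block that carry at least one review flag."""
    return [e for e in (triage(e) for e in parse_reg_loading_points(text)) if e.flags]


if __name__ == "__main__":
    for e in suspicious_entries(SAMPLE_LOG):
        print(f"{e.hive_key}\n  {e.name} = {e.command}")
        for f in e.flags:
            print(f"    - {f}")
```

On the sample, `TransBar` is flagged for living under the user's profile and `nwiz` for being a bare filename; `ctfmon.exe`, the AVG tray and the NVIDIA entries pass. A flag here only says "look at this one", which is exactly what a human reviewer did in this thread before deciding what to remove.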