Old 07-05-2009, 01:08 PM   #4 (permalink)
Kirashio


Re: Recurring Vundo Trojan

I have completed the scan; the log file is as follows.

ComboFix 09-07-04.09 - User 05/07/2009 19:43.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.447.223 [GMT 1:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\-1333272000
c:\recycler\S-1-5-21-3290155749-1650567868-3821821243-1003
c:\windows\Installer\WinRMSrv.msi
c:\windows\system32\drivers\kjcfdgdu.sys
c:\windows\system32\drivers\ypdsgotl.sys
c:\windows\system32\kaksldwx.dll
c:\windows\system32\liwoduki.exe
c:\windows\system32\qekyfdu.dll
c:\windows\system32\sllstwo.dll
c:\windows\Tasks\At1.job
c:\windows\system32\drivers\8d89dc49.sys . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ypdsgotl
-------\Service_ypdsgotl
-------\Service_8d89dc49


((((((((((((((((((((((((( Files Created from 2009-06-05 to 2009-07-05 )))))))))))))))))))))))))))))))
.

2009-06-30 22:20 . 2009-06-30 22:20 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2009-06-30 22:20 . 2009-06-17 10:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-30 22:20 . 2009-06-30 22:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-30 22:20 . 2009-06-17 10:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-30 22:20 . 2009-06-30 22:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-29 22:58 . 2009-06-29 23:01 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-05 18:56 . 2009-04-28 22:02 109308 ----a-w- c:\windows\system32\drivers\8d89dc49.sys
2009-07-05 18:06 . 2008-08-10 19:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-07-02 22:05 . 2006-01-10 19:54 -------- d-----w- c:\program files\Guild Wars
2009-07-02 22:03 . 2005-11-25 09:17 -------- d-----w- c:\program files\CyberLink
2009-07-02 22:03 . 2005-11-25 09:17 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-02 19:44 . 2006-07-19 19:45 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-02 19:41 . 2006-07-19 19:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-01 18:56 . 2006-11-16 18:47 -------- d-----w- c:\program files\Common Files\Teleca Shared
2009-06-29 23:01 . 2006-07-19 19:44 -------- d-----w- c:\program files\SpywareBlaster
2009-05-14 22:37 . 2006-01-10 19:28 38552 ----a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-29 16:04 . 2009-04-29 16:04 2098 --sh--w- c:\windows\system32\besegopa.exe
2007-09-22 17:03 . 2007-09-22 17:03 3099663 ----a-w- c:\program files\uos-security-check_0015f2013aa2_1190480531.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-22 68856]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-04-29 3338240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-11-25 98304]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-10-10 7286784]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-10-10 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-13 136600]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-02-03 180269]
"WireLessMouse "="c:\program files\Multimedia Combo Set\MouseDrv.exe" [2004-06-27 503808]
"WireLessKeyboard "="c:\program files\Multimedia Combo Set\PS2USBKbdDrv.exe" [2004-07-01 80896]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"Ptipbmf"="ptipbmf.dll" - c:\windows\system32\ptipbmf.dll [2003-06-20 118784]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2005-10-10 1519616]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2004-10-27 61952]
"atwtusb"="atwtusb.exe" - c:\windows\system32\atwtusb.exe [2005-03-09 290816]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"dll32"="dll32" [X]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-22 68856]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
Run Nintendo Wi-Fi USB Connector Registration Tool.lnk - c:\program files\WiFiConnector\NintendoWFCReg.exe [2007-12-12 1073152]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2006-1-12 118784]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\CyberLink\\PowerCinema\\PowerCinema.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\THQ\\Dawn Of War\\W40kWA.exe"=
"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"c:\\Program Files\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Wizards of the Coast\\Magic Online III\\Renamer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:UDP"= 6112:UDP:dow6112
"6500:UDP"= 6500:UDP:dow6500
"27900:UDP"= 27900:UDP:dow27900
"27901:UDP"= 27901:UDP:dow27901
"28910:TCP"= 28910:TCP:dow28910
"29900:TCP"= 29900:TCP:dow29900
"29901:TCP"= 29901:TCP:dow29901
"29910:UDP"= 29910:UDP:dow29910
"29920:TCP"= 29920:TCP:dow29920

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [04/04/2009 00:44 55152]
R3 TNET1130;802.11 WLAN;c:\windows\system32\drivers\tnet1130.sys [10/01/2006 20:03 385536]
S1 aiptektp;HyperPen;c:\windows\system32\drivers\aiptektp.sys [10/01/2006 19:44 22272]
S3 cpuz;cpuz;\??\e:\cpuz.sys --> e:\cpuz.sys [?]
S3 PAC207;SoC PC-Camer@;c:\windows\system32\drivers\PFC027.sys [24/02/2005 13:29 162176]
S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\w300mgmt.sys [16/11/2006 19:54 87824]
S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;c:\windows\system32\drivers\w300obex.sys [16/11/2006 19:54 85696]
S4 m5287;m5287;c:\windows\system32\drivers\m5287.sys [25/11/2005 17:44 85888]
S4 m5289;m5289;c:\windows\system32\drivers\m5289.sys [25/11/2005 17:44 51840]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - YPDSGOTL
*Deregistered* - ypdsgotl

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
lyxulsbp
.
Contents of the 'Scheduled Tasks' folder

2009-07-05 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-14 22:43]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mWindow Title = Tiscali Internet Access
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: Download All by FlashGet - c:\progra~1\FlashGet\jc_all.htm
IE: Download using FlashGet - c:\progra~1\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {51AE91DF-5F11-4628-9904-A77489B7A8CF} = 192.168.0.1
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\dnmkxgqc.default\
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-05 19:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\8d89dc49]
"ImagePath"="\SystemRoot\System32\drivers\8d89dc49.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\s-1-5-21-732552938-1092693543-720440500-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:ec,16,b4,c0,b6,ee,4e,2e,4a,e0,68,14,b3,dd,c0,e0,ec,21,a9,95,36,83,65,
76,16,1a,00,03,f2,cb,96,c1,53,18,44,16,41,eb,a0,99,e6,62,15,59,1d,5d,a9,7b,\
"??"=hex:3f,eb,b2,a8,d5,51,4b,c2,1b,01,ec,08,0f,18,11,95

[HKEY_USERS\s-1-5-21-732552938-1092693543-720440500-1006\Software\SecuROM\License information*]
"datasecu"=hex:9a,d5,f3,33,92,e0,11,05,3f,cd,36,e6,a1,82,37,fa,06,63,c9,77,aa,
cd,24,dc,44,2f,cb,5b,a5,ad,6c,e2,94,e7,24,0f,c9,c8,fd,2b,6d,8f,06,b7,56,ee,\
"rkeysecu"=hex:e2,26,6d,94,9c,ba,ad,1d,64,79,70,1b,d8,19,de,23
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
c:\program files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
c:\program files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
c:\program files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\windows\system32\nvsvc32.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\PAStiSvc.exe
c:\windows\system32\wdfmgr.exe
c:\program files\McAfee\Common Framework\Mctray.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
.
**************************************************************************
.
Completion time: 2009-07-05 20:02 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-05 19:02

Pre-Run: 130,620,329,984 bytes free
Post-Run: 131,146,383,360 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
217 --- E O F --- 2009-04-20 02:10



I don't know whether it matters, since the log file was created anyway, but after ComboFix restarted my computer, while the window was displaying that a log file was being generated and instructing me not to run any programs, a number of programs that load on startup, such as McAfee (which I'd disabled before the scan/restart), loaded themselves. I just wanted to be sure that this couldn't influence the results. Thanks for your time.