I've followed the steps you recommended before posting a Hijack This! Analyzer log, and I'm hoping you can use the log analysis below to help me get rid of Trojan.Vundo.
I've tried the Symantec FixVundo tool but it doesn't seem to pick the trojan up on my system. And I've only been able to go so far by trying to use VundoFix by way of the procedures you've outlined for other Tech Support Forum clients. It seems to me that each case has its own unique filepaths that have to be addressed.
Can you help me?
Thanks in advance.
====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 9/28/05
Get updates at http://www.greyknight17.com/download.htm#programs
***Security Programs Detected***
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Logfile of HijackThis v1.99.1
Scan saved at 1:46:19 PM, on 16/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\MDG\MDGnotify.exe
C:\Documents and Settings\Richard Beales\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O1 - Hosts: d.com
O1 - Hosts: d.com
O1 - Hosts: g.mysearch.com
O1 - Hosts: nd.com
O1 - Hosts: nd.com
O1 - Hosts: ind.com
O1 - Hosts: ind.com
O1 - Hosts: find.com
O1 - Hosts: find.com
O1 - Hosts: yfind.com
O1 - Hosts: yfind.com
O1 - Hosts: tyfind.com
O1 - Hosts: tyfind.com
O1 - Hosts: styfind.com
O1 - Hosts: .whenu.com
O1 - Hosts: .whenu.com
O1 - Hosts: inc.whenu.com
O1 - Hosts: c.whenu.com
O1 - Hosts: nc.whenu.com
O1 - Hosts: nc.whenu.com
O1 - Hosts: inc.whenu.com
O1 - Hosts: inc.whenu.com
O1 - Hosts: m
O1 - Hosts: m
O1 - Hosts: m
O1 - Hosts: m
O1 - Hosts: om
O1 - Hosts: om
O1 - Hosts: com
O1 - Hosts: com
O1 - Hosts: com
O1 - Hosts: com
O1 - Hosts: .com
O1 - Hosts: .com
O1 - Hosts: d.com
O1 - Hosts: d.com
O1 - Hosts: d.com
O1 - Hosts: d.com
O1 - Hosts: nd.com
O1 - Hosts: nd.com
O1 - Hosts: ind.com
O1 - Hosts: ind.com
O1 - Hosts: find.com
O1 - Hosts: find.com
O1 - Hosts: yfind.com
O1 - Hosts: yfind.com
O1 - Hosts: tyfind.com
O1 - Hosts: tyfind.com
O1 - Hosts: styfind.com
O1 - Hosts: styfind.com
O1 - Hosts: estyfind.com
O1 - Hosts: estyfind.com
O1 - Hosts: .zestyfind.com
O1 - Hosts: .zestyfind.com
O1 - Hosts: ww.zestyfind.com
O1 - Hosts: om
O1 - Hosts: ww.zestyfind.com
O1 - Hosts: .com
O1 - Hosts: rtoolbar.com
O1 - Hosts: sertoolbar.com
O1 - Hosts: owsertoolbar.com
O1 - Hosts: 127.0
O1 - Hosts: 2.browsertoolbar.com
O1 - Hosts: ww2.browsertoolbar.com
O1 - Hosts: .www2.browsertoolbar.com
O1 - Hosts: 127.0.0.
O1 - Hosts: ww.www2.browsertoolbar.com
O1 - Hosts: 127.0.0.
O2 - BHO: CATLEvents Object - {2527BEEF-1B3C-4D3B-98F0-7F3C1EB910A0} - C:\DOCUME~1\Peter\LOCALS~1\Temp\itnarc.dat (file missing)
O2 - BHO: (no name) - {446CF8A5-617E-4D91-95AE-AE78CE0D06AF} - (no file)
O2 - BHO: (no name) - {68132581-10F2-416E-B188-4E648075325A} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: CATLEvents Object - {BB54DE33-E539-4749-BFAC-CC49617E8F2A} - C:\WINDOWS\TEMP\bewsa.dat
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
O2 - BHO: CATLEvents Object - {D487068E-9B04-4FE5-8A83-08344F800BF5} - C:\DOCUME~1\RICHAR~1\LOCALS~1\Temp\ipattnof.dat (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: CATLEvents Object - {FF4D5071-EE0E-4DCA-BC1C-D776B0F2276E} - C:\WINDOWS\TEMP\bacrc.dat
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [*wavedvd] C:\WINDOWS\Tasks\wavedvd.exe
O4 - HKLM\..\Run: [*mp3] C:\WINDOWS\system\mp3.exe
O4 - HKLM\..\Run: [*regtcp] C:\WINDOWS\Web\regtcp.exe
O4 - HKLM\..\Run: [*uninet] C:\WINDOWS\msagent\uninet.exe
O4 - HKLM\..\Run: [*adnet] C:\WINDOWS\java\classes\adnet.exe
O4 - HKLM\..\Run: [*kbdisk] C:\WINDOWS\ServicePackFiles\kbdisk.exe
O4 - HKLM\..\Run: [*ipacc] C:\WINDOWS\ServicePackFiles\ipacc.exe
O4 - HKLM\..\Run: [*vssexp] C:\WINDOWS\msagent\chars\vssexp.exe
O4 - HKLM\..\Run: [*webjpeg] C:\WINDOWS\repair\webjpeg.exe
O4 - HKLM\..\Run: [*dvdimg] C:\WINDOWS\Fonts\dvdimg.exe
O4 - HKLM\..\Run: [*cmdras] C:\WINDOWS\system\cmdras.exe
O4 - HKLM\..\Run: [*vssvb] C:\WINDOWS\vssvb.exe
O4 - HKLM\..\Run: [*faxav] C:\WINDOWS\Tasks\faxav.exe
O4 - HKLM\..\Run: [*vssdrv] C:\WINDOWS\addins\vssdrv.exe
O4 - HKLM\..\Run: [*netplay] C:\WINDOWS\system\netplay.exe
O4 - HKLM\..\Run: [*antilib] C:\WINDOWS\Fonts\antilib.exe
O4 - HKLM\..\Run: [*fonttcp] C:\WINDOWS\system\fonttcp.exe
O4 - HKLM\..\Run: [*accdll] C:\WINDOWS\Driver Cache\accdll.exe
O4 - HKLM\..\Run: [*wmsad] C:\WINDOWS\ServicePackFiles\wmsad.exe
O4 - HKLM\..\Run: [*abrbin] C:\WINDOWS\repair\abrbin.exe
O4 - HKLM\..\Run: [*eulainet] C:\WINDOWS\addins\eulainet.exe
O4 - HKLM\..\Run: [*accodbc] C:\WINDOWS\Web\accodbc.exe
O4 - HKLM\..\Run: [*logwave] C:\WINDOWS\msagent\chars\logwave.exe
O4 - HKLM\..\Run: [*dlldoc] C:\WINDOWS\AppPatch\dlldoc.exe
O4 - HKLM\..\Run: [*eulacr] C:\WINDOWS\Config\eulacr.exe
O4 - HKLM\..\Run: [*vbacc] C:\WINDOWS\java\classes\vbacc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - Startup: Shortcut to MDGnotify.lnk = C:\WINDOWS\MDG\MDGnotify.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://66.48.68.135/save/makeover.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache...p1.0.0.8-2.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1126473129562
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...reShowdown.cab
O20 - Winlogon Notify: ipcmd - C:\DOCUME~1\Peter\LOCALS~1\Temp\dmcpi.dat (file missing)
O20 - Winlogon Notify: playtapi - C:\DOCUME~1\Peter\LOCALS~1\Temp\ipatyalp.dat (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
End of KRC HijackThis Analyzer Log.
====================================================================
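The log above shows the patterns a helper would look for before deciding what to fix: O1 hosts-file overrides, O2 BHOs and O20 Winlogon Notify entries that point into Temp directories or whose file is already gone, and a run of O4 Run values with `*`-prefixed names launching from Windows subdirectories (Fonts, Tasks, repair, ServicePackFiles and so on) that never hold legitimate autostart programs. The script below is an added triage example, not part of the original post and not code from HijackThis or the KRC Analyzer; the heuristics, the `ODD_WINDOWS_DIRS` list and the `Finding`/`triage_log` names are assumptions made for illustration, and the sample lines are copied from the log above.

```python
"""Triage HijackThis-style log lines for the entry patterns seen in the log above.

Added example; the rules are illustrative assumptions, not HijackThis or
KRC Analyzer logic. A finding is a reason to inspect an entry, not proof
that it is malicious.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# "O4 - HKLM\..\Run: [...] ..." -> section "O4", body = rest of line
LINE_RE = re.compile(r"^([A-Z]\d+)\s+-\s+(.*)$")
# First drive-letter path ending in a binary/data extension
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll|dat|sys))', re.IGNORECASE)
RUN_NAME_RE = re.compile(r"\[([^\]]*)\]")

# Windows subdirectories that do not normally contain autostart executables
# (assumed list for this example; compare with the O4 entries in the log).
ODD_WINDOWS_DIRS = (
    r"c:\windows\fonts", r"c:\windows\tasks", r"c:\windows\repair",
    r"c:\windows\servicepackfiles", r"c:\windows\driver cache",
    r"c:\windows\addins", r"c:\windows\msagent", r"c:\windows\java",
    r"c:\windows\config", r"c:\windows\apppatch", r"c:\windows\web",
    r"c:\windows\system", r"c:\windows\temp",
)


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def extract_path(text: str) -> Optional[str]:
    """Return the first file path in the entry, lower-cased, or None."""
    m = PATH_RE.search(text)
    return m.group(1).lower() if m else None


def in_odd_windows_dir(path: str) -> bool:
    # Trailing backslash keeps c:\windows\system from matching system32.
    return any(path.startswith(d + "\\") for d in ODD_WINDOWS_DIRS)


def in_temp_dir(path: str) -> bool:
    return "\\temp\\" in path


def triage_line(line: str) -> List[Finding]:
    """Apply the heuristics to one log line and return zero or more findings."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    section, body = m.groups()
    path = extract_path(body)
    found: List[Finding] = []
    if section == "O1":
        found.append(Finding(section, "hosts file override (name resolution redirected)", line))
    elif section in ("O2", "O20"):
        if "(file missing)" in body or "(no file)" in body:
            found.append(Finding(section, "orphaned entry: registered component has no file on disk", line))
        if path and in_temp_dir(path):
            found.append(Finding(section, "component loaded from a Temp directory", line))
    elif section == "O4":
        name = RUN_NAME_RE.search(body)
        if name and name.group(1).startswith("*"):
            found.append(Finding(section, "Run value name begins with '*' (shared by all suspect entries in the log)", line))
        if path and in_odd_windows_dir(path):
            found.append(Finding(section, "autostart from a Windows subdirectory that does not normally hold executables", line))
    return found


def triage_log(lines: List[str]) -> List[Finding]:
    out: List[Finding] = []
    for ln in lines:
        out.extend(triage_line(ln))
    return out


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per HijackThis section (O1, O2, O4, O20, ...)."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


# Sample lines copied from the log above (a mix of benign and suspect entries).
SAMPLE_LOG = r"""
O1 - Hosts: g.mysearch.com
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: CATLEvents Object - {2527BEEF-1B3C-4D3B-98F0-7F3C1EB910A0} - C:\DOCUME~1\Peter\LOCALS~1\Temp\itnarc.dat (file missing)
O2 - BHO: (no name) - {446CF8A5-617E-4D91-95AE-AE78CE0D06AF} - (no file)
O2 - BHO: CATLEvents Object - {BB54DE33-E539-4749-BFAC-CC49617E8F2A} - C:\WINDOWS\TEMP\bewsa.dat
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [*dvdimg] C:\WINDOWS\Fonts\dvdimg.exe
O4 - HKLM\..\Run: [*mp3] C:\WINDOWS\system\mp3.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O20 - Winlogon Notify: ipcmd - C:\DOCUME~1\Peter\LOCALS~1\Temp\dmcpi.dat (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
""".strip().splitlines()


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    print(summarize(triage_log(SAMPLE_LOG)))
```

Run on the sample, the Symantec, Java and Lexmark-style entries produce no findings while every Temp-based BHO, orphaned CLSID, `*`-named Run value and Winlogon Notify hook is reported with the reason it was flagged; that list is the set of entries a helper would map to the per-system file paths the poster mentions, rather than relying on a generic fix tool to guess them.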