
Vundo Infection


  • This topic is locked
2 replies to this topic

#1 StupidMonkey

  • Members
  • 1 posts

Posted 24 December 2008 - 12:05 PM

Hi! I have been having a number of problems with spyware since the beginning of the month. Having thought all was remedied, it seems that they just won't stop coming back. AVG is telling me I have Vundo trojans, and Avast has picked up an awful lot too. Most are constantly mutating .dll files such as raramuge.dll etc. I am getting IE pop-ups every so often (I use Firefox) which are related to the searches I'm performing at the time. The startup manager tool in Advanced WindowsCare and Xray Specs is highlighting that these .dll files have been set to open on start-up and have infiltrated the registry. I seem to have cleaned up the registry, but I need to be sure this is permanent as I keep finding more and more suspect files in the system32 folder.

As I'm new here I followed the instructions (well written, I must say) and below is the requested log with attachment.


DDS (Version 1.1.0) - NTFSx86
Run by Khush Bakht at 16:58:13.01 on 24/12/2008
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.356 [GMT 0:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
AV: avast! antivirus 4.8.1296 [VPS 081224-0] *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Virgin Broadband Wireless\AffinegyService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\IObit\Advanced WindowsCare V2\Awcl.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Documents and Settings\Khush Bakht\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.aol.com/?src=aim
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7DKUK
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://127.0.0.1:4664/first_usage&s=Qalm6R4RLGuViowAoSMfCNkeT5c
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BearShare MediaBar
BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - c:\program files\avg\avg8\avgssie.dll
BHO: AVG Security Toolbar: {A057A204-BACC-4D26-9990-79A187E2698E} - c:\progra~1\avg\avg8\avgtoolbar.dll
BHO: N/A: {c7467455-c8ae-4fae-81d7-3fdc13853c4b} - c:\windows\system32\zohitiva.dll
TB: BearShare MediaBar: {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - Apartment
TB: &Google: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
TB: AVG Security Toolbar: {A057A204-BACC-4D26-9990-79A187E2698E} - c:\progra~1\avg\avg8\avgtoolbar.dll
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Advanced WindowsCare V2 Personal] "c:\program files\iobit\advanced windowscare v2\Awcl.exe" /startup
mRun: [avast!] "c:\program files\alwil software\avast4\ashDisp.exe"
mRun: [babumeyovi] Rundll32.exe "c:\windows\system32\boravupi.dll",s
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\khushb~1\startm~1\programs\startup\wkcalrem.lnk - c:\program files\common files\microsoft shared\works shared\WkCalRem.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\.security
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-us\local\search.html
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
AppInit_DLLs: c:\windows\system32\wojigovu.dll
LSA: Notification Packages = scecli c:\windows\system32\wojigovu.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\khushb~1\applic~1\mozilla\firefox\profiles\dypdbuxp.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://portal.leeds.ac.uk
FF - prefs.js: keyword.URL - chrome://divx-partner/locale/partner.properties
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-10-26 111184]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-10-10 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-10-10 26824]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-10-26 20560]
R2 avast! Antivirus;avast! Antivirus;"c:\program files\alwil software\avast4\ashServ.exe" [2008-10-26 155160]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-10-10 231704]
R2 ccEvtMgr;Symantec Event Manager;"c:\program files\common files\symantec shared\ccEvtMgr.exe" [2004-12-13 198256]
R2 ccSetMgr;Symantec Settings Manager;"c:\program files\common files\symantec shared\ccSetMgr.exe" [2004-12-13 165488]
R2 hnmwrlspkt;HomeNet Manager Wireless Protocol;c:\windows\system32\drivers\hnm_wrls_pkt.sys [2006-1-12 13696]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\ViewpointService.exe" [2007-1-22 24652]
R2 wsppkt;Wireless Security Protocol;c:\windows\system32\drivers\wsp_pkt.sys [2006-1-12 13568]
R3 CPWUA6D;Philips USB Wireless Network Adapter Service;c:\windows\system32\drivers\CPWUA6D1.sys [2008-7-8 285696]
S1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys []
S1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys []
S2 ISWKL;ForceField ISWKL;\??\c:\program files\checkpoint\zaforcefield\ISWKL.sys []
S2 IswSvc;ForceField IswSvc;"c:\program files\checkpoint\zaforcefield\IswSvc.exe" []
S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service []
S3 AF05BDA;AF9005 BDA Device;c:\windows\system32\drivers\AF05BDA.sys [2006-11-14 133504]
S3 ATHFMWDL;Philips USB Wireless Adapter Bootloader driver;c:\windows\system32\drivers\ATHFMWDL.sys [2007-1-3 43392]
S3 avast! Mail Scanner;avast! Mail Scanner;"c:\program files\alwil software\avast4\ashMaiSv.exe" /service [2008-10-26 254040]
S3 avast! Web Scanner;avast! Web Scanner;"c:\program files\alwil software\avast4\ashWebSv.exe" /service [2008-10-26 352920]
S3 ccPwdSvc;Symantec Password Validation;"c:\program files\common files\symantec shared\ccPwdSvc.exe" [2004-12-13 79472]
S3 Dlaispw;Dlaispw; []
S3 icsak;icsak;\??\c:\program files\checkpoint\zaforcefield\ak\icsak.sys []
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [2008-7-8 167808]
S3 se46bus;Sony Ericsson Device 070 driver (WDM);c:\windows\system32\drivers\se46bus.sys [2007-7-19 61536]
S3 se46mdfl;Sony Ericsson Device 070 USB WMC Modem Filter;c:\windows\system32\drivers\se46mdfl.sys [2007-7-19 9360]
S3 se46mdm;Sony Ericsson Device 070 USB WMC Modem Driver;c:\windows\system32\drivers\se46mdm.sys [2007-7-19 97088]
S3 sea1bus;Sony Ericsson Device 0A1 driver (WDM);c:\windows\system32\drivers\sea1bus.sys [2007-7-15 61536]
S3 sea1mdfl;Sony Ericsson Device 0A1 USB WMC Modem Filter;c:\windows\system32\drivers\sea1mdfl.sys [2007-7-15 9360]
S3 sea1mdm;Sony Ericsson Device 0A1 USB WMC Modem Driver;c:\windows\system32\drivers\sea1mdm.sys [2007-7-15 97088]
S3 sea1mgmt;Sony Ericsson Device 0A1 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\sea1mgmt.sys [2007-7-15 88624]
S3 sea1nd5;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (NDIS);c:\windows\system32\drivers\sea1nd5.sys [2007-7-15 18704]
S3 sea1obex;Sony Ericsson Device 0A1 USB WMC OBEX Interface;c:\windows\system32\drivers\sea1obex.sys [2007-7-15 86432]
S3 sea1unic;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (WDM);c:\windows\system32\drivers\sea1unic.sys [2007-7-15 90800]
S3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-10-16 822424]
S3 wlanndi5;wlanndi5 NDIS Protocol Driver;\??\c:\windows\system32\wlanndi5.SYS [2004-4-21 16384]

=============== Created Last 30 ================

2008-12-24 16:19 1,582,201 ---sh--- c:\windows\system32\edikeles.ini
2008-12-24 16:10 <DIR> a-dshr-- C:\cmdcons
2008-12-24 14:02 <DIR> --d----- C:\VundoFix Backups
2008-12-24 13:14 161,792 a------- c:\windows\SWREG.exe
2008-12-24 13:14 98,816 a------- c:\windows\sed.exe
2008-12-23 20:47 3,593,216 a------- c:\windows\system32\SET36.tmp
2008-12-08 13:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PrevxCSI
2008-12-07 20:55 <DIR> --d----- c:\docume~1\khushb~1\applic~1\Uniblue
2008-12-07 20:38 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\~0
2008-12-07 17:36 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2008-12-07 17:33 <DIR> --d----- c:\documents and settings\khush bakht\.housecall6.6

==================== Find3M ====================

2008-12-24 13:23 84,789 a--sh--- c:\windows\system32\selekidel.dll
2008-12-23 20:45 65,201 a--sh--- c:\windows\system32\yihegukul.dll
2008-12-23 20:45 84,681 a--sh--- c:\windows\system32\piwinala.dll
2008-12-13 06:40 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll
2008-11-25 19:39 4,212 ----h--- c:\windows\system32\zllictbl.dat
2008-10-24 11:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 12:36 286,720 a------- c:\windows\system32\SET15.tmp
2008-10-23 12:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-16 13:11 70,656 a------- c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 13:11 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 16:34 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-15 07:06 633,632 a------- c:\windows\system32\dllcache\iexplore.exe
2008-10-15 07:04 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2008-10-10 17:50 10,520 a------- c:\windows\system32\avgrsstx.dll
2008-10-10 15:04 299,008 a------- c:\windows\uninst.exe
2008-10-03 10:02 247,326 a------- c:\windows\system32\strmdll.dll
2008-10-03 10:02 247,326 a------- c:\windows\system32\dllcache\strmdll.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-09-04 22:04 61,088 a------- c:\docume~1\khushb~1\applic~1\GDIPFONTCACHEV1.DAT
2006-11-01 22:28 472 a------- c:\docume~1\khushb~1\applic~1\wklnhst.dat
2006-11-19 02:10 56 -c-shr-- c:\windows\system32\00E9E6215F.sys
2008-08-26 19:07 88 -c-shr-- c:\windows\system32\5F21E6E900.sys
2008-08-26 19:07 5,278 ac-sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 16:58:29.53 ===============



I hope you can help! Let me know what else I need to do, I'll be around for a while tonight.

Thanks in advance! x


#2 teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 04 January 2009 - 07:43 PM

Hello StupidMonkey,


Sorry about the delay.:thumbsup: If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 13 January 2009 - 03:27 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic



