Infected with real AV and trojan vundo.


  • This topic is locked
3 replies to this topic

#1 Joey the Fish

Joey the Fish

  • Members
  • 5 posts
  • OFFLINE
  • Local time:12:23 AM

Posted 06 January 2009 - 12:48 PM

Hey all, I have a customer's PC that is infected with possibly several viruses. There is a red circle with an X in it on the taskbar next to the clock, which when clicked delivers me to the real.av.org website. I also have a wallpaper that says "Warning, Many viruses were found on your computer, Such as: Trojan horse, Pass capture, etc. Your personal information can fall into the 'third hands'." I have run Malwarebytes, ComboFix and SmitfraudFix. I was able to remove the wallpaper, but when I tried to change it, the wallpaper was greyed out so I was unable to change it. I deleted the registry keys per the Microsoft articles and restored the wallpaper functions. The machine is Windows XP Professional.

Attached File: Attach.zip (3.34KB, 5 downloads)


DDS (Version 1.1.0) - NTFSx86
Run by motel at 11:11:36.04 on Tue 01/06/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1007.653 [GMT -5:00]

AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Outdated)
AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\{AAA36FDB-62F0-478D-BAAE-9FA7E664A5C8}\NiteVision2008.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\motel\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = iexplore
BHO: {b9e1f262-8010-c78b-45e4-04df79814872}: {27841897-fd40-4e54-b87c-0108262f1e9b} - c:\windows\system32\qcernr.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SkyTel] SkyTel.EXE
mRun: [NiteVision Update Setup for All Users] c:\documents and settings\all users\application data\{aaa36fdb-62f0-478d-baae-9fa7e664a5c8}\NiteVision2008.exe /updatesetup
mRun: [Framework Windows] frmwrk32.exe
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: c:\windows\temp\ntdll64.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2009-1-6 11840]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-6-27 207656]
R3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2009-1-6 52032]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-6-27 605512]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-6-27 79240]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-6-27 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-6-27 40488]
R4 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2009-1-6 68865]
R4 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2009-1-6 149761]
R4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-9-26 206096]
R4 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-6-27 358736]
R4 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-6-27 144704]
R4 MSSQL$REMCO;SQL Server (REMCO);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2008-2-26 29183504]
R4 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [2008-6-9 6016]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-6-27 34152]
S4 bomgar-scc-1225398863;Bomgar Support Customer Client [1225398863];"c:\documents and settings\all users\application data\bomgar-scc-490a1a4d\bomgar-scc.exe" -service:run --> c:\documents and settings\all users\application data\bomgar-scc-490a1a4d\bomgar-scc.exe [?]

============== File Associations ===============

regfile=regedit.exe "%1" %*
scrfile="%1" %*

=============== Created Last 30 ================

2009-01-06 10:03 <DIR> --d----- c:\docume~1\motel\applic~1\Malwarebytes
2009-01-06 09:55 1,780 a------- c:\windows\system32\tmp.reg
2009-01-06 09:43 161,792 a------- c:\windows\swreg.exe
2009-01-06 09:43 98,816 a------- c:\windows\sed.exe
2009-01-06 09:35 <DIR> --d----- C:\VundoFix Backups
2009-01-06 09:34 <DIR> --d----- c:\program files\Avira
2009-01-06 09:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-01-06 09:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-06 09:05 27,048 a------- c:\windows\system32\drivers\mbamcatchme.sys
2009-01-06 09:05 15,864 a------- c:\windows\system32\drivers\mbam.sys
2009-01-06 09:05 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-06 06:12 502 a------- c:\windows\system32\win32hlp.cnf
2009-01-06 03:30 111,616 a------- c:\windows\system32\ntdll64.exe
2009-01-06 02:29 4,785 a------- c:\windows\system32\warning.gif
2009-01-06 02:29 1,347 a------- c:\windows\system32\ahtn.htm
2009-01-06 02:28 1 a------- c:\windows\system32\uniq.tll
2009-01-06 02:28 24,576 a------- c:\windows\system32\frmwrk32.exe
2009-01-06 02:28 24,576 a------- c:\windows\system32\pcload.exe
2009-01-04 20:59 1,307,356 a--sh--- c:\windows\system32\jsjensxu.ini
2009-01-04 20:53 128,000 a------- c:\windows\system32\qcernr.dll
2009-01-04 20:53 128,000 a------- c:\windows\system32\hpuwsucm.dll
2008-12-23 22:27 <DIR> --d----- c:\windows\system32\Adobe

==================== Find3M ====================

2009-01-06 03:00 111,616 a------- c:\windows\system32\userinit.exe
2008-10-23 08:01 283,648 a------- c:\windows\system32\gdi32.dll
2008-10-16 15:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll

============= FINISH: 11:12:26.78 ===============



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:46:35 PM, on 1/6/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\{AAA36FDB-62F0-478D-BAAE-9FA7E664A5C8}\NiteVision2008.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\motel\Desktop\HijackThis.exe

O2 - BHO: {b9e1f262-8010-c78b-45e4-04df79814872} - {27841897-fd40-4e54-b87c-0108262f1e9b} - C:\WINDOWS\system32\qcernr.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NiteVision Update Setup for All Users] C:\Documents and Settings\All Users\Application Data\{AAA36FDB-62F0-478D-BAAE-9FA7E664A5C8}\NiteVision2008.exe /updatesetup
O4 - HKLM\..\Run: [Framework Windows] frmwrk32.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\temp\ntdll64.dll
O10 - Unknown file in Winsock LSP: c:\windows\temp\ntdll64.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Bomgar Support Customer Client [1225398863] (bomgar-scc-1225398863) - Unknown owner - C:\Documents and Settings\All Users\Application Data\Bomgar-SCC-490A1A4D\bomgar-scc.exe (file missing)
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe

--
End of file - 4386 bytes

#2 Joey the Fish

Joey the Fish
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:12:23 AM

Posted 06 January 2009 - 12:49 PM

Sorry, I forgot to mention that once I removed everything and rebooted, they all came back.

#3 Joey the Fish

Joey the Fish
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:12:23 AM

Posted 06 January 2009 - 04:31 PM

I went ahead and formatted the HDD... This post can be closed.

#4 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts
  • OFFLINE
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:01:23 AM

Posted 11 January 2009 - 09:04 PM

Thanks for informing us.

This thread is closed.
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)



