Vundo Infection / Sagipsul.com Virus


  • This topic is locked
4 replies to this topic

#1 binnybop

  • Members
  • 2 posts
  • OFFLINE
  • Local time:05:58 PM

Posted 12 January 2009 - 12:15 AM

Whenever I scan with McAfee it says I have a Vundo trojan and a generic downloader x trojan as well. Also, when I'm on my browser ads come up and sometimes the sagipsul.com window comes up as well. My computer has gotten a little slower. Also, my automatic updates have been disabled. I cannot go onto Internet Explorer to try to download the updates manually because whenever I do go on Internet Explorer many, I mean many, tabs open up leading to this strange website. I believe it was called tidal something. I do not know how to get rid of it. I tried McAfee Stinger and now I am running a Malwarebytes Anti-Malware scan.


DDS (Ver_09-01-07.01) - NTFSx86
Run by Chang at 23:58:12.51 on Sun 01/11/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.105 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
C:\WINDOWS\system32\VirtualExpander\VirtualExpander.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Documents and Settings\Chang\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
BHO: {089fd14d-132b-48fc-8861-0048ae113215} - c:\program files\siteadvisor\6261\SiteAdv.dll
BHO: {17f019f0-2830-4e4f-96c7-d185da80ac43} - c:\windows\system32\iifebYPg.dll
BHO: {4b0e9401-405a-9a2b-baa4-779a4f27e6a6}: {6a6e72f4-a977-4aab-b2a9-a5041049e0b4} - c:\windows\system32\kimkpk.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor: {0bf43445-2f28-4351-9252-17fe6e806aa0} - c:\program files\siteadvisor\6261\SiteAdv.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [LClock] c:\program files\lclock\LClock.exe
uRun: [ViStart] c:\program files\vistart\ViStart.exe
uRun: [ViOrb] c:\program files\viorb\ViOrb.exe
uRun: [Vista Sidebar] c:\program files\vista sidebar\sidebar.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [diagent] "c:\program files\creative\sblive\diagnostics\diagent.exe" startup
mRun: [nwiz] nwiz.exe /install
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [SiteAdvisor] c:\program files\siteadvisor\6253\SiteAdv.exe
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Hvuvozuneseyo] rundll32.exe "c:\windows\edorowijehulalih.dll",e
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [Hfabanerula] rundll32.exe "c:\windows\Osaxiwuhuq.dll",e
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\chang\startm~1\programs\startup\virtua~1.lnk - c:\windows\system32\virtualexpander\VirtualExpander.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpaiod~1.lnk - c:\program files\hewlett-packard\aio\hp psc 900 series\bin\hpobrt07.exe
IE: &AIM Toolbar Search - c:\documents and settings\all users\application data\aim toolbar\ietoolbar\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49}
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Handler: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - c:\program files\siteadvisor\6261\SiteAdv.dll
Notify: fccyvSJD - fccyvSJD.dll
AppInit_DLLs: gtksqg.dll wotbln.dll vqjpod.dll kimkpk.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\iifebYPg

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\chang\applic~1\mozilla\firefox\profiles\mqeip7hj.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://google.com/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - component: c:\program files\siteadvisor\6261\ff\components\FFHook.dll
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\documents and settings\chang\application data\mozilla\firefox\profiles\mqeip7hj.default\extensions\solidstateion@solidstatenetworks.com\plugins\npssn.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npijjiCHPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\opera\program\plugins\npmusicn.dll
FF - plugin: c:\program files\opera\program\plugins\NPSibelius.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: XUL Cache: {2DF9E6F9-E777-432C-A8BF-811C03AC0D81} - c:\documents and settings\chang\local settings\application data\{2DF9E6F9-E777-432C-A8BF-811C03AC0D81}

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-4-23 207656]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-1-11 38496]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-4-23 40488]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-4-23 79240]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-4-23 35240]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-4-23 34152]

============== File Associations ===============

regfile="regedit.exe" "%1"

=============== Created Last 30 ================

2009-01-11 23:30 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-11 20:06 <DIR> --d----- c:\docume~1\chang\applic~1\Malwarebytes
2009-01-11 20:05 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-11 20:05 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-11 20:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-11 20:05 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-11 19:01 123,392 a------- c:\windows\system32\kimkpk.dll
2009-01-11 19:01 123,392 a------- c:\windows\system32\pfrvyfqt.dll
2009-01-11 18:58 1,256,329 ---sh--- c:\windows\system32\aviyenoy.ini
2009-01-11 18:58 80,896 a------- c:\windows\system32\yoneyiva.dll
2009-01-11 18:29 <DIR> --d----- c:\windows\system32\URTTEMP
2009-01-10 19:00 139,264 a------- c:\windows\system32\tmvtsuxy.dll
2009-01-10 18:57 1,342,086 ---sh--- c:\windows\system32\nntvgbmq.ini
2009-01-09 19:00 139,264 a------- c:\windows\system32\rnmyyeen.dll
2009-01-09 18:57 1,334,189 ---sh--- c:\windows\system32\lgghuchw.ini
2009-01-08 19:01 1,326,815 ---sh--- c:\windows\system32\hrvxahkp.ini
2009-01-08 19:01 139,264 a------- c:\windows\system32\joppvc.dll
2009-01-08 19:00 139,264 a------- c:\windows\system32\ahcpigie.dll
2009-01-07 19:01 128,000 a------- c:\windows\system32\agsrdjtu.dll
2009-01-07 18:55 1,326,815 ---sh--- c:\windows\system32\qlcvujkj.ini
2009-01-06 18:55 1,322,965 ---sh--- c:\windows\system32\pnwfihdu.ini
2009-01-05 18:52 1,322,965 ---sh--- c:\windows\system32\vcutjsvt.ini
2009-01-04 22:19 134,656 a------- c:\windows\oreqawico.dll
2009-01-04 15:36 1,307,392 ---sh--- c:\windows\system32\nqesjvgk.ini
2009-01-03 21:56 133,120 a------- c:\windows\edorowijehulalih.dll
2009-01-03 15:42 1,307,356 a--sh--- c:\windows\system32\uhfglnqb.ini
2009-01-02 15:42 1,307,356 a--sh--- c:\windows\system32\ytfxnavh.ini
2009-01-01 15:39 1,307,356 a--sh--- c:\windows\system32\wpvovtad.ini
2008-12-31 15:31 1,307,356 a--sh--- c:\windows\system32\wpufkruq.ini
2008-12-31 15:23 290,304 a------- c:\windows\system32\tuvwtqnn.dll
2008-12-31 13:45 1,307,356 a--sh--- c:\windows\system32\cchtcnet.ini
2008-12-31 13:38 650,495 a--sh--- c:\windows\system32\gPYbefii.ini2
2008-12-31 13:38 650,495 a--sh--- c:\windows\system32\gPYbefii.ini
2008-12-31 13:38 290,304 a------- c:\windows\system32\iifebYPg.dll
2008-12-31 13:19 2,461 a------- c:\windows\system32\senekadf.dat
2008-12-31 13:19 59 a------- c:\windows\system32\seneka.dat
2008-12-31 13:14 3,437 a------- c:\windows\system32\senekalog.dat
2008-12-30 22:19 208,384 a------- c:\windows\system32\uc_rohan_launching.dll
2008-12-30 22:19 87,472 a------- c:\windows\system32\ijjiChannelingPlugin.dll
2008-12-30 19:57 <DIR> --d----- C:\Rohan_USA
2008-12-29 16:22 <DIR> --d----- c:\program files\AIMTunes
2008-12-28 22:24 <DIR> --d----- c:\windows\pss
2008-12-28 22:22 157,152 a------- c:\windows\system32\PubPlugin.dll
2008-12-28 22:22 58,800 a------- c:\windows\system32\ijjiPlugin2.dll
2008-12-28 22:22 710,064 a------- c:\windows\system32\ijjiSetup.exe
2008-12-28 22:22 <DIR> --d----- c:\program files\NHN USA
2008-12-24 23:50 31 a------- c:\windows\GunzLauncher.INI
2008-12-24 23:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\IJJIGame

==================== Find3M ====================

2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 15:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2006-05-25 12:24 241,664 a------- c:\program files\tier0_s.dll
2006-05-25 12:24 229,376 a------- c:\program files\vstdlib_s.dll
2006-05-25 12:24 208,896 a------- c:\program files\tier0.dll
2006-05-25 12:24 118,784 a------- c:\program files\vstdlib.dll
2006-05-25 12:24 839,680 ac------ c:\program files\steamclient.dll
2006-05-25 12:24 61,440 a------- c:\program files\steam_api.dll
2008-09-15 21:53 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091520080916\index.dat

============= FINISH: 0:01:40.90 ===============
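As an added example (not part of the original post, of DDS, or of any BleepingComputer tool): a small Python triage script that reads the "Pseudo HJT Report" lines above and flags the load points the Vundo infection used on this machine. It applies a few rules that are assumptions for the example, not DDS logic: anything in AppInit_DLLs, any LSA authentication package other than the stock msv1_0, any Winlogon Notify package, any Run entry that has rundll32 load a DLL from outside system32 or Program Files, and any BHO that lives in system32. It then cross-references the module names, because the most telling thing in this log is that kimkpk.dll is registered both as a BHO and in AppInit_DLLs, and the iifebYPg module both as a BHO and as an LSA authentication package. The sample input is a constructed subset of the log lines above.

```python
"""Triage the "Pseudo HJT Report" section of a DDS log for suspicious load points.

Added example for this thread; it is not part of the original post, of DDS, or
of any BleepingComputer tool.  The rules below are assumptions about what the
Vundo-style persistence in the log above looks like, tuned to surface
candidates for a human reviewer rather than to act as a detector.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: a subset of the lines copied from the DDS log above.
SAMPLE_REPORT = r"""
BHO: {089fd14d-132b-48fc-8861-0048ae113215} - c:\program files\siteadvisor\6261\SiteAdv.dll
BHO: {17f019f0-2830-4e4f-96c7-d185da80ac43} - c:\windows\system32\iifebYPg.dll
BHO: {4b0e9401-405a-9a2b-baa4-779a4f27e6a6}: {6a6e72f4-a977-4aab-b2a9-a5041049e0b4} - c:\windows\system32\kimkpk.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Hvuvozuneseyo] rundll32.exe "c:\windows\edorowijehulalih.dll",e
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [Hfabanerula] rundll32.exe "c:\windows\Osaxiwuhuq.dll",e
Notify: fccyvSJD - fccyvSJD.dll
AppInit_DLLs: gtksqg.dll wotbln.dll vqjpod.dll kimkpk.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\iifebYPg
"""

LINE_RE = re.compile(r"^(?P<kind>[A-Za-z_]+):\s*(?P<body>.*)$")
# A drive-letter path up to the first .dll/.exe (paths may contain spaces).
PATH_RE = re.compile(r"[a-z]:\\.+?\.(?:dll|exe)\b", re.I)
BARE_DLL_RE = re.compile(r"\b[\w.-]+\.dll\b", re.I)
RUN_KINDS = {"mRun", "uRun", "mRunOnce", "uRunOnce"}
# Assumption: the stock XP value of HKLM\...\Lsa\Authentication Packages.
KNOWN_LSA_PACKAGES = {"msv1_0"}


@dataclass(frozen=True)
class Finding:
    kind: str    # DDS line prefix, e.g. "BHO", "mRun", "AppInit_DLLs"
    module: str  # lower-cased base name of the module
    reason: str


def base_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def stem(name: str) -> str:
    return name[:-4] if name.lower().endswith(".dll") else name


def in_system32(path: str) -> bool:
    return path.lower().startswith("c:\\windows\\system32\\")


def in_program_files(path: str) -> bool:
    return path.lower().startswith("c:\\program files\\")


def triage_line(line: str) -> list[Finding]:
    """Apply the per-load-point rules to one report line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    kind, body = m.group("kind"), m.group("body")
    paths = PATH_RE.findall(body)
    out: list[Finding] = []
    if kind == "AppInit_DLLs":
        # Every DLL listed here is mapped into every process that loads user32.dll.
        for dll in BARE_DLL_RE.findall(body):
            out.append(Finding(kind, dll.lower(), "AppInit_DLLs injection (normally empty on XP)"))
    elif kind == "LSA" and body.lower().startswith("authentication packages"):
        for pkg in body.split("=", 1)[1].split():
            if base_name(pkg) not in KNOWN_LSA_PACKAGES:
                out.append(Finding(kind, base_name(pkg), "extra LSA authentication package (loads into lsass.exe)"))
    elif kind == "Notify":
        # Winlogon notification packages run inside winlogon.exe at logon.
        out.append(Finding(kind, base_name(body.split(" - ")[-1]), "Winlogon notification package"))
    elif kind in RUN_KINDS and "rundll32" in body.lower():
        for p in paths:
            if not in_system32(p) and not in_program_files(p):
                out.append(Finding(kind, base_name(p), "rundll32 loading a DLL outside system32/Program Files"))
    elif kind == "BHO":
        # Assumption: legitimate BHOs ship under a vendor directory, not in system32.
        for p in paths:
            if in_system32(p):
                out.append(Finding(kind, base_name(p), "browser helper object living in system32"))
    return out


def triage_report(text: str) -> tuple[list[Finding], dict[str, list[str]]]:
    """Run the rules over a report and cross-reference modules across load points."""
    findings = [f for line in text.splitlines() for f in triage_line(line)]
    # The strongest signal: one module hooked into several load points at once.
    by_module: dict[str, set[str]] = defaultdict(set)
    for f in findings:
        by_module[stem(f.module)].add(f.kind)
    chained = {mod: sorted(kinds) for mod, kinds in by_module.items() if len(kinds) > 1}
    return findings, chained


if __name__ == "__main__":
    found, chained = triage_report(SAMPLE_REPORT)
    for f in found:
        print(f"{f.kind:13} {f.module:24} {f.reason}")
    print("hooked at more than one load point:", chained)
```

On the sample above this yields ten findings and two chained modules (kimkpk and iifebYPg), while the NVIDIA, SiteAdvisor and Java entries pass. The same approach extends naturally to the "Created Last 30" section of the log, where a DLL of identical size and a hidden .ini file appear at roughly the same minute every evening; a rule keyed on that daily repetition would catch the re-dropped components that the load-point rules miss.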

#2 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:12:58 AM

Posted 12 January 2009 - 06:03 AM

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 binnybop
  • Topic Starter
  • Members
  • 2 posts
  • OFFLINE
  • Local time:05:58 PM

Posted 12 January 2009 - 03:45 PM

Malwarebytes actually cleared everything. Thank you though!

#4 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:12:58 AM

Posted 13 January 2009 - 04:35 AM

Hi,

You're sure that you don't want further assistance to delete leftovers if still present?

#5 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:12:58 AM

Posted 21 January 2009 - 09:23 AM

It looks like it's not really important to delete the leftovers and maybe other malware still present. Keep in mind that the malware you were dealing with comes as a bundled installer and installs a lot of other malware as well. Some are running hidden in the background, so you won't notice a thing - but in the meantime it collects all your passwords etc.

Anyway, since you don't want an extra review, I assume this issue is resolved ... so, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.