attacked by Virtumundo & a spyware named BUBEFIYA .DLL& nEVOREFA.DLL


This topic is locked
1 reply to this topic

#1 tejas_t

  • Members
  • 3 posts

Posted 17 January 2009 - 04:35 AM

Hi Friends,
Today, while browsing some site, I suddenly got a pop-up message from Spyware Terminator which I unknowingly clicked as Allow, and then suddenly there were numerous pop-ups, which I blocked as I found the names to be unknown. Later on, Spyware Terminator was continuously showing as blocked c:\windows\system32\bubefiya along with some other names in the blocked list such as NEVOREFA.dll. All infections which are blocked are via the path C:\windows\system32\THE INFECTION NAME, and also the CPU usage shown is nearly 60% and above. I tried with the Avast antivirus 7.5 version that I use, but was unable to detect and remove the infection.
Can you expert guys please help me resolve this problem ASAP?

Thanks in advance

Tejas

Attached below is the log of the DDS file.

DDS (Ver_09-01-07.01) - NTFSx86
Run by Administrator at 14:45:43.84 on Sat 01/17/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.446.189 [GMT 5.5:30]

AV: AVG 7.5.552 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\CNYHKey.exe
C:\WINDOWS\StopHid.exe
C:\Program Files\Creative\Desktop Wireless\mouse_2k.exe
C:\Program Files\Common Files\Totem Shared\Uninstall0001\upd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\SPYWAR~1\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\TUProgSt.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Sify Broadband\BBClient.exe
C:\Program Files\Sify Broadband\BBImpSec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
BHO: {08fc338b-a456-4705-83af-ee9c2e68af9e} - c:\windows\system32\potibubi.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [SifyBB] c:\program files\sify broadband\BBImpSec.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AVG7_CC] c:\progra~1\grisoft\avg7\avgcc.exe /STARTUP
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SpywareTerminator] "c:\progra~1\spywar~1\SpywareTerminatorShield.exe"
mRun: [CHotkey] mHotkey.exe
mRun: [CNYHKey] CNYHKey.exe
mRun: [StopHid] StopHid.exe
mRun: [CreativeMouse ] c:\program files\creative\desktop wireless\mouse_2k.exe
mRun: [Uninstall0001] "c:\program files\common files\totem shared\uninstall0001\upd.exe" LASTCALL!adverts.mp3dancer.com!StatsMP3Dancer
mRun: [jiwalizatu] Rundll32.exe "c:\windows\system32\wepanibe.dll",s
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [CPM53526076] Rundll32.exe "c:\windows\system32\nevorefa.dll",a
dRun: [AVG7_Run] c:\progra~1\grisoft\avg7\avgw.exe /RUNONCE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
TCP: {54D94671-C0B5-40D2-970E-E1795ADC0B65} = 202.144.115.4,202.144.66.6
TCP: {D15589FE-A2CD-40AC-9E23-4625AD90B6FA} = 202.144.115.4,202.144.66.6
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: xxyvVppo - xxyvVppo.dll
AppInit_DLLs: c:\windows\system32\bubefiya.dll c:\windows\system32\nevorefa.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\nevorefa.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\nevorefa.dll
SEH: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - No File
LSA: Authentication Packages = msv1_0 c:\windows\system32\nnnlkkll
LSA: Notification Packages = scecli c:\windows\system32\bubefiya.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\jmdacmsg.default\
FF - prefs.js: browser.startup.homepage -

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-connections-per-server - 6
FF - user.js: network.http.max-persistent-connections-per-server - 3
FF - user.js: nglayout.initialpaint.delay - 750
FF - user.js: content.notify.interval - 750000
FF - user.js: content.max.tokenizing.time - 2250000

============= SERVICES / DRIVERS ===============

R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2007-12-18 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2007-12-18 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2007-12-18 27776]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2007-12-18 10760]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2008-3-27 141312]
R4 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avg7\avgamsvr.exe [2007-12-18 418816]
R4 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avg7\avgupsvc.exe [2007-12-18 49664]
R4 AVGEMS;AVG E-mail Scanner;c:\progra~1\grisoft\avg7\avgemc.exe [2007-12-18 406528]
R4 AvgTdi;AVG Network Redirector;c:\windows\system32\drivers\avgtdi.sys [2007-12-18 4960]
R4 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2009-1-16 603904]

=============== Created Last 30 ================

2009-01-17 13:11 133,959 a--sh--- c:\windows\system32\cqmijj.dll
2009-01-17 08:15 1,414,440 a------- c:\windows\system32\ShellManager310E2D762.dll
2009-01-17 08:15 774,144 a------- c:\windows\system32\NEROINSTAEC43759.DB
2009-01-16 11:33 603,904 a------- c:\windows\system32\TUProgSt.exe
2009-01-16 11:33 27,904 a------- c:\windows\system32\uxtuneup.dll
2009-01-16 11:33 360,192 a------- c:\windows\system32\TuneUpDefragService.exe
2009-01-16 11:32 <DIR> --d----- c:\docume~1\admini~1\applic~1\TuneUp Software
2009-01-16 11:32 <DIR> --d----- c:\program files\TuneUp Utilities 2009
2009-01-16 11:32 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\TuneUp Software
2009-01-16 11:32 <DIR> --dsh--- c:\docume~1\alluse~1.win\applic~1\{55A29068-F2CE-456C-9148-C869879E2357}
2009-01-14 11:41 <DIR> --d----- c:\windows\pss
2009-01-08 16:18 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-01-08 16:10 <DIR> --d----- c:\documents and settings\administrator\.housecall6.6
2009-01-07 17:26 1,325,094 a--sh--- c:\windows\system32\upugvdfo.ini
2009-01-07 17:23 194,795 a--sh--- c:\windows\system32\llkklnnn.ini2
2009-01-07 17:23 194,795 a--sh--- c:\windows\system32\llkklnnn.ini
2009-01-07 17:16 45,568 a------- c:\windows\system32\ssqPjihf.dll
2009-01-06 06:27 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-01-05 07:46 <DIR> --d----- c:\program files\Advanced IP Scanner
2009-01-01 11:48 41,984 -------- c:\windows\Ctregrun.exe
2009-01-01 11:47 <DIR> --d----- c:\program files\Creative
2009-01-01 11:46 54,156 a---h--- c:\windows\QTFont.qfn
2009-01-01 11:46 1,409 a------- c:\windows\QTFont.for
2008-12-23 22:43 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-20 13:54 458,112 a------- c:\windows\system32\drivers\MarvinUsb.sys
2008-12-20 13:54 <DIR> --d----- C:\Effects
2008-12-20 12:40 84,992 a------- c:\windows\system32\ATL70.DLL
2008-12-20 12:40 171,008 a------- c:\windows\system32\drivers\MarvinBus.sys
2008-12-20 12:38 38,232 a------- c:\windows\wmprfsky.prx
2008-12-20 12:35 <DIR> --d----- c:\program files\Pinnacle
2008-12-20 12:35 14,165 -------- c:\windows\system32\drivers\Pclepci.sys
2008-12-19 14:51 <DIR> --d----- c:\documents and settings\administrator\Phone Browser
2008-12-19 14:46 <DIR> --d----- c:\program files\common files\Nokia
2008-12-19 14:45 <DIR> --d----- c:\program files\common files\PCSuite
2008-12-19 14:45 13,312 a------- c:\windows\system32\drivers\nmwcdcm.sys
2008-12-19 14:44 8,704 a------- c:\windows\system32\drivers\nmwcdc.sys
2008-12-19 14:44 30,720 a------- c:\windows\system32\nmwcdcocls.dll
2008-12-19 14:44 4,608 a------- c:\windows\system32\nmwcdlog.dll
2008-12-19 14:44 127,488 a------- c:\windows\system32\drivers\nmwcd.sys
2008-12-19 14:43 50,688 a------- c:\windows\system32\nmwcdcls.dll
2008-12-19 14:43 <DIR> --d----- c:\program files\Nokia
2008-12-19 14:42 <DIR> --dsh--- c:\windows\ftpcache
2008-12-19 14:17 <DIR> --d-h--- c:\windows\system32\GroupPolicy

==================== Find3M ====================

2009-01-17 13:11 133,959 a--sh--- c:\windows\system32\suhamose.dll
2009-01-17 13:11 101,110 a--sh--- c:\windows\system32\nevorefa.dll
2009-01-17 13:11 85,251 a--sh--- c:\windows\system32\hovolile.dll
2008-12-11 17:27 333,184 a------- c:\windows\system32\drivers\srv.sys
2008-10-23 18:31 283,648 a------- c:\windows\system32\gdi32.dll
2008-07-15 16:08 28,904 ac------ c:\docume~1\admini~1\applic~1\GDIPFONTCACHEV1.DAT
1601-01-01 05:42 63,748 a--sh--- c:\windows\system32\potibubi.dll
1601-01-01 05:42 63,748 a--sh--- c:\windows\system32\wepanibe.dll

============= FINISH: 14:46:17.71 ===============

#2 NonSuch

  • Malware Response Team
  • 5 posts

Posted 18 January 2009 - 04:19 PM

You are currently receiving help here:

http://www.malwarebytes.org/forums/index.p...amp;#entry48712

You have also posted your log here:

http://malwareremoval.com/forum/viewtopic....=11&t=38940

While we appreciate that you very likely posted at multiple forums in order to ensure a response, that only serves to tie up the time of multiple helpers who could be using that time to help someone else who also has problems. Although there are many forums that handle HijackThis logs, there are not so many helpers; most of us help out at several forums. In addition, the results may not work out so well when you're following different instructions from different helpers. They may suggest different approaches for the same problem, all of which may be good; however, system conflicts may arise if different fixes for the same problem are applied simultaneously.

In the future, for your sake as well as ours, please refrain from requesting help from multiple forums. Choose one, and stick with that one until they've resolved your problem.



