
Vundo? Red Circle, White cross.



#1 TeZ23


  • Members
  • 2 posts

Posted 20 January 2009 - 07:34 AM

Hey,

I have a very annoying virus on my housemates' computer. I have attempted to enter safe mode, I ran adaware, spybot S&D, Malwarebytes' Anti-malware, SUPERAntiSpyware - all of which picked up virii, all of which were deleted, all of which re-spawned next time I entered normal mode in my computer.

I have deleted all *.tmp files from my computer. I have turned system restore off, then on, then off again. Then I re-tried the above. And it still hasn't worked. I have deleted some previously incompletely deleted virii, inc registry entries.

But yea - I'm at a loss. I am currently on my computer, using a USB to deliver data to this website (having no access to websites on the other comp).

Here is the DDS log, anyway. Hope you can be of assistance!


DDS (Ver_09-01-18.01) - NTFSx86 MINIMAL
Run by Gitanjali at 12:27:01.17 on 20/01/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.1014.799 [GMT 0:00]

AV: AVG 7.5.519 *On-access scanning enabled* (Outdated)
FW: Norton Internet Worm Protection *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
E:\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Documents and Settings\Gitanjali\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.co.uk/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uSearchAssistant = hxxp://www.google.com
uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://uk.search.yahoo.com
mSearchAssistant = hxxp://www.google.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\twext.exe,
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: NoExplorer - No File
BHO: Microsoft Online Helper!: {21dc8e21-98cf-454f-8860-66a32358e3d3} - %SystemRoot%\system32\msonlineaz.dll
BHO: Rmn plugin: {e8fd36b2-a25b-47e3-9477-82557f5f5995} - savec32.dll
TB: MSN Search Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn toolbar suite\msntb.dll
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [THotkey] c:\program files\toshiba\toshiba applet\thotkey.exe
mRun: [Tvs] c:\program files\toshiba\tvs\TvsTray.exe
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [snpstd] c:\windows\vsnpstd.exe
mRun: [rs32net] c:\windows\system32\rs32net.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [Framework Windows] frmwrk32.exe
mRun: [CFSServ.exe] CFSServ.exe -NoClient
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [awsku] "c:\windows\system32\awsku.exe" awsku
dRun: [AVG7_Run] c:\progra~1\grisoft\avg7\avgw.exe /RUNONCE
dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: &MSN Search - c:\program files\msn toolbar suite\msntb.dll/search.htm
IE: Open in new background tab - c:\program files\msn toolbar suite\en-gb\msntabres.dll.mui/229?95313124e5994561b0b22a57295b4ca
IE: Open in new foreground tab - c:\program files\msn toolbar suite\en-gb\msntabres.dll.mui/230?95313124e5994561b0b22a57295b4ca
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: c:\windows\temp\ntdll64.dll
LSP: adtsh.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: bastxg - bastxg.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\gitanj~1\applic~1\mozilla\firefox\profiles\qk17jzoj.default\
FF - prefs.js: browser.startup.homepage - hxxp://uk.yahoo.com
FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll

============= SERVICES / DRIVERS ===============

R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2007-7-28 10760]
R3 X10Hid;X10 Hid Device;c:\windows\system32\drivers\x10hid.sys [2006-9-14 7040]
S0 ati0dkxx;ati0dkxx;c:\windows\system32\drivers\ati0dkxx.sys [2008-11-5 32768]
S1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2007-7-28 821856]
S1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2007-7-28 4224]
S1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2007-7-28 27776]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-2-29 8944]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-2-29 51440]
S3 MBAMCatchMe;MBAMCatchMe;c:\program files\malwarebytes' anti-malware\catchme.sys [2008-4-12 27048]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 4096]
S3 tcpsr;tcpsr;\??\c:\windows\system32\drivers\tcpsr.sys --> c:\windows\system32\drivers\tcpsr.sys [?]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]
S4 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avg7\avgamsvr.exe [2007-7-28 418816]
S4 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avg7\avgupsvc.exe [2007-7-28 49664]
S4 AVGEMS;AVG E-mail Scanner;c:\progra~1\grisoft\avg7\avgemc.exe [2007-7-28 406528]
S4 AvgTdi;AVG Network Redirector;c:\windows\system32\drivers\avgtdi.sys [2007-7-28 4960]
S4 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S4 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-9-14 1174152]

=============== Created Last 30 ================

2009-01-19 23:00 <DIR> --d----- C:\VundoFix Backups
2009-01-19 22:51 <DIR> --d----- c:\program files\The Cleaner Demo
2009-01-18 20:54 294 a------- c:\windows\system32\awsku_navps.dat
2009-01-16 21:56 491 a------- c:\windows\system32\win32hlp.cnf
2009-01-16 21:56 125,440 ac------ c:\windows\system32\dllcache\userinit.exe
2009-01-16 21:55 1 a------- c:\windows\system32\uniq.tll
2009-01-16 21:55 1 a------- c:\windows\system32\test.ttt
2009-01-16 21:55 31,232 a------- c:\windows\system32\frmwrk32.exe
2009-01-10 14:22 35,840 a------- c:\windows\system32\sys.dat

==================== Find3M ====================

2009-01-20 12:14 6,053 a------- c:\windows\system32\awsku.dat
2009-01-17 21:30 14,336 a------- c:\windows\system32\svchost.exe
2009-01-16 21:56 125,440 a------- c:\windows\system32\userinit.exe
2008-12-11 11:57 333,184 a------- c:\windows\system32\drivers\srv.sys
2008-12-08 00:02 32,768 a------- c:\windows\system32\drivers\ati0dkxx.sys
2008-12-07 21:31 10,752 a------- c:\windows\system32\adtsh.dll
2008-12-07 21:28 49,152 a------- c:\windows\system32\savec32.dll
2008-11-06 00:13 14,257 a------- c:\windows\system32\gidaneweje.scr
2008-11-05 23:56 19,487 a------- c:\docume~1\alluse~1\applic~1\ditufybyl.reg
2008-11-05 23:56 17,758 a------- c:\windows\pogahes.dat
2008-11-05 23:56 16,982 a------- c:\windows\xusoboxan.bat
2008-11-05 23:56 15,698 a------- c:\program files\common files\enut.dat
2008-11-05 23:56 15,590 a------- c:\windows\system32\tesape.com
2008-11-05 23:56 15,457 a------- c:\program files\common files\orawoqor.bin
2008-11-05 23:56 14,525 a------- c:\docume~1\alluse~1\applic~1\iqyco.com
2008-11-05 23:56 13,778 a------- c:\program files\common files\syhit.dl
2008-11-05 23:56 13,250 a------- c:\docume~1\alluse~1\applic~1\ohuvehago.sys
2008-11-05 23:56 12,888 a------- c:\docume~1\alluse~1\applic~1\fifu.bin
2008-11-05 23:56 12,229 a------- c:\program files\common files\xunefomyca.bat
2008-11-05 23:51 125,883 a------- c:\windows\system32\wini10491.exe
2008-11-05 23:49 24,576 a------- c:\windows\system32\rs32net.exe
2008-10-23 13:01 283,648 a------- c:\windows\system32\gdi32.dll
2008-05-05 15:46 606 a------- c:\docume~1\gitanj~1\applic~1\wklnhst.dat
2007-11-21 03:58 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2007-06-12 18:14 25,600 a------- c:\documents and settings\gitanjali\usbsermptxp.sys
2007-06-12 18:14 22,768 a------- c:\documents and settings\gitanjali\usbsermpt.sys
2007-02-21 18:03 1,112 a------- c:\docume~1\gitanj~1\applic~1\ViewerApp.dat
2007-02-04 22:37 92,064 a------- c:\documents and settings\gitanjali\mqdmmdm.sys
2007-02-04 22:37 79,328 a------- c:\documents and settings\gitanjali\mqdmserd.sys
2007-02-04 22:37 66,656 a------- c:\documents and settings\gitanjali\mqdmbus.sys
2007-02-04 22:37 9,232 a------- c:\documents and settings\gitanjali\mqdmmdfl.sys
2007-02-04 22:37 6,208 a------- c:\documents and settings\gitanjali\mqdmcmnt.sys
2007-02-04 22:37 5,936 a------- c:\documents and settings\gitanjali\mqdmwhnt.sys
2007-02-04 22:37 4,048 a------- c:\documents and settings\gitanjali\mqdmcr.sys
2006-11-23 23:18 0 a------- c:\program files\common files\err.log

============= FINISH: 12:27:24.09 ===============


Thanks,

Tel
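As an added example (not from this thread, and not how DDS or any of the tools named in it work internally), here is a small triage script in the spirit of what a helper reads for in the "Pseudo HJT Report" section: it flags the entry types a responder looks at first, such as an extra Userinit target, an LSP living in a temp directory, orphaned "No File" browser entries, autorun entries with no full path, and a DisableTaskMgr policy. The sample lines are constructed from the log above, and the heuristics are the author's assumptions, not DDS logic.

```python
# Constructed sample in the shape of the DDS "Pseudo HJT Report" lines above.
SAMPLE = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\twext.exe,
BHO: NoExplorer - No File
BHO: Rmn plugin: {e8fd36b2-a25b-47e3-9477-82557f5f5995} - savec32.dll
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [Framework Windows] frmwrk32.exe
uPolicies-system: DisableTaskMgr = 1 (0x1)
LSP: c:\windows\temp\ntdll64.dll
LSP: adtsh.dll
"""


def triage_hjt(report: str) -> list[tuple[str, str]]:
    """Return (reason, line) pairs for report entries that merit a closer look.

    Heuristics are assumptions for illustration, not an exhaustive rule set.
    """
    findings: list[tuple[str, str]] = []
    for line in report.splitlines():
        line = line.strip()
        tag, sep, body = line.partition(": ")
        if not sep:
            continue
        low = body.lower()
        if tag.endswith("Winlogon") and low.startswith("userinit="):
            # A clean XP value holds only system32\userinit.exe (plus a trailing comma).
            targets = [t for t in body.split("=", 1)[1].split(",") if t]
            extra = [t for t in targets if not t.lower().endswith("\\userinit.exe")]
            if extra:
                findings.append(("extra Userinit target: " + ", ".join(extra), line))
        elif tag == "LSP" and ("\\temp\\" in low or "\\" not in low):
            # Winsock LSPs in a temp directory, or listed by bare name, are atypical.
            findings.append(("LSP outside a normal install path", line))
        elif tag in ("BHO", "TB") and low.endswith("- no file"):
            findings.append(("orphaned browser extension entry", line))
        elif tag.endswith("Run") and "]" in body:
            # Format is "[name] path args"; a bare filename is resolved via PATH.
            path = body.split("]", 1)[1].strip().strip('"').split('"')[0]
            if "\\" not in path:
                findings.append(("autorun entry with no full path", line))
        elif tag.startswith(("uPolicies", "mPolicies")) and low.startswith("disabletaskmgr = 1"):
            findings.append(("Task Manager disabled by policy", line))
    return findings


if __name__ == "__main__":
    for reason, entry in triage_hjt(SAMPLE):
        print(f"{reason}: {entry}")
```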


#2 PropagandaPanda



  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 30 January 2009 - 02:17 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Download and Run ComboFix
If you have already run ComboFix, delete your copy and download a new one. If the computer in question is unable to download ComboFix, transfer it using a removable media (CDs, flash drive).

Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.

  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER.zip to your desktop from any of the links below:
LINK1, LINK2
  • Right click on GMER.zip and select "Extract All".
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click GMER.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.

In your next reply include:
-the ComboFix log
-the GMER log

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda

#3 PropagandaPanda



  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 07 February 2009 - 10:41 AM

Hello.

There has been no reply from the topic starter in 5 days. Due to inactivity, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda
