
Virtumonde/Vundo infection


  • This topic is locked
3 replies to this topic

#1 stolichnaya2

stolichnaya2

  • Members
  • 3 posts
  • OFFLINE
  • Local time:12:19 PM

Posted 28 January 2009 - 12:53 AM

I got infected just last night. My desktop disappeared; even if I start explorer.exe from Task Manager it disappears after a few seconds. Task Manager works fine. Everything else works fine aside from the disappearing desktop. I have turned my System Restore off.

I tried Ad-Aware; it detected it twice but failed to remove it. I also ran SDFix in Safe Mode, but upon reboot I still don't have my desktop back.
Please help. Thank you so much.


Here is my dds.txt:


DDS (Ver_09-01-19.01) - NTFSx86
Run by christopher S Ubaldo at 13:40:34.20 on Wed 01/28/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1438 [GMT 8:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\UPHClean\uphclean.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\vsnpstd.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\christopher S Ubaldo\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\3M\PSNLite\PsnLite.exe
C:\PROGRA~1\3M\PSNLite\PSNGive.exe
C:\Program Files\Extended Systems\XTNDConnect Blue Manager\XTNDConnect Blue Manager\XCBluMgr.exe
C:\PROGRA~1\EXTEND~1\XTNDCO~1\XTNDCO~1\SUSHIM~1.EXE
C:\Program Files\Extended Systems\XTNDConnect Blue Manager\btprot.exe
C:\PROGRA~1\EXTEND~1\XTNDCO~1\XTNDCO~1\BTUI_M~1.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Google\Picasa3\Picasa3.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\christopher S Ubaldo\My Documents\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.daemon-search.com/startpage
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.starhub.net.sg
mSearch Page =
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {78369e21-227f-47fe-b82a-f69c63bb7b09} - c:\windows\system32\opnnlLfg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
BHO: EWPP - No File
BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\program files\flashget\getflash.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {147D6308-0614-4112-89B1-31402F9B82C4} - No File
TB: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\christopher s ubaldo\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [EPSON Stylus C45 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /O6 "USB001" /M "Stylus C45"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [snpstd] c:\windows\vsnpstd.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\post-i~1.lnk - c:\program files\3m\psnlite\PsnLite.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Startup.exe
IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm
IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Mystery%20Case%20Files%20-%20Ravenhearst/Images/stg_drm.ocx
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1211706116593
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {99FE5072-78AA-4FEE-89BA-69A5FA55343F} - hxxp://download.microsoft.com/download/B/3/A/B3A2EA73-793D-4ABE-992D-C81140384044/igdtoolx.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Mystery%20Case%20Files%20-%20Ravenhearst/Images/armhelper.ocx
TCP: {CFECFBD7-5B00-4B63-89FB-D2D208B5477B} = 192.168.62.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\opnnlLfg

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\christ~1\applic~1\mozilla\firefox\profiles\6nvkdeyd.default\
FF - prefs.js: browser.startup.homepage - hxxp://mail.google.com/mail/#inbox
FF - prefs.js: network.proxy.ftp - 202.78.71.210
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.gopher - 202.78.71.210
FF - prefs.js: network.proxy.gopher_port - 8080
FF - prefs.js: network.proxy.http - 202.78.71.210
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - 202.78.71.210
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.ssl - 202.78.71.210
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\christopher s ubaldo\local settings\application data\google\update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2009-1-27 11840]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-10 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-10 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-10 107272]
R3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2009-1-27 52032]
R3 BTCOMM;BTCOMM;c:\windows\system32\drivers\Btcomm.sys [2008-3-6 57512]
R3 BTKRNBDG;Bluetooth COM Bridge;c:\windows\system32\drivers\BtKrnBdg.sys [2008-3-6 15876]
R3 vad_multi;Windigo Virtual Audio Device (WDM);c:\windows\system32\drivers\vadmulti.sys [2008-3-6 19840]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R4 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2009-1-27 68865]
R4 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2009-1-27 151297]
R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-1-10 903960]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-10 298264]
S3 CSRBC01;%CSRBC01.SvcDesc%;c:\windows\system32\drivers\csrbc01.sys [2008-3-6 24523]

=============== Created Last 30 ================

2009-01-28 12:37 <DIR> --d----- c:\windows\ERUNT
2009-01-28 12:03 <DIR> --d----- C:\SDFix
2009-01-28 00:42 <DIR> --d----- C:\VundoFix Backups
2009-01-27 22:45 <DIR> --d----- c:\program files\Avira
2009-01-27 22:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-01-27 18:37 21,314 a--sh--- c:\windows\system32\gfLlnnpo.ini
2009-01-27 18:37 21,136 a--sh--- c:\windows\system32\gfLlnnpo.ini2
2009-01-27 18:36 247,808 a------- c:\windows\system32\opnnlLfg.dll
2009-01-22 17:01 <DIR> --d----- c:\program files\Mystery Case Files Prime Suspects
2009-01-20 23:01 4,194,377 a------- c:\windows\pfirewall.log.old
2009-01-20 09:18 <DIR> --d----- c:\docume~1\christ~1\applic~1\SpinTop
2009-01-17 20:36 664 a------- c:\windows\system32\d3d9caps.dat
2009-01-10 12:41 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-01-10 10:19 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-01-10 10:19 107,272 a------- c:\windows\system32\drivers\avgtdix.sys
2009-01-10 10:19 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
2009-01-10 10:19 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-01-10 09:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avg8
2009-01-06 06:33 3,751,995 a------- c:\windows\system32\GPhotos.scr
2009-01-01 18:17 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-01-01 18:17 15,464 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2008-12-31 11:39 <DIR> --d----- c:\windows\Logs

==================== Find3M ====================

2008-12-27 10:00 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-11 19:57 333,184 a------- c:\windows\system32\drivers\srv.sys
2008-03-18 20:26 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2007-08-30 02:57 50,009,400 a------- c:\program files\iTunesSetup.exe
2007-08-24 02:32 471,216 a------- c:\program files\yahoomessenger.exe
2007-06-08 15:07 1,207,026 a------- c:\program files\wrar370.exe
2007-06-04 15:06 2,565,184 a------- c:\program files\chikkasetupv4.exe
2007-04-04 17:26 20,933,888 a------- c:\program files\SkypeSetup.exe
2007-04-04 13:25 104 a------- c:\program files\linksys.txt
2007-02-12 19:10 2,682,880 -------- c:\documents and settings\all users\VCREDI~3.EXE
2004-06-18 10:05 45,056 a------- c:\windows\inf\Slntinst.exe
2003-08-22 10:09 45,056 a------- c:\windows\inf\slntinst_staticW2k.exe

============= FINISH: 13:41:10.87 ===============


#2 stolichnaya2

stolichnaya2
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:12:19 PM

Posted 29 January 2009 - 01:21 AM

Update: I ran Ad-Aware, Avira, AVG, and Symantec's Virtumonde remover. All three did not detect anything. No virus, trojan, or worm. I guess this means the virus has been deleted from my PC? But still my desktop won't show. I can force it through Task Manager but it goes away after a few seconds.

Don't know what to do next. Please help.

#3 stolichnaya2

stolichnaya2
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:12:19 PM

Posted 29 January 2009 - 02:41 AM

Everything's fine now, ComboFix fixed it!!!!!


THANK YOU COMBOFIX.

#4 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:01:19 AM

Posted 05 February 2009 - 11:19 AM

Thank you for notifying us.. I will now close this topic.. Please PM any Moderator or HJT Team should you need to re-open this topic..


Regards
fenzodahl512

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
