
Unknown infection causing various problems


This topic is locked
2 replies to this topic

#1 Jimbola

  • Members
  • 1 posts

Posted 31 January 2009 - 01:41 PM

Dear all,

I managed to get a virus of some description on my computer last night, and am having trouble fully removing it.

It has turned my Google quite strange - results now always open in a new window, often going to a completely unrelated advertising website. Some websites appear to be blocked entirely (notably the homepage for Spybot - http://www.safer-networking.org/ - immediately comes up with a 'Page Load Error').

My version of Spybot initially wouldn't start, and on advice found somewhere I got it working by changing the name of the Spybot .exe. However, it prevents me from connecting to the update server (this is the case with ad-aware as well). I updated Spybot manually, and have done a scan which found nothing. I can now no longer access my C:\ drive via the shortcut on 'My Computer'. I can however access it by clicking the up arrow button in other C folders.

I did an antivirus scan - Avira Antivir Personal - and it found 2 viruses: TR/Patched.CK.6 Trojan and the TR/Vundo.Gen Trojan. It claims to have deleted them, but it has now found them twice on two separate scans (after a reboot), so I guess they keep popping up. I tried Panda activescan online, which found nothing. I gather the Vundo is a tricky customer, and found a Symantec removal tool for it - but it found nothing. I deleted my hosts file in System32\ in case that was causing it.

I'm running out of ideas, and don't really want to have to format the computer. Here are the results from my DDS scan:

DDS (Ver_09-01-19.01) - NTFSx86
Run by Owner at 18:20:11.75 on 31/01/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_03
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.478.105 [GMT 0:00]

AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)
AV: avast! antivirus 4.8.0 [VPS 000000-0] *On-access scanning enabled* (Outdated)
FW: Outpost Firewall Pro *enabled*
FW: COMODO Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Switch Off\swoff.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/ig?hl=en
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyServer = hxxp://wwwcache.bris.ac.uk:8080
uInternet Settings,ProxyOverride = <local>;*.local
mSearchAssistant = hxxp://www.google.com/ie
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [<NO NAME>]
uRun: [Switch Off] c:\program files\switch off\swoff.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
mRun: [COMODO Firewall Pro] "c:\program files\comodo\firewall\cfp.exe" -h
mRun: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] c:\program files\google\gmail notifier\gnotify.exe
mRun: [COMODO Internet Security] "c:\program files\comodo\firewall\cfp.exe" -h
mRun: [QuickTime Task] "c:\program files\k-lite codec pack\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\documents and settings\owner\start menu\programs\startup\Last.fm Helper.lnk.disabled
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Utility Tray.lnk.disabled
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://spaces.msn.com//PhotoUpload/MsnPUpld.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120663179156
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} - hxxp://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: c:\windows\system32\guard32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\nhqkg7lz.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\mozilla firefox\components\iamfamous.dll
FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\nhqkg7lz.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07061050.dll
FF - plugin: c:\program files\k-lite codec pack\quicktime\plugins\npqtplugin.dll
FF - plugin: c:\program files\k-lite codec pack\quicktime\plugins\npqtplugin2.dll
FF - plugin: c:\program files\k-lite codec pack\quicktime\plugins\npqtplugin3.dll
FF - plugin: c:\program files\k-lite codec pack\quicktime\plugins\npqtplugin4.dll
FF - plugin: c:\program files\k-lite codec pack\quicktime\plugins\npqtplugin5.dll
FF - plugin: c:\program files\k-lite codec pack\quicktime\plugins\npqtplugin6.dll
FF - plugin: c:\program files\k-lite codec pack\quicktime\plugins\npqtplugin7.dll
FF - plugin: c:\program files\k-lite codec pack\quicktime\plugins\npqtplugin8.dll
FF - plugin: c:\program files\k-lite codec pack\quicktime\plugins\npqtplugin9.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPnsv_vp3_mp3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin9.dll
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-1-31 64160]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-1-31 28544]
R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2008-9-17 11840]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2008-9-17 101776]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2008-9-17 31504]
R3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2008-9-17 52032]
S3 MapMem;MapMem;\??\d:\mapmem.sys --> d:\mapmem.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2003-4-4 30336]
S3 PRISM_USB;D-Link Air Wireless USB Adapter Driver;c:\windows\system32\drivers\PRISMUSB.sys [2003-10-2 666624]

=============== Created Last 30 ================

2009-01-31 17:25 <DIR> --d----- c:\program files\Trend Micro
2009-01-31 15:08 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-01-31 14:58 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-01-31 14:57 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-01-31 14:57 <DIR> --d----- c:\program files\Lavasoft
2009-01-31 14:22 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-01-31 14:19 <DIR> --d----- c:\documents and settings\owner\.housecall6.6
2009-01-31 04:51 407 ---shr-- C:\autorun.inf

==================== Find3M ====================

2008-12-13 06:40 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 10:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-11 10:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-12-03 23:26 147,192 a------- c:\windows\system32\guard32.dll
2008-12-03 23:26 101,776 a------- c:\windows\system32\drivers\cmdguard.sys
2008-11-07 01:19 52,736 a------- c:\windows\ipuninst.exe
2008-10-21 23:09 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102220081023\index.dat

============= FINISH: 18:22:43.25 ===============

I would greatly appreciate any help you guys can provide on this matter.

Thanks in advance.
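As an added example (not part of this thread, and not code from the DDS tool), here is a small Python triage helper of the kind a malware-response volunteer might keep around for a first pass over a DDS log like the one above. It splits the log on the "=== Section ===" headers and flags the entry types that appear in this particular log: orphaned BHO/toolbar registrations ("No File"), a Run value with no name, an AppInit_DLLs entry, a user-level proxy, a Firefox ActiveX policy granting AllAccess, and a hidden/system autorun.inf at the drive root. The rules and severities are my own assumptions for illustration; the sample text is a constructed excerpt copied from the log in the post.

```python
"""DDS log triage helper (added example; not from the thread or the DDS tool).

Walks the '=== Section ===' blocks of a DDS log and returns entries that
deserve a second look. The rules are deliberately simple and only cover the
indicator types present in the log posted above.
"""
import re

# Constructed sample: a handful of lines copied from the DDS log in the thread.
SAMPLE_LOG = """\
============== Pseudo HJT Report ===============

uInternet Settings,ProxyServer = hxxp://wwwcache.bris.ac.uk:8080
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\\program files\\java\\jre1.6.0_03\\bin\\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe
uRun: [<NO NAME>]
AppInit_DLLs: c:\\windows\\system32\\guard32.dll

---- FIREFOX POLICIES ----
c:\\program files\\mozilla firefox\\defaults\\pref\\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");

=============== Created Last 30 ================

2009-01-31 17:25 <DIR> --d----- c:\\program files\\Trend Micro
2009-01-31 04:51 407 ---shr-- C:\\autorun.inf
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# Created-Last-30 / Find3M entries: date time size-or-<DIR> attribute-flags path
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (\S+) (\S{8}) (.+)$")
# A path directly in a drive root, e.g. C:\autorun.inf
ROOT_RE = re.compile(r"^[a-z]:\\[^\\]+$", re.IGNORECASE)


def parse_sections(text):
    """Split the log into {section_name: [lines]} using the '=== name ===' headers."""
    sections, current = {}, "HEADER"
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        sections.setdefault(current, []).append(line)
    return sections


def triage(text):
    """Return a list of (severity, reason, line) tuples worth a second look.

    Severities are an assumption made for this example, not a DDS convention.
    """
    findings = []
    for lines in parse_sections(text).values():
        for line in lines:
            # CLSID still registered but the DLL is gone: leftover from an uninstall or a removal.
            if line.startswith(("BHO:", "TB:")) and line.endswith("- No File"):
                findings.append(("low", "orphaned browser extension entry", line))
            # A Run value with no name is unusual for a legitimate installer.
            elif line.startswith(("uRun:", "mRun:", "dRun:")) and "[<NO NAME>]" in line:
                findings.append(("medium", "Run entry without a value name", line))
            # AppInit_DLLs is loaded into every process that uses user32; confirm the vendor.
            elif line.startswith("AppInit_DLLs:"):
                findings.append(("info", "AppInit_DLLs is set; verify the DLL vendor", line))
            # A user-level proxy routes all IE traffic through that host.
            elif "ProxyServer" in line:
                findings.append(("info", "proxy configured; confirm it is expected", line))
            # Firefox ActiveX policy granting AllAccess to a specific ClassID.
            elif '"AllAccess"' in line and "ClassID" in line:
                findings.append(("medium", "Firefox ActiveX policy grants AllAccess", line))
            else:
                m = FILE_RE.match(line)
                if m:
                    _date, _time, _size, attrs, path = m.groups()
                    hidden_system = "s" in attrs and "h" in attrs
                    if (ROOT_RE.match(path) and path.lower().endswith("autorun.inf")
                            and hidden_system):
                        findings.append(("high", "hidden/system autorun.inf at drive root", line))
    return findings


if __name__ == "__main__":
    for sev, why, line in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {why}: {line}")
```

Run it against a full saved DDS log by reading the file into `triage()`; the output is a prioritised reading order, not a verdict, and every flagged line still needs a human to confirm what the file or registry value belongs to.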


#2 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 11 February 2009 - 06:48 PM

Hello Jimbola,

Sorry about the delay. If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you.

Please do this:
1. Download HijackThis™ here:
http://www.trendsecure.com/portal/en-US/th.../hijackthis.php

2. Click 'Do a System Scan and Save log'.
The HJT log will open in notepad.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 20 February 2009 - 12:44 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic
