
Vundo!grb Generic.dx!rootkit and W32/Virut.n.gen



#1 David1111

  • Members
  • 1 posts

Posted 19 February 2009 - 03:52 PM

Hello, I am new, pretty good with computers, but this thing is way over my head. I would REALLY appreciate any expert help I can get!

I have been using McAfee and it's been great for over two years, but about two weeks ago, I don't know how, I acquired the Vundo!grb infection. The first thing this infection did was disable my Windows updates. I tried to re-enable them, but there seems to be a macro turning my Windows updates off automatically, coming up with error 1358 or something along those lines. A couple of days later I got a message saying I was infected with the Generic.dx!rootkit virus and the W32/Virut.n.gen virus; these proceeded to quickly change my desktop background to an advertisement and disable my desktop-changing features (I can open Desktop Properties, but the whole thing is just gray and I can't really click or apply any settings).

The second thing this virus did was disable my taskbar. It also disabled the cable connection on my laptop, so I have to use my second laptop even to be able to post here. The third thing it did was disable McAfee from time to time, although McAfee still seems able to fix itself. Each time I run a scan it finds around 150 problems and cures around 120 of them, then after a restart it's the same story; they seem to come back even after McAfee "fixes" them. I also tried re-enabling my Windows updates and now get error 8, that there is a missing file so the service cannot run. I am really freaked out by this virus; I have never seen anything like this before.

Here are my DDS logs:

DDS (Ver_09-02-01.01) - NTFSx86
Run by David at 12:24:26.90 on Thu 02/19/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1537 [GMT -8:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\reader_s.exe
C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Common Files\AOL\1141344126\ee\aolsoftware.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\David\reader_s.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Common Files\Palo Alto Software\8.0\PAS8_Update.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Documents and Settings\David\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uWindow Title = Windows Internet Explorer provided by Yahoo!
uStart Page = hxxp://www.yahoo.com
uDefault_Page_URL = hxxp://www.yahoo.com
mDefault_Page_URL = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
BHO: c:\windows\system32\hs78344kjkfd.dll: {c5bf49a2-94f3-42bd-f434-3604812c8955} - c:\windows\system32\hs78344kjkfd.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {DE9C389F-3316-41A7-809B-AA305ED9D922} - No File
TB: My &Web Search: {07b18ea9-a523-4961-b6bb-170de4475cca} - c:\program files\mywebsearch\bar\2.bin\MWSBAR.DLL
uRun: [reader_s] c:\documents and settings\david\reader_s.exe
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [reader_s] c:\windows\system32\reader_s.exe
dRun: [reader_s] c:\documents and settings\david\reader_s.exe
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\kamila\start menu\programs\imvu\Run IMVU.lnk
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\program files\yahoo!\messenger\YahooMessenger.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
LSP: c:\docume~1\kamila\locals~1\temp\ntdll64.dll
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.systemrequirementslab.com/sysreqlab2.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxdev.dll
Notify: psfus - psqlpwd.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: c:\windows\system32\hs78344kjkfd.dll: {c5bf49a2-94f3-42bd-f434-3604812c8955} - c:\windows\system32\hs78344kjkfd.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\efcDVoMf
LSA: Notification Packages = scecli psqlpwd

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\david\applic~1\mozilla\firefox\profiles\0dbzh9zv.default\
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJPI150_04.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-4-22 207656]
R2 FdRedir;FdRedir;c:\program files\common files\protector suite ql\drivers\FdRedir.sys [2005-12-21 13568]
R2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\common files\protector suite ql\drivers\filedisk.sys [2005-12-21 33024]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-9-30 206096]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-4-22 358736]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 116224]
R2 mcshield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\McShield.exe [2008-4-22 144704]
R2 smihlp;SMI helper driver;c:\program files\protector suite ql\smihlp.sys [2005-12-21 3456]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-4-22 605512]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-4-22 79240]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-4-22 35240]
R3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-4-22 34152]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-4-22 40488]
S1 ethrcnhd;ethrcnhd;c:\windows\system32\drivers\ethrcnhd.sys [2009-2-18 137888]
S3 AutoLogon;Auto Logon Service;c:\documents and settings\david\desktop\hax\autologonsvc.exe [2007-11-27 197840]
S3 CEDRIVER53;CEDRIVER53;c:\documents and settings\david\desktop\hax\cheat engine\dbk32.sys [2007-11-19 25984]
S3 IlvMoneyDRIVER53;IlvMoneyDRIVER53;c:\documents and settings\david\desktop\hax\moonlight_engine_1196.4.0.4\IlvMoney1215.sys [2008-10-6 30080]
S3 mschedsvc;Macro Scheduler Service;c:\documents and settings\david\desktop\hax\msschedsvc.exe [2007-11-27 183504]
S3 Sex1;Sex1;c:\documents and settings\david\desktop\hax\sex engine\Sex.sys [2007-11-1 31104]
S3 SoRa1;SoRa1;c:\documents and settings\david\desktop\hax\sora\sora_engine_2.3__1058_\sora engine 2.3\SoRa23.sys [2007-10-31 31104]
S3 V0250Dev;Live! Cam Notebook Pro;c:\windows\system32\drivers\V0250Dev.sys [2006-11-11 163840]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-3-13 45132]

=============== Created Last 30 ================

2009-02-18 15:32 0 a------- c:\windows\system32\17.tmp
2009-02-18 15:32 3,072 a------- c:\windows\system32\15.tmp
2009-02-18 15:31 168 a------- c:\windows\system32\11.tmp
2009-02-18 15:26 47,104 a------- c:\documents and settings\david\reader_s.exe
2009-02-18 15:26 11,293 a------- c:\windows\system32\14.tmp
2009-02-18 15:25 3,072 a------- c:\windows\system32\12.tmp
2009-02-18 15:25 168 a------- c:\windows\system32\10.tmp
2009-02-18 15:22 0 a------- c:\windows\system32\F.tmp
2009-02-18 15:21 168 a------- c:\windows\system32\B.tmp
2009-02-18 14:36 137,888 a------- c:\windows\system32\drivers\ethrcnhd.sys
2009-02-18 14:33 163,748 a------- c:\windows\system32\E.tmp
2009-02-18 14:33 25,601 a------- c:\windows\system32\6.tmp
2009-02-18 14:33 168 a------- c:\windows\system32\5.tmp
2009-02-18 14:32 137,888 a------- c:\windows\system32\drivers\eaglent.sys
2009-02-18 14:29 182,656 ac------ c:\windows\system32\dllcache\ndis.sys
2009-02-18 14:29 163,748 a------- c:\windows\system32\D.tmp
2009-02-18 14:29 25,601 a------- c:\windows\system32\8.tmp
2009-02-18 14:29 3,072 a------- c:\windows\system32\9.tmp
2009-02-18 14:29 168 a------- c:\windows\system32\7.tmp
2009-02-18 14:16 30,208 a------- c:\windows\system32\reader_s.exe
2009-02-18 14:16 4,093 a------- c:\windows\system32\20.tmp
2009-02-18 14:16 3,072 a------- c:\windows\system32\1D.tmp
2009-02-18 14:16 25,601 a------- c:\windows\system32\1C.tmp
2009-02-18 14:16 168 a------- c:\windows\system32\1B.tmp
2009-02-18 14:16 100,590 a------- c:\windows\system32\drivers\4a4c12ce.sys
2009-02-18 14:16 4,785 a------- c:\windows\system32\warning.gif
2009-02-18 14:16 104,960 ac------ c:\windows\system32\dllcache\userinit.exe
2009-02-18 14:16 439 a------- c:\windows\system32\win32hlp.cnf
2009-02-18 14:16 104,960 a------- c:\windows\system32\ntdll64.exe
2009-02-18 14:15 1,060 a------- c:\windows\system32\test.ttt
2009-02-18 14:15 1 a------- c:\windows\system32\uniq.tll
2009-02-18 14:15 2 a------- C:\-461117240
2009-02-18 14:15 43,535 a------- c:\windows\system32\frmwrk32.exe
2009-02-18 14:15 15,000 a------- c:\windows\system32\hs78344kjkfd.dll
2009-02-18 14:15 39,936 a------- c:\windows\Bxaxevinuyozewah.dll
2009-02-18 14:14 72,704 a------- c:\windows\system32\eknyiwgb.dll
2009-02-16 16:50 974,848 ac------ c:\windows\system32\dllcache\dxdiag.exe
2009-02-15 16:56 143 a------- c:\windows\system32\mcrh.tmp
2009-02-12 12:10 230 a------- c:\windows\RomeTW.ini
2009-02-11 22:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Citrix
2009-02-11 17:02 381,436 a------- c:\windows\sysguard.exe
2009-02-11 14:48 41,406 a--sh--- c:\windows\system32\ybKTstwa.ini2
2009-02-11 14:48 41,406 a--sh--- c:\windows\system32\ybKTstwa.ini
2009-02-11 14:48 302,592 a------- c:\windows\system32\awtsTKby.dll
2009-02-11 11:25 129,024 a------- c:\windows\system32\kqsjrwrf.dll
2009-02-11 11:24 72,704 a------- c:\windows\system32\tibxvuei.dll
2009-02-10 14:44 <DIR> --d----- c:\docume~1\david\applic~1\Video Converter for Any Flv Player
2009-02-10 14:44 <DIR> --d----- c:\program files\Any Flv Player
2009-02-10 08:28 1,124,720 a------- c:\windows\system32\D3DCompiler_34.dll
2009-02-10 08:26 <DIR> --d----- c:\windows\Logs
2009-02-10 08:24 22,328 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-02-10 08:24 22,328 a------- c:\docume~1\david\applic~1\PnkBstrK.sys
2009-02-10 08:24 107,832 a------- c:\windows\system32\PnkBstrB.exe
2009-02-10 08:24 66,872 a------- c:\windows\system32\PnkBstrA.exe
2009-02-10 08:24 2,250,024 a------- c:\windows\system32\pbsvc.exe
2009-02-10 07:12 36,395 a--sh--- c:\windows\system32\fMoVDcfe.ini2
2009-02-10 07:12 3,701 a--sh--- c:\windows\system32\fMoVDcfe.ini
2009-02-10 07:12 302,592 a------- c:\windows\system32\efcDVoMf.dll.vir
2009-02-09 16:29 <DIR> --d----- c:\program files\FOSTER

==================== Find3M ====================

2009-02-19 11:58 57,856 a------- c:\windows\system32\spoolsv.exe
2009-02-19 11:57 110,592 a------- c:\windows\system32\DVDRAMSV.exe
2009-02-18 15:54 1,414,656 a------- c:\windows\system32\mmc.exe
2009-02-18 15:04 13,824 a------- c:\windows\system32\wscntfy.exe
2009-02-18 15:03 32,768 a------- c:\windows\system32\odbcad32.exe
2009-02-18 15:02 310,784 ac------ c:\windows\IsUn040a.exe
2009-02-18 15:02 27,665 a------- c:\windows\hh.exe
2009-02-18 15:02 94,208 ac------ c:\windows\DLA.EXE
2009-02-18 15:02 41,984 ac------ c:\windows\Ctregrun.exe
2009-02-18 15:02 94,208 a------- c:\windows\DIIUnin.exe
2009-02-18 15:02 86,016 a----r-- c:\windows\CtDrvIns.exe
2009-02-18 15:02 700,416 a------- C:\StubInstaller.exe
2009-02-18 15:02 15,360 a------- c:\windows\system32\ctfmon.exe
2009-02-18 15:02 1,033,728 a------- c:\windows\explorer.exe
2009-02-18 15:02 104,960 a------- c:\windows\system32\userinit.exe
2009-02-18 14:29 182,656 a------- c:\windows\system32\drivers\ndis.sys
2009-02-10 11:15 43,520 a------- c:\windows\system32\CmdLineExt03.dll
2009-02-10 08:30 107,888 a------- c:\windows\system32\CmdLineExt.dll
2008-12-26 14:41 478 a------- c:\docume~1\david\applic~1\wklnhst.dat

============= FINISH: 12:25:28.68 ===============
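The log above already carries the entries a responder would key on: the same reader_s entry persisted in the user (uRun), machine (mRun) and default-user (dRun) Run keys, a BHO and a ShellServiceObject (STS) pointing at a random-named DLL in system32, a Winsock LSP loaded from a Temp folder, lockdown policies (DisableTaskMgr, NoSetActiveDesktop, NoActiveDesktopChanges) that account for the grayed-out desktop settings the poster describes, and an extra entry beside msv1_0 in LSA Authentication Packages, which makes lsass load that module at boot. As an added example (not part of the original post and not part of the DDS tool), here is a small Python triage script that applies those rules to the Pseudo HJT section. The sample lines are copied from the log above; the rules, the "random-looking name" threshold and the list of lockdown policies are my own heuristics, so a hit means "inspect this", not "confirmed malicious".

```python
"""Triage rules for the 'Pseudo HJT Report' section of a DDS log.

Added example; not part of the original post or of the DDS tool. The sample
lines are copied from the log posted above. The rules and thresholds are
my own heuristics (assumptions), so a hit means "inspect", not "malicious".
"""
import re
from collections import defaultdict

SAMPLE_DDS = r"""
BHO: c:\windows\system32\hs78344kjkfd.dll: {c5bf49a2-94f3-42bd-f434-3604812c8955} - c:\windows\system32\hs78344kjkfd.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {DE9C389F-3316-41A7-809B-AA305ED9D922} - No File
uRun: [reader_s] c:\documents and settings\david\reader_s.exe
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [reader_s] c:\windows\system32\reader_s.exe
dRun: [reader_s] c:\documents and settings\david\reader_s.exe
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
LSP: c:\docume~1\kamila\locals~1\temp\ntdll64.dll
STS: c:\windows\system32\hs78344kjkfd.dll: {c5bf49a2-94f3-42bd-f434-3604812c8955} - c:\windows\system32\hs78344kjkfd.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\efcDVoMf
LSA: Notification Packages = scecli psqlpwd
"""

LINE_RE = re.compile(r"^(?P<kind>[A-Za-z-]+): (?P<rest>.+)$")
USER_DIRS = ("\\documents and settings\\", "\\docume~1\\", "\\users\\", "\\temp\\")
LOCKDOWN_POLICIES = {"DisableTaskMgr", "DisableRegistryTools", "NoSetActiveDesktop",
                     "NoActiveDesktopChanges", "NoControlPanel"}
EXPECTED_AUTH_PACKAGES = {"msv1_0"}   # stock XP; adjust if a third-party SSP is installed


def looks_random(filename):
    """Heuristic for generated names such as hs78344kjkfd.dll: long and vowel-poor or digit-heavy."""
    stem = filename.rsplit(".", 1)[0].lower()
    if len(stem) < 8:
        return False
    vowels = sum(c in "aeiou" for c in stem)
    digits = sum(c.isdigit() for c in stem)
    return digits >= 3 or vowels / len(stem) < 0.2


def _module_name(rest):
    """Basename of the path after the last ' - ' in a BHO/TB/STS entry."""
    path = rest.rsplit(" - ", 1)[-1].strip()
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def triage(dds_text):
    """Return (severity, rule, evidence) tuples for the Pseudo HJT lines in dds_text."""
    findings = []
    run_hives = defaultdict(set)   # Run entry name -> hives (u=user, m=machine, d=default user)
    for line in dds_text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        kind, rest = m.group("kind"), m.group("rest")
        low = rest.lower()
        if kind in ("uRun", "mRun", "dRun"):
            run_hives[rest[1:rest.index("]")]].add(kind[0])
            if any(d in low for d in USER_DIRS):
                findings.append(("high", "Run entry launches from a user profile or Temp path", line))
        elif kind in ("BHO", "TB", "STS"):
            name = _module_name(rest)
            if name.lower() != "no file" and looks_random(name):
                findings.append(("high", f"{kind} loads a random-looking module name", line))
        elif kind.endswith(("Policies-system", "Policies-explorer")):
            if rest.split("=", 1)[0].strip() in LOCKDOWN_POLICIES:
                findings.append(("medium", "UI lockdown policy set (Task Manager/desktop)", line))
        elif kind == "LSP" and any(d in low for d in USER_DIRS):
            findings.append(("high", "Winsock LSP loaded from a user profile or Temp path", line))
        elif kind == "LSA" and rest.startswith("Authentication Packages"):
            extra = [p for p in rest.split("=", 1)[1].split() if p.lower() not in EXPECTED_AUTH_PACKAGES]
            if extra:
                findings.append(("high", "unexpected LSA authentication package: " + " ".join(extra), line))
    # Redundant persistence across hives is itself a signal: legitimate software rarely does it.
    for name, hives in run_hives.items():
        if len(hives) > 1:
            findings.append(("high", f"'{name}' is persisted in {len(hives)} Run hives", "".join(sorted(hives))))
    return findings


if __name__ == "__main__":
    for sev, rule, evidence in triage(SAMPLE_DDS):
        print(f"[{sev:6}] {rule}\n         {evidence}")
```

Run against the sample it reports nine findings; the McAfee entries (mcagent, the SiteAdvisor toolbar) and the fingerprint reader's psqlpwd Notification Package produce none, which is the point of keeping an allow-list of expected LSA packages rather than flagging every entry. On a live machine, feed it the full DDS text: lines it does not recognise (DPF, Notify, SSODL, services) are ignored rather than guessed at.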



#2 Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 24 February 2009 - 11:51 AM

Hello David1111,

I'm afraid I have bad news for you.

I see you're dealing with Virut on top of the other nasty malware on your system. In that case it is, unfortunately, a lost cause: a game-over situation, and a format and reinstall is the fastest and, above all, the safest solution.

You may want to read this to see why:
Virut and other File infectors - Throwing in the Towel?

So, I suggest you start backing up all of your valuable data/documents/pictures/movies/songs/etc. Do NOT back up any applications/installers, and do NOT back up any .exe/.scr/.htm/.html/.xml/.zip/.rar files.
This is because these files may be infected as well. If you back them up and restore them afterwards, they will infect your computer again.


Read here for instructions on how to format and reinstall Windows: http://web.mit.edu/ist/products/winxp/adva...all-format.html

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
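Thunder's backup advice rests on what Virut is: a parasitic file infector that writes itself into executable files, so anything carried across the reinstall in those formats brings the infection straight back. As an added example (not from the reply above and not a BleepingComputer tool), here is a Python script that copies a data tree while refusing the file types listed in the reply and, on top of that, refusing any file whose content starts with the MZ executable header, since a renamed .exe is still a PE and a file infector keys on content, not on the extension. The extra extensions beyond the reply's list (.dll, .sys, .com, .pif, .cab, .msi, .vbs, .js) and the sample tree the script builds in a temp directory are my own assumptions.

```python
"""Back up a data tree while refusing the file types a file infector rides in.

Added example; not from the reply above or any BleepingComputer tool. The
extension list extends the reply's (.exe/.scr/.htm/.html/.xml/.zip/.rar) with
a few more executable/container types; those extras, and the demo tree built
in a temp directory, are my own assumptions.
"""
import os
import shutil
import tempfile

SKIP_EXTENSIONS = {".exe", ".scr", ".htm", ".html", ".xml", ".zip", ".rar",       # from the reply
                   ".dll", ".sys", ".com", ".pif", ".cab", ".msi", ".vbs", ".js"}  # added (assumption)
PE_MAGIC = b"MZ"   # DOS/PE header; every Windows executable and DLL starts with it


def is_pe(path):
    """Content check: a file infector keys on bytes, so a renamed .exe is still a target."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == PE_MAGIC
    except OSError:
        return False


def classify(path):
    """Return 'copy', 'skip:extension' or 'skip:pe-content'."""
    if os.path.splitext(path)[1].lower() in SKIP_EXTENSIONS:
        return "skip:extension"
    if is_pe(path):
        return "skip:pe-content"
    return "copy"


def backup_tree(src, dst):
    """Copy the safe files under src to dst; report what was copied and what was refused and why."""
    report = {"copied": [], "skipped": []}
    for root, _dirs, files in os.walk(src):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, src).replace(os.sep, "/")
            verdict = classify(full)
            if verdict == "copy":
                target = os.path.join(dst, *rel.split("/"))
                os.makedirs(os.path.dirname(target), exist_ok=True)
                shutil.copy2(full, target)
                report["copied"].append(rel)
            else:
                report["skipped"].append((rel, verdict))
    return report


def build_demo_tree(base):
    """Constructed sample files (not the poster's data); the 'MZ' bytes stand in for real PEs."""
    samples = {
        "docs/notes.txt": b"meeting notes",
        "pics/photo.jpg": b"\xff\xd8\xff\xe0 not a real jpeg",
        "tools/setup.exe": b"MZ\x90\x00 fake executable",
        "docs/renamed.dat": b"MZ\x90\x00 executable hiding behind a data extension",
        "web/page.html": b"<html><body>hi</body></html>",
        "archive/old.zip": b"PK\x03\x04",
    }
    for rel, data in samples.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo():
    """Run the filter over the constructed tree and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = os.path.join(tmp, "src"), os.path.join(tmp, "backup")
        build_demo_tree(src)
        report = backup_tree(src, dst)
        report["restored_ok"] = all(os.path.isfile(os.path.join(dst, *r.split("/")))
                                    for r in report["copied"])
        return report


if __name__ == "__main__":
    r = demo()
    print("copied :", r["copied"])
    for rel, why in r["skipped"]:
        print("skipped:", rel, "->", why)
```

The content check is what the extension list alone misses: docs/renamed.dat is refused because it starts with MZ, even though nothing about its name says "executable". Run the real thing from a clean boot medium or a second machine with the infected disk mounted read-only; running any backup tool from inside the infected Windows gives the infector a chance at the tool's own binaries.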



