Major malware issue (Vundo among others?)


  • This topic is locked
2 replies to this topic

#1 VegasViolator

  • Members
  • 2 posts
  • OFFLINE
  • Local time:02:16 AM

Posted 28 February 2009 - 08:19 PM

A friend gave me her computer to try and fix. Upon receiving it, it took an hour to boot up; I fixed that problem. The Firewall had been turned off since ATT installed her high speed connection, and no updates had been run since July 2008. I enabled the Firewall and ran all the updates to date. There is a ton of trojans/malware on this computer, like Vundo, which keeps popping up; I can't get rid of all of them. I have run OneCare Live, Malwarebytes' Anti-Malware, VundoFix, VirtumundoBeGone, SDFix, Trend Micro... the list goes on. Everything I run says it cleans them, and the Vundo fixes say none are found. Then when I run again they are back??? I can't seem to get rid of all these nasty things, so I am asking for help and have posted my HijackThis log. Last time I offer to look at a friend's computer; not worth it if he wasn't smart enough to turn the firewall and updates on... Thanks in advance for your help!!!

DDS (Ver_09-02-01.01) - NTFSx86
Run by main at 20:11:00.35 on 02/28/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.189 [GMT -5:00]

AV: Anti-Virus - SBC Yahoo! Online Protection *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\2Wire Wireless Manager\2Wire.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
D:\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
uSearch Bar = hxxp://www.yahoo.com/search/ie.html
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: H - No File
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: {9449}: {229a5184-585f-4020-bfab-a642942227c1} - c:\windows\system32\cknwiumo.dll
BHO: {4F43126C-0B98-46A5-9845-B396D0600EFA} - No File
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar3.dll
BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
BHO: {FDA82ED8-D59F-BCCE-07BF-331C35601E5B} - No File
TB: {B70378C2-862C-46C9-D3AD-E23C722F9E5C} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
TB: {804DB5C7-31E6-4885-850A-F1941B58A4C7} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
uRun: [PPWebCap] c:\progra~1\scansoft\paperp~1\PPWebCap.exe
uRun: [MoneyAgent] "c:\program files\microsoft money\system\Money Express.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [YBrowser] c:\progra~1\yahoo!\browser\ybrwicon.exe
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [YOP] c:\progra~1\yahoo!\yop\yop.exe /autostart
mRun: [CaAvTray] "c:\program files\yahoo!\antivirus\CAVTray.exe"
mRun: [CAVRID] "c:\program files\yahoo!\antivirus\CAVRID.exe"
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [WorksFUD] c:\program files\microsoft works\wkfud.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [Motive SmartBridge] c:\progra~1\sbcsel~1\smartb~1\MotiveSB.exe
mRun: [MoneyStartUp10.0] "c:\program files\microsoft money\system\Activation.exe"
mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
mRun: [Microsoft Works Portfolio] c:\program files\microsoft works\WksSb.exe /AllUsers
mRun: [LXSUPMON] c:\windows\system32\LXSUPMON.EXE RUN
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [2Wire Wireless Manager] "c:\program files\2wire wireless manager\2Wire.exe" -a
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
LSP: c:\windows\system32\rlls.dll
LSP: c:\windows\system32\VetRedir.dll
Trusted Zone: getmirar.com\click
Trusted Zone: mirarsearch.com\click
Trusted Zone: mirarsearch.com\redirect
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0000000A-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmsp9dmo.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - hxxp://software-dl.real.com/11f8a8a00c9b107c3302/netzip/RdxIE601.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1235603824421
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1235603672843
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37877.6416550926
DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - hxxp://download.yahoo.com/dl/installs/ymail/ymmapi.dll
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - hxxp://download.spyspotter.com/spyspotter/SpSp29952.40opt/SpySpotterCabInstall.cab
TCP: {DFB3D713-251A-48B0-B35C-14BBE96234B8} = 68.94.156.1,68.94.157.1
Notify: ddcDwwXR - ddcDwwXR.dll
SEH: {4F43126C-0B98-46A5-9845-B396D0600EFA} - No File
LSA: Authentication Packages = msv1_0 c:\windows\system32\rqRKEuTN

============= SERVICES / DRIVERS ===============

R1 VET-FILT;VET File System Filter;c:\windows\system32\drivers\Vet-Filt.sys [2005-6-16 21031]
R1 VET-REC;VET File System Recognizer;c:\windows\system32\drivers\Vet-Rec.sys [2005-6-16 15478]
R1 VETEFILE;VET File Scan Engine;c:\windows\system32\drivers\VetEFile.sys [2005-6-16 879832]
R1 VETFDDNT;VET Floppy Boot Sector Monitor;c:\windows\system32\drivers\VetFDDNT.sys [2005-6-16 15735]
R1 VETMONNT;VET File Monitor;c:\windows\system32\drivers\vetmonnt.sys [2006-8-3 26787]
R2 CAISafe;CAISafe;c:\program files\yahoo!\antivirus\iSafe.exe [2005-6-16 259184]
R2 VETMSGNT;VET Message Service;c:\program files\yahoo!\antivirus\VetMsg.exe [2005-6-16 201840]
R3 VETEBOOT;VET Boot Scan Engine;c:\windows\system32\drivers\VetEBoot.sys [2005-6-16 108360]
S1 fihdztlj;fihdztlj;\??\c:\windows\system32\drivers\fihdztlj.sys --> c:\windows\system32\drivers\fihdztlj.sys [?]

=============== Created Last 30 ================

2009-02-28 18:24 <DIR> --d----- c:\docume~1\main\applic~1\Malwarebytes
2009-02-28 18:24 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-28 18:23 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-28 18:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-28 18:23 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-28 18:03 <DIR> --d----- c:\program files\Windows Live Safety CenterRebootActions
2009-02-28 15:18 <DIR> --d----- c:\documents and settings\main\.housecall6.6
2009-02-28 13:37 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-02-28 13:35 <DIR> --d----- c:\windows\ERUNT
2009-02-28 13:35 1,688 a------- c:\windows\system32\AUTOEXEC.NT
2009-02-28 13:32 <DIR> --d----- C:\SDFix
2009-02-28 12:11 <DIR> --d----- c:\windows\system32\scripting
2009-02-28 12:11 <DIR> --d----- c:\windows\l2schemas
2009-02-28 12:11 <DIR> --d----- c:\windows\system32\en
2009-02-27 17:12 52,224 -c------ c:\windows\system32\dllcache\msfeedsbs.dll
2009-02-27 17:12 459,264 -c------ c:\windows\system32\dllcache\msfeeds.dll
2009-02-27 17:12 267,776 -c------ c:\windows\system32\dllcache\iertutil.dll
2009-02-27 17:12 13,824 -c------ c:\windows\system32\dllcache\ieudinit.exe
2009-02-27 17:12 991,232 -c------ c:\windows\system32\dllcache\ieframe.dll.mui
2009-02-27 17:12 6,066,688 -c------ c:\windows\system32\dllcache\ieframe.dll
2009-02-27 17:12 2,455,488 -c------ c:\windows\system32\dllcache\ieapfltr.dat
2009-02-27 17:12 383,488 -c------ c:\windows\system32\dllcache\ieapfltr.dll
2009-02-27 17:12 63,488 -c------ c:\windows\system32\dllcache\icardie.dll
2009-02-26 21:13 276,992 -------- c:\windows\system32\wmphoto.dll
2009-02-26 21:13 69,120 -------- c:\windows\system32\wlanapi.dll
2009-02-26 21:13 712,704 -------- c:\windows\system32\windowscodecs.dll
2009-02-26 21:13 346,112 -------- c:\windows\system32\windowscodecsext.dll
2009-02-26 21:13 25,471 -------- c:\windows\system32\drivers\watv10nt.sys
2009-02-26 21:13 22,271 -------- c:\windows\system32\drivers\watv06nt.sys
2009-02-26 21:11 180,360 -------- c:\windows\system32\drivers\ntmtlfax.sys
2009-02-26 21:10 61,440 -------- c:\windows\system32\kmsvc.dll
2009-02-26 21:09 15,423 -------- c:\windows\system32\drivers\ch7xxnt5.dll
2009-02-26 20:14 1,846,400 -c------ c:\windows\system32\dllcache\win32k.sys
2009-02-26 20:14 2,145,280 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-26 20:14 2,189,184 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-26 20:14 2,023,936 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-26 20:14 2,066,048 -c------ c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-26 20:14 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-02-26 20:13 333,952 -c------ c:\windows\system32\dllcache\srv.sys
2009-02-26 20:13 691,712 -c------ c:\windows\system32\dllcache\inetcomm.dll
2009-02-26 20:13 337,408 -c------ c:\windows\system32\dllcache\netapi32.dll
2009-02-26 19:14 <DIR> --d----- C:\VundoFix Backups
2009-02-25 20:01 <DIR> --d----- c:\windows\system32\MpEngineStore
2009-02-25 19:54 <DIR> --d----- C:\2653b9ce218e02cbc8f17e13a633a8
2009-02-25 19:54 <DIR> --d----- c:\windows\network diagnostic
2009-02-25 19:47 <DIR> --d----- C:\e7df07d55c286bdfb57362cb1c0964c5
2009-02-25 18:20 23,576 a------- c:\windows\system32\wuapi.dll.mui
2009-02-25 17:01 12,160 ac------ c:\windows\system32\dllcache\mouhid.sys
2009-02-25 17:01 12,160 a------- c:\windows\system32\drivers\mouhid.sys
2009-02-25 16:57 10,368 a------- c:\windows\system32\drivers\hidusb.sys

==================== Find3M ====================

2009-02-28 12:16 77,423 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-02-26 17:02 879,832 a------- c:\windows\system32\drivers\VetEFile.sys
2009-02-26 17:02 108,360 a------- c:\windows\system32\drivers\VetEBoot.sys
2009-02-26 16:52 78,458 a---h--- c:\docume~1\main\applic~1\ptads.bin
2009-02-25 16:55 31,073 a--sh--- c:\windows\system32\NTuEKRqr.ini2
2008-12-20 18:15 826,368 a------- c:\windows\system32\wininet.dll
2007-01-25 19:44 80,136 a------- c:\docume~1\main\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 20:11:55.06 ===============

#2 VegasViolator

  • Topic Starter
  • Members
  • 2 posts
  • OFFLINE
  • Local time:02:16 AM

Posted 01 March 2009 - 12:34 PM

OK, I fixed it. The Malwarebytes' Anti-Malware instructions never said to run it in Safe Mode. I ran it in Safe Mode and it is running smoothly now with no problems.

#3 KoanYorel

    Bleepin' Conundrum

  • Staff Emeritus
  • 19,461 posts
  • OFFLINE
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:03:16 AM

Posted 01 March 2009 - 06:15 PM

Thanks for informing us.

Good luck.

This Topic is closed.

Should you need it reopened, please contact a Forum Moderator. Include the address of this thread in your request.

If you have a new issue, please start a New Topic.

This applies only to the original poster. Everyone else please begin a New Topic.

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)



