Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Vundo, Sheur2, google search results hijack

  • This topic is locked This topic is locked
3 replies to this topic

#1 DannyScL


  • Members
  • 5 posts
  • Local time:03:35 PM

Posted 02 March 2009 - 11:11 AM

I picked up some nasty malware yesterday that seems to be doing all sorts of unpleasant things. I first became aware of it when AVG Resident Shield told me that I had picked up an infection (unfortunately, I didn't make a note of which one). I ran AVG and SpyBot separately - tons of infections came up. The two that I seem to remember are Vundo and Sheur2. I also installed MBAM to try to clean everything up, but to no avail.

The biggest problem I'm having is with logging onto Windows. I've restarted my computer probably ten times, and almost every time after logging into windows I get a blank desktop - the desktop image loads, but no icons and no toolbar on the bottom. I've gotten a couple different Data Execution Prevention Warnings: for Userinit.exe and explorer.exe mostly. There doesn't seem to be anything easily predictable about which one comes up. I'm able to start Windows Task Manager and run programs from there.

I've run a full MBAM scan a few times (re-starting after each scan), but it keeps finding infections.

On my most recent restart, the desktop loaded normally. So I don't know if MBAM finally found the problem and cleared it out or what.

Another problem that's just come up is the hijacking of google search results to clickfraudmanager that other people seem to have been noting as well. Not sure if that's related to the other stuff that's going on, but it started just around the same time.

Here's my DDS log:

DDS (Ver_09-02-01.01) - NTFSx86
Run by Danny at 10:52:09.06 on Mon 03/02/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.451 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\Program Files\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Mozilla Firefox\firefox.exe
svchost.exe C:\WINDOWS\TEMP\VRT8.tmp
C:\Documents and Settings\Danny\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Bar =
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
uInternet Connection Wizard,ShellNext = iexplore
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [SetDefaultMIDI] MIDIDef.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [CTSysVol] c:\program files\creative\sbaudigy\surround mixer\CTSysVol.exe /r
mRun: [MBMon] Rundll32 CTMBHA.DLL,MBMon
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [<NO NAME>]
mRun: [EPSON Stylus CX6600 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATI9EA.EXE /P26 "EPSON Stylus CX6600 Series" /O6 "USB001" /M "Stylus CX6600"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRunOnce: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{871df2be-41d2-4334-ac33-839af16fc8fe}\Icon3E5562ED7.ico
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\xccstart.lnk - c:\windows\system\xccef090131.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: turbotax.com
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {A8B3A7FE-9C8D-4F15-9B01-8805BDF43B1B} - hxxps://pacsweb.bidmc.harvard.edu/ami/install/amiviewer.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: KATRACK.DLL c:\windows\system32\gifepujo.dll mhzegm.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli c:\windows\system32\gifepujo.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\danny\applic~1\mozilla\firefox\profiles\zv4oxk7i.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\danny\application data\mozilla\firefox\profiles\zv4oxk7i.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071102000005.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava11.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava12.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava13.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava14.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava32.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPinfotl.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npitunes.dll

FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-13 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-11-13 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-11-13 107272]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-11-13 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-11-13 298264]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
R2 sopidkc;sopidkc Service;c:\windows\system32\sopidkc.exe [2004-8-4 65536]
S2 softyinforwow1;.Freame Micer;c:\windows\system32\svchost.exe -k netsvcs [2004-8-11 31232]
S3 pcistub;pcistub;\??\c:\windows\system32\pcistub.sys --> c:\windows\system32\pcistub.sys [?]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

=============== Created Last 30 ================

2009-03-02 10:51 61,440 a------- c:\windows\system32\drivers\kexub.sys
2009-03-02 10:43 578,560 a------- c:\windows\system32\wqsyxofw
2009-03-02 10:40 61,440 a------- c:\windows\system32\drivers\cqphhw.sys
2009-03-02 10:08 262,144 -------- c:\windows\system32\nvtpm32.dll
2009-03-02 09:44 578,560 a------- c:\windows\system32\zrgdcu
2009-03-02 09:44 105,984 a------- c:\windows\system32\13.tmp
2009-03-02 09:43 40 a------- c:\windows\system32\12.tmp
2009-03-02 09:42 105,984 a------- c:\windows\system32\10.tmp
2009-03-01 23:02 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-01 23:02 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-01 23:02 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-01 18:44 <DIR> --d----- c:\docume~1\danny\applic~1\Malwarebytes
2009-03-01 18:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-01 18:33 71 a------- c:\windows\system32\work.ini
2009-03-01 18:31 228 a------- c:\windows\system32\hgset.ini
2009-03-01 18:31 0 a------- c:\windows\mqcd.dbt
2009-03-01 18:31 676,352 a------- c:\windows\system32\rtl60.bpl
2009-03-01 18:31 406,528 a------- c:\windows\system32\tmpxccacj0.exe
2009-03-01 18:31 204 a------- c:\windows\system32\xcchit32.ini
2009-03-01 18:30 32,768 a------- c:\windows\system32\odjan.wa
2009-03-01 18:30 28,672 a------- c:\windows\system32\kdoqmn.sr
2009-03-01 18:30 32,768 a------- c:\windows\system32\kei1w.an
2009-03-01 18:30 28,672 a------- c:\windows\system32\doqkm.zt
2009-03-01 18:30 77,312 a------- c:\windows\system32\rkoq.pxf
2009-03-01 18:30 578,560 a------- c:\windows\system32\dllcache\user32.dll
2009-03-01 18:30 604 a------- c:\windows\xccwinsys.ini
2009-03-01 18:30 <DIR> --d----- c:\windows\system32\inf
2009-03-01 18:30 0 a------- c:\windows\system32\12E.tmp
2009-03-01 18:30 40 a------- c:\windows\system32\12A.tmp
2009-02-15 15:18 471,102 a------- c:\windows\system32\dllcache\imskdic.dll

==================== Find3M ====================

2009-03-02 10:40 636 a------- c:\program files\sqfqcd.txt
2009-03-02 10:08 578,560 a------- c:\windows\system32\user32.DLL
2009-02-12 15:03 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-02-12 15:03 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
2009-02-12 15:03 107,272 a------- c:\windows\system32\drivers\avgtdix.sys
2009-01-16 21:35 3,594,752 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-19 04:10 87,552 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 04:10 31,232 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-12-19 00:25 634,024 -------- c:\windows\system32\dllcache\iexplore.exe
2008-12-19 00:23 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-12-11 05:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-03-19 16:25 88 ---shr-- c:\windows\system32\4A31832E60.sys
2006-07-30 22:35 56 ---shr-- c:\windows\system32\602E83314A.sys
2008-03-19 16:25 4,704 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-08-26 12:35 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082620080827\index.dat

============= FINISH: 10:52:57.12 ===============

Attached Files

BC AdBot (Login to Remove)


#2 DannyScL

  • Topic Starter

  • Members
  • 5 posts
  • Local time:03:35 PM

Posted 04 March 2009 - 05:19 AM

UPDATE (3/4/2009)
The problem of the desktop seemed to resolve through repeated scans with AVG and MBAM. The past few days my system has been functional, if a bit buggy (search results still being hijacked, spotty network connections, etc). I've continued to do daily scans with AVG and MBAM in the hope that they will continue to clear things up, but they keep finding infections.

This morning there was a much more serious problem. I woke up to a frozen screen saver, so I tried to re-start the computer. Up came the blue screen with the following message:

STOP: C0000135 {Unable To Locate Component}
This application has failed to start because USER32.dll was not found. Re-installing the application may fix this problem.

Trying to start in safe mode brings up the same screen.

Thanks for your help.

#3 DannyScL

  • Topic Starter

  • Members
  • 5 posts
  • Local time:03:35 PM

Posted 10 March 2009 - 04:31 PM

I decided to give up on this - I had my data backed up, so I just re-formatted my hard drive and re-installed Windows. So you can consider this topic closed.

#4 PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:03:35 PM

Posted 11 March 2009 - 02:22 PM

Thanks for letting us know.

Since this issue appears to be resolved, this topic is now closed.

Everyone else, please begin a new topic.

With Regards,
The Panda

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users