
Need help finishing clearing trojans


7 replies to this topic

#1 fujidave

fujidave

  • Members
  • 25 posts
  • OFFLINE
  • Local time:02:57 PM

Posted 01 April 2009 - 12:25 AM

I am in the process of cleaning off various malware from my sister-in-law's computer. She was having problems with redirectors. She could not get to a web site without IE loading up a different website. I ran SuperAntiSpyware, AdAware, Spybot S&D, and Malwarebytes' AntiMalware. All were run in safe mode. Spybot was also run during startup. I was able to remove most items that came across. Some of the malware that was removed, or that removal was attempted on, includes Trojan.Agent, Trojan.BHO, Trojan.Downloader, Trojan.Vundo, Trojan.Vundo.H, Worm.Autorun, among others. Whenever I run Malwarebytes', it will find something even after I removed it. I need a second pair of eyes or, moreover, a primary pair of expert eyes to see what else I need to do. Below is a copy of the DDS.txt file.

Thanks,
David


DDS (Ver_09-03-16.01) - NTFSx86
Run by Sandy Fisher at 0:58:06.95 on Wed 04/01/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.72 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\system32\dla\DLACTRLW.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TDispVol.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Sandy Fisher\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.att.net/
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.toshibadirect.com/dpdstart
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://search.alot.com/sidebar?pr=asst&client_id=1E8A534001C8C46200129F26&install_time=01-06-2008:20:39&src_id=11082&camp_id=-6&tb_version=1.2.5.255&&url=http%3A%2F%2Fhome%2Ealot%2Ecom%3Fclient%5Fid%3D1E8A534001C8C46200129F26%26install%5Ftime%3D01%2D06%2D2008%3A20%3A39%26src%5Fid%3D11082%26camp%5Fid%3D%2D6%26tb%5Fversion%3D1%2E2%2E5%2E255
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [reader_s] c:\documents and settings\sandy fisher\reader_s.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [THotkey] c:\program files\toshiba\toshiba applet\thotkey.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [TPSMain] TPSMain.exe
mRun: [PadTouch] c:\program files\toshiba\touch and launch\PadExe.exe
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [dla] c:\windows\system32\dla\DLACTRLW.exe
mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [Tvs] c:\program files\toshiba\tvs\TvsTray.exe
mRun: [TFncKy] TFncKy.exe
mRun: [TDispVol] TDispVol.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\paige fisher\start menu\programs\imvu\Run IMVU.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LMIinit - LMIinit.dll
AppInit_DLLs: wqvfwc.dll rgvxyr.dll c:\windows\system32\fapawozi.dll,c:\windows\system32\dutudari.dll c:\windows\system32\mizuyoha.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli c:\windows\system32\dutudari.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-31 64160]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 72944]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 951632]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2007-8-3 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-4-2 47640]
R3 botdrv;botdrv;\??\c:\windows\system32\driver.sys --> c:\windows\system32\driver.sys [?]
S1 808e4e3e;808e4e3e;c:\windows\system32\drivers\808e4e3e.sys --> c:\windows\system32\drivers\808e4e3e.sys [?]
S3 restore;restore;\??\c:\windows\system32\drivers\restore.sys --> c:\windows\system32\drivers\restore.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2009-04-01 00:45 <DIR> --d----- c:\program files\Trend Micro
2009-03-31 22:59 4,447 a------- c:\windows\wininit.ini
2009-03-31 22:30 15,688 a------- c:\windows\system32\lsdelete.exe
2009-03-31 21:52 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-03-31 21:47 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-03-31 21:47 <DIR> --d----- c:\program files\Lavasoft
2009-03-31 20:54 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-03-31 20:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-03-31 09:27 446 a------- c:\windows\system32\win32hlp.cnf
2009-03-31 01:28 <DIR> --d----- c:\windows\pss
2009-03-31 01:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-03-31 01:04 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-03-31 01:04 <DIR> --d----- c:\docume~1\sandyf~1\applic~1\SUPERAntiSpyware.com
2009-03-31 01:00 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-03-30 22:45 <DIR> --d----- c:\docume~1\sandyf~1\applic~1\Malwarebytes
2009-03-30 21:52 2 a------- c:\windows\msoffice.ini
2009-03-27 18:08 62,976 a------- C:\tqaau.exe
2009-03-27 18:07 182,656 ac------ c:\windows\system32\dllcache\ndis.sys
2009-03-27 18:05 2 a------- C:\-328425222
2009-03-27 18:05 62,976 a------- C:\uldwlib.exe
2009-03-24 16:58 124,928 a--sh--- c:\windows\system32\eiauqi.dll
2009-03-17 22:31 124,928 a--sh--- c:\windows\system32\jpbnhm.dll
2009-03-16 01:13 124,928 a--sh--- c:\windows\system32\rxmine.dll
2009-03-14 23:30 124,928 a--sh--- c:\windows\system32\onrulw.dll
2009-03-14 08:18 <DIR> --d----- c:\program files\Common
2009-03-13 20:13 124,928 a--sh--- c:\windows\system32\eaaeyf.dll
2009-03-03 20:37 129,024 a--sh--- c:\windows\system32\wanqui.dll
2009-03-02 18:19 129,024 a--sh--- c:\windows\system32\rglzlw.dll

==================== Find3M ====================

2009-03-27 18:08 104,960 a------- c:\windows\system32\userinit.exe
2009-03-27 18:07 182,656 a------- c:\windows\system32\drivers\ndis.sys
2009-03-27 06:04 61,440 a--sh--- c:\windows\system32\vugivodi.exe
2009-03-26 18:05 61,440 a--sh--- c:\windows\system32\majudohi.exe
2009-03-26 16:49 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-26 16:49 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-25 04:58 84,992 a--sh--- c:\windows\system32\kadopuwe.dll
2009-03-24 16:58 124,928 a--sh--- c:\windows\system32\jinuyeju.dll
2009-03-17 22:31 124,928 a--sh--- c:\windows\system32\papororo.dll
2009-03-16 01:13 124,928 a--sh--- c:\windows\system32\rokewezi.dll
2009-03-16 01:13 79,872 a--sh--- c:\windows\system32\lugofetu.dll
2009-03-14 23:30 124,928 a--sh--- c:\windows\system32\yosutihe.dll
2009-03-14 23:30 84,992 a--sh--- c:\windows\system32\gitadodi.dll
2009-03-14 08:14 84,992 a--sh--- c:\windows\system32\viyiyini.dll
2009-03-13 20:13 124,928 a--sh--- c:\windows\system32\tebihoti.dll
2009-03-13 20:13 84,992 a--sh--- c:\windows\system32\yidehuyu.dll
2009-03-11 13:01 84,992 a--sh--- c:\windows\system32\nepivoyi.dll
2009-03-03 20:37 129,024 a--sh--- c:\windows\system32\wayebomi.dll
2009-03-03 20:37 84,992 a--sh--- c:\windows\system32\paweharo.dll
2009-02-28 23:22 129,024 a--sh--- c:\windows\system32\zpetbf.dll
2009-02-28 23:22 84,992 a--sh--- c:\windows\system32\mizifaru.dll
2009-02-27 01:22 77,607 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-02-17 20:07 129,024 a------- c:\windows\system32\gjsymres.dll
2009-02-17 20:07 129,024 a------- c:\windows\system32\dltbko.dll
2009-02-16 22:58 213,029 a------- c:\windows\system32\vpimqlic.exe
0000-00-00 00:00 79,872 a--sh--- c:\windows\system32\kizoraju.dll
0000-00-00 00:00 124,928 a--sh--- c:\windows\system32\migisibi.dll

============= FINISH: 0:58:15.32 ===============
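The DDS report above is the raw material a helper triages by hand. As an added example, not part of this thread and not code from DDS or from BleepingComputer, the Python below runs that triage over a constructed excerpt written in the same layout as the log above: it parses the Run, AppInit_DLLs, LSA, service/driver and dated file-list lines and flags the weak indicators this kind of log shows (system+hidden DLLs in system32, zeroed timestamps, loose executables in the drive root, an autorun launched from a profile root, a populated AppInit_DLLs value, an LSA notification package other than scecli, and a driver whose file is missing). The rule names, the regexes and the sample lines are my own; a hit marks a line for closer inspection, it is not a verdict on what the infection is.

```python
import re

# Constructed excerpt in the DDS layout of the log above (a handful of lines, not the full report).
SAMPLE_DDS = """\
uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe
uRun: [reader_s] c:\\documents and settings\\sandy fisher\\reader_s.exe
AppInit_DLLs: wqvfwc.dll rgvxyr.dll c:\\windows\\system32\\fapawozi.dll,c:\\windows\\system32\\dutudari.dll
LSA: Notification Packages = scecli c:\\windows\\system32\\dutudari.dll
R3 botdrv;botdrv;\\??\\c:\\windows\\system32\\driver.sys --> c:\\windows\\system32\\driver.sys [?]
S3 SASENUM;SASENUM;c:\\program files\\superantispyware\\SASENUM.SYS [2009-3-23 7408]
2009-03-24 16:58 124,928 a--sh--- c:\\windows\\system32\\eiauqi.dll
2009-03-27 18:08 104,960 a------- c:\\windows\\system32\\userinit.exe
2009-03-27 18:08 62,976 a------- C:\\tqaau.exe
0000-00-00 00:00 79,872 a--sh--- c:\\windows\\system32\\kizoraju.dll
"""

# Line shapes used by DDS for the "Created Last 30" / "Find3M" sections, Run keys and services.
FILE_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(?P<size><DIR>|[\d,]+)\s+"
    r"(?P<attrs>[a-z-]{8})\s+(?P<path>.+)$"
)
RUN_LINE = re.compile(r"^(?P<hive>[umd])Run: \[(?P<name>[^\]]+)\]\s+(?P<cmd>.+)$")
SVC_LINE = re.compile(r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<desc>[^;]*);(?P<rest>.+)$")
PROFILE_EXE = re.compile(r"^c:\\documents and settings\\[^\\]+\\[^\\]+\.exe", re.I)
ROOT_EXE = re.compile(r"^[a-z]:\\[^\\]+\.exe$", re.I)


def triage(dds_text):
    """Scan DDS-style lines and return (rule, line) pairs for weak indicators worth a closer look."""
    findings = []
    for raw in dds_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FILE_LINE.match(line)
        if m:
            attrs, path = m["attrs"], m["path"].lower()
            # attribute column: 's' and 'h' together mean system+hidden, odd for a DLL dropped in system32
            if "s" in attrs and "h" in attrs and "\\system32\\" in path:
                findings.append(("hidden+system file in system32", line))
            if m["ts"].startswith("0000-00-00"):
                findings.append(("zeroed timestamp", line))
            if ROOT_EXE.match(path):
                findings.append(("executable in drive root", line))
            continue
        m = RUN_LINE.match(line)
        if m:
            # a Run entry pointing straight into a user profile folder rather than Program Files
            if PROFILE_EXE.match(m["cmd"].strip('"')):
                findings.append(("autorun launched from profile root", line))
            continue
        if line.lower().startswith("appinit_dlls:"):
            # AppInit_DLLs is loaded into every user32 process; on a home PC it is normally empty
            if line.split(":", 1)[1].strip():
                findings.append(("AppInit_DLLs populated", line))
            continue
        if line.lower().startswith("lsa: notification packages"):
            # scecli is the stock package; anything else gets loaded by lsass at logon
            extra = [p for p in line.split("=", 1)[1].split() if p.lower() != "scecli"]
            if extra:
                findings.append(("extra LSA notification package", line))
            continue
        m = SVC_LINE.match(line)
        if m and m["rest"].rstrip().endswith("[?]"):
            # DDS prints [?] when the service's image file cannot be found on disk
            findings.append(("service/driver whose file is missing", line))
    return findings


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_DDS):
        print(f"{rule:40} {line}")
```

Each rule is deliberately narrow and keyed to a line shape DDS actually emits, so a clean entry such as the userinit.exe or SASENUM lines in the sample produces nothing; the output is a shortlist for the human reader, in the same spirit as the helper's review of the log.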


#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:57 PM

Posted 01 April 2009 - 06:38 PM

Hello fujidave,

I am sorry to give you some very bad news. :thumbup2:

Your System is infected with Virut!!
Virut is a file infecting virus which is able to modify itself each and every time it runs. In addition, when it infects, sometimes it will destroy the file it tries to latch onto.
For these reasons, you really can't truly fix Virut. You will need to format/reinstall the operating system on this machine.

More information:
http://free.avg.com/66558

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus.


http://home.mcafee.com/VirusInfo/VirusProf...aspx?key=143034

W32/Virut.h is a polymorphic, entry point obscuring (EPO) file infector with IRC bot functionality. It can accept commands to download other malware on the compromised machine.
It appends to the end of the last section of executable (PE) files an encrypted copy of its code. The decryptor is polymorphic and can be located either:
Immediately before the encrypted code at the end of the last section
At the end of the code section of the infected host in 'slack-space' (assuming there is any)
At the original entry point of the host (overwriting the original host code)


Miekiemoes, an expert for malware removal, and an MS-MVP, additionally has a blog post about Virut.

I suggest you start backing up all of your valuable data/documents/pictures/movies/songs/etc.
Do NOT back up any applications/installers and do NOT back up any .exe/.scr/.htm/.html/.xml/.zip/.rar files...
This is because these files may be infected as well. If you back them up and restore them afterwards, it will infect your computer again.

Read here for instructions on how to format and reinstall Windows:

http://web.mit.edu/ist/products/winxp/adva...all-format.html
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
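The McAfee description quoted in the reply above says the virus appends its encrypted body to the last section of a PE file and places its decryptor either there, in the slack space at the end of the code section, or at the original entry point. Only the first placement is visible from the PE headers alone; the other two live inside section contents and need content inspection. As an added example, my own code rather than anything from this thread or from any vendor, the Python below builds two minimal PE32 header sets in memory (constructed fixtures, not real or loadable binaries) and runs a header-only check: which section contains the entry point, whether that is the last section, whether that section carries the code/execute flags, and whether it is writable. `build_pe`, `parse_sections`, `assess_entry_point` and the `.text`/`.data` layout are names and values I chose for the illustration.

```python
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
OPT_HEADER_SIZE = 224  # size of a PE32 optional header


def build_pe(sections, entry_rva):
    """Assemble a minimal PE32 header set in memory (constructed fixture; it is not loadable)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: the PE signature follows the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, OPT_HEADER_SIZE, 0x0102)
    opt = bytearray(OPT_HEADER_SIZE)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)  # AddressOfEntryPoint
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                    vsize, rva, rsize, raw, 0, 0, 0, 0, flags)
        for name, rva, vsize, raw, rsize, flags in sections
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


def parse_sections(data):
    """Return (entry_rva, [section dicts]) read from the DOS, COFF, optional and section headers."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    count = struct.unpack_from("<H", data, e_lfanew + 6)[0]      # NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]  # SizeOfOptionalHeader
    entry = struct.unpack_from("<I", data, e_lfanew + 24 + 16)[0]  # AddressOfEntryPoint
    table = e_lfanew + 24 + opt_size
    sections = []
    for i in range(count):
        name, vsize, rva, rsize, raw, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, table + 40 * i)
        # use the larger of virtual/raw size so an oversized raw section is still covered
        sections.append({"name": name.rstrip(b"\0").decode(), "rva": rva,
                         "span": max(vsize, rsize), "flags": flags})
    return entry, sections


def assess_entry_point(data):
    """Header-only heuristics: a list of findings, empty when nothing looks off."""
    entry, sections = parse_sections(data)
    hit = next((i for i, s in enumerate(sections)
                if s["rva"] <= entry < s["rva"] + s["span"]), None)
    if hit is None:
        return ["entry point outside every section"]
    s = sections[hit]
    findings = []
    if len(sections) > 1 and hit == len(sections) - 1:
        findings.append(f"entry point in last section {s['name']}")
    if not s["flags"] & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE):
        findings.append(f"entry section {s['name']} lacks code/execute flags")
    if s["flags"] & IMAGE_SCN_MEM_WRITE:
        findings.append(f"entry section {s['name']} is writable")
    return findings


# Constructed layout: (name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData, Characteristics)
LAYOUT = [
    (".text", 0x1000, 0x0500, 0x0400, 0x0600,
     IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".data", 0x2000, 0x0200, 0x0A00, 0x0200,
     IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
]
CLEAN = build_pe(LAYOUT, 0x1100)       # entry inside .text, as a compiler would emit it
REDIRECTED = build_pe(LAYOUT, 0x2080)  # entry moved into the last, writable data section

if __name__ == "__main__":
    print("clean:", assess_entry_point(CLEAN))
    print("redirected:", assess_entry_point(REDIRECTED))
```

A real scanner would pair this with signatures or emulation, because a decryptor in code-section slack or at the original entry point leaves these header fields exactly as the compiler wrote them; the check is a cheap first filter, not a replacement for the reinstall advice given above.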

#3 fujidave

fujidave
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Local time:02:57 PM

Posted 02 April 2009 - 01:06 AM

Thanks for the info. I will backup important non executables and then reformat and reload.

If you don't mind me asking, where in my posted log can you tell that it is the Virut virus?

Thanks
Fujidave
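The advice earlier in the thread is to carry documents and media across but leave .exe/.scr/.htm/.html/.xml/.zip/.rar files behind, because a file infector may have touched them. As an added example (my own code, not from the thread or from any of the tools named in it), the Python below selects files for copying by that extension list and additionally refuses anything whose first two bytes are the MZ header, so an executable renamed to .jpg does not ride along. The fixture tree is constructed in a temporary directory; `select_for_backup`, `copy_selected` and `demo` are names I chose.

```python
import os
import shutil
import tempfile

# Extension blocklist taken from the advice in the thread; everything else is copied.
SKIP_EXT = {".exe", ".scr", ".htm", ".html", ".xml", ".zip", ".rar"}


def looks_executable(path):
    """True if the file begins with the 'MZ' DOS/PE magic, whatever its extension says."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"


def select_for_backup(root):
    """Walk root and split files into (keep, skip) lists of paths relative to root."""
    keep, skip = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            ext = os.path.splitext(name)[1].lower()
            # extension check first, then the content check catches renamed executables
            if ext in SKIP_EXT or looks_executable(full):
                skip.append(rel)
            else:
                keep.append(rel)
    return sorted(keep), sorted(skip)


def copy_selected(root, dest):
    """Copy only the kept files into dest, preserving the relative layout; returns (keep, skip)."""
    keep, skip = select_for_backup(root)
    for rel in keep:
        target = os.path.join(dest, rel)
        os.makedirs(os.path.dirname(target), exist_ok=True)
        shutil.copy2(os.path.join(root, rel), target)
    return keep, skip


def demo():
    """Build a constructed tree in a temp dir, run the copy, and return (keep, skip, copied)."""
    src, dst = tempfile.mkdtemp(), tempfile.mkdtemp()
    fixtures = {  # constructed contents, not real files
        "photos/trip.jpg": b"\xff\xd8\xff\xe0 jpeg-ish",
        "docs/letter.doc": b"\xd0\xcf\x11\xe0 doc-ish",
        "notes.txt": b"plain text",
        "setup.exe": b"MZ\x90\x00 blocked by extension",
        "photos/renamed.jpg": b"MZ\x90\x00 blocked by content despite .jpg",
        "site/index.html": b"<html></html>",
    }
    for rel, content in fixtures.items():
        path = os.path.join(src, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    keep, skip = copy_selected(src, dst)
    copied = sorted(os.path.relpath(os.path.join(d, f), dst)
                    for d, _, fs in os.walk(dst) for f in fs)
    return keep, skip, copied


if __name__ == "__main__":
    kept, skipped, copied = demo()
    print("kept:   ", kept)
    print("skipped:", skipped)
    print("copied: ", copied)
```

The content check is what makes the filter worth scripting: the extension list alone is only as good as the names on disk, and the poster's later note about scanning the saved pictures anyway is the right follow-up for anything this selection lets through.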

#4 fujidave

fujidave
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Local time:02:57 PM

Posted 02 April 2009 - 01:12 AM

Another question about this virus. I have a home network and had the infected laptop hooked up through the network. I did notice that the router kept failing while I had the infected laptop on. I'm hoping that this is a defense response by the router and the other computers hooked to the home network are safe.
What is your opinion?

Thanks again,

fujidave

#5 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:57 PM

Posted 02 April 2009 - 09:46 AM

This one is being spread via illegal sites (cracksites/keygens etc) and P2P Software (limewire, shareaza).
The P2P software makes sense, because many people are infected with this virus. So, since this virus infects legitimate files, the files being shared via P2P software such as limewire are also infected. So I'm pretty sure that more than 50% of the files being shared through P2P nowadays are infected with Virut, unfortunately.



I have a home network and had the infected laptop hooked up through the network. I did notice that the router kept failing while I had the infected laptop on. I'm hoping that this is a defense response by the router and the other computers hooked to the home network are safe.
What is your opinion?


You should be OK.

#6 fujidave

fujidave
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Local time:02:57 PM

Posted 04 April 2009 - 10:52 PM

Thanks for your help.
Luckily my sister-in-law still had her recovery CD. I saved all of her non-executable important files. OK, actually I just saved the pictures she had on the computer to an external HDD. I did scan the pictures for viruses. Never can be too safe. On the recovery CD, it had two options: 1) erase hard drive, 2) recover HDD. And with option 1 it had the option to rewrite over the HDD. So I know that it was overkill, but who knows these days how these polymorphic viruses react. I spent 6 hours reformatting and rewriting over the HDD, then I recovered it to 'out of the box' condition. I set her up with AVG Free for an anti-virus and turned on the Windows firewall. So hopefully this won't happen again. But like I told her, some of the strongest fortresses in history were defeated by a guard being paid off, i.e. "It just takes one wrong click to open up the door."

Again thanks for your help and you can close out this thread.

#7 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:57 PM

Posted 05 April 2009 - 12:00 AM

You're most welcome. :) And I thank you for taking the time to say thank you! It's amazing just how far those two little words go. :thumbup2:

#8 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:57 PM

Posted 11 April 2009 - 04:20 PM

Since your problem appears to be resolved, this thread will now be closed.



