Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Possible virus infection (Trojan.Vundo)


  • Please log in to reply
3 replies to this topic

#1 Guest_schviden_*

Guest_schviden_*

  • Guests
  • OFFLINE
  •  

Posted 12 April 2009 - 11:12 PM

Hello,
My name is Adam and I think I may have been infected with the Vundo virus. During a check of hidden computer files, I found "ezsidmv.dat" in the SYSTEM32 folder. I have subsequently deleted it, and did a Google search for what this file is.

I have since downloaded and run HijackThis and Malwarebyte Anti-Malware. I have attached the associated logs.

Could someone please check the logs to confirm that this infection is now gone from my computer?

Here is the DDS log:


DDS (Ver_09-03-16.01) - NTFSx86
Run by Adam at 13:09:08.42 on Mon 13/04/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.2.1252.61.1033.18.1279.729 [GMT 10:00]

AV: avast! antivirus 4.8.1335 [VPS 090412-0] *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Adam\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com.au/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = localhost:80
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Winamp Toolbar BHO: {25cee8ec-5730-41bc-8b58-22ddc8ab8c20} - c:\program files\winamp toolbar\winamptb.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} - c:\program files\winamp toolbar\winamptb.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [<NO NAME>]
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\exifla~1.lnk - c:\program files\finepixviewer\QuickDCF2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\status~1.lnk - c:\program files\brother\brmfcmon\BrMfcWnd.exe
IE: &Winamp Toolbar Search - c:\documents and settings\all users\application data\winamp toolbar\ietoolbar\resources\en-us\local\search.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
Trusted Zone: myvodafone.com.au\www
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SEH: ShellHook Class: {88485281-8b4b-4f8d-9ede-82e29a064277} - c:\progra~1\markany\conten~1\MACSMA~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\adam\applic~1\mozilla\firefox\profiles\1fmikgkd.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.co.uk/search?&q=
FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - component: c:\documents and settings\adam\application data\mozilla\firefox\profiles\1fmikgkd.default\extensions\{463f6ca5-ee3c-4be1-b7e6-7fee11953374}\platform\winnt\components\FoxyTunes.dll
FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMGWRAP.DLL

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-4-5 114768]
R1 oreans32;oreans32;c:\windows\system32\drivers\oreans32.sys [2006-3-9 33920]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-5 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2008-1-18 138680]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2008-1-18 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2008-1-18 352920]
S2 gupdate1c9b90d380ed300;Google Update Service (gupdate1c9b90d380ed300);c:\program files\google\update\GoogleUpdate.exe [2009-4-9 133104]
S3 FA31x;Netgear FA311/312 NDIS 5.0 Miniport Driver;c:\windows\system32\drivers\FA31xND5.SYS [2005-10-8 16025]
S3 MovRVDrv32;MovRVDrv32;c:\windows\system32\drivers\MovRVDrv32.sys [2009-3-28 3768]
S3 Razerlow;Razerlow USB Filter Driver;c:\windows\system32\drivers\Razerlow.sys [2008-6-1 13225]
S3 REGMON;REGMON;\??\c:\windows\system32\drivers\regsys.sys --> c:\windows\system32\drivers\REGSYS.SYS [?]
S3 U400bus;LGE U400 driver (WDM);c:\windows\system32\drivers\U400bus.sys [2008-11-13 61440]
S3 U400mdfl;LGE U400 USB WMC Modem Filter;c:\windows\system32\drivers\U400mdfl.sys [2008-11-13 9264]
S3 U400mdm;LGE U400 USB WMC Modem Driver;c:\windows\system32\drivers\U400mdm.sys [2008-11-13 96960]
S3 U400mgmt;LGE U400 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\U400mgmt.sys [2008-11-13 88528]
S3 U400obex;LGE U400 USB WMC OBEX Interface;c:\windows\system32\drivers\U400obex.sys [2008-11-13 86336]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2006-4-15 394952]

=============== Created Last 30 ================

2009-04-13 11:37 <DIR> --d----- c:\docume~1\adam\applic~1\Malwarebytes
2009-04-13 11:36 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-13 11:36 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-13 11:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-13 11:36 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-13 11:13 <DIR> --d----- c:\program files\Trend Micro
2009-04-10 09:53 <DIR> --d----- C:\Serae VCD
2009-04-09 22:17 <DIR> --d----- c:\program files\common files\DivX Shared
2009-03-28 08:40 323,584 a------- c:\windows\system32\AUDIOGENIE2.DLL
2009-03-28 08:40 <DIR> --d----- c:\windows\Replay Music
2009-03-28 08:40 <DIR> --d----- c:\program files\Replay Music 3
2009-03-28 08:33 508,544 a------- c:\windows\system32\drivers\SndTDriverV32.sys
2009-03-28 08:33 3,768 a------- c:\windows\system32\drivers\MovRVDrv32.sys
2009-03-27 21:30 <DIR> --d----- c:\windows\Globalization
2009-03-27 21:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NokiaMusic
2009-03-27 21:26 18,816 a------- c:\windows\system32\drivers\pccsmcfd.sys
2009-03-19 20:35 188,129 a------- C:\90111 - Application Support Officer.pdf

==================== Find3M ====================

2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-25 05:35 129,784 -------- c:\windows\system32\pxafs.dll
2009-02-25 05:35 120,056 -------- c:\windows\system32\pxcpyi64.exe
2009-02-25 05:35 118,520 -------- c:\windows\system32\pxinsi64.exe
2009-02-25 05:34 90,112 a------- c:\windows\system32\dpl100.dll
2009-02-25 05:34 823,296 a------- c:\windows\system32\divx_xx0c.dll
2009-02-25 05:34 823,296 a------- c:\windows\system32\divx_xx07.dll
2009-02-25 05:34 815,104 a------- c:\windows\system32\divx_xx0a.dll
2009-02-25 05:34 802,816 a------- c:\windows\system32\divx_xx11.dll
2009-02-25 05:34 684,032 a------- c:\windows\system32\DivX.dll
2009-02-09 20:19 1,846,272 -------- c:\windows\system32\win32k.sys
2005-03-27 22:33 18,320 a------- c:\docume~1\adam\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 13:10:08.21 ===============




Thanks in advance for all your help.
Adam

Attached Files



BC AdBot (Login to Remove)

 


#2 shelf life

shelf life

  • Malware Response Team
  • 2,651 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost

Posted 26 April 2009 - 01:16 PM

hi,

sorry for delay, no shortage of posters. I dont recognize any malware in the log. If MBAM and your AV are coming up clean and you are not having any signs of malware, then its a good bet you are malware free. keep MBAM and its good practice to keep it updated even if you dont scan that much with it. Always check for updates before doing a scan. the paid version offers auto update and a real time protection component.

How Can I Reduce My Risk to Malware?


#3 Guest_schviden_*

Guest_schviden_*

  • Guests
  • OFFLINE
  •  

Posted 28 April 2009 - 03:55 AM

Thanks for your reply Shelf Life. I am very happy to hear that I am not infected. Hooray :thumbup2:

#4 shelf life

shelf life

  • Malware Response Team
  • 2,651 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:01:56 PM

Posted 28 April 2009 - 07:54 PM

your welcome. some tips to help reduce your risk to malware:

Reducing Your Risk To Malware:
The Short Version:

1) It is essential to Keep your OS,(Windows) browser (IE, FireFox) and other software up to date to "patch" vulnerabilities that could be exploited. This is also true for web based application like Java, Adobe Flash/Reader, QuickTime etc. Check there version status here.

2) Know what you are installing to your computer. Alot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. Do not install any files from ads, popups or random links.

3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. Scanning frequency is a function of your computer habits.

4) Refrain from clicking on links or attachments you receive via E-Mail, IM, Chat Rooms or Social Sites, no matter how tempting or legitimate the message.

5) Don't click on ads/pop ups or offers from websites requesting that you need to install software to your computer.

6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website?

7) Set up and use limited accounts for everyday use, rather than administrator accounts. Limited accounts can help prevent *malware from installing.*

8) Install and understand the limitations of a software firewall.

9) Consider using an alternate browser and E-mail client. Internet Explorer and OutLook Express are popular targets for malicious code because they are widely used. See also: Hardening or Securing Internet Explorer.

10) If your habits include: warez, cracks etc or you install files via p2p networks then you are much more likely to encounter malicious code. Do you trust the source? Do you really need another malware source?

A longer version in link below.

Happy Safe Surfing.

How Can I Reduce My Risk to Malware?





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users