Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Vundo.H Reappears


  • This topic is locked This topic is locked
2 replies to this topic

#1 Michael Brother

Michael Brother

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:11:43 AM

Posted 17 April 2009 - 01:19 PM

I've been dealing with a variety of maware/virus issues for the last four days.

Symantec Anti-virus and Malwarebytes have been unable to fully remove the problem and files slated for deletion on re-boot reappear and reinfect the system even after running in safemode.

Here's the DDS.txt file:


DDS (Ver_09-03-16.01) - NTFSx86
Run by mrb at 13:51:20.28 on Fri 04/17/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.344 [GMT -4:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
c:\program files\verizon wireless\venturi\Client\ventc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\SKDAEMON.EXE
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\SKWLUSB.exe
C:\PROGRA~1\MI3AA1~1\wcescomm.exe
C:\Program Files\Coveo Desktop Search\CopernicDesktopSearch.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\Pelmiced.exe
C:\Program Files\Symantec AntiVirus\vpc32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\mrb\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://insidebandl
uDefault_Page_URL = hxxp://insidebandl
mDefault_Page_URL = hxxp://insidebandl
uInternet Connection Wizard,ShellNext = hxxp://insidebandl/
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: : {108b71c9-8178-46cf-9bfd-f4048d6f2f8d} - c:\windows\system32\llciuju.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
TB: Coveo Desktop Search: {c5f7a735-70f1-477f-8c36-6ff3c736017b} - c:\program files\coveo desktop search\CopernicDesktopSearchIntegration980.dll
EB: Coveo Desktop Search: {92a40b0a-740a-4a11-9ddb-70460c6da383} - c:\program files\coveo desktop search\CopernicDesktopSearchIntegration980.dll
EB: Coveo Desktop Search: {c5f7a735-70f1-477f-8c36-6ff3c736017b} - c:\program files\coveo desktop search\CopernicDesktopSearchIntegration980.dll
uRun: [ibmmessages] c:\program files\ibm\messages by ibm\ibmmessages.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [H/PC Connection Agent] "c:\progra~1\mi3aa1~1\wcescomm.exe"
uRun: [Coveo Desktop Search] "c:\program files\coveo desktop search\CopernicDesktopSearch.exe" /tray
uRun: [Cognac] c:\docume~1\mrb\locals~1\temp\9347.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [TpShocks] TpShocks.exe
mRun: [TPHOTKEY] c:\progra~1\thinkpad\pkgmgr\hotkey\TPHKMGR.exe
mRun: [TP4EX] tp4ex.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [IBMPRC] c:\ibmtools\utils\ibmprc.exe
mRun: [QCWLICON] c:\program files\thinkpad\connectutilities\QCWLICON.EXE
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [Hot Key Kbd Daemon] SKDAEMON.EXE
mRun: [Mouse Suite 98 Daemon] ICO.EXE
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [ccApp] -
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
mPolicies-system: disablecad = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\thinkpad\bluetooth software\btsendto_ie_ctx.htm
IE: {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - c:\program files\lenovo\pkgmgr\\PkgMgr.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: vlsp.dll
Trusted Zone: microsoft.com\www
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=67633
DPF: {2DAD3559-2923-4935-AD49-B673D2539944} - hxxp://download.boulder.ibm.com/ibmdl/pub/pc/pccbbs/bp_pc/acpir.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229820016651
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229820005308
DPF: {74FFE28D-2378-11D5-990C-006094235084} - hxxps://www-307.ibm.com/pc/support/access/aslibmain/content/IbmEgath.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/1.4.2/jinstall-142-win.cab
DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} - hxxp://www.linksysfix.com/netcheck/67/install/gtdownls.cab
DPF: {BE415DD9-C50D-46AA-9B5D-37F2EEBBBFE6} - hxxps://www-307.ibm.com/pc/support/access/aslibmain/content/AcpControl.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4.2/jinstall-142-win.cab
DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45}
Handler: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - c:\windows\system32\BTXPPanel.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: chvmtclt - llciuju.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: QConGina - QConGina.dll
Notify: tphotkey - tphklock.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli pwdmon

============= SERVICES / DRIVERS ===============

R0 sgwzxcwj;sgwzxcwj;c:\windows\system32\drivers\sgwzxcwj.sys [1980-1-1 23424]
R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [2005-11-16 59776]
R0 TPDiskPM;TPDiskPM;c:\windows\system32\drivers\TPDiskPM.sys [2005-11-16 14208]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2005-11-16 11520]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.SYS [2005-11-16 2432]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-8-26 53896]
R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [2005-11-16 4608]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [2005-11-16 4442]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-10-4 177776]
R2 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [2005-4-27 63616]
R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2005-11-15 169200]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2005-11-15 1756912]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-2-27 101936]
R3 pelmouse;Mouse Suite Driver;c:\windows\system32\drivers\PELMOUSE.SYS [2005-12-21 16384]
R3 pelusblf;USB Mouse Low Filter Driver;c:\windows\system32\drivers\pelusblf.sys [2005-12-21 9216]
R3 TPInput;TPInput;c:\windows\system32\drivers\TPInput.sys [2005-11-16 6016]
R3 TPM11;NSC Integrated Trusted Platform Module 1.1;c:\windows\system32\drivers\nsctpm11.sys [1980-1-1 14336]
S2 aawservice;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" --> c:\program files\lavasoft\ad-aware\aawservice.exe [?]
S3 APL531;OVT Scanner;c:\windows\system32\drivers\ov550i.sys [2006-7-31 580992]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-10-4 83568]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090417.007\naveng.sys [2009-4-17 89104]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090417.007\navex15.sys [2009-4-17 876144]
S3 PTDWBus;Curitel PC Card Composite Device driver (UDP);c:\windows\system32\drivers\PTDWBus.sys [2008-4-22 27392]
S3 PTDWMdm;Curitel PC Card Drivers (UDP);c:\windows\system32\drivers\PTDWMdm.sys [2008-4-22 41728]
S3 PTDWVsp;Curitel PC Card Diagnostic Serial Port (UDP);c:\windows\system32\drivers\PTDWVsp.sys [2008-4-22 39808]
S3 PWCTLDRV;The NECHostController Filter Driver;c:\windows\system32\drivers\PWCTLDRV.sys [2008-4-22 5888]
S3 pwi_bus;Curitel PC Card Composite Device driver (WDM);c:\windows\system32\drivers\pwi_bus.sys --> c:\windows\system32\drivers\pwi_bus.sys [?]
S3 pwi_mdfl;Curitel PC Card Filter;c:\windows\system32\drivers\pwi_mdfl.sys --> c:\windows\system32\drivers\pwi_mdfl.sys [?]
S3 pwi_mdm;Curitel PC Card Drivers;c:\windows\system32\drivers\pwi_mdm.sys --> c:\windows\system32\drivers\pwi_mdm.sys [?]
S3 pwi_oflt;Curitel PC Card OHCI Filter;c:\windows\system32\drivers\pwi_oflt.sys --> c:\windows\system32\drivers\pwi_oflt.sys [?]
S3 pwi_serd;Curitel PC Card Diagnostic Serial Port (WDM);c:\windows\system32\drivers\pwi_serd.sys --> c:\windows\system32\drivers\pwi_serd.sys [?]
S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [2005-11-16 12288]
S4 ccEvtMgr;Symantec Event Manager;- --> - [?]
S4 SAVRT;SAVRT;- --> - [?]

=============== Created Last 30 ================

2009-04-16 10:50 <DIR> --d----- c:\windows\pss
2009-04-15 15:04 <DIR> --d----- c:\docume~1\mrb\applic~1\Malwarebytes
2009-04-15 15:04 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-15 15:03 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-15 15:03 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-15 15:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-15 06:58 <DIR> --d----- c:\docume~1\mrb\applic~1\ucadfgnn
2009-04-14 11:55 <DIR> --d----- c:\windows\system32\scripting
2009-04-14 11:55 <DIR> --d----- c:\windows\l2schemas
2009-04-14 11:55 <DIR> --d----- c:\windows\system32\en
2009-04-14 11:55 <DIR> --d----- c:\windows\system32\bits
2009-04-14 11:50 <DIR> --d----- c:\windows\ServicePackFiles
2009-04-14 11:47 <DIR> --d----- c:\windows\network diagnostic
2009-04-14 11:33 69,120 -------- c:\windows\system32\wlanapi.dll
2009-04-14 11:33 25,471 -------- c:\windows\system32\drivers\watv10nt.sys
2009-04-14 11:33 22,271 -------- c:\windows\system32\drivers\watv06nt.sys
2009-04-14 11:33 14,208 -------- c:\windows\system32\drivers\wacompen.sys
2009-04-14 11:33 11,935 -------- c:\windows\system32\drivers\wadv11nt.sys
2009-04-14 11:33 11,871 -------- c:\windows\system32\drivers\wadv09nt.sys
2009-04-14 11:33 11,807 -------- c:\windows\system32\drivers\wadv07nt.sys
2009-04-14 11:33 11,295 -------- c:\windows\system32\drivers\wadv08nt.sys
2009-04-14 11:33 11,325 -------- c:\windows\system32\drivers\vchnt5.dll
2009-04-14 11:33 121,984 -------- c:\windows\system32\drivers\usbvideo.sys
2009-04-14 11:33 50,688 -------- c:\windows\system32\tspkg.dll
2009-04-14 11:33 44,672 -------- c:\windows\system32\drivers\uagp35.sys
2009-04-14 11:31 397,312 -------- c:\windows\system32\mmcex.dll
2009-04-14 11:30 46,464 -------- c:\windows\system32\drivers\gagp30kx.sys
2009-04-14 00:05 0 a------- c:\windows\system32\nfr.gpref
2009-04-13 22:54 0 a------- c:\windows\system32\nfr.assembly
2009-04-13 22:08 26,112 a------- c:\windows\system32\userinit.exe
2009-03-23 11:16 <DIR> --d----- C:\DANC_SIR

==================== Find3M ====================

2009-04-14 11:59 86,695 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat

============= FINISH: 13:52:43.69 ===============



Any assistance would be greatly appreciated.

BC AdBot (Login to Remove)

 


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:05:43 PM

Posted 18 April 2009 - 05:01 PM

Hi,

* Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • In case you already used MBAM previously, please update it before proceeding with the scan. To do this, click the "Update" tab and click the "Check For updates" button.
  • Once the program has loaded and updates were downloaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:05:43 PM

Posted 16 May 2009 - 05:13 PM

Due to the lack of feedback, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users