
vundo infection


  • This topic is locked
3 replies to this topic

#1 wanja

wanja

  • Members
  • 2 posts
  • OFFLINE
  • Local time:10:43 PM

Posted 22 April 2009 - 04:11 PM

On 4.19, popups started showing up. Internet Explorer always has popup blocker on. AVG is always running. After a while the popups started to come up less frequently and at random times. I noticed that the popups are associated with what sites I may already be on. For example, a website had a link to a Batman video; without me even clicking on that link, a popup regarding a Batman site came up. Popups regarding fake antispyware are uncommon. One of the popups was from YouTube, what I thought was a secure site. A complete scan with AVG found nothing. Though, it does warn me before some of the popups of a problem. It found a few infected files, which I deleted. One file that seems to be associated with the popups is C:\WINDOWS\system32\bewoyeke. The file type is 'file'. It is modified when a popup appears. I tried to delete it a couple of times, but it keeps reappearing. Cookies to the sites that popup are also created in the cookies folder without me doing anything. The popups are still appearing. The problem is not too bad, but they come up enough that it is a little annoying. I am including an HJT report and DDS reports. Any help would be much appreciated.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:31:41 PM, on 4/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\NBC Direct\DirectPlayerCore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 82.98.231.89 url.adtrgt.com
O1 - Hosts: 82.98.231.89 googleads2.gdoubleclick.net
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {18c1ec06-429a-4300-9cc3-2d77a6104261} - C:\WINDOWS\system32\ruhegozi.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [dc124834] rundll32.exe "C:\WINDOWS\system32\wehedeha.dll",b
O4 - HKLM\..\Run: [jojotafone] Rundll32.exe "C:\WINDOWS\system32\letaduwa.dll",s
O4 - HKLM\..\Run: [CPMdf217ba8] Rundll32.exe "C:\WINDOWS\system32\buhazowa.dll",a
O4 - HKCU\..\Run: [DirectPlayerCore] "C:\Program Files\NBC Direct\DirectPlayerCore.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {6531D99C-0D0E-4293-B3CB-A3E1D0D41847} (AhnASP Control) - http://aspglobal.ahnlab.com/asp/cab/AhnASP.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1230331219217
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\vihegawu.dll c:\windows\system32\buhazowa.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\buhazowa.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\buhazowa.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

--
End of file - 5774 bytes



DDS (Ver_09-03-16.01) - NTFSx86
Run by Owner at 13:32:23.54 on Wed 04/22/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.194 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\NBC Direct\DirectPlayerCore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {18c1ec06-429a-4300-9cc3-2d77a6104261} - c:\windows\system32\ruhegozi.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [DirectPlayerCore] "c:\program files\nbc direct\DirectPlayerCore.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [dc124834] rundll32.exe "c:\windows\system32\wehedeha.dll",b
mRun: [jojotafone] Rundll32.exe "c:\windows\system32\letaduwa.dll",s
mRun: [CPMdf217ba8] Rundll32.exe "c:\windows\system32\buhazowa.dll",a
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {6531D99C-0D0E-4293-B3CB-A3E1D0D41847} - hxxp://aspglobal.ahnlab.com/asp/cab/AhnASP.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1230331219217
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: c:\windows\system32\vihegawu.dll c:\windows\system32\buhazowa.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\buhazowa.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\buhazowa.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~3\MpShHook.dll
LSA: Notification Packages = scecli c:\windows\system32\vihegawu.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\iy083iy4.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - plugin: c:\program files\nbc direct\npDirectPlayerMozilla.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-21 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-21 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-21 107272]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-1-21 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-21 298264]
S1 ShldDrv;Panda File Shield Driver;c:\windows\system32\drivers\shldrv51.sys --> c:\windows\system32\drivers\ShlDrv51.sys [?]
S2 PavProc;Panda Process Protection Driver;\??\c:\windows\system32\drivers\pavproc.sys --> c:\windows\system32\drivers\PavProc.sys [?]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S4 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-2-16 33752]
S4 PavPrSrv;Panda Process Protection Service;"c:\program files\common files\panda software\pavshld\pavprsrv.exe" --> c:\program files\common files\panda software\pavshld\pavprsrv.exe [?]

=============== Created Last 30 ================

2009-04-22 12:33 <DIR> --d----- c:\program files\Trend Micro
2009-04-22 08:23 1,408,290 ---sh--- c:\windows\system32\ahedehew.ini
2009-04-21 19:15 <DIR> --d----- C:\VundoFix Backups
2009-04-21 18:10 1,409,832 ---sh--- c:\windows\system32\idajevet.ini
2009-04-21 18:10 1,744 a---h--- c:\windows\system32\bewoyeke
2009-04-21 18:06 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-04-21 18:03 <DIR> --d----- c:\program files\Panda Security
2009-04-21 17:00 1,409,832 ---sh--- c:\windows\system32\orajitil.ini
2009-04-19 23:22 1,409,558 ---sh--- c:\windows\system32\ewumuvip.ini
2009-04-18 09:16 <DIR> --d----- C:\Python
2009-04-16 08:45 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-04-16 08:45 35,328 -c------ c:\windows\system32\dllcache\sc.exe
2009-04-16 08:45 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-04-16 08:45 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-04-16 08:45 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-04-16 08:45 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 08:45 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 08:45 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 08:45 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-04-16 08:45 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-04-16 08:44 56,832 -c------ c:\windows\system32\dllcache\secur32.dll
2009-04-16 08:44 989,696 -c------ c:\windows\system32\dllcache\kernel32.dll
2009-04-16 08:43 91,648 -c------ c:\windows\system32\dllcache\mtxoci.dll
2009-04-16 08:43 161,792 -c------ c:\windows\system32\dllcache\msdtcuiu.dll
2009-04-16 08:43 66,560 -c------ c:\windows\system32\dllcache\mtxclu.dll
2009-04-16 08:43 58,880 -c------ c:\windows\system32\dllcache\msdtclog.dll
2009-04-16 08:43 956,928 -c------ c:\windows\system32\dllcache\msdtctm.dll
2009-04-16 08:43 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-16 08:43 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-04-16 08:43 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-04-16 08:42 354,304 -c------ c:\windows\system32\dllcache\winhttp.dll
2009-04-10 14:56 <DIR> --d----- c:\docume~1\owner\applic~1\NBC Direct
2009-04-10 14:55 <DIR> --d----- c:\docume~1\owner\applic~1\IDM
2009-04-10 14:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PMB Files
2009-04-10 14:55 204 a------- C:\Plugins
2009-04-10 14:55 <DIR> --d----- c:\program files\Pando Networks
2009-04-10 14:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NBC Direct
2009-04-10 14:54 <DIR> a-d----- c:\program files\NBC Direct
2009-04-01 16:26 <DIR> --d----- c:\program files\MSECache

==================== Find3M ====================

2009-04-22 08:23 80,896 a--sh--- c:\windows\system32\wehedeha.dll
2009-04-22 08:23 88,064 a--sh--- c:\windows\system32\buhazowa.dll
2009-04-22 08:23 46,592 a--sh--- c:\windows\system32\faweyetu.exe
2009-04-21 18:10 89,600 a--sh--- c:\windows\system32\wepatogi.dll
2009-04-21 18:10 47,616 a--sh--- c:\windows\system32\nizazapu.exe
2009-04-21 18:10 81,408 a--sh--- c:\windows\system32\tevejadi.dll
2009-04-21 17:00 47,616 a--sh--- c:\windows\system32\hotiwuhe.exe
2009-04-21 17:00 89,600 a--sh--- c:\windows\system32\mowotefe.dll
2009-04-20 23:22 47,104 a--sh--- c:\windows\system32\rurileka.exe
2009-04-20 11:22 47,104 a--sh--- c:\windows\system32\figarile.exe
2009-04-19 23:22 50,176 a--sh--- c:\windows\system32\digezuru.dll
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-06 07:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 17:18 826,368 a------- c:\windows\system32\wininet.dll
2009-02-20 11:09 78,336 a------- c:\windows\system32\ieencode.dll
2009-02-13 20:05 2,027,008 a------- c:\windows\system32\python30.dll
2009-02-09 23:14 499,712 a------- c:\windows\system32\msvcp71.dll
2009-02-09 05:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 05:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 05:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 05:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 04:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-07 19:02 2,066,048 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 04:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 04:08 2,189,056 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 03:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-04 09:15 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-02-03 12:59 56,832 a------- c:\windows\system32\secur32.dll
2009-01-19 23:22 50,176 a--sh--- c:\windows\system32\letaduwa.dll
2009-01-19 23:22 50,176 a--sh--- c:\windows\system32\ruhegozi.dll
2009-01-19 23:22 50,176 a--sh--- c:\windows\system32\vihegawu.dll

============= FINISH: 13:33:33.20 ===============


#2 wanja

wanja
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:10:43 PM

Posted 28 April 2009 - 12:44 AM

I think that I solved the problem. I am not getting popups anymore. The files that were obviously the cause of some problem on my computer were hidden files in the system32 folder. They were all created 2009.01 and had names consisting of four syllables. There were also files created 2009.04 but the naming pattern was backwards. I also found keys and values in the registry that were associated with some of these files. I could not delete some of these values in normal mode; I could not in safe mode either. I was able to get rid of these values and the files that were attached to running processes in normal mode using a .iso file that my friend put together. The registry values that created the files could still not be deleted, but we did change their information so that they would not fix themselves once in normal mode. The problem seems to be gone now. Let me know if I might have forgotten something, letting the virus come back. And for some reason I have 6 svchost.exe processes running, but I think that that is another problem.
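The two posts above together describe the indicators a responder would look for in these logs: pseudo-random eight-letter names in system32 (four consonant-vowel syllables such as ruhegozi, or the reversed vowel-consonant form such as ahedehew), hidden files, DLLs loaded from persistence points like AppInit_DLLs, SSODL, SharedTaskScheduler and the LSA Notification Packages value, Run entries that start a DLL through rundll32 with a one-letter export, and hosts-file entries that redirect ad domains. The following script is an added example, not code from the thread or from HijackThis or DDS: it runs those heuristics over a constructed set of HJT/DDS-style lines modelled on the logs in post #1 and reports which lines merit a closer look. The syllable regexes, the list of load points and the sample lines are all assumptions of the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample modelled on the HJT and DDS lines in this thread:
# a mix of the entries a responder would flag plus a few benign ones for contrast.
SAMPLE_LOG = r"""
O1 - Hosts: 82.98.231.89 url.adtrgt.com
O2 - BHO: (no name) - {18c1ec06-429a-4300-9cc3-2d77a6104261} - C:\WINDOWS\system32\ruhegozi.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [dc124834] rundll32.exe "C:\WINDOWS\system32\wehedeha.dll",b
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O20 - AppInit_DLLs: C:\WINDOWS\system32\vihegawu.dll c:\windows\system32\buhazowa.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\buhazowa.dll
Notify: igfxcui - igfxsrvc.dll
LSA: Notification Packages = scecli c:\windows\system32\vihegawu.dll
2009-04-22 08:23 1,408,290 ---sh--- c:\windows\system32\ahedehew.ini
2009-04-21 18:10 1,744 a---h--- c:\windows\system32\bewoyeke
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
"""

# Assumed name heuristic: four consonant-vowel syllables (ruhegozi, buhazowa)
# or the reversed vowel-consonant form the second post mentions (ahedehew).
CONS, VOW = "[bcdfghjklmnpqrstvwxyz]", "[aeiou]"
CV_NAME = re.compile(rf"^(?:{CONS}{VOW}){{4}}$", re.I)
VC_NAME = re.compile(rf"^(?:{VOW}{CONS}){{4}}$", re.I)
# File stem directly under system32; extension optional (bewoyeke has none).
SYS32_FILE = re.compile(r"[a-z]:\\windows\\system32\\([a-z]+)(?:\.[a-z0-9]+)?\b", re.I)
# Run entry that launches a DLL via rundll32 with a one-letter export (",b" / ",s" / ",a").
RUNDLL_ONE_LETTER = re.compile(r'rundll32\.exe\s+"[^"]+\.dll",[a-z]\b', re.I)
# DDS "Created / Find3M" listing: date time size attrs path.
DDS_ENTRY = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} [\d,]+ ([a-z-]{8}) (.+)$", re.I)
HOSTS_ENTRY = re.compile(r"^O1 - Hosts: (\S+) (\S+)$")
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

# Persistence points seen in the logs; flagged when a pseudo-random name rides on them
# (AppInit_DLLs is flagged whenever it is non-empty).
LOAD_POINTS = [
    ("AppInit_DLLs", "AppInit_DLLs: injected into every user32-linked process"),
    ("SharedTaskScheduler", "SharedTaskScheduler: loaded by Explorer at logon"),
    ("STS", "SharedTaskScheduler: loaded by Explorer at logon"),
    ("SSODL", "ShellServiceObjectDelayLoad: loaded by Explorer at logon"),
    ("Notification Packages", "LSA notification package: loaded into lsass.exe"),
    ("Notify", "Winlogon notification package: loaded at logon"),
]


@dataclass
class Finding:
    line: str
    reasons: List[str] = field(default_factory=list)
    names: List[str] = field(default_factory=list)


def is_pseudo_random(stem: str) -> bool:
    """True for the CV*4 or VC*4 naming pattern described in the thread."""
    return bool(CV_NAME.match(stem) or VC_NAME.match(stem))


def analyse_line(line: str) -> Optional[Finding]:
    f = Finding(line)
    stems = [m.group(1).lower() for m in SYS32_FILE.finditer(line)]
    f.names = sorted({s for s in stems if is_pseudo_random(s)})
    if f.names:
        f.reasons.append("pseudo-random system32 name: " + ", ".join(f.names))
    for key, why in LOAD_POINTS:
        if key in line and (f.names or key == "AppInit_DLLs"):
            f.reasons.append(why)
            break
    if "BHO: (no name)" in line:
        f.reasons.append("unnamed browser helper object")
    if RUNDLL_ONE_LETTER.search(line):
        f.reasons.append("Run key loads a DLL via rundll32 with a one-letter export")
    m = DDS_ENTRY.match(line)
    if m and "h" in m.group(1).lower() and "\\system32\\" in m.group(2).lower():
        f.reasons.append("hidden file in system32 (attrs %s)" % m.group(1))
    m = HOSTS_ENTRY.match(line)
    if m and m.group(1) not in LOOPBACK:
        f.reasons.append("hosts file redirects %s to %s" % (m.group(2), m.group(1)))
    return f if f.reasons else None


def scan(log: str) -> List[Finding]:
    """Run every heuristic over each non-empty line and keep the lines that hit."""
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        hit = analyse_line(line) if line else None
        if hit:
            findings.append(hit)
    return findings


def suspicious_names(findings: List[Finding]) -> List[str]:
    """Sorted, de-duplicated list of flagged file stems across all findings."""
    return sorted({n for f in findings for n in f.names})


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    -", r)
    print("names:", ", ".join(suspicious_names(scan(SAMPLE_LOG))))
```

Feeding the whole DDS log from post #1 through scan() would also pick up the Find3M entries (the a--sh--- DLLs and EXEs dated April and January), which is the same set the second post reports deleting by hand; the benign Google, Java and Intel entries in the sample produce no finding.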

#3 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:43 PM

Posted 04 May 2009 - 04:28 PM

Hello wanja,


Since it's been a few days since your last posting,
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Select Files and Folders created in last 3 months
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).
    info.txt can also be found at c:\RSIT\info.txt

Edited by SifuMike, 04 May 2009 - 06:18 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#4 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:43 PM

Posted 22 May 2009 - 05:33 PM

This thread will now be closed due to lack of feedback.
