Unknown infection, getting popups. I know what the files are, but I can't remove them


2 replies to this topic

#1 The Evil Bunny

Posted 23 April 2009 - 07:11 PM

Edit:
I identified the virus through Malwarebytes:
Trojan.Vundo.H


Here is the DDS log.

DDS (Ver_09-03-16.01) - NTFSx86
Run by Owner at 18:04:35.04 on Thu 04/23/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_06
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.464 [GMT -6:00]

AV: *On-access scanning disabled* (Updated)
FW: *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Macromedia\Flash 8\Flash.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\fixing blender\dds.com

============== Pseudo HJT Report ===============

mDefault_Page_URL = hxxp://www.yahoo.com/
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com/ie
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {497d8f2f-e7ef-43a3-ac64-7a77c075bcca} - c:\windows\system32\nobiwuna.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [SunKistEM] c:\program files\digital media reader\shwiconem.exe
mRun: [<NO NAME>]
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [ClamWin] "c:\program files\clamwin\bin\ClamTray.exe" --logon
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [CPM67b5022d] Rundll32.exe "c:\windows\system32\jomibeyo.dll",a
mRun: [Dbeqosex] rundll32.exe "c:\windows\ifesocacezafiteq.dll",e
mRun: [648631b1] rundll32.exe "c:\windows\system32\mikafelo.dll",b
mRun: [hozufahewi] Rundll32.exe "c:\windows\system32\waziroto.dll",s
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: WB - c:\program files\alienguise\fastload.dll
AppInit_DLLs: wbsys.dll c:\windows\system32\yovuseju.dll c:\windows\system32\jomibeyo.dll,c:\windows\system32\tepagove.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\jomibeyo.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\jomibeyo.dll
LSA: Notification Packages = scecli kblpte.dll c:\windows\system32\tepagove.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\51d5r9r9.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.slashdot.org
FF - plugin: c:\documents and settings\all users\application data\id software\quakelive\npquakezero.dll
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPHoldemFireLauncher.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMFireLauncher.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\photosynth\npPhotosynthMozilla.dll
FF - HiddenExtension: XUL Cache: {31049461-89DF-414F-816E-6B0EF99F883E} - c:\documents and settings\owner\local settings\application data\{31049461-89DF-414F-816E-6B0EF99F883E}

============= SERVICES / DRIVERS ===============

R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [2007-3-1 14336]
S3 efipsk;efipsk;\??\c:\docume~1\owner\locals~1\temp\efipsk.sys --> c:\docume~1\owner\locals~1\temp\efipsk.sys [?]
S3 IlvMoneyDRIVER53;IlvMoneyDRIVER53;\??\c:\docume~1\owner\locals~1\temp\rar$ex60.371\money1276.sys --> c:\docume~1\owner\locals~1\temp\rar$ex60.371\Money1276.sys [?]
S3 IPN2120;Instant Wireless-B PCI Adapter Driver;c:\windows\system32\drivers\LSIPNDS.sys [2008-5-19 96256]
S3 Ndisprot;ArcNet NDIS Protocol Driver;c:\windows\system32\drivers\ndisprot.sys [2008-11-12 27904]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 SoRa_DRIVER53;SoRa_DRIVER53;\??\c:\docume~1\owner\locals~1\temp\rar$ex00.708\sora 4.6\sora_.sys --> c:\docume~1\owner\locals~1\temp\rar$ex00.708\sora 4.6\SoRa_.sys [?]
S4 gupdate1c9ba185991f30;Google Update Service (gupdate1c9ba185991f30);c:\program files\google\update\GoogleUpdate.exe [2009-4-10 133104]

=============== Created Last 30 ================

2009-04-23 08:08 1,407,212 ---sh--- c:\windows\system32\olefakim.ini
2009-04-22 23:22 103 ---shr-- C:\autorun.inf
2009-04-22 20:19 0 a------- c:\windows\Osoqobekeyoj.bin
2009-04-22 20:19 300 a------- c:\windows\Hpetaleb.dat
2009-04-16 21:06 <DIR> --d----- c:\program files\Subagames
2009-04-13 12:21 <DIR> --d----- c:\docume~1\owner\applic~1\Copy of gtk-2.0
2009-04-13 12:21 <DIR> --d----- c:\docume~1\owner\applic~1\Copy of Apple Computer
2009-04-13 12:21 <DIR> --d----- c:\docume~1\owner\applic~1\Copy (2) of AOL
2009-04-13 12:20 <DIR> --d----- c:\docume~1\owner\applic~1\Copy of AOL
2009-04-11 16:23 <DIR> --d----- c:\windows\pss
2009-04-10 14:07 <DIR> --d----- c:\program files\common files\DivX Shared
2009-04-10 09:39 <DIR> --d----- C:\Nexon
2009-04-10 09:32 293 a------- C:\Shortcut to Local Disk .lnk
2009-04-09 01:39 <DIR> --d----- c:\program files\Pando Networks
2009-03-26 23:59 78,784 a------- c:\windows\system32\ISUSPM.cpl
2009-03-26 23:53 <DIR> --d----- C:\Netgame
2009-03-25 15:52 <DIR> --d----- c:\program files\Glest_3.2.1

==================== Find3M ====================

2009-04-23 08:08 51,200 a--sh--- c:\windows\system32\lugilodo.dll
2009-04-23 08:07 88,576 a--sh--- c:\windows\system32\jomibeyo.dll
2009-04-23 08:07 81,408 a--sh--- c:\windows\system32\mikafelo.dll
2009-04-23 08:07 47,616 a--sh--- c:\windows\system32\yazemiya.exe
2009-04-22 20:07 47,616 a--sh--- c:\windows\system32\pidaniwa.exe
2009-04-22 20:07 46,592 a--sh--- c:\windows\system32\yamiyuse.exe
2009-03-24 21:55 107,888 a------- c:\windows\system32\CmdLineExt.dll
2009-03-19 20:51 137,992 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-03-19 20:51 201,816 a------- c:\windows\system32\PnkBstrB.exe
2009-03-17 21:05 593,920 -------- c:\windows\system32\ati2sgag.exe
2009-03-16 15:33 3,597,312 a------- c:\windows\system32\drivers\ati2mtag.sys
2009-03-16 14:27 442,368 a------- c:\windows\system32\ATIDEMGX.dll
2009-03-16 14:26 328,704 a------- c:\windows\system32\ati2dvag.dll
2009-03-16 14:17 307,200 a------- c:\windows\system32\atiiiexx.dll
2009-03-16 14:17 204,800 a------- c:\windows\system32\atipdlxx.dll
2009-03-16 14:16 155,648 a------- c:\windows\system32\Oemdspif.dll
2009-03-16 14:16 26,112 a------- c:\windows\system32\Ati2mdxx.exe
2009-03-16 14:16 43,520 a------- c:\windows\system32\ati2edxx.dll
2009-03-16 14:16 155,648 a------- c:\windows\system32\ati2evxx.dll
2009-03-16 14:15 602,112 a------- c:\windows\system32\ati2evxx.exe
2009-03-16 14:13 53,248 a------- c:\windows\system32\ATIDDC.DLL
2009-03-16 14:06 3,820,736 a------- c:\windows\system32\ati3duag.dll
2009-03-16 14:04 11,563,008 a------- c:\windows\system32\atioglxx.dll
2009-03-16 13:53 2,675,328 a------- c:\windows\system32\ativvaxx.dll
2009-03-16 13:40 49,664 a------- c:\windows\system32\atimpc32.dll
2009-03-16 13:40 49,664 a------- c:\windows\system32\amdpcom32.dll
2009-03-16 13:36 475,136 a------- c:\windows\system32\atikvmag.dll
2009-03-16 13:35 303,104 a------- c:\windows\system32\atiok3x2.dll
2009-03-16 13:35 131,072 a------- c:\windows\system32\atiadlxx.dll
2009-03-16 13:35 45,056 a------- c:\windows\system32\aticalrt.dll
2009-03-16 13:34 45,056 a------- c:\windows\system32\aticalcl.dll
2009-03-16 13:34 17,408 a------- c:\windows\system32\atitvo32.dll
2009-03-16 13:34 53,248 a------- c:\windows\system32\drivers\ati2erec.dll
2009-03-16 13:33 3,264,512 a------- c:\windows\system32\aticaldd.dll
2009-03-16 13:28 630,784 a------- c:\windows\system32\ati2cqag.dll
2009-03-03 13:56 118,784 a------- c:\windows\system32\atibtmon.exe
2009-02-23 15:39 184,394 a------- c:\windows\system32\atiicdxx.dat
2009-02-18 11:55 294,912 a------- c:\windows\system32\ATIODE.exe
2009-02-17 23:58 413,696 a------- c:\windows\system32\wrap_oal.dll
2009-02-17 23:58 110,592 a------- c:\windows\system32\OpenAL32.dll
2009-02-09 14:38 34 a------- c:\documents and settings\owner\jagex_runescape_preferences.dat
2009-02-03 14:52 45,056 a------- c:\windows\system32\ATIODCLI.exe
2009-01-23 23:07 22,328 a------- c:\docume~1\owner\applic~1\PnkBstrK.sys
2009-01-23 23:06 2,246,144 a------- c:\windows\system32\pbsvc.exe
2008-02-29 01:21 194 a------- c:\docume~1\owner\applic~1\wklnhst.dat
2004-12-01 18:34 716 a---h--- c:\docume~1\alluse~1\applic~1\pb7msys.dat

============= FINISH: 18:05:12.26 ===============



The three files:

mRun: [Dbeqosex] rundll32.exe "c:\windows\ifesocacezafiteq.dll",e
mRun: [648631b1] rundll32.exe "c:\windows\system32\mikafelo.dll",b
mRun: [hozufahewi] Rundll32.exe "c:\windows\system32\waziroto.dll",s


Replace themselves whenever they are removed.
I tried Malwarebytes and HijackThis.

I don't do much on the internet at all. I pretty much read Google News and Slashdot in Firefox, but apparently I am being punished for having Windows.

This is incredibly annoying. I had to log out of my Steam account and change the password through my Linux laptop, which is now ironically dead.

I am afraid to use Steam, enter credit card numbers, or anything, as this is a virus, and stealing these is part of their job.

Can anyone help?
I have the attach.txt file ready if it is needed.

Edited by The Evil Bunny, 23 April 2009 - 07:13 PM.
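Added example, not from the thread: a short Python script that pulls the DLL load points out of the DDS "Pseudo HJT Report" posted above and flags the entries a helper would look at first. Beyond the three mRun lines the poster names, it cross-references every load point, and the posted log shows the same DLL (jomibeyo.dll) registered under mRun, AppInit_DLLs, SSODL and STS, which is the usual reason deleting one file does not stick. The consonant/vowel name heuristic is my own assumption, not something DDS reports.

```python
import re
from collections import defaultdict
# Constructed sample: persistence entries copied from the DDS "Pseudo HJT Report" above.
DDS_LINES = r"""
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [CPM67b5022d] Rundll32.exe "c:\windows\system32\jomibeyo.dll",a
mRun: [Dbeqosex] rundll32.exe "c:\windows\ifesocacezafiteq.dll",e
mRun: [648631b1] rundll32.exe "c:\windows\system32\mikafelo.dll",b
mRun: [hozufahewi] Rundll32.exe "c:\windows\system32\waziroto.dll",s
AppInit_DLLs: wbsys.dll c:\windows\system32\yovuseju.dll c:\windows\system32\jomibeyo.dll,c:\windows\system32\tepagove.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\jomibeyo.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\jomibeyo.dll
LSA: Notification Packages = scecli kblpte.dll c:\windows\system32\tepagove.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
""".strip().splitlines()

# A DLL given either with a drive path (may contain spaces) or as a bare file name.
DLL_RE = re.compile(r"(?:[a-z]:\\.*?\.dll|\b[\w~-]+\.dll)", re.I)
VOWELS = set("aeiou")

def parse_load_points(lines):
    """Map each DLL in the report to the load points (mRun, AppInit_DLLs, ...) naming it."""
    points = defaultdict(set)
    for line in lines:
        kind, sep, rest = line.partition(":")
        if sep:
            for path in DLL_RE.findall(rest):
                points[path.lower()].add(kind.strip())
    return dict(points)

def looks_generated(path):
    """Heuristic (mine, not DDS's) for Vundo-style names like jomibeyo or mikafelo:
    a stem of 8+ letters that strictly alternates consonant and vowel."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
    if len(stem) < 8 or not stem.isalpha():
        return False
    return all((stem[i] in VOWELS) != (stem[i + 1] in VOWELS) for i in range(len(stem) - 1))

def suspicious_dlls(lines):
    """Sorted (path, load_points) for DLLs that look generated or sit in 2+ load points,
    the pattern behind "the file comes back after I delete it"."""
    return sorted(
        (path, sorted(kinds))
        for path, kinds in parse_load_points(lines).items()
        if looks_generated(path) or len(kinds) >= 2
    )

if __name__ == "__main__":
    for path, kinds in suspicious_dlls(DDS_LINES):
        print(f"{path}  <- {', '.join(kinds)}")
```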



#2 Buckeye_Sam

Posted 24 April 2009 - 10:55 AM

Hello! :thumbup2:
My name is Sam and I will be helping you.

In order to see what's going on with your computer I'll ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


We need to create an OTListIt2 Report
  • Please download OTListIt2 from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the "Run Scan" button.
  • The scan should take just a few minutes.
  • Copy the log that opens up and paste it back here in your next reply.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 Buckeye_Sam

Posted 09 May 2009 - 01:17 PM

As there has been no response, this thread will now be closed.

If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.