
Trojan Dropper/Clicker/Vundo/Heur and other nasties have infected me...


  • This topic is locked
3 replies to this topic

#1 frustratedgamergirl

frustratedgamergirl

  • Members
  • 1 posts
  • OFFLINE
  • Gender:Female
  • Local time:12:12 PM

Posted 01 May 2009 - 02:21 AM

Hello- I am reading through the 'Preparation Guide' and following each step closely for maximum efficiency.

Problems started a few nights ago when I was roaming the internet; I wasn't using my Windows Firewall--but have now enabled it as suggested. I use Kaspersky anti-virus (7.0.1.325) - it told me I'd become infected with various Trojans [Trojan.Clicker.Win32.Delf.cbe, Heur.Invader, etc] --- it listed the affected file as C:\WINDOWS\system32\jvwfeead.dll but was unable to delete the file. I tried to do it manually and it gave me access denied messages. My computer slowed and programs didn't want to open. Everything began to freeze up and I had to manually turn off my computer several times before I could get Malwarebytes Anti-Malware to run... It removed a few files but it can't seem to do anything with 4 files [it calls them Vundo]. I've also run combofix, and it found other files it removed, but it also cannot touch some of them. One of the programs mentioned this file is infected: c:\windows\system32\mwvzxdl.dll (although I cannot remember which one) -- however none of my programs will let me delete it, nor does it allow me to manually delete it.

My system is now running fairly smoothly, but I know I am still infected. Visiting sites like 'deviantart' causes my system to go into a frenzy, and the virus seems to redownload itself at random. I haven't had any popups---just extreme slowness, programs freezing or refusing to load, etc. And the squealing pig noise of Kaspersky's infection-alert is something made of nightmares :)

Here is the DDS.txt log the guide requested I post:


DDS (Ver_09-03-16.01) - NTFSx86
Run by Lisa at 23:30:46.03 on Thu 04/30/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3007.2437 [GMT -7:00]

AV: Kaspersky Anti-Virus *On-access scanning enabled* (Updated)
FW: Kaspersky Anti-Virus *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\ComcastUI\Universal Installer\uinstaller.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
svchost.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
svchost
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Lisa\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
BHO: StumbleUpon Launcher: {145b29f4-a56b-4b90-bbac-45784ebebbb7} - c:\program files\stumbleupon\StumbleUponIEBar.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: : {c221a841-5471-42a0-ad92-cef9ae2e0328} - c:\windows\system32\mwvzxdl.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: StumbleUpon Toolbar: {5093eb4c-3e93-40ab-9266-b607ba87bdc8} - c:\program files\stumbleupon\StumbleUponIEBar.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
uRun: [EasyLinkAdvisor] "c:\program files\linksys easylink advisor\LinksysAgent.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [Universal Installer] "c:\program files\comcastui\universal installer\uinstaller.exe" /fromrun /starthidden
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [nwiz] nwiz.exe /install
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [ddoctorv2] "c:\program files\comcast\desktop doctor\bin\sprtcmd.exe" /P ddoctorv2
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 7.0\avp.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: StumbleUpon PhotoBlog It! - StumbleUponIEBar.dll/blogimage
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky anti-virus 7.0\SCIEPlgn.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1178208716578
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: klogon - c:\windows\system32\klogon.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
Notify: wmobbypc - mwvzxdl.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2007-10-31 112144]
R0 oduqdwkc;oduqdwkc;c:\windows\system32\drivers\oduqdwkc.sys [2006-2-28 23424]
R1 klif;Klif;c:\windows\system32\drivers\klif.sys [2007-12-28 195344]
R2 AVP;Kaspersky Anti-Virus 7.0;c:\program files\kaspersky lab\kaspersky anti-virus 7.0\avp.exe [2008-2-8 227856]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2007-12-13 24592]
S3 SMC2208;SMC Compact USB to Ethernet converter;c:\windows\system32\drivers\SMC2208.SYS [2008-3-14 26525]
S3 StumbleUponUpdateService;StumbleUponUpdateService;c:\program files\stumbleupon\StumbleUponUpdateService.exe [2009-3-23 120168]

=============== Created Last 30 ================

2009-04-30 17:00 <DIR> a-dshr-- C:\cmdcons
2009-04-30 16:59 161,792 a------- c:\windows\SWREG.exe
2009-04-30 16:59 98,816 a------- c:\windows\sed.exe
2009-04-25 10:19 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-04-24 13:11 <DIR> --d----- c:\windows\system32\XPSViewer
2009-04-24 13:10 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-04-24 13:10 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-04-24 13:10 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-04-24 13:10 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-04-24 13:10 <DIR> --d----- C:\59dbcfe9f1471c9d8705
2009-04-24 13:10 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-04-24 13:10 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-04-24 13:10 117,760 -------- c:\windows\system32\prntvpt.dll
2009-04-15 22:57 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-04-15 22:57 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-04-15 22:57 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 22:57 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-04-15 22:57 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-04-15 22:57 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-04-15 22:57 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 22:57 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 22:57 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-04-15 22:56 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-04-15 22:56 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-04-15 22:56 2,560 -------- c:\windows\system32\xpsp4res.dll

==================== Find3M ====================

2009-04-30 23:29 2,583,840 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-04-30 23:21 144,085,792 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-04-30 23:05 1,930,652 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-04-30 23:05 243,212 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-04-30 17:03 143,872 a------- c:\windows\system32\jvwfeead.dll
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-06 07:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 17:18 826,368 a------- c:\windows\system32\wininet.dll
2009-02-20 11:09 78,336 a------- c:\windows\system32\ieencode.dll
2009-02-14 00:50 67,072 a------- c:\windows\system32\jobobuwi(2).dll
2009-02-09 05:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 05:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 05:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 05:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 04:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-06 04:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 04:06 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 03:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 03:32 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-03 12:59 56,832 a------- c:\windows\system32\secur32.dll
2008-09-29 21:39 40,016 a------- c:\docume~1\lisa\applic~1\GDIPFONTCACHEV1.DAT
2004-09-29 11:45 26,525 a----r-- c:\windows\inf\SMC2208.SYS
2008-12-22 18:01 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008122220081223\index.dat

============= FINISH: 23:31:28.09 ===============


The tutorial suggested I provide a kaspersky scan... but I cannot figure out how to get the log. Unless this is it?

not found: virus Heur.Invader (modification) File: c:\documents and settings\lisa\my documents\combofix.exe//PE_Patch.UPX/32788R22FWJFW\catchme.cfexe
deleted: Trojan program Trojan-Clicker.Win32.Delf.cbe File: C:\Qoobox\Quarantine\C\WINDOWS\system32\_jvwfeead_.dll.zip/jvwfeead.dll

(But I don't trust that it actually deleted these files...)

Thank you volunteers of bleepingcomputer for being so kind as to help the computer ignorant like myself! I hope I followed the steps correctly and that it won't be too much of a pain :thumbup2:


Warmest regards,
Lisa
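The DDS log above is easier to read once the structural oddities are pulled out of it: a BHO registered with no display name, a Winlogon Notify entry pointing at a bare filename instead of a full path, a driver whose description merely repeats its service name, the same module appearing in more than one load point, and modules in system32 with a "(2)" copy suffix or a modification time on the day of the scan. The script below is an added example and is not part of this thread, of DDS, or of BleepingComputer's process; the rules it applies are triage heuristics assumed for illustration, and the embedded sample log is constructed from a handful of lines of the log posted above. It parses the Pseudo HJT, services and file-listing sections and reports which modules match a rule, which is what a helper reading such a log does by eye.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the DDS log posted in this
# thread, trimmed so the script runs offline. It is not the complete log.
SAMPLE_LOG = r"""
DDS (Ver_09-03-16.01) - NTFSx86
Run by Lisa at 23:30:46.03 on Thu 04/30/2009

============== Pseudo HJT Report ===============

BHO: StumbleUpon Launcher: {145b29f4-a56b-4b90-bbac-45784ebebbb7} - c:\program files\stumbleupon\StumbleUponIEBar.dll
BHO: : {c221a841-5471-42a0-ad92-cef9ae2e0328} - c:\windows\system32\mwvzxdl.dll
Notify: klogon - c:\windows\system32\klogon.dll
Notify: wmobbypc - mwvzxdl.dll

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2007-10-31 112144]
R0 oduqdwkc;oduqdwkc;c:\windows\system32\drivers\oduqdwkc.sys [2006-2-28 23424]
S3 StumbleUponUpdateService;StumbleUponUpdateService;c:\program files\stumbleupon\StumbleUponUpdateService.exe [2009-3-23 120168]

==================== Find3M ====================

2009-04-30 23:29 2,583,840 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-04-30 17:03 143,872 a------- c:\windows\system32\jvwfeead.dll
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-14 00:50 67,072 a------- c:\windows\system32\jobobuwi(2).dll
2009-02-09 05:10 714,752 a------- c:\windows\system32\ntdll.dll
"""

# Line shapes as they appear in DDS output (patterns written for this example).
HEADER_RE = re.compile(r"^Run by .+ on \w{3} (\d{2})/(\d{2})/(\d{4})$")
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
BHO_RE = re.compile(r"^BHO: (.*?): \{[0-9a-fA-F-]{36}\} - (.+)$")
NOTIFY_RE = re.compile(r"^Notify: (\S+) - (.+)$")
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+?) \[")
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2} [\d,]+ \S{8} (.+)$")
# A .dll/.sys/.exe sitting directly in system32 (not in a subfolder like dllcache).
SYSTEM32_MODULE_RE = re.compile(r"^c:\\windows\\system32\\[^\\]+\.(dll|sys|exe)$")


def basename(path):
    """Last path component, lower-cased, so the same DLL compares equal everywhere."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_dds(text):
    """Split a DDS log into (scan_date, load_points, file_entries)."""
    scan_date, section = None, None
    load_points, file_entries = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := HEADER_RE.match(line)):
            mm, dd, yyyy = m.groups()
            scan_date = f"{yyyy}-{mm}-{dd}"          # normalise to the file-listing format
        elif (m := SECTION_RE.match(line)):
            section = m.group(1)
        elif section == "Pseudo HJT Report":
            if (m := BHO_RE.match(line)):
                load_points.append({"kind": "BHO", "name": m.group(1), "desc": "", "path": m.group(2)})
            elif (m := NOTIFY_RE.match(line)):
                load_points.append({"kind": "Notify", "name": m.group(1), "desc": "", "path": m.group(2)})
        elif section == "SERVICES / DRIVERS":
            if (m := SERVICE_RE.match(line)):
                start, name, desc, path = m.groups()
                load_points.append({"kind": start, "name": name, "desc": desc, "path": path})
        elif section in ("Created Last 30", "Find3M"):
            if (m := FILE_RE.match(line)):
                file_entries.append(m.groups())     # (date, path)
    return scan_date, load_points, file_entries


def triage(text):
    """Apply structural heuristics (assumed for this example) and return (module, reason) pairs."""
    scan_date, load_points, file_entries = parse_dds(text)
    findings = []
    kinds_by_module = defaultdict(set)
    for lp in load_points:
        mod = basename(lp["path"])
        kinds_by_module[mod].add(lp["kind"])
        if lp["kind"] == "BHO" and not lp["name"].strip():
            findings.append((mod, "BHO registered without a display name"))
        if lp["kind"] == "Notify" and "\\" not in lp["path"]:
            findings.append((mod, "Winlogon Notify module listed without a directory path"))
        if lp["kind"] in ("R0", "R1") and lp["name"] == lp["desc"]:
            findings.append((mod, "boot/system-start driver whose description just repeats its service name"))
    for mod, kinds in kinds_by_module.items():
        if len(kinds) > 1:
            findings.append((mod, "same module wired into several load points: " + ", ".join(sorted(kinds))))
    for date, path in file_entries:
        if not SYSTEM32_MODULE_RE.match(path.lower()):
            continue
        mod = basename(path)
        if re.search(r"\(\d+\)\.", mod):
            findings.append((mod, "module in system32 carries a '(n)' copy suffix"))
        if date == scan_date:
            findings.append((mod, "module in system32 modified on the day of the scan"))
    return findings


def flagged_modules(text):
    """Distinct module names that triggered at least one rule."""
    return sorted({mod for mod, _ in triage(text)})


if __name__ == "__main__":
    for mod, why in triage(SAMPLE_LOG):
        print(f"{mod:20} {why}")
```

Run as-is it lists mwvzxdl.dll (no BHO name, path-less Notify entry, two load points), oduqdwkc.sys, jvwfeead.dll and jobobuwi(2).dll, and stays quiet about klogon.dll, kl1.sys, deploytk.dll and ntdll.dll. The rules only decide what to look at first; a hit still needs the file checked (vendor, signature, hash) before anything is removed, which is exactly why the helpers ask for the full logs rather than acting on a single line.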


#2 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,772 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:09:12 PM

Posted 14 May 2009 - 09:41 AM

Hello Lisa and welcome to BleepingComputer.com :thumbup2:

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.


Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.


I am currently looking at your thread and will post back with instructions soon,
regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 



#3 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,772 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:09:12 PM

Posted 14 May 2009 - 01:41 PM

Hi,

first of all a warning:
Combofix is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

Please do not run that tool again without supervision.

To get a better idea of what was already cleaned from your PC and what was originally present on it, I'd like to see the logs from Combofix and Malwarebytes.

The Combofix logfile should be found in C:\combofix.txt; please copy the content of that file to this thread. (If you do not find it, please don't run the tool again; simply advise me that the log isn't present.)

The Malwarebytes logs can be accessed via Malwarebytes: open Malwarebytes, select Logs and double-click on the latest logfile. Please paste the content of that log into this thread.

Finally please also post a new DDS-log:
  • Download DDS by sUBs again, if you have already deleted it, from one of the following links. Save it to your desktop.
    DDS.com
    DDS.scr
    DDS.pif
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.


Information on A/V control HERE

regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 



#4 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:03:12 PM

Posted 19 May 2009 - 06:12 AM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here



