Vundo Infection



#1 Nero113
Posted 09 May 2009 - 10:53 PM

DDS (Ver_09-03-16.01) - NTFSx86
Run by matt at 22:40:44.51 on Sat 05/09/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.782 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\matt\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uSearch Page =
uWindow Title = Windows Internet Explorer provided by Yahoo!
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
uSearchAssistant =
mSearchAssistant =
uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
uURLSearchHooks: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aim search\AOLSearch.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aim search\AOLSearch.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
IE: &AIM Toolbar Search - c:\documents and settings\all users\application data\aim toolbar\ietoolbar\resources\en-us\local\search.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
Trusted Zone: att.net
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
Trusted Zone: com.tw\www.msi
Trusted Zone: sbcglobal.net
Trusted Zone: yahoo.com
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
TCP: NameServer = 85.255.112.207,85.255.112.210
TCP: {2285B787-73F8-4D15-8D9C-97BCD3C7C81E} = 85.255.112.207,85.255.112.210
TCP: {874BFA68-DE09-4384-89D6-371B6C4B0C49} = 85.255.112.207,85.255.112.210
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\matt\applic~1\mozilla\firefox\profiles\34ciwlm3.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-7 325640]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-4-7 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-7 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-4-7 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-4-7 298264]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-4-6 24652]
R2 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-9 602392]
R3 m4cxw2k3;NDIS5.1 Miniport Driver for D-Link PCI Express Ethernet Controller;c:\windows\system32\drivers\m4cxw2k3.sys [2007-2-15 250752]

=============== Created Last 30 ================

2009-05-09 10:43 <DIR> --d----- c:\program files\CCleaner
2009-05-09 00:36 <DIR> --d----- c:\docume~1\matt\applic~1\The Path
2009-05-08 23:20 <DIR> --dsh--- c:\documents and settings\matt\IECompatCache
2009-05-03 12:58 26,368 ac------ c:\windows\system32\dllcache\usbstor.sys
2009-04-28 13:27 <DIR> --d----- c:\program files\Windows Media Connect 2
2009-04-28 13:23 <DIR> --d----- c:\windows\system32\LogFiles
2009-04-22 07:00 <DIR> --d----- c:\windows\system32\KB905474
2009-04-14 18:28 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-04-14 18:28 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-04-14 18:28 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-04-14 18:28 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-04-14 18:28 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-04-14 18:28 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-14 18:28 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-04-14 18:28 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-04-14 18:28 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-04-14 18:26 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-14 18:26 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-04-14 18:26 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-04-12 20:46 96 a---h--- c:\windows\system32\HsInfo.dat
2009-04-12 20:39 <DIR> --d----- c:\program files\alaplaya
2009-04-12 01:23 <DIR> --d----- c:\program files\illusion
2009-04-11 04:24 3,850,760 a------- c:\windows\system32\D3DX9_38.dll
2009-04-11 04:17 <DIR> --d----- c:\windows\Logs
2009-04-10 22:52 <DIR> --d----- c:\docume~1\matt\applic~1\BitTorrent
2009-04-10 22:51 <DIR> --d----- c:\program files\DNA
2009-04-10 22:51 <DIR> --d----- c:\program files\BitTorrent
2009-04-10 22:51 <DIR> --d----- c:\docume~1\matt\applic~1\DNA

==================== Find3M ====================

2009-04-07 00:32 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-04-07 00:32 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-04-07 00:32 325,640 a------- c:\windows\system32\drivers\avgldx86.sys
2009-04-06 21:24 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-04-04 21:42 7,012,546 -------- c:\program files\HomePlug_drv.zip
2009-04-04 21:42 801,562 -------- c:\program files\MS6848E_R1060.zip
2009-04-04 21:40 801,562 -------- c:\program files\msi software.zip
2009-04-04 21:39 1,034,267 -------- c:\program files\msi firmware.zip
2009-04-04 21:38 2,644,126 -------- c:\program files\6822_print_drv.zip
2009-04-04 21:38 13,919,269 -------- c:\program files\WLAN_Software_4.0.10.16.zip
2009-04-04 21:36 14,363,415 -------- c:\program files\WLAN_software_V4.0.15.23.zip
2009-04-04 21:33 14,715,723 -------- c:\program files\MSI_WLAN_Software4.1.16.26.zip
2009-04-04 20:58 392 -------- c:\program files\Local Area Connection.lnk
2009-04-04 19:02 21,640 a------- c:\windows\system32\emptyregdb.dat
2009-03-16 14:18 517,448 a------- c:\windows\system32\XAudio2_4.dll
2009-03-16 14:18 235,352 a------- c:\windows\system32\xactengine3_4.dll
2009-03-16 14:18 69,448 a------- c:\windows\system32\XAPOFX1_3.dll
2009-03-16 14:18 22,360 a------- c:\windows\system32\X3DAudio1_6.dll
2009-03-09 15:27 4,178,264 a------- c:\windows\system32\D3DX9_41.dll
2009-03-09 15:27 1,846,632 a------- c:\windows\system32\D3DCompiler_41.dll
2009-03-09 15:27 453,456 a------- c:\windows\system32\d3dx10_41.dll
2009-03-08 04:34 914,944 a------- c:\windows\system32\wininet.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\licmgr10.dll
2009-03-08 04:33 18,944 a------- c:\windows\system32\corpol.dll
2009-03-08 04:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\admparse.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\iesetup.dll
2009-03-08 04:31 34,816 a------- c:\windows\system32\imgutil.dll
2009-03-08 04:31 48,128 a------- c:\windows\system32\mshtmler.dll
2009-03-08 04:31 45,568 a------- c:\windows\system32\mshta.exe
2009-03-08 04:22 156,160 a------- c:\windows\system32\msls31.dll
2009-03-06 09:22 284,160 a------- c:\windows\system32\pdh.dll
2009-02-25 16:42 442,368 a------- c:\windows\system32\ATIDEMGX.dll
2009-02-25 16:41 325,120 a------- c:\windows\system32\ati2dvag.dll
2009-02-25 16:30 11,841,536 a------- c:\windows\system32\atioglxx.dll
2009-02-25 16:30 204,800 a------- c:\windows\system32\atipdlxx.dll
2009-02-25 16:29 155,648 a------- c:\windows\system32\Oemdspif.dll
2009-02-25 16:29 26,112 a------- c:\windows\system32\Ati2mdxx.exe
2009-02-25 16:29 43,520 a------- c:\windows\system32\ati2edxx.dll
2009-02-25 16:29 155,648 a------- c:\windows\system32\ati2evxx.dll
2009-02-25 16:27 602,112 a------- c:\windows\system32\ati2evxx.exe
2009-02-25 16:26 53,248 a------- c:\windows\system32\ATIDDC.DLL
2009-02-25 16:16 3,817,984 a------- c:\windows\system32\ati3duag.dll
2009-02-25 16:09 307,200 a------- c:\windows\system32\atiiiexx.dll
2009-02-25 15:59 2,670,080 a------- c:\windows\system32\ativvaxx.dll
2009-02-25 15:58 3,107,788 a------- c:\windows\system32\ativva5x.dat
2009-02-25 15:58 887,724 a------- c:\windows\system32\ativva6x.dat
2009-02-25 15:44 49,664 a------- c:\windows\system32\amdpcom32.dll
2009-02-25 15:40 475,136 a------- c:\windows\system32\atikvmag.dll
2009-02-25 15:38 126,976 a------- c:\windows\system32\atiadlxx.dll
2009-02-25 15:38 17,408 a------- c:\windows\system32\atitvo32.dll
2009-02-25 15:35 290,816 a------- c:\windows\system32\atiok3x2.dll
2009-02-25 15:32 45,056 a------- c:\windows\system32\aticalrt.dll
2009-02-25 15:32 45,056 a------- c:\windows\system32\aticalcl.dll
2009-02-25 15:32 626,688 a------- c:\windows\system32\ati2cqag.dll
2009-02-25 15:30 3,227,648 a------- c:\windows\system32\aticaldd.dll
2009-02-25 15:15 593,920 -------- c:\windows\system32\ati2sgag.exe
2009-02-09 07:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 07:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 07:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 07:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 06:13 1,846,784 a------- c:\windows\system32\win32k.sys

============= FINISH: 22:41:26.54 ===============


#2 Maurice Naggar

    Eradicator de malware

  • Malware Response Team

Posted 24 May 2009 - 01:49 AM

Hello Nero113,

If you have resolved your issues already, or, if you are being helped elsewhere, let me know.
Otherwise if you want help here, please do the following.

1. Set Windows to show all files and all folders.
On your Desktop, double click My Computer; from the menu options, select Tools, then Folder Options, and then select the VIEW tab and look at all of the settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.
Next, un-check Hide extensions for known file types.
Next un-check Hide protected operating system files.

2. Take out the trash (temporary files & temporary internet files)
Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to clean out temporary files & temp areas used by internet browsers.
Start ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
ATF-Cleaner should be run per the above in every user-login account {User Profile}.

=
Please download & save Malwarebytes Anti-Malware from
http://www.download.com/Malwarebytes-Anti-..._4-10804572.htm or
http://www.besttechie.net/tools/mbam-setup.exe or
http://malwarebytes.gt500.org/mbam.jsp

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Using Internet Explorer browser only, go to ESET Online Scanner website:
Vista users should start IE by Start (Vista Orb) >> Internet Explorer >> Right-Click and select Run As Administrator.
  • Accept the Terms of Use and press Start button;
  • Approve the install of the required ActiveX Control, then follow on-screen instructions;
  • Enable (check) the Remove found threats option, and run the scan.
  • After the scan completes, the Details tab in the Results window will display what was found and removed.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt.
Look at contents of this file using Notepad or Wordpad.

The Frequently Asked Questions for ESET Online Scanner can be viewed here
http://www.eset.com/onlinescan/cac4.php?page=faq
  • From ESET Tech Support: If you have ESET NOD32 installed, you should disable it prior to running this scanner.
    Otherwise the scan will take twice as long to do:
    every time the ESET online scanner opens a file on your computer to scan it, NOD32 on your machine will rescan the file as a result.
  • It is emphasized to temporarily disable any pc-resident {active} antivirus program prior to any on-line scan by any on-line scanner.
    (And prompt re-enabling when finished.)
  • If you use Firefox, you have to install IETab, an add-on. This is to enable ActiveX support.
=

Download OTListIt by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTListIt2.exe
  • Close all open windows on the Task Bar. Click the icon (for Vista, right click the icon and Run as Administrator) to start the program.
  • In the lower right corner of the Top Panel, checkmark "LOP Check" and checkmark "Purity Check".
  • Now click Run Scan at Top left and let the program run uninterrupted. It will take about 4 minutes.
  • It will produce two logs for you, one will pop up called OTListIt.txt, the other will be saved on your desktop and called Extras.txt.
  • Exit Notepad. Remember where you've saved these 2 files as we will need both of them shortly!
  • Exit OTListIt2 by clicking the X at top right.
Download Security Check by screen317 and save it to your Desktop: here or here
  • Run Security Check
  • Follow the onscreen instructions inside of the command window.
  • A Notepad document should open automatically called checkup.txt; close Notepad. We will need this log, too, so remember where you've saved it!
If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.

Then copy/paste the following into your post (in order):
  • copy of the MBAM scan log,
  • copy of the Eset scan log,
  • the contents of OTListIt.txt;
  • the contents of Extras.txt; and
  • the contents of checkup.txt
Be sure to do a Preview prior to pressing Submit because all reports may not fit into 1 single reply. You may have to do more than 1 reply.
Do not use the attachment feature to place any of your reports. Always put them in-line inside the body of reply.

Edited by Maurice Naggar, 24 May 2009 - 01:51 AM.

~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)
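Step 1 of the instructions above (show hidden files, file extensions and protected operating system files), as an added PowerShell equivalent that is not part of the original post or of any tool mentioned in it: it reads and sets the per-user Explorer view values that the Folder Options dialog toggles. The value names are the standard ones under HKCU\...\Explorer\Advanced; the `-RestartExplorer` switch and the function names are defined here.

```powershell
# Added example: apply the "show all files and folders" view settings through the
# registry instead of the Folder Options dialog. The key is per-user (HKCU), so run
# it in each account that should see hidden files, matching the per-profile advice above.
$AdvancedKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

# Desired values: Hidden=1 shows hidden files (2 hides them); HideFileExt=0 shows
# extensions, so "report.txt.exe" is not displayed as "report.txt";
# ShowSuperHidden=1 shows protected operating system files; WebViewBarricade=1
# displays the contents of system folders (XP-era setting).
$Desired = @{
    Hidden           = 1
    HideFileExt      = 0
    ShowSuperHidden  = 1
    WebViewBarricade = 1
}

function Get-ExplorerViewSettings {
    # Return the current value of each setting, or $null when it has never been set.
    $current = @{}
    foreach ($name in $Desired.Keys) {
        $item = Get-ItemProperty -Path $AdvancedKey -Name $name -ErrorAction SilentlyContinue
        if ($item) { $current[$name] = $item.$name } else { $current[$name] = $null }
    }
    return $current
}

function Set-ExplorerShowAllFiles {
    param([switch]$RestartExplorer)

    $before = Get-ExplorerViewSettings
    foreach ($name in $Desired.Keys) {
        if ($before[$name] -ne $Desired[$name]) {
            # Set-ItemProperty creates the value if it is missing; DWord matches
            # what the Folder Options dialog writes.
            Set-ItemProperty -Path $AdvancedKey -Name $name -Value $Desired[$name] -Type DWord
            Write-Host ("{0}: {1} -> {2}" -f $name, $before[$name], $Desired[$name])
        } else {
            Write-Host ("{0}: already {1}" -f $name, $Desired[$name])
        }
    }

    # Explorer caches these values; windows opened after a shell restart show them.
    if ($RestartExplorer) {
        Stop-Process -Name explorer -Force
        Start-Sleep -Seconds 2
        # The shell normally relaunches itself; start it explicitly if it did not.
        if (-not (Get-Process -Name explorer -ErrorAction SilentlyContinue)) {
            Start-Process explorer.exe
        }
    }
}

Set-ExplorerShowAllFiles
```

Without `-RestartExplorer` the new values apply to Explorer windows opened after the next logon; pass the switch to restart the shell immediately instead.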



