Malware / Virus, Very persistent!


This topic is locked
2 replies to this topic

#1 northwest_trail

Posted 18 May 2009 - 11:52 PM

Hello,

I've been trying to rid myself of this one for some time. Using a combination of Malwarebytes and Sophos I've tried hard, and was able to remove it for several days, at which point it came back with a vengeance. I did this DDS scan as soon as I realized it had come back, without taking any additional removal steps. Something is being left behind...

Malwarebytes finds the following: Trojan.Zlob.H, Trojan.Agent, Trojan.Vundo, Malware.Trace, Trojan.Downloader, Virus.Virut, Hijack.Regedit, Hijack.FolderOptions

I've also tried vundofix, which wasn't helpful. I've tried turning off system restore, booting into safe mode, and running all removal software. Nothing has been able to completely rid me of this.

Thanks in advance for your help, it is very much appreciated.

Below is the DDS log:


DDS (Ver_09-05-14.01) - NTFSx86
Run by Trevor Hodges at 21:41:00.20 on Mon 05/18/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://esupport.sony.com/EN/info/vaioupd/noupdates.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: c:\windows\system32\had732ufn8.dll: {a6c7b2a1-00f3-42bd-f434-00aaba2c8953} - c:\windows\system32\had732ufn8.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\Wcescomm.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Diagnostic Manager] c:\docume~1\trevor~1\locals~1\temp\132433674.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SkyTel] SkyTel.EXE
mRun: [AzMixerSel] c:\program files\realtek\installshield\AzMixerSel.exe
mRun: [SonyPowerCfg] "c:\program files\sony\vaio power management\SPMgr.exe"
mRun: [ISBMgr.exe] c:\program files\sony\isb utility\ISBMgr.exe
mRun: [VAIO Update 2] "c:\program files\sony\vaio update 2\VAIOUpdt.exe" /Stationary
mRun: [Switcher.exe] c:\program files\sony\wireless switch setting utility\Switcher.exe
mRun: [VAIO Recovery] c:\windows\sonysys\vaio recovery\PartSeal.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [VMware hqtray] "c:\program files\vmware\vmware player\hqtray.exe"
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [ToolBoxFX] "c:\program files\hp\toolboxfx\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /fl:on /fr:on /appData:on
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [SYS32DLL] SYS32DLL
dRun: [A00F1541D9F3.exe] c:\windows\temp\_A00F1541D9F3.exe
dRun: [<NO NAME>] c:\windows\temp\tk9oe37uw.exe
dRun: [uidenhiufgsduiazghs] c:\windows\temp\tk9oe37uw.exe
dRun: [Diagnostic Manager] c:\windows\temp\173683674.exe
StartupFolder: c:\docume~1\trevor~1\startm~1\programs\startup\autoru~1\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\trevor~1\startm~1\programs\startup\autoru~1\monito~1.lnk - c:\program files\apache software foundation\apache2.2\bin\ApacheMonitor.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoup~1.lnk - c:\program files\sophos\autoupdate\ALMon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Notify: igfxcui - igfxdev.dll
Notify: VESWinlogon - VESWinlogon.dll
Notify: __c004BC4 - c:\windows\system32\__c004BC4.dat
AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll,c:\progra~1\sophos\sophos~1\sophos~1.dll c:\progra~1\google\google~1\GOEC62~1.DLL
STS: c:\windows\system32\had732ufn8.dll: {a6c7b2a1-00f3-42bd-f434-00aaba2c8953} - c:\windows\system32\had732ufn8.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\trevor~1\applic~1\mozilla\firefox\profiles\ohhh2ew5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.steepandcheap.com/
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdrmv2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdsplay.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwmsdrm.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============


============== File Associations ===============

txtfile="c:\program files\jgsoft\editpadpro6\EditPadPro.exe" "%1"

=============== Created Last 30 ================

2009-05-18 21:26 46 a------- c:\windows\system32\p2hhr.bat
2009-05-18 21:26 20,480 a------- c:\windows\system32\ak1.exe
2009-05-18 21:26 15,000 a------- c:\windows\system32\had732ufn8.dll
2009-05-18 21:11 28,160 a------- c:\windows\system32\__c004BC4.dat
2009-05-18 21:11 37,376 a------- c:\windows\system32\glsetup.exe
2009-05-14 18:40 <DIR> --d----- C:\DVRK16
2009-05-07 22:39 <DIR> --d----- c:\program files\Exterminate It!
2009-05-07 06:39 <DIR> --d----- c:\windows\system32\796525
2009-04-22 22:28 <DIR> --d----- c:\docume~1\trevor~1\applic~1\Malwarebytes
2009-04-22 22:28 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-22 22:28 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-22 22:28 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-22 22:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

==================== Find3M ====================

2009-05-07 20:33 32 a------- c:\windows\system32\drivers\mshcmd.sys.
2009-04-15 19:50 656 a------- c:\windows\system32\drivers\AFB4FC49.bin
2009-04-09 23:09 177,152 a------- c:\windows\system32\drivers\XRNBO.sys
2009-03-23 09:13 130,104 a------- c:\windows\system32\sdccoinstaller.dll
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-06 07:00 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 17:18 826,368 a------- c:\windows\system32\wininet.dll
2009-02-20 11:09 78,336 a------- c:\windows\system32\ieencode.dll
2007-08-07 22:34 13,372 ac------ c:\program files\settings.ini
2008-07-17 22:56 608 a--sh--- c:\windows\system32\winzvprt5.sys

============= FINISH: 21:41:38.95 ===============

Edited by northwest_trail, 18 May 2009 - 11:52 PM.
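Reading a DDS "Pseudo HJT Report" by hand means scanning every autostart entry for the usual tells: binaries launched from a temp directory, random-looking filenames dropped into system32, a Winlogon Notify package that is not even a .dll, Run values with no resolvable path, and policies that switch off regedit and Folder Options so the user cannot inspect the machine. The Python below is an added example, not part of this thread and not how DDS or Malwarebytes themselves classify anything; the heuristics are my own and the sample lines are copied from the log posted above (with a few benign entries left in so the filter has something to pass).

```python
import re
from typing import List, Tuple

# Constructed sample: lines copied from the DDS log posted above, plus the
# benign ctfmon/igfxtray/igfxcui entries so the filter has something to pass.
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Diagnostic Manager] c:\docume~1\trevor~1\locals~1\temp\132433674.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
dRun: [SYS32DLL] SYS32DLL
dRun: [uidenhiufgsduiazghs] c:\windows\temp\tk9oe37uw.exe
BHO: c:\windows\system32\had732ufn8.dll: {a6c7b2a1-00f3-42bd-f434-00aaba2c8953} - c:\windows\system32\had732ufn8.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
Notify: igfxcui - igfxdev.dll
Notify: __c004BC4 - c:\windows\system32\__c004BC4.dat
uPolicies-system: DisableRegistryTools = 1 (0x1)
"""

# "kind: rest" as DDS prints it (uRun, mRun, dRun, BHO, TB, Notify, uPolicies-system, ...)
ENTRY_RE = re.compile(r'^(?P<kind>[a-zA-Z-]+):\s*(?P<rest>.*)$')
# Any drive-letter path; DDS uses 8.3 short names, so no spaces inside a path.
PATH_RE = re.compile(r'[a-z]:\\[^\s"]+', re.I)
TEMP_RE = re.compile(r'\\temp\\', re.I)
HIDE_TOOLS_RE = re.compile(r'(DisableRegistryTools|NoFolderOptions)\s*=\s*1')


def looks_random(stem: str) -> bool:
    """Heuristic (my assumption, not a DDS rule): three or more digits mixed
    into a filename stem is the dropper pattern seen in the posted log
    (had732ufn8, tk9oe37uw, 132433674, __c004BC4); vendor binaries such as
    ctfmon or igfxtray carry none."""
    return sum(c.isdigit() for c in stem) >= 3


def flag_line(line: str) -> List[str]:
    """Return the list of reasons a single Pseudo-HJT line deserves a look."""
    reasons = set()
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    kind, rest = m.group('kind'), m.group('rest')
    paths = PATH_RE.findall(rest)

    for p in paths:
        if TEMP_RE.search(p):
            reasons.add('autostart from a temp directory')
        stem = re.split(r'[\\/]', p)[-1].rsplit('.', 1)[0]
        if looks_random(stem):
            reasons.add(f'random-looking filename {stem!r}')

    # Winlogon Notify packages are DLLs loaded into winlogon.exe; a .dat there
    # is a DLL renamed to dodge naive filters.
    if kind == 'Notify' and paths and not paths[0].lower().endswith('.dll'):
        reasons.add('Winlogon Notify package that is not a .dll')

    # A Run value whose command is a bare token with no path (e.g. SYS32DLL)
    # resolves through the search path, if at all.
    if kind.endswith('Run') and not paths and rest.split(']', 1)[-1].strip():
        reasons.add('Run value with no resolvable path')

    if 'No File' in rest:
        reasons.add('orphaned entry (file missing)')

    if kind.endswith('Policies-system') or kind.endswith('Policies-explorer'):
        if HIDE_TOOLS_RE.search(rest):
            reasons.add('policy that hides a troubleshooting tool from the user')

    return sorted(reasons)


def triage(log_text: str) -> List[Tuple[str, List[str]]]:
    """Run flag_line over every line and keep only the ones with findings."""
    hits = []
    for line in log_text.splitlines():
        reasons = flag_line(line)
        if reasons:
            hits.append((line.strip(), reasons))
    return hits


if __name__ == '__main__':
    for entry, why in triage(SAMPLE_LOG):
        print(entry)
        for r in why:
            print('    ->', r)
```

Run against the ten sample lines it flags seven and lets the three vendor entries through. The digit-count rule is deliberately blunt: it is a first pass to decide which entries to look up by hash or submit for analysis, not a verdict, and a dropper that picks a pronounceable name will sail past it.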

#2 SifuMike

malware expert


Posted 23 May 2009 - 09:52 PM

Hello northwest_trail,


I've tried turning off system restore


Please turn system restore on. Do NOT start your fix by disabling System Restore.
This rule applies to any manual fixes and is especially true for spyware removal. That is because disabling System Restore wipes out all restore points.
Should a problem arise during the fix you would have NO good working configuration to go back to get the computer up and running.

Even if you have to start over removing infections, this is preferable to a dead PC thanks to having System Restore turned off. Clean the restore folder and set a new point AFTER the PC is clean and all programs are working properly.

Are you a Java programmer? Do you use Java DB or the Java Development Kit in your work?
If not, then uninstall these:
Java DB 10.4.1.3
Java™ SE Development Kit 6 Update 12


Uninstall these old versions of Java, as they are malware magnets.
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 7
J2SE Runtime Environment 5.0 Update 9
Java™ 6 Update 2
Java™ SE Runtime Environment 6 Update 1




Download Security Check by screen317 from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.

Please post the Malwarebytes log so I can see what it is finding.

Edited by SifuMike, 23 May 2009 - 10:02 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 SifuMike

malware expert


Posted 30 May 2009 - 01:36 PM

This thread will now be closed due to lack of feedback.