
Plenty 'o infections - Vundo? Something else?


  • This topic is locked
3 replies to this topic

#1 neksys

neksys

  • Members
  • 2 posts

Posted 19 May 2009 - 09:21 PM

Symptoms: Google redirects. As I'm typing this, TeaTimer has noted an attempt to rundll32.exe "protect.dll" and "autochk.dll". This has happened previously and been cleaned for a couple of days.

Attempted pretty well everything I have (Spybot Search & Destroy - which sometimes crashed, Malwarebytes - which keeps finding new things, Spyware Doctor - same thing). Vundofix doesn't find anything. Spyware Doctor sometimes only runs for a couple of thousand files then quits, saying everything is clean.

Vundo seems to be the main infection, with dialers adding new junk at every turn. Just when I think I have this thing beat, I end up getting a flare-up again.

I'm posting my DDS logs - but be aware that HJT returns different problems almost from scan to scan:

***************
DDS (Ver_09-05-14.01) - NTFSx86
Run by Greg at 19:06:32.06 on Tue 05/19/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_03
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1381 [GMT -7:00]

AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\CACHEM~1\CachemanXP.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\WINDOWS\system32\TDispVol.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\Stardock\Impulse\Now\ImpulseNow.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Greg\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {A6C7B2A1-00F3-42BD-F434-00AABA2C8953} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [Tvs] c:\program files\toshiba\tvs\TvsTray.exe
mRun: [THotkey] c:\program files\toshiba\toshiba applet\thotkey.exe
mRun: [TDispVol] TDispVol.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
StartupFolder: c:\docume~1\greg\startm~1\programs\startup\impuls~1.lnk - c:\program files\stardock\impulse\now\ImpulseNow.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\tabuse~1.lnk - c:\windows\system32\wtablet\TabUserW.exe
uPolicies-explorer: NoSMBalloonTip = 0 (0x0)
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase370.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1157219951968
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1171406247640
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxdev.dll
SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - No File
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: {0CCB7673-04D5-4DE7-916B-384A3642BAF4} - No File
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\awttuutr
LSA: Notification Packages = scecli c:\windows\system32\yijazowi.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\greg\applic~1\mozilla\firefox\profiles\cfpjl7h7.greg new\
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll

============= SERVICES / DRIVERS ===============

R0 hotcore3;hotcore3;c:\windows\system32\drivers\hotcore3.sys [2008-6-9 39472]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-5-14 130936]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-5-14 11608]
R1 Ext2fs;Ext2fs;c:\windows\system32\drivers\ext2fs.sys [2008-6-8 179584]
R1 IfsMount;IfsMount;c:\windows\system32\drivers\ifsmount.sys [2008-6-8 49536]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-5-13 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-5-13 55024]
R1 SysTool;SysTool Overclocking Utility;c:\windows\system32\drivers\SysTool.sys [2006-11-10 24064]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [2009-1-26 8576]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-5-14 108289]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-5-14 55640]
R2 CachemanXPService;CachemanXP;c:\progra~1\cachem~1\CachemanXP.exe [2009-4-17 355840]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-5-14 348752]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-5-14 1095560]
S0 eztwa;eztwa; [x]
S0 uphwugmx;uphwugmx; [x]
S1 TVicPort64;TVicPort64;\??\c:\windows\syswow64\drivers\tvicport64.sys --> c:\windows\syswow64\drivers\TVicPort64.sys [?]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 ICam7fil;Intel® CS431 Audio Filter Driver;c:\windows\system32\drivers\icam7fil.sys [2006-9-25 19640]
S3 Icam7USB;Intel® PC Camera CS431;c:\windows\system32\drivers\ICAM7D2.SYS [2006-9-25 158848]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-5-15 38496]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-5-13 7408]
S3 SVRPEDRV;SVRPEDRV;\??\c:\docume~1\greg\locals~1\temp\rarsfx0\s10vwf\pedrv.sys --> c:\docume~1\greg\locals~1\temp\rarsfx0\s10vwf\PEDrv.sys [?]
S4 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-4 98304]
S4 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-5-14 185089]
S4 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [2006-9-28 2560]
S4 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-4 118784]

=============== Created Last 30 ================

2009-05-19 18:29 <DIR> --d----- C:\VundoFix Backups
2009-05-19 16:51 2,156,625 a------- C:\backup.dpb
2009-05-19 16:51 2,090,967 a------- C:\backup.dpb.bak
2009-05-19 16:08 <DIR> --d----- c:\docume~1\greg\applic~1\DVD Profiler
2009-05-19 16:07 <DIR> --d----- c:\program files\DVD Profiler
2009-05-18 23:48 43 a------- C:\xcrashdump.dat
2009-05-18 23:46 37,376 a------- c:\windows\system32\glsetup.exe
2009-05-15 01:19 <DIR> --d----- c:\program files\Eusing Free Registry Cleaner
2009-05-15 00:15 <DIR> --d----- c:\docume~1\greg\applic~1\Malwarebytes
2009-05-15 00:15 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-15 00:15 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-15 00:15 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-15 00:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-14 23:39 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-05-14 23:39 <DIR> --d----- c:\program files\common files\PC Tools
2009-05-14 23:39 <DIR> --d----- c:\program files\Spyware Doctor
2009-05-14 23:39 <DIR> --d----- c:\docume~1\greg\applic~1\PC Tools
2009-05-14 23:39 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-05-14 20:14 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-05-14 20:14 <DIR> --d----- c:\program files\Avira
2009-05-14 20:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-05-13 01:31 <DIR> --d----- c:\docume~1\greg\applic~1\Obsidium
2009-05-11 19:03 <DIR> --d----- c:\docume~1\greg\applic~1\Personal Video Database
2009-05-11 19:03 <DIR> --d----- c:\program files\Personal Video Database
2009-05-02 00:48 147,456 a------- c:\windows\system32\igfxCoIn_v4926.dll
2009-05-02 00:46 <DIR> --d----- c:\program files\SystemRequirementsLab
2009-04-29 12:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kalypso
2009-04-28 22:37 <DIR> --d----- c:\docume~1\greg\applic~1\Stardock
2009-04-28 22:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Stardock
2009-04-28 22:36 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{1E77E486-38CF-4688-B1E4-B86D08856D09}

==================== Find3M ====================

2009-05-19 18:53 16,140 a------- c:\windows\system32\tablet.dat
2009-05-14 23:40 389,120 a------- c:\windows\system32\CF17570.exe
2009-05-14 22:53 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-04-03 11:18 130,936 a------- c:\windows\system32\drivers\PCTCore.sys
2009-03-06 07:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 17:18 826,368 a------- c:\windows\system32\wininet.dll
2009-02-20 11:09 78,336 a------- c:\windows\system32\ieencode.dll
2008-12-07 23:35 24,192 a------- c:\documents and settings\greg\usbsermptxp.sys
2008-12-07 23:35 22,768 a------- c:\documents and settings\greg\usbsermpt.sys
2008-09-03 19:50 81,920 a------- c:\docume~1\greg\applic~1\ezpinst.exe
2008-09-03 19:50 47,360 a------- c:\docume~1\greg\applic~1\pcouffin.sys
2008-04-01 21:12 87,608 a------- c:\docume~1\greg\applic~1\inst.exe
2007-12-05 17:13 1,024 a------- c:\docume~1\alluse~1\applic~1\imgpdf2.dll
2006-11-25 22:09 79,328 a------- c:\documents and settings\greg\mqdmserd.sys
2006-11-25 22:09 5,936 a------- c:\documents and settings\greg\mqdmwhnt.sys
2006-11-25 22:09 92,064 a------- c:\documents and settings\greg\mqdmmdm.sys
2006-11-25 22:09 66,656 a------- c:\documents and settings\greg\mqdmbus.sys
2006-11-25 22:09 9,232 a------- c:\documents and settings\greg\mqdmmdfl.sys
2006-11-25 22:09 6,208 a------- c:\documents and settings\greg\mqdmcmnt.sys
2006-11-25 22:09 4,048 a------- c:\documents and settings\greg\mqdmcr.sys

============= FINISH: 19:07:01.87 ===============
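As an added example (not code from this thread, from DDS, or from any of the tools mentioned), a Python script that applies the checks a helper would make by eye over the log above: LSA Authentication/Notification Packages beyond the Windows XP defaults (the randomly named awttuutr and yijazowi.dll entries), S0 drivers whose file is missing, services DDS could not verify, and orphaned "No File" entries. The LSA baseline set is an assumption; the sample lines are copied from the posted log.

```python
import re

# Constructed sample: lines copied from the DDS log posted in this thread.
SAMPLE_LOG = r"""
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {A6C7B2A1-00F3-42BD-F434-00AABA2C8953} - No File
SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - No File
LSA: Authentication Packages = msv1_0 c:\windows\system32\awttuutr
LSA: Notification Packages = scecli c:\windows\system32\yijazowi.dll
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-5-14 130936]
S0 eztwa;eztwa; [x]
S0 uphwugmx;uphwugmx; [x]
S3 SVRPEDRV;SVRPEDRV;\??\c:\docume~1\greg\locals~1\temp\rarsfx0\s10vwf\pedrv.sys --> c:\docume~1\greg\locals~1\temp\rarsfx0\s10vwf\PEDrv.sys [?]
"""

# Assumed baseline: the only LSA packages a stock Windows XP install registers.
# Vundo-style infections append a randomly named DLL here so that lsass.exe
# loads it at boot, before any on-demand scanner gets a chance to run.
LSA_BASELINE = {
    "Authentication Packages": {"msv1_0"},
    "Notification Packages": {"scecli"},
}

LSA_RE = re.compile(r"LSA: (Authentication Packages|Notification Packages) = (.*)")
# DDS service lines look like: "<R|S><start type> name;display name;path [date size]"
SVC_RE = re.compile(r"([RS][0-4]) ([^;]+);[^;]*;(.*)")


def triage_dds(text):
    """Return (severity, message) findings for the DDS sections in `text`."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LSA_RE.match(line)
        if m:
            key, packages = m.group(1), m.group(2).split()
            # system32 paths contain no spaces, so a whitespace split is safe here.
            for pkg in packages:
                if pkg.lower() not in LSA_BASELINE[key]:
                    findings.append(("high", f"non-default LSA {key}: {pkg}"))
            continue
        m = SVC_RE.match(line)
        if m:
            start, name, path = m.group(1), m.group(2), m.group(3).strip()
            if path == "[x]":
                # Registered driver whose file is gone: removed by a tool, or never there.
                findings.append(("medium", f"{start} service {name} has no file on disk"))
            elif path.endswith("[?]"):
                findings.append(("low", f"{start} service {name} could not be verified: {path}"))
            continue
        if line.endswith("- No File"):
            # Orphaned CLSID references; usually leftovers rather than live malware.
            findings.append(("low", f"orphaned entry: {line}"))
    return findings


if __name__ == "__main__":
    for severity, msg in triage_dds(SAMPLE_LOG):
        print(f"[{severity}] {msg}")
```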



#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 22 May 2009 - 05:04 PM

Hello neksys,

If you still need help then download Security Check by screen317 from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Select Files and Folders created in last 3 months
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).
    info.txt can also be found at c:\RSIT\info.txt

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 neksys

neksys
  • Topic Starter
  • Members
  • 2 posts

Posted 22 May 2009 - 05:13 PM


Hi SifuMike,

Thank you for your reply. After many days of battling this beast I think I finally got it beat. I ended up using Panda Cloud Anti-Virus, which detected infected files all of the other tools did not. Panda did not remove them, but once I found the root of the infection, there are plenty of other tools available to do just that. So far so good - three days now with no sign of infection under any scan in any tool!

This topic can be closed, I suppose. You and the other experts might consider looking at the Panda Cloud software - it is sorely lacking in the removal department (I'd never recommend it as a standalone anti-virus solution), but in terms of detection I found it very useful.

#4 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 22 May 2009 - 05:19 PM

Glad to hear you got it sorted out. :thumbup2:

Since you're having no problems, I will close this thread.