Computer keeps getting infected with vundo etc

Posted 06 June 2009 - 06:56 PM

Hello, I have had this problem for some weeks now. Usually I know how to get rid of malware, but lately I got infected and it keeps coming back no matter what I do.
Whenever I think I have got rid of the infection, upon restart Malwarebytes' Anti-Malware tells me there are 90 infected registry keys (security hijack) and various worms and viruses, always different ones, in different places. I mentioned Vundo in the title because it appears to be the most frequent, but also Koobface and others. Also, my firewall is disabled and I can't change it back. Could someone please look at my logs? That would be so nice. Thanks!

DDS (Ver_09-05-14.01) - NTFSx86
Run by Hannes at 0:29:40,46 on So 07.06.2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.49.1031.18.767.356 [GMT 2:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Programme\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Programme\Avira\AntiVir Desktop\sched.exe
C:\Programme\Avira\AntiVir Desktop\avguard.exe
C:\Programme\Gemeinsame Dateien\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Programme\Windows Defender\MSASCui.exe
C:\Programme\Avira\AntiVir Desktop\avgnt.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Spybot - Search & Destroy\SpybotSD.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Dokumente und Einstellungen\Hannes\Lokale Einstellungen\Anwendungsdaten\Google\Update\GoogleUpdate.exe
C:\Programme\Malwarebytes' Anti-Malware\mbam.exe
C:\Dokumente und Einstellungen\Hannes\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.google.de/
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
uSearchAssistant = hxxp://www.google.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\programme\gemeinsame dateien\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\programme\gemeinsame dateien\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: {da30eff8-ccc6-4162-a20d-67402a26a215} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\programme\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\programme\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\programme\gemeinsame dateien\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\programme\gemeinsame dateien\adobe\acrobat\activex\AcroIEFavClient.dll
TB: {965B54B0-71E0-4611-8DE7-F73FA0B20E26} - No File
TB: {ED4BD629-C1B6-4399-8A34-02CCAA921DC9} - No File
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [SpybotSD TeaTimer] c:\programme\spybot - search & destroy\TeaTimer.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Windows Defender] "c:\programme\windows defender\MSASCui.exe" -hide
mRun: [avgnt] "c:\programme\avira\antivir desktop\avgnt.exe" /min
mRun: [SpybotSnD] "c:\programme\spybot - search & destroy\SpybotSD.exe"
mRunOnce: [Malwarebytes Anti-Malware (reboot)] "c:\programme\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [DWQueuedReporting] "c:\progra~1\gemein~1\micros~1\dw\dwtrig20.exe" -t
IE: An vorhandene PDF-Datei anfügen - c:\programme\gemeinsame dateien\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: In Adobe PDF konvertieren - c:\programme\gemeinsame dateien\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: Linkziel an vorhandene PDF-Datei anhängen - c:\programme\gemeinsame dateien\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Linkziel in Adobe PDF konvertieren - c:\programme\gemeinsame dateien\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programme\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Notify: !SASWinLogon - c:\programme\superantispyware\SASWINLO.dll
AppInit_DLLs: acaptuser32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\programme\superantispyware\SASSEH.DLL
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\dokume~1\hannes\anwend~1\mozilla\firefox\profiles\9bzcylui.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1055551&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.de/
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 1
FF - component: c:\dokumente und einstellungen\hannes\anwendungsdaten\mozilla\firefox\profiles\9bzcylui.default\extensions\{da30eff8-ccc6-4162-a20d-67402a26a215}\components\FFAlert.dll
FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\dokumente und einstellungen\hannes\lokale einstellungen\anwendungsdaten\google\update\\npGoogleOneClick8.dll
FF - plugin: c:\program files\real\realplayer\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realplayer\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realplayer\netscape6\nprpjplug.dll
FF - plugin: c:\programme\mozilla firefox\plugins\npdjvu.dll
FF - plugin: c:\programme\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\quicktime\plugins\npqtplugin.dll
FF - plugin: c:\quicktime\plugins\npqtplugin2.dll
FF - plugin: c:\quicktime\plugins\npqtplugin3.dll
FF - plugin: c:\quicktime\plugins\npqtplugin4.dll
FF - plugin: c:\quicktime\plugins\npqtplugin5.dll
FF - plugin: c:\quicktime\plugins\npqtplugin6.dll
FF - plugin: c:\quicktime\plugins\npqtplugin7.dll
FF - user.js: yahoo.homepage.dontask - true

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\programme\avira\antivir desktop\avgio.sys [2009-6-2 11608]
R1 SASDIFSV;SASDIFSV;c:\programme\superantispyware\sasdifsv.sys [2009-5-26 9968]
R2 AntiVirSchedulerService;Avira AntiVir Planer;c:\programme\avira\antivir desktop\sched.exe [2009-6-2 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\programme\avira\antivir desktop\avguard.exe [2009-6-2 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-6-2 55640]
R2 WinDefend;Windows Defender;c:\programme\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-6-3 40160]
S1 SASKUTIL;SASKUTIL;\??\c:\programme\supraman\saskutil.sys --> c:\programme\supraman\SASKUTIL.sys [?]
S1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\dokumente und einstellungen\hannes\desktop\too\virtualcontrolpanel\vcdrom.sys --> c:\dokumente und einstellungen\hannes\desktop\too\virtualcontrolpanel\VCdRom.sys [?]
S2 DcomLaunchNetDDE;DCOM-Server-Prozessstart DcomLaunchNetDDE;c:\windows\system32\acctresm.exe srv --> c:\windows\system32\acctresm.exe srv [?]
S3 HCWBT8XX;Hauppauge WinTV 848/9 WDM Video Driver;c:\windows\system32\drivers\HCWBT8xx.sys [2005-7-9 446020]
S3 SASENUM;SASENUM;c:\programme\superantispyware\SASENUM.SYS [2009-5-26 7408]
S3 SCR33x USB Smart Card Reader;SCR33x USB Smart Card Reader;c:\windows\system32\drivers\SCR33X2K.sys [2005-8-25 45568]
S3 STC2DFU;STCII DFU Adapter;c:\windows\system32\drivers\Stc2Dfu.sys [2004-10-25 7796]
S4 GNUnet;GNUnet;"c:\programme\gnu\gnunet\bin\gnunetd.exe" --win-service --> c:\programme\gnu\gnunet\bin\gnunetd.exe [?]

=============== Created Last 30 ================

2009-06-06 23:20 61,440 a------- c:\windows\system32\drivers\gbcoekx.sys
2009-06-03 19:30 <DIR> --d----- c:\programme\windows nt
2009-06-03 19:30 <DIR> --d----- c:\programme\msn gaming zone
2009-06-03 17:02 <DIR> --d----- c:\programme\SUPERAntiSpyware
2009-06-03 17:01 <DIR> --d----- c:\programme\gemeinsame dateien\Wise Installation Wizard
2009-06-03 05:50 <DIR> --d----- c:\programme\Spybot - Search & Destroy
2009-06-03 05:09 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-03 05:09 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-03 05:09 <DIR> --d----- c:\programme\Malwarebytes' Anti-Malware
2009-06-03 01:24 153,104 a------- c:\windows\system32\drivers\tmcomm.sys
2009-06-02 22:47 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-06-02 22:47 <DIR> --d----- c:\programme\Avira
2009-06-02 22:47 <DIR> --d----- c:\dokume~1\alluse~1\anwend~1\Avira
2009-05-26 18:45 <DIR> --d----- c:\dokume~1\hannes\anwend~1\Uniblue
2009-05-26 18:32 <DIR> --dsh--- c:\dokumente und einstellungen\hannes\IECompatCache
2009-05-25 01:10 <DIR> --d----- c:\dokume~1\alluse~1\anwend~1\SecTaskMan
2009-05-23 04:42 <DIR> --d----- c:\dokumente und einstellungen\hannes\.housecall6.6
2009-05-22 18:55 <DIR> --dsh--- c:\dokumente und einstellungen\hannes\PrivacIE
2009-05-22 18:51 <DIR> --dsh--- c:\dokumente und einstellungen\hannes\IETldCache
2009-05-22 18:44 <DIR> -cd-h--- c:\windows\ie8
2009-05-22 17:04 <DIR> --d----- c:\programme\Sas
2009-05-22 01:38 0 a------- c:\windows\system32\_id.dat
2009-05-20 02:23 100 a--s---- c:\windows\system32\3224537453.dat

==================== Find3M ====================

2009-05-05 14:36 459,270 a------- c:\windows\system32\perfh007.dat
2009-05-05 14:36 84,686 a------- c:\windows\system32\perfc007.dat
2009-03-27 16:37 499,712 a------- c:\windows\system32\msvcp71.dll
2009-03-27 16:37 348,160 a------- c:\windows\system32\msvcr71.dll
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2008-03-17 23:02 604 ac--h--- c:\programme\STLL Notifier
2001-11-23 06:08 712,704 ac------ c:\windows\inf\other\AUDIO3D.DLL
2008-11-12 09:58 32,768 a--sh--- c:\windows\system32\config\systemprofile\lokale einstellungen\verlauf\history.ie5\mshist012008111220081113\index.dat

============= FINISH: 0:30:47,62 ===============

Posted 17 June 2009 - 12:32 AM

Hello and welcome to Bleeping Computer. Sorry for the delay; the forums here at BC are always very busy and we do our best to keep up. If you no longer require any help, could you let me know please, so this topic can be closed.

My name is Syler, I will be helping you to solve your Malware issues. Whilst I am helping you, I would be grateful if you would note the following:
  • Please do not run other tools or scans unless I ask you to and follow all the steps I give you, in order.
  • If you don't know or understand something, please don't hesitate to say or ask before you proceed with my instructions.
  • Please continue to work with me, until I tell you your machine appears to be clean. Absence of symptoms does not mean that everything is clear.
  • If I do not hear back from you within 5 days of my last post, then this topic will be closed.
First I would like to see a new log, since a lot could have changed since your original post.
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).


Posted 21 June 2009 - 08:35 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
