Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with a myriad of things: Vundo, Ertfor, Zlob, etc.


  • This topic is locked This topic is locked
2 replies to this topic

#1 invivo

invivo

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:08:40 AM

Posted 13 July 2009 - 01:16 AM

Hello,

a friend's computer recently was infected with some really bad malware that changed the wallpaper, disabled .exes, etc. After running a slew of programs (SAS, Spybot, MBAM, AdAware, etc.), I was able to get rid of the worst parts of the malware. What was alarming about the scans was that there were many different things that were detected depending on which programs were used. I'm not convinced that her system is totally clean, so would appreciate if somebody could take a look at the logs to completely disinfect her system. Thanks!


DDS (Ver_09-06-26.01) - FAT32x86
Run by jb at 22:47:08.26 on Sun 07/12/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1918.1459 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\spoolsv.exe
SVCHOST.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\jb\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://news.bbc.co.uk/
uInternet Settings,ProxyOverride = *.local
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ePower_DMC] c:\acer\empowering technology\epower\ePower_DMC.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1166261469156
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\janice~1\applic~1\mozilla\firefox\profiles\k34lom4g.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.nytimes.com/|http://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - prefs.js: network.proxy.type - 2
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-7-10 64160]
S1 SASDIFSV;SASDIFSV;\??\f:\superantispyware\sasdifsv.sys --> f:\superantispyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\f:\superantispyware\saskutil.sys --> f:\superantispyware\SASKUTIL.sys [?]
S2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;\??\c:\windows\system32\elock2burnerlockdriver.sys --> c:\windows\system32\eLock2BurnerLockDriver.sys [?]
S2 eLock2FSCTLDriver;eLock2FSCTLDriver;\??\c:\windows\system32\elock2fsctldriver.sys --> c:\windows\system32\eLock2FSCTLDriver.sys [?]
S3 SASENUM;SASENUM;\??\f:\superantispyware\sasenum.sys --> f:\superantispyware\SASENUM.SYS [?]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1029456]
S4 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

=============== Created Last 30 ================

2009-07-12 22:42 454,912 a------- c:\windows\system32\dllcache\fxusbase.sys
2009-07-12 22:42 92,160 a------- c:\windows\system32\dllcache\fuusd.dll
2009-07-12 22:41 455,296 a------- c:\windows\system32\dllcache\fusbbase.sys
2009-07-12 22:41 455,680 a------- c:\windows\system32\dllcache\fus2base.sys
2009-07-12 22:41 442,240 a------- c:\windows\system32\dllcache\fpnpbase.sys
2009-07-12 22:41 441,728 a------- c:\windows\system32\dllcache\fpcmbase.sys
2009-07-12 22:41 444,416 a------- c:\windows\system32\dllcache\fpcibase.sys
2009-07-12 22:41 34,173 a------- c:\windows\system32\dllcache\forehe.sys
2009-07-12 22:41 71,680 a------- c:\windows\system32\dllcache\fnfilter.dll
2009-07-12 22:41 27,165 a------- c:\windows\system32\dllcache\fetnd5.sys
2009-07-12 22:41 22,090 a------- c:\windows\system32\dllcache\fem556n5.sys
2009-07-12 22:40 24,618 a------- c:\windows\system32\dllcache\fa410nd5.sys
2009-07-12 22:40 16,074 a------- c:\windows\system32\dllcache\fa312nd5.sys
2009-07-12 22:40 11,850 a------- c:\windows\system32\dllcache\f3ab18xj.sys
2009-07-12 22:40 12,362 a------- c:\windows\system32\dllcache\f3ab18xi.sys
2009-07-12 22:40 7,040 a------- c:\windows\system32\dllcache\exabyte2.sys
2009-07-12 22:40 16,998 a------- c:\windows\system32\dllcache\ex10.sys
2009-07-12 22:40 45,568 a------- c:\windows\system32\dllcache\esunib.dll
2009-07-12 22:40 45,568 a------- c:\windows\system32\dllcache\esuni.dll
2009-07-12 22:40 34,816 a------- c:\windows\system32\dllcache\esuimg.dll
2009-07-12 22:40 137,088 a------- c:\windows\system32\dllcache\essm2e.sys
2009-07-12 22:40 43,008 a------- c:\windows\system32\dllcache\esucm.dll
2009-07-12 22:40 63,360 a------- c:\windows\system32\dllcache\ess.sys
2009-07-12 22:38 144,896 a------- c:\windows\system32\dllcache\epcfw2k.sys
2009-07-12 22:37 44,103 a------- c:\windows\system32\dllcache\el515.sys
2009-07-12 22:36 952,007 a------- c:\windows\system32\dllcache\diwan.sys
2009-07-12 22:35 65,622 a------- c:\windows\system32\dllcache\digiasyn.dll
2009-07-12 22:34 50,176 a------- c:\windows\system32\dllcache\cyyport.sys
2009-07-12 22:33 44,032 a------- c:\windows\system32\dllcache\cnusd.dll
2009-07-12 22:32 164,923 a------- c:\windows\system32\dllcache\diapi2.sys
2009-07-12 22:31 3,968 a------- c:\windows\system32\dllcache\brfiltup.sys
2009-07-12 22:30 63,488 a------- c:\windows\system32\dllcache\atinxsxx.sys
2009-07-12 22:29 3,775 a------- c:\windows\system32\dllcache\adv11nt5.dll
2009-07-12 22:28 66,048 a------- c:\windows\system32\dllcache\s3legacy.dll
2009-07-12 22:27 <DIR> --dsh--- C:\Recycled
2009-07-11 13:03 <DIR> --d----- c:\docume~1\janice~1\applic~1\Auslogics
2009-07-11 13:03 <DIR> --d----- c:\program files\Auslogics
2009-07-11 12:52 <DIR> --d----- c:\windows\system32\dllcache\cache
2009-07-11 12:43 <DIR> a-dshr-- C:\cmdcons
2009-07-11 12:42 161,792 a------- c:\windows\SWREG.exe
2009-07-11 12:42 155,136 a------- c:\windows\PEV.exe
2009-07-11 12:42 98,816 a------- c:\windows\sed.exe
2009-07-11 09:06 979,005 a------- c:\documents and settings\jb\python23.dll
2009-07-11 09:06 24,576 a------- c:\documents and settings\jb\pyrun.exe
2009-07-11 09:06 23,040 a------- c:\documents and settings\jb\pylauncher.exe
2009-07-11 09:06 <DIR> --d----- c:\documents and settings\jb\winboot
2009-07-11 09:06 <DIR> --d----- c:\documents and settings\jb\translations
2009-07-11 09:06 <DIR> --d----- c:\documents and settings\jb\lib
2009-07-11 09:06 <DIR> --d----- c:\documents and settings\jb\data
2009-07-11 09:06 <DIR> --d----- c:\documents and settings\jb\bin
2009-07-10 20:43 <DIR> --d----- c:\windows\pss
2009-07-10 08:23 15,688 a------- c:\windows\system32\lsdelete.exe
2009-07-10 08:17 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-07-10 08:16 <DIR> --d-h--- c:\docume~1\alluse~1\applic~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-07-10 08:16 <DIR> --d----- c:\program files\Lavasoft
2009-07-09 22:40 <DIR> --d----- c:\program files\CCleaner
2009-07-09 16:56 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-07-08 22:12 570 a------- c:\windows\wininit.ini
2009-07-08 21:20 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-07-08 21:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-07-08 20:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-07-08 20:50 <DIR> --d----- c:\docume~1\janice~1\applic~1\SUPERAntiSpyware.com
2009-07-08 20:38 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-07-08 17:22 <DIR> --d----- c:\docume~1\janice~1\applic~1\Malwarebytes
2009-07-08 17:22 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-08 17:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-08 17:22 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-08 17:22 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-06 23:15 <DIR> --dsh--- c:\windows\System Volume Information
2009-07-06 23:15 2 a------- C:\1559282400
2009-07-06 23:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\15797654

==================== Find3M ====================

2009-07-09 22:27 4 ----h--- c:\windows\fonts\mlog
2009-05-29 13:36 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-05-29 13:36 39,424 a------- c:\windows\system32\drivers\usbaapl.sys
2009-05-07 08:44 344,064 a------- c:\windows\system32\localspl.dll
2009-05-07 08:44 344,064 a------- c:\windows\system32\dllcache\localspl.dll
2009-04-28 21:56 1,159,680 a------- c:\windows\system32\dllcache\urlmon.dll
2009-04-28 21:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-28 21:56 827,392 a------- c:\windows\system32\dllcache\wininet.dll
2009-04-28 21:56 827,392 a------- c:\windows\system32\dllcache\cache\wininet.dll
2009-04-28 21:56 671,232 a------- c:\windows\system32\dllcache\mstime.dll
2009-04-28 21:56 233,472 a------- c:\windows\system32\dllcache\webcheck.dll
2009-04-28 21:56 105,984 a------- c:\windows\system32\dllcache\url.dll
2009-04-28 21:56 102,912 a------- c:\windows\system32\dllcache\occache.dll
2009-04-28 21:56 44,544 a------- c:\windows\system32\dllcache\pngfilt.dll
2009-04-28 21:56 3,596,288 a------- c:\windows\system32\dllcache\mshtml.dll
2009-04-28 21:56 477,696 a------- c:\windows\system32\dllcache\mshtmled.dll
2009-04-28 21:56 193,024 a------- c:\windows\system32\dllcache\msrating.dll
2009-04-28 02:05 70,656 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-28 02:05 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-04-24 22:27 636,088 a------- c:\windows\system32\dllcache\iexplore.exe
2009-04-24 22:26 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2009-04-17 02:58 1,846,656 a------- c:\windows\system32\win32k.sys
2009-04-17 02:58 1,846,656 a------- c:\windows\system32\dllcache\win32k.sys
2009-04-15 08:26 583,168 a------- c:\windows\system32\rpcrt4.dll
2009-04-15 08:26 583,168 a------- c:\windows\system32\dllcache\rpcrt4.dll

============= FINISH: 22:47:43.25 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:04:40 PM

Posted 23 July 2009 - 10:22 AM

Hello and welcome to Bleeping Computer.

My name is Syler, I will be helping you to solve your Malware issues. Whilst I am helping you, I would
be grateful if you would note the following:
  • Please do not run other tools or scans unless I ask you to and follow all the steps I give you, in order.
  • Copy and paste all logs requested in you reply, Do not attach them unless asked too.
  • If you don't know or understand something, please don't hesitate to say or ask before you proceed with my instructions.
  • Please continue to work with me, until I tell you your machine appears to be clean. Absence of symptoms does not mean that everything is clear.
  • If I do not hear back from you within 5 days of my last post, then this topic will be closed.

Please download Malwarebytes' Anti-Malware from Here

Note: If you already have Malwarebytes' Anti-Malware, just update then run it.
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan (the scan may take some time to finish, so please be patient).
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply .
Note: If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Next
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
Then please post back here with the following:
  • MBAM log
  • log.txt
  • info.txt
Thanks

unite.jpg


#3 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:04:40 PM

Posted 28 July 2009 - 03:34 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

unite.jpg





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users