Infected by Vundo and possibly more


  • This topic is locked
2 replies to this topic

#1 Crash Jupiter

  • Members
  • 1 posts

Posted 20 September 2009 - 08:21 PM

This virus was caught by AVG, and I want to believe that Spybot S&D stopped the registry changes, but I'm not sure. Using AVG and Avira hasn't gotten rid of it, despite moving it "to the virus vault".

Here are my DDS logs. I attempted to run RootRepeal, but after 8 tries so far, I haven't gotten a report. The computer freezes up almost entirely, with movements of the mouse suddenly being registered all at once every 10 minutes or so. The longest I've gone with it running is 90 minutes and that ended with the Bluescreen.

So far, the virus hasn't seemed to affect functionality, other than throwing up a few new windows full of ads in Firefox. This, of course, makes me suspicious that it's simply doing things that I can't see and I don't want my passwords or anything heading down to anyone else. I've refrained from logging in to most things, especially my online banking.

Any help would be much appreciated. Thanks!

EDIT TO ADD: I ran AVG one more time, just to make sure it was still there. At the exact same moment, AVG and Avira popped up about "C:\WINDOWS\system32\kewowupa.exe". Avira says "TR/Crypt.ZPACK.Gen Trojan" and AVG says "Generic14.AZYX".





DDS (Ver_09-07-30.01) - NTFSx86
Run by Crash at 23:49:35.09 on Sat 09/19/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_03
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1384 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\MOUSES~1.2\wh_exec.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Documents and Settings\Crash.CRASH-A2075BEFE\Desktop\dds.scr
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.3.1.15.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
uRun: [DW4]
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Google Update] "c:\documents and settings\crash.crash-a2075befe\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /H
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_03\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [WheelMouse] c:\mouses~1.2\wh_exec.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DNS7reminder] "c:\program files\nuance\naturallyspeaking9\ereg\ereg.exe" -r "c:\documents and settings\all users.windows\application data\nuance\naturallyspeaking9\Ereg.ini
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.3.1.15.dll/206
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
Trusted Zone: turbotax.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: c:\windows\system32\gesiwoha.dll,yapafeju.dll
SSODL: rabihebur - {fec4b1e9-4e1e-4a27-8295-9d974c5421c4} - c:\windows\system32\gesiwoha.dll
STS: tokatiluy: {fec4b1e9-4e1e-4a27-8295-9d974c5421c4} - c:\windows\system32\gesiwoha.dll
LSA: Notification Packages = scecli buzalevu.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\crash~1.cra\applic~1\mozilla\firefox\profiles\8pxbjty6.default\
FF - prefs.js: browser.startup.homepage - hxxp://cstuck.livejournal.com/friends/
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\crash.crash-a2075befe\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\crash.crash-a2075befe\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npitunes.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-9-19 206256]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-9-19 11608]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-5-22 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-1-24 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-5-22 108552]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-9-19 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-9-19 185089]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-8-18 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-8-18 297752]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-9-19 55656]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 whmice2k;Advanced Wheel Mouse Upper Filter Driver;c:\windows\system32\drivers\whmice2k.sys [2004-4-25 6885]
S3 Asushwio;Asushwio;c:\windows\system32\drivers\ASUSHWIO.SYS [2008-1-23 5824]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-9-19 38224]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]
S3 S6U12BScanner;MUSTEK 1200 UB Still Image Device Service;c:\windows\system32\drivers\usbscan.sys [2008-2-1 15104]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-9-19 348752]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-9-19 1097096]
S3 whfltr2k;WheelMouse USB Lower Filter Driver;c:\windows\system32\drivers\whfltr2k.sys [2007-1-25 6784]

=============== Created Last 30 ================

2009-09-19 23:18 55,656 a------- c:\windows\system32\drivers\avgntflt.sys
2009-09-19 23:18 <DIR> --d----- c:\program files\Avira
2009-09-19 23:18 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Avira
2009-09-19 22:31 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-09-19 22:30 206,256 a------- c:\windows\system32\drivers\PCTCore.sys
2009-09-19 22:30 86,888 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-09-19 22:30 7,396 a------- c:\windows\system32\drivers\pctcore.cat
2009-09-19 22:30 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-09-19 22:30 <DIR> --d----- c:\program files\common files\PC Tools
2009-09-19 22:30 <DIR> --d----- c:\program files\Spyware Doctor
2009-09-19 22:30 <DIR> --d----- c:\docume~1\crash~1.cra\applic~1\PC Tools
2009-09-19 22:30 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\PC Tools
2009-09-19 22:30 1,081,616 a------- c:\windows\system32\MSCOMCTL.OCX
2009-09-19 22:17 <DIR> --d----- c:\docume~1\crash~1.cra\applic~1\Malwarebytes
2009-09-19 22:17 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-19 22:17 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-19 22:17 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-19 22:17 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2009-09-18 16:54 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\10897964
2009-09-17 06:59 25,088 a------- c:\windows\system32\tftp.msc
2009-09-09 03:48 153,088 -c------ c:\windows\system32\dllcache\triedit.dll
2009-08-29 01:46 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Blizzard Entertainment
2009-08-28 22:10 <DIR> --d----- c:\windows\system32\LogFiles
2009-08-28 17:36 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Blizzard

==================== Find3M ====================

2009-09-18 16:53 983,076 a--sh--- c:\windows\system32\kewowupa.exe
2009-08-18 16:56 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-18 16:56 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-05 03:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-17 13:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 10:08 286,720 a------- c:\windows\system32\wmpdxm.dll
2009-06-26 10:50 666,624 a------- c:\windows\system32\wininet.dll
2009-06-26 10:50 81,920 a------- c:\windows\system32\ieencode.dll
2009-06-25 02:25 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-25 02:25 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 02:25 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 02:25 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 02:25 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 02:25 54,272 a------- c:\windows\system32\wdigest.dll
2009-06-24 15:36 265,797 a------- c:\windows\system32\pdvcodec.dll
2008-12-11 15:00 1,355 a------- c:\docume~1\crash~1.cra\applic~1\SAS7_000.DAT

============= FINISH: 23:50:49.72 ===============

Edited by Crash Jupiter, 20 September 2009 - 09:43 PM.
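The "Pseudo HJT Report" section of the DDS log above lists the same unsigned-looking DLL under several Windows auto-load points (AppInit_DLLs, SSODL, STS), with a second one under LSA Notification Packages. The script below is an added triage example, not part of the original post or of the DDS tool: it parses those load-point lines, correlates each DLL across the entries that reference it, and suppresses modules matching an analyst-maintained vendor prefix list (the `vendor_prefixes` allowlist is an assumption, as is the constructed `SAMPLE_DDS` input).

```python
"""Correlate DLLs across Windows auto-load entries in a DDS 'Pseudo HJT Report'.

Added triage example; not part of the original post or of the DDS tool.
"""
import re
from collections import defaultdict

# Constructed sample: the load-point lines quoted in the post above, plus the
# Winlogon Notify entry that belongs to an installed AV product.
SAMPLE_DDS = r"""
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: c:\windows\system32\gesiwoha.dll,yapafeju.dll
SSODL: rabihebur - {fec4b1e9-4e1e-4a27-8295-9d974c5421c4} - c:\windows\system32\gesiwoha.dll
STS: tokatiluy: {fec4b1e9-4e1e-4a27-8295-9d974c5421c4} - c:\windows\system32\gesiwoha.dll
LSA: Notification Packages = scecli buzalevu.dll
"""

# DDS line prefixes that map to registry auto-load points (AppInit_DLLs,
# ShellServiceObjectDelayLoad, SharedTaskScheduler, LSA notification packages,
# Winlogon Notify). One DLL registered in several of them is a strong persistence signal.
LOAD_POINTS = ("AppInit_DLLs", "SSODL", "STS", "LSA", "Notify")

def modules_in(line):
    """Return the lower-cased base names of every .dll referenced on a DDS line."""
    return [m.lower() for m in re.findall(r"([\w-]+)\.dll\b", line, re.I)]

def triage(dds_text, vendor_prefixes=("avg",)):
    """Map each DLL named in a load-point line to the sorted load points citing it.

    vendor_prefixes (assumption: a small allowlist maintained by the analyst)
    suppresses modules whose base name starts with a known product prefix.
    """
    seen = defaultdict(set)
    for line in dds_text.splitlines():
        key = line.split(":", 1)[0].strip()
        if key not in LOAD_POINTS:
            continue
        for mod in modules_in(line):
            seen[mod].add(key)
    return {mod: sorted(points) for mod, points in seen.items()
            if not mod.startswith(vendor_prefixes)}

def most_entrenched(findings):
    """Return the DLL referenced from the most load points (None when nothing is flagged)."""
    if not findings:
        return None
    return max(findings, key=lambda mod: (len(findings[mod]), mod))

if __name__ == "__main__":
    findings = triage(SAMPLE_DDS)
    for mod, points in sorted(findings.items()):
        print(f"{mod}.dll is loaded via {', '.join(points)}")
    print("most entrenched:", most_entrenched(findings))
```

Run against a full DDS log the script prints only the modules that sit in one of the five load points and do not match the allowlist, so the AV vendor's own Notify DLL drops out while the three unknown system32 DLLs remain.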



#2 sempai

  • Malware Response Team
  • 5,288 posts

Posted 08 October 2009 - 05:37 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.  

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine.  Please perform the following scan:
  • Download DDS by sUBs from one of the following links.  Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool.  No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note:  You may have to disable any script protection running if the scan fails to run.  After downloading the tool, disconnect from the internet and disable all antivirus protection.  Run the scan, enable your A/V and reconnect to the internet.  

Information on A/V control HERE

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#3 myrti

  • Malware Study Hall Admin
  • 33,771 posts

Posted 14 October 2009 - 12:57 PM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help requests via PM, unless I am already helping you. Use the forums!

 
