
Vundu.H (?) infection


  • This topic is locked
3 replies to this topic

#1 KSADrew

KSADrew

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:09:33 PM

Posted 21 September 2009 - 04:14 PM

I have a client who had a malware infection for Windows Police Pro. I spent some time using Symantec Endpoint Protection & Malwarebytes Anti-Malware to clean the system, and CCleaner to check for registry errors. I have finally gotten the system clean and all infected files have been removed. All registry entries related to Windows Police Pro have been dealt with, and the system is no longer giving my user that annoying fake pop-up.

However, whenever a .exe file runs, the user gets the following: "The application or DLL globalroot\systemroot\system32\gasfkyhqyurkuy.dll is not a valid Windows image. Please check this against your installation diskette." I have searched online for this particular dll, but there's nothing on Google or Bing. This dll does not show in the registry, and there's no visible dll anywhere on the system that matches that name. I am unable to determine why all executables are being routed through this dll before starting their programs. I would appreciate some help in diagnosing the HJT log.


DDS (Ver_09-07-30.01) - NTFSx86
Run by Tarney at 14:36:11.35 on Mon 09/21/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.130 [GMT -5:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AT&TGL~1\netcfgsvr.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Pitney Bowes\mailstation 2\mailstationAssistant.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ORBITS\PDA\ONGSync.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\orant\BIN\ifrun60.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\dds.scr

============== Pseudo HJT Report ===============

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [NetSP - restore settings on power failure] "c:\program files\at&tgl~1\NetSP.exe" -show
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [Mailstation Assistant] c:\program files\pitney bowes\mailstation 2\mailstationAssistant minimize
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\orbits~1.lnk - c:\program files\orbits\pda\ONGSync.exe
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_03\bin\npjpi150_03.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1196952777410
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli zelayira.dll

============= SERVICES / DRIVERS ===============

R2 agnwifi;AT&T Wi-Fi Support Driver;c:\windows\system32\drivers\agnwifi.sys [2004-4-29 19328]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2007-12-6 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2007-12-6 108392]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2007-12-6 2177464]
R3 agnfilt;AGN Filter Interface;c:\windows\system32\drivers\agnfilt.sys [2007-9-21 218368]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-28 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090920.019\NAVENG.SYS [2009-9-21 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090920.019\NAVEX15.SYS [2009-9-21 1323568]
S3 avpnnic;AGN Virtual Network Adapter;c:\windows\system32\drivers\avpnnic.sys [2003-4-4 11392]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2007-12-6 23888]
S3 DM150Drv;DM150Drv;c:\windows\system32\drivers\DM150Drv.sys [2008-12-12 20600]
S3 OracleClientCache80;OracleClientCache80;c:\orant\bin\ONRSD80.EXE [2005-8-4 101136]
S4 vsdatant;vsdatant;a --> a [?]

=============== Created Last 30 ================

2009-09-21 12:47 <DIR> --dsh--- c:\documents and settings\tarney\IECompatCache
2009-09-21 12:19 <DIR> --d----- c:\program files\CCleaner
2009-09-21 10:06 <DIR> a-d----- c:\windows\system32\images
2009-09-18 08:52 <DIR> --d----- c:\docume~1\tarney\applic~1\Malwarebytes
2009-09-18 08:52 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-18 08:52 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-18 08:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-09-18 08:52 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-17 11:30 <DIR> --d----- C:\SNFPRC090
2009-09-16 08:29 <DIR> --dsh--- c:\documents and settings\tarney\PrivacIE
2009-09-16 08:07 <DIR> --dsh--- c:\documents and settings\tarney\IETldCache
2009-09-16 08:03 100,352 -------- c:\windows\system32\dllcache\iecompat.dll
2009-09-16 08:02 <DIR> --d----- c:\windows\ie8updates
2009-09-16 08:01 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-09-16 08:01 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-09-16 07:56 <DIR> -cd-h--- c:\windows\ie8
2009-09-09 17:28 153,088 -------- c:\windows\system32\dllcache\triedit.dll

==================== Find3M ====================

2009-09-21 08:01 49,152 a--sh--- c:\windows\system32\zozelemu.dll
2009-09-20 20:01 983,076 a--sh--- c:\windows\system32\zatarozu.exe
2009-09-20 20:01 38,400 a--sh--- c:\windows\system32\lupeyoyu.dll
2009-09-20 08:00 38,400 a--sh--- c:\windows\system32\zagimime.dll
2009-09-19 19:30 983,076 a--sh--- c:\windows\system32\hulayoba.exe
2009-09-19 19:30 91,136 a--sh--- c:\windows\system32\vuzasufa.dll
2009-09-19 07:30 983,076 a--sh--- c:\windows\system32\sonumiwo.exe
2009-09-18 19:30 983,076 a--sh--- c:\windows\system32\gofadadi.exe
2009-09-18 19:30 39,424 a--sh--- c:\windows\system32\wagisevu.dll
2009-09-18 07:29 39,424 a--sh--- c:\windows\system32\movojabo.dll
2009-08-05 04:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 04:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-19 18:48 11,067,392 -------- c:\windows\system32\dllcache\ieframe.dll
2009-07-19 08:18 5,937,152 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-17 14:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 14:01 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 23:43 10,841,088 -------- c:\windows\system32\dllcache\wmp.dll
2009-07-13 23:43 286,208 -------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-10 08:27 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll
2009-07-03 12:09 915,456 a------- c:\windows\system32\wininet.dll
2009-07-03 12:09 915,456 -------- c:\windows\system32\dllcache\wininet.dll
2009-07-03 12:09 1,208,832 -------- c:\windows\system32\dllcache\urlmon.dll
2009-07-03 12:09 206,848 -------- c:\windows\system32\dllcache\occache.dll
2009-07-03 12:09 594,432 -------- c:\windows\system32\dllcache\msfeeds.dll
2009-07-03 12:09 55,296 -------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-07-03 12:09 1,985,536 -------- c:\windows\system32\dllcache\iertutil.dll
2009-07-03 12:09 25,600 -------- c:\windows\system32\dllcache\jsproxy.dll
2009-07-03 12:09 184,320 -------- c:\windows\system32\dllcache\iepeers.dll
2009-07-03 12:09 386,048 -------- c:\windows\system32\dllcache\iedkcs32.dll
2009-07-03 06:01 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-06-29 11:12 133,120 -------- c:\windows\system32\dllcache\extmgr.dll
2009-06-29 06:07 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-06-20 08:00 983,076 a--sh--- c:\windows\system32\jifokija.exe

============= FINISH: 14:37:59.04 ===============
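Two things in the log above can be pulled out mechanically rather than by eye: the `LSA: Notification Packages` line, which lists `zelayira.dll` next to `scecli` (on Windows XP, `scecli` is the only entry that ships by default, so anything else is loaded into lsass.exe at logon and deserves a look), and the Find3M section, where a run of files in `system32` carry the system and hidden attributes (`a--sh---`), have eight-letter random names, and in several cases share the exact size `983,076`. The `globalroot\systemroot\` prefix in the error message is an NT object-manager path for the Windows directory, which is one reason a name search of the visible file system can come up empty. The script below is an added example, not part of the original post or of any BleepingComputer tool: it parses DDS-style lines and flags those indicators. The `SAMPLE_LOG` lines are copied from the posted log (plus one benign `atl.dll` line as a control), and the default-package baseline `{"scecli"}` is the assumption it checks against.

```python
import re
from collections import Counter

# Constructed sample: lines copied from the DDS log posted above, plus one
# benign line (atl.dll) as a control, so the checks run offline.
SAMPLE_LOG = """\
LSA: Notification Packages = scecli zelayira.dll
2009-09-21 08:01 49,152 a--sh--- c:\\windows\\system32\\zozelemu.dll
2009-09-20 20:01 983,076 a--sh--- c:\\windows\\system32\\zatarozu.exe
2009-09-19 19:30 983,076 a--sh--- c:\\windows\\system32\\hulayoba.exe
2009-09-18 19:30 39,424 a--sh--- c:\\windows\\system32\\wagisevu.dll
2009-07-17 14:01 58,880 a------- c:\\windows\\system32\\atl.dll
"""

# Assumption: on Windows XP the only LSA notification package present by
# default is scecli. Anything else is loaded into lsass.exe at logon.
KNOWN_LSA_PACKAGES = {"scecli"}

# One DDS "Find3M"/"Created Last 30" file line:
#   <date> <time> <size> <8-char attribute field> <path>
FILE_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>[\d,]+) (?P<attrs>[a-z-]{8}) (?P<path>.+)$",
    re.IGNORECASE,
)

# Eight lowercase letters followed by .dll or .exe, the naming pattern seen
# in the posted log (zozelemu.dll, zatarozu.exe, ...).
RANDOM_NAME = re.compile(r"[a-z]{8}\.(dll|exe)")


def lsa_extra_packages(log_text):
    """Return LSA notification packages that are not in the default baseline."""
    extras = []
    for line in log_text.splitlines():
        if not line.startswith("LSA: Notification Packages ="):
            continue
        for pkg in line.split("=", 1)[1].split():
            name = pkg.lower()
            if name.endswith(".dll"):
                name = name[:-4]
            if name not in KNOWN_LSA_PACKAGES:
                extras.append(pkg)
    return extras


def hidden_system_files(log_text):
    """Return (path, size) for system32 files that are both system and hidden
    and have a random-looking eight-letter basename."""
    hits = []
    for line in log_text.splitlines():
        m = FILE_LINE.match(line)
        if not m:
            continue
        attrs = m.group("attrs").lower()
        path = m.group("path").lower()
        basename = path.rsplit("\\", 1)[-1]
        if ("s" in attrs and "h" in attrs
                and "\\system32\\" in path
                and RANDOM_NAME.fullmatch(basename)):
            hits.append((path, int(m.group("size").replace(",", ""))))
    return hits


def repeated_sizes(hits):
    """Sizes shared by more than one flagged file. The same byte count under
    different random names suggests one binary being dropped repeatedly."""
    counts = Counter(size for _, size in hits)
    return {size: n for size, n in counts.items() if n > 1}


if __name__ == "__main__":
    print("Non-default LSA packages:", lsa_extra_packages(SAMPLE_LOG))
    flagged = hidden_system_files(SAMPLE_LOG)
    for path, size in flagged:
        print(f"hidden+system random name: {path} ({size} bytes)")
    print("Repeated sizes among flagged files:", repeated_sizes(flagged))
```

Run it against a full DDS log by reading the file into `log_text`; the attribute-field check is what separates the dropped files from the many hidden-but-not-system Windows Update entries in `dllcache`, which the control line shows are not flagged.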


#2 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:11:33 PM

Posted 08 October 2009 - 07:16 AM

Hello KSADrew

Welcome to BleepingComputer :(
=====================
  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
===========
Download This file. Note its name and save it to your root folder, such as C:\.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here

#3 KSADrew

KSADrew
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:09:33 PM

Posted 09 October 2009 - 07:20 AM

Oddly enough, I made contact with the client recently, and all references and recurrences of the offending dll issue are gone.

The client also advises that she hasn't had any malware/scareware infections since my last visit. Client had been streaming music from a site, slacker.com. Since she's stopped visiting that site, she has not gotten the scareware ads again.

Thanks for looking into this, but there isn't much more to pursue.

#4 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:11:33 PM

Posted 09 October 2009 - 07:39 AM

You are welcome :(


Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :(

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here
