Vundo, Anti Virus System Pro, possible other trojans


  • This topic is locked
2 replies to this topic

#1 brishen

brishen

  • Members
  • 1 posts
  • OFFLINE
  • Local time:02:14 PM

Posted 27 November 2009 - 04:47 AM

My sister said that this AM she started getting pop-ups from Anti Virus System Pro (not sure what she did. A Norton scan pulled up multiple Vundo infections and some other stuff (not sure, sorry).) For most of the evening I was unable to boot her computer in anything but Safe Mode. When I got into Norton from Safe Mode I deleted what was found, ran the Vundo fix, and afterwards she was at least able to boot normally. There are still issues I think, seeing as Malwarebytes refuses to run, even after changing the file name, etc... Right now I'm controlling her computer remotely in an attempt to fix the issues. Any help would be greatly appreciated. From what I can tell her system is a mess (she inherited this laptop from a roommate, so who knows what was on it to begin with).
Attached File  Attach.txt   6.64KB   1 downloads

DDS (Ver_09-11-24.02) - NTFSx86
Run by Owner at 3:41:25.34 on Fri 11/27/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.990.483 [GMT -5:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Remote Control PC\apc_host.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Owner\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://search.bearshare.com/
uInternet Connection Wizard,ShellNext = hxxp://www.symantecstore.com/promo=46806
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: MediaBar: {0974ba1e-64ec-11de-b2a5-e43756d89593} - c:\program files\bearsharetb\BearShareDx.dll
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
TB: MediaBar: {0974ba1e-64ec-11de-b2a5-e43756d89593} - c:\program files\bearsharetb\BearShareDx.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim] "c:\program files\aim\aim.exe" /d locale=en-US
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [mituzolej] Rundll32.exe "c:\windows\system32\ripagupa.dll",a
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_02\bin\npjpi150_02.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: c:\windows\system32\ripagupa.dll,dehodeye.dll
SSODL: jokowerej - {48daa876-cc95-4715-a45f-e0c2df9099ef} - c:\windows\system32\javinete.dll
SSODL: papazayik - {b2968211-6f96-4c5d-b46f-745b1a1d9438} - c:\windows\system32\sokodewu.dll
SSODL: bamolidur - {aca7e658-f675-4d8d-9337-56d875d94597} - c:\windows\system32\kusawezu.dll
SSODL: katoyihek - {ff34339f-14e3-451d-972c-64d415bff1d4} - c:\windows\system32\sokodewu.dll
SSODL: yayibulit - {20f9c188-0355-4262-9704-effdbca08c43} - c:\windows\system32\zabeyeyu.dll
SSODL: rabidized - {f32600c7-4673-485e-b53e-132341724838} - c:\windows\system32\ripagupa.dll
STS: jugezatag: {48daa876-cc95-4715-a45f-e0c2df9099ef} - c:\windows\system32\javinete.dll
STS: tokatiluy: {b2968211-6f96-4c5d-b46f-745b1a1d9438} - c:\windows\system32\sokodewu.dll
STS: tokatiluy: {aca7e658-f675-4d8d-9337-56d875d94597} - c:\windows\system32\kusawezu.dll
STS: tokatiluy: {ff34339f-14e3-451d-972c-64d415bff1d4} - c:\windows\system32\sokodewu.dll
STS: tokatiluy: {20f9c188-0355-4262-9704-effdbca08c43} - c:\windows\system32\zabeyeyu.dll
STS: tokatiluy: {f32600c7-4673-485e-b53e-132341724838} - c:\windows\system32\ripagupa.dll
LSA: Notification Packages = scecli huzisopo.dll vijidebo.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\396pmpbq.default\
FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us
FF - prefs.js: browser.startup.homepage - hxxp://bsaves.com/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-us&query=
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false
FF - user.js: browser.sessionstore.resume_from_crash - false
FF - user.js: yahoo.homepage.dontask - truec:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R2 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-9 602392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-11-13 102448]
S2 gupdate1ca4d06bbeba7aa;Google Update Service (gupdate1ca4d06bbeba7aa);c:\program files\google\update\GoogleUpdate.exe [2009-10-14 133104]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-6-1 23888]

=============== Created Last 30 ================

2009-11-27 07:41:13 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2009-11-27 07:41:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-27 07:41:00 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-27 07:41:00 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-27 07:40:59 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-27 07:21:56 0 d-----w- c:\program files\Remote Control PC
2009-11-27 07:21:56 0 d-----w- c:\documents and settings\all users\Remote Control PC
2009-11-27 04:10:02 0 d-----w- c:\program files\Trend Micro
2009-11-27 04:08:49 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-11 14:57:58 1 --sh--w- c:\windows\system32\jayamuja.dll
2009-11-10 12:31:08 1 --sh--w- c:\windows\system32\vejuyabe.dll
2009-11-10 12:31:05 1 --sh--w- c:\windows\system32\vazibito.dll
2009-11-10 12:08:26 1 --sh--w- c:\windows\system32\zevoyula.dll
2009-11-10 12:08:25 1 --sh--w- c:\windows\system32\diduneso.dll
2009-11-10 11:45:40 1 --sh--w- c:\windows\system32\zulejiso.dll
2009-11-10 11:45:40 1 --sh--w- c:\windows\system32\zogumola.dll
2009-11-10 11:45:40 1 --sh--w- c:\windows\system32\lifabopu.dll
2009-11-09 23:39:25 1 --sh--w- c:\windows\system32\yozalamo.dll
2009-11-09 23:39:23 1 --sh--w- c:\windows\system32\pelawohi.dll
2009-11-09 23:39:21 1 --sh--w- c:\windows\system32\wivamobo.dll

==================== Find3M ====================

2009-10-16 14:14:49 10573 ----a-w- c:\docume~1\alluse~1\applic~1\dulebux.exe
2009-10-15 23:09:06 14427 ----a-w- c:\docume~1\alluse~1\applic~1\hoqugiv.dat
2009-10-15 23:09:06 11070 ----a-w- c:\windows\cocupuj.exe
2009-10-15 23:09:05 12312 ----a-w- c:\docume~1\owner\applic~1\omujicydir.exe
2009-10-15 23:09:05 12087 ----a-w- c:\windows\system32\repisufuny.com
2009-10-15 23:09:05 11240 ----a-w- c:\windows\xubar.dll
2009-10-15 23:09:05 10590 ----a-w- c:\program files\common files\fijahar.db
2009-10-06 21:37:03 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-10-06 21:37:03 60800 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-10-06 21:37:03 123952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-10-06 21:37:03 10563 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-10-06 20:38:50 8552 ----a-w- c:\windows\system32\drivers\asctrm.sys
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-22 04:07:44 38912 --sha-w- c:\windows\system32\bitoduze.dll
2009-08-13 02:58:27 38912 --sha-w- c:\windows\system32\bopoyufi.dll
2009-08-13 14:58:44 90112 --sha-w- c:\windows\system32\fonoriga.dll
2009-08-19 03:01:39 38400 --sha-w- c:\windows\system32\fusizota.dll
2009-08-11 01:43:41 1 --sha-w- c:\windows\system32\golopate.dll
2009-08-25 15:00:42 38400 --sha-w- c:\windows\system32\higarebu.dll
2009-08-08 23:06:51 38912 --sha-w- c:\windows\system32\hiheteki.dll
2009-08-10 11:45:06 1 --sha-w- c:\windows\system32\hoyovize.dll
2009-08-19 16:06:07 38912 --sha-w- c:\windows\system32\huzomopo.dll
2009-08-20 04:06:25 38400 --sha-w- c:\windows\system32\jejuvusu.dll
2009-08-10 11:45:06 1 --sha-w- c:\windows\system32\jewonaka.dll
2009-08-09 23:39:11 1 --sha-w- c:\windows\system32\jidibupi.dll
2009-08-23 18:44:43 38400 --sha-w- c:\windows\system32\kizonivo.dll
2009-08-10 12:08:20 1 --sha-w- c:\windows\system32\kosojebi.dll
2009-08-21 04:07:07 39424 --sha-w- c:\windows\system32\lanimaye.dll
2009-08-19 03:01:39 52224 --sha-w- c:\windows\system32\luravufa.dll
2009-08-19 03:01:40 45568 --sha-w- c:\windows\system32\matedibu.dll
2009-08-23 06:44:21 38400 --sha-w- c:\windows\system32\movezisa.dll
2009-08-11 01:20:11 1 --sha-w- c:\windows\system32\mururere.dll
2009-08-10 11:45:06 1 --sha-w- c:\windows\system32\nerafipa.dll
2009-08-13 14:58:44 38400 --sha-w- c:\windows\system32\ribalofe.dll
2009-08-27 07:03:07 92672 --sha-w- c:\windows\system32\ripagupa.dll
2009-08-24 06:44:48 38400 --sha-w- c:\windows\system32\rojolutu.dll
2009-08-26 15:01:36 38912 --sha-w- c:\windows\system32\saperiho.dll
2009-08-25 03:00:31 39424 --sha-w- c:\windows\system32\satakasu.dll
2009-08-11 01:43:41 1 --sha-w- c:\windows\system32\segopine.dll
2009-08-13 02:58:27 90112 --sha-w- c:\windows\system32\sonumiwo.dll
2009-08-19 16:06:07 92672 --sha-w- c:\windows\system32\suniyewe.dll
2009-08-26 03:01:43 52224 --sha-w- c:\windows\system32\takiruri.dll
2009-08-26 03:01:05 92672 --sha-w- c:\windows\system32\tarovepe.dll
2009-08-21 16:07:31 38912 --sha-w- c:\windows\system32\timijapu.dll
2009-08-11 01:20:11 1 --sha-w- c:\windows\system32\tisozeze.dll
2009-08-26 03:01:05 52224 --sha-w- c:\windows\system32\velumigi.dll
2009-08-10 12:08:20 1 --sha-w- c:\windows\system32\vewakazu.dll
2009-08-26 03:01:43 52224 --sha-w- c:\windows\system32\vijidebo.dll
2009-08-11 01:20:11 1 --sha-w- c:\windows\system32\vugijazu.dll
2009-08-10 12:31:01 1 --sha-w- c:\windows\system32\watuhihi.dll
2009-08-11 01:43:41 1 --sha-w- c:\windows\system32\wetemawo.dll
2009-08-18 15:01:22 51712 --sha-w- c:\windows\system32\wimavogu.dll
2009-08-11 14:57:45 1 --sha-w- c:\windows\system32\wimoroka.dll
2009-08-09 23:39:11 1 --sha-w- c:\windows\system32\yibisusi.dll
2009-08-09 23:39:11 1 --sha-w- c:\windows\system32\yukikono.dll
2009-08-10 12:31:01 1 --sha-w- c:\windows\system32\zonedito.dll
2009-08-27 07:03:07 38400 --sha-w- c:\windows\system32\zubufoba.dll

============= FINISH: 3:42:43.03 ===============

Attached Files

  • Attached File  Ark.txt   6.44KB   0 downloads
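The DDS log above contains the persistence pattern typical of the Vundo family of that period: random eight-letter DLL names in system32 registered under AppInit_DLLs, as ShellServiceObjectDelayLoad (SSODL) and shell-execute hook (STS) objects, as extra LSA Notification Packages, and launched from a Run key via Rundll32, plus hidden+system 1-byte placeholder DLLs in the file listings. The script below is an added example, not code from the poster or from BleepingComputer: it parses DDS-style lines and flags those indicators for triage. The sample lines are copied from the log in this post; the eight-lowercase-letter name rule and the assumption that scecli is the only default LSA Notification Package on XP are heuristics, not a signature.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Sample DDS lines, copied from the log posted above (constructed test input).
SAMPLE_LOG = r"""mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [mituzolej] Rundll32.exe "c:\windows\system32\ripagupa.dll",a
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: c:\windows\system32\ripagupa.dll,dehodeye.dll
SSODL: jokowerej - {48daa876-cc95-4715-a45f-e0c2df9099ef} - c:\windows\system32\javinete.dll
STS: tokatiluy: {b2968211-6f96-4c5d-b46f-745b1a1d9438} - c:\windows\system32\sokodewu.dll
LSA: Notification Packages = scecli huzisopo.dll vijidebo.dll
2009-11-11 14:57:58 1 --sh--w- c:\windows\system32\jayamuja.dll
2009-08-27 07:03:07 92672 --sha-w- c:\windows\system32\ripagupa.dll
2009-10-06 21:37:03 60800 ----a-w- c:\windows\system32\S32EVNT1.DLL
"""

# Heuristic: Vundo droppers of this era used eight-letter DLL names such as
# ripagupa.dll or sokodewu.dll. Legitimate DLLs can match too, so this is a
# triage hint, not proof.
RANDOM_DLL = re.compile(r"(?:^|\\)([a-z]{8})\.dll$", re.IGNORECASE)

# Assumption: a default Windows XP install lists only scecli here.
DEFAULT_LSA_PACKAGES = {"scecli"}

# DDS file-listing line: "YYYY-MM-DD HH:MM:SS size flags path"
FILE_LINE = re.compile(r"^(\d{4}-\d\d-\d\d) (\d\d:\d\d:\d\d) (\d+) (\S{8}) (.+)$")


@dataclass
class Finding:
    rule: str
    detail: str


def _random_name(path: str) -> bool:
    return RANDOM_DLL.search(path.strip().strip('"')) is not None


def check_line(line: str) -> List[Finding]:
    """Return the findings for one DDS log line (empty list when nothing is flagged)."""
    findings: List[Finding] = []
    line = line.rstrip()

    # 1. AppInit_DLLs are injected into every process that loads user32.dll,
    #    so every entry must be accounted for.
    if line.startswith("AppInit_DLLs:"):
        for dll in line.split(":", 1)[1].split(","):
            findings.append(Finding("appinit_dll", dll.strip()))

    # 2. LSA Notification Packages load into lsass at boot; anything beyond
    #    the default package is worth a look.
    elif line.startswith("LSA: Notification Packages"):
        for pkg in line.split("=", 1)[1].split():
            if pkg.lower() not in DEFAULT_LSA_PACKAGES:
                findings.append(Finding("lsa_notification_package", pkg))

    # 3. SSODL / STS objects pointing at random-named DLLs: Vundo persistence.
    elif line.startswith(("SSODL:", "STS:")):
        path = line.rsplit(" - ", 1)[-1]
        if _random_name(path):
            findings.append(Finding("shell_object_random_dll", path))

    # 4. Run keys that launch Rundll32 on a random-named DLL.
    elif line.startswith(("mRun:", "uRun:")) and "rundll32" in line.lower():
        m = re.search(r'"?([^"]+\.dll)"?', line, re.IGNORECASE)
        if m and _random_name(m.group(1)):
            findings.append(Finding("run_key_rundll32_random_dll", m.group(1)))

    # 5. File listing: hidden+system DLLs that are 1-byte placeholders or
    #    random-named are dropper leftovers.
    else:
        m = FILE_LINE.match(line)
        if m:
            size, flags, path = int(m.group(3)), m.group(4), m.group(5)
            hidden_system = "s" in flags and "h" in flags
            if hidden_system and path.lower().endswith(".dll") and (
                size == 1 or _random_name(path)
            ):
                findings.append(Finding("hidden_system_dll", f"{path} ({size} bytes)"))
    return findings


def scan_log(text: str) -> List[Finding]:
    """Run check_line over every line of a DDS log."""
    return [f for line in text.splitlines() for f in check_line(line)]


def summarize(text: str) -> Dict[str, int]:
    """Count findings per rule; useful as a first pass before reading the log."""
    return dict(Counter(f.rule for f in scan_log(text)))


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding.rule:32s} {finding.detail}")
    print(summarize(SAMPLE_LOG))
```

Run against a full DDS log, the output gives the set of DLLs to cross-check against the Created Last 30 and Find3M sections; for this machine every rule fires, which matches the multiple Vundo detections the poster's Norton scan reported.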



#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:09:14 PM

Posted 27 November 2009 - 06:02 AM

Hi,

To run Malwarebytes when you get the error code 2 during install, or mbam.exe gets deleted, please see here:

http://www.malwarebytes.org/forums/index.php?showtopic=29028
Once Malwarebytes opens, click the "Update" tab, click "Check for Updates" in order to download the updates.
Then run the scan, let mbam quarantine/delete what it found and reboot afterwards.
After reboot, post the Malwarebytes log together with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:09:14 PM

Posted 22 December 2009 - 10:35 AM

Due to the lack of feedback, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
