Advanced Virus Remover, yavaneyu.dll (Trojan.Vundo) and others


This topic is locked. 2 replies to this topic.

#1 ireallyhatemalware (Members, 3 posts)

Posted 01 December 2009 - 03:15 AM

I had Advanced Virus Remover and may still have remnants. I was unable to run Malwarebytes' Anti-Malware when I first discovered the infection; however, it seemed to be due to mbam.exe being removed. I replaced mbam.exe with another mbam.exe but named test.exe and was able to get the program to run. It found many issues... I have the logs if they are needed. This cleaned the PC up a lot, but I am still getting popups when not even on the web. Some links are redirecting me to links that always start with "buyonlinedating.net" followed by other stuff. I have run Malwarebytes' Anti-Malware many times and, after the first run, it continues to come back with about the same number of items:
Memory Processes Infected: 0
Memory Modules Infected: 4
Registry Keys Infected: 1
Registry Values Infected: 5
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 8
I thought that I would try to boot into safe mode and run Malwarebytes' Anti-Malware from there, but when I tried to get into safe mode, I would get the prompt with choices for various safe modes, but once I selected one, the computer seems to restart, never making it into safe mode; however, if I choose "Start Windows Normally", then XP starts right up.

Hopefully I have provided enough of a description of the issue that someone out there can help me out.

DDS.txt:

DDS (Ver_09-11-29.01) - NTFSx86
Run by Darrell at 1:48:38.57 on Tue 12/01/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.65 [GMT -6:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\svchost -k Panda
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2010\PsImSvc.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2010\PskSvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Malwarebytes' Anti-Malware\test.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Darrell\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [EPSON Stylus CX9400Fax Series] c:\windows\system32\spool\drivers\w32x86\3\e_faticfa.exe /fu "c:\windows\temp\E_S10B.tmp" /EF "HKCU"
uRun: [ISW.exe] "c:\program files\at&t\internet security wizard\ISW.exe" /AUTORUN
uRun: [Google Update] "c:\documents and settings\darrell\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [calc] rundll32.exe c:\docume~1\darrell\ntuser.dll,_IWMPEvents@0
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\test.exe" /runcleanupscript
mRun: [APVXDWIN] "c:\program files\panda security\panda antivirus pro 2010\APVXDWIN.EXE" /s
mRun: [SCANINICIO] "c:\program files\panda security\panda antivirus pro 2010\Inicio.exe"
mRun: [calc] rundll32.exe c:\windows\system32\calc.dll,_IWMPEvents@0
mRun: [nawebowim] Rundll32.exe "c:\windows\system32\vevesadi.dll",a
dRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit
mPolicies-system: EnableLUA = 0 (0x0)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: ameritrade.com
Trusted Zone: tdameritrade.com
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://echat.bellsouth.net/sdccommon/download/tgctlcm.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {10E0E75E-6701-4134-9D95-C0942ED1F1C8} - hxxp://www1.snapfish.com/SnapfishOutlookImport.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - hxxps://setup.bellsouth.net/wizlet/PWReset/static/controls/WebflowActiveXInstaller_6-1-2.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www1.snapfish.com/SnapfishActivia.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
DPF: {55027008-315F-4F45-BBC3-8BE119764741} - hxxp://www.slide.com/uploader/SlideImageUploader.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - hxxp://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} - hxxps://pbells.broadjump.com/wizlet/iw60/static/controls/WebflowActiveX.CAB
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38171.3079398148
DPF: {A8683C98-5341-421B-B23C-8514C05354F1} - hxxp://www.samsphotoclub.com/upload/FujifilmUploadClient.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {EA7F451B-94DD-4009-A8BF-8F977B0B2696} - hxxp://pbells.broadjump.com/wizlet/StandardInstall/static/controls/WebflowActiveXInstaller_4-2-0.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avldr - avldr.dll
AppInit_DLLs: yavaneyu.dll c:\windows\system32\vevesadi.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: sopenamib - {a27f93dc-4531-4a63-83c6-79e3c63af8fd} - c:\windows\system32\vevesadi.dll
STS: jugezatag: {a27f93dc-4531-4a63-83c6-79e3c63af8fd} - c:\windows\system32\vevesadi.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli scecli scecli yodutiti.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\darrell\applic~1\mozilla\firefox\profiles\kzy944ac.default
FF - plugin: c:\documents and settings\darrell\application data\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\darrell\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPcol400.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-8-6 28544]
R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2004-7-2 75904]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-8-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-8-5 74480]
R2 Gwmsrv;Panda Goodware Cache Manager;c:\windows\system32\svchost -k panda --> c:\windows\system32\svchost -k Panda [?]
R2 PAVDRV;pavdrv;c:\windows\system32\drivers\pavdrv51.sys [2009-11-30 84024]
R2 PskSvcRetail;Panda PSK service;c:\program files\panda security\panda antivirus pro 2010\psksvc.exe [2009-11-30 28928]
R4 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-11-29 38224]
S2 Panda Software Controller;Panda Software Controller;c:\program files\panda security\panda antivirus pro 2010\PsCtrlS.exe [2009-11-30 173312]
S2 PAVFNSVR;Panda Function Service;c:\program files\panda security\panda antivirus pro 2010\PavFnSvr.exe [2009-11-30 169216]
S2 PAVSRV;Panda On-Access Anti-Malware Service;c:\program files\panda security\panda antivirus pro 2010\PAVSRV51.EXE [2009-11-30 290048]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 iteio;iteio;c:\windows\system32\drivers\Iteio.sys [2004-7-2 3680]
S3 PavTPK.sys;PavTPK.sys;\??\c:\windows\system32\pavtpk.sys --> c:\windows\system32\PavTPK.sys [?]
S3 PinnacleMovieBox;Pinnacle Systems MovieBox USB Device;c:\windows\system32\drivers\PcleMBox.sys [2005-10-7 995456]
S3 PRISM_USB;D-Link Air DWL-122 Wireless USB Adapter Driver;c:\windows\system32\drivers\PRISMUSB.sys [2004-7-2 636416]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-8-5 7408]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]
S3 Vsp;Vsp;\??\c:\windows\system32\drivers\vsp.sys --> c:\windows\system32\drivers\Vsp.sys [?]

============== File Associations ===============

JSEFile=c:\progra~1\pandas~1\pandaa~1\PavScrip.exe "%1" %*
VBEFile=c:\progra~1\pandas~1\pandaa~1\PavScrip.exe "%1" %*
VBSFile=c:\progra~1\pandas~1\pandaa~1\PavScrip.exe "%1" %*

=============== Created Last 30 ================

2009-12-01 06:20:27 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-12-01 06:20:27 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-12-01 03:33:23 0 ----a-w- c:\windows\system32\15724.exe
2009-12-01 03:13:22 0 ----a-w- c:\windows\system32\19169.exe
2009-12-01 02:53:21 0 ----a-w- c:\windows\system32\26500.exe
2009-12-01 01:25:07 0 d-----w- c:\program files\AntiMalware
2009-12-01 01:06:26 8627 ----a-w- c:\windows\system32\PAV_FOG.OPC
2009-12-01 01:03:59 250 ----a-w- c:\windows\system32\PavCPL.dat
2009-12-01 01:03:23 54832 ----a-w- c:\windows\system32\pavcpl.cpl
2009-12-01 01:03:03 446464 ----a-w- c:\windows\system32\HHActiveX.dll
2009-12-01 01:02:52 193792 ----a-w- c:\windows\system32\TpUtil.dll
2009-12-01 01:02:51 87296 ----a-w- c:\windows\system32\PavLspHook.dll
2009-12-01 01:02:51 55552 ----a-w- c:\windows\system32\pavipc.dll
2009-12-01 01:02:51 518400 ----a-w- c:\windows\system32\PavSHook.dll
2009-12-01 01:02:51 107568 ----a-w- c:\windows\system32\SYSTOOLS.DLL
2009-12-01 01:02:47 84024 ----a-w- c:\windows\system32\drivers\pavdrv51.sys
2009-12-01 01:02:47 58672 ----a-w- c:\windows\system32\avldr.dll
2009-12-01 01:02:46 0 d-----w- c:\windows\system32\PAV
2009-12-01 01:02:43 0 d-----w- c:\docume~1\darrell\applic~1\Panda Security
2009-12-01 01:02:43 0 d-----w- c:\docume~1\alluse~1\applic~1\Panda Security
2009-12-01 01:00:09 0 ------w- c:\windows\PAVSHRB.INI
2009-12-01 00:59:34 0 d-----w- c:\program files\common files\Panda Security
2009-12-01 00:55:42 59 ----a-w- c:\windows\system32\dmintpuv.dat
2009-12-01 00:55:42 260 ----a-w- c:\windows\system32\msaayext.dat
2009-12-01 00:55:42 260 ----a-w- c:\windows\system32\kbdlm.dat
2009-12-01 00:55:42 0 ----a-w- c:\windows\system32\iashapr.dat
2009-12-01 00:43:52 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-12-01 00:37:13 139264 ----a-w- c:windowsmanagerapp.exe
2009-11-30 22:08:17 164 ----a-w- C:\xcrashdump.dat
2009-11-30 22:07:43 5671 ----a-w- c:\windows\system32\mqperzt.dat
2009-11-30 22:07:43 2245 ----a-w- c:\windows\system32\mf321pr.dat
2009-11-30 22:07:43 118 ----a-w- c:\windows\system32\quartwhm.dat
2009-11-30 22:07:42 296 ----a-w- c:\windows\system32\rastms.dat
2009-11-30 22:07:42 0 ----a-w- c:\windows\system32\xmllire.dat
2009-11-30 22:07:16 143360 ----a-w- C:\yejhlljf.exe
2009-11-30 22:07:11 130560 ----a-w- C:\lkdj.exe
2009-11-29 21:57:25 0 ----a-w- c:\windows\system32\6334.exe
2009-11-29 21:39:48 0 d-----w- c:\docume~1\darrell\applic~1\Malwarebytes
2009-11-29 21:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-29 21:39:36 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-29 21:39:36 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-29 21:37:24 0 ----a-w- c:\windows\system32\18467.exe
2009-11-16 15:37:50 202072 ----a-r- c:\windows\system32\cpnprt2.cid
2009-11-16 15:37:44 0 d-----w- c:\program files\Coupons

==================== Find3M ====================

2009-11-03 02:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-30 22:37:36 27136 --sha-w- c:\windows\system32\fopijunu.exe
2009-03-21 14:06:58 24064 --sha-w- c:\windows\system32\config\systemprofile\ntuser.dll
2009-08-06 00:04:44 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2008-09-05 07:03:11 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090520080906\index.dat
2009-03-21 14:06:58 24064 --sha-w- c:\windows\system32\config\systemprofile\start menu\programs\startup\scandisk.dll

============= FINISH: 1:50:32.29 ===============

RootRepeal report:
ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/12/01 01:53
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: H8SRTbrfvklrniq.sys
Image Path: C:\WINDOWS\system32\drivers\H8SRTbrfvklrniq.sys
Address: 0xF309F000 Size: 114688 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEC23B000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\h8srtcfg.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\H8SRTmorryidupr.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\H8SRTqiulqlbqkx.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\H8SRTtepkteufpj.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\calc.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\H8SRTxjkoenbods.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\H8SRT15dc.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\H8SRT15ec.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\H8SRT52d9.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\H8SRTb0b8.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\H8SRTb725.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\H8SRTd235.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\H8SRTe3de.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Darrell\ntuser.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\H8SRTbrfvklrniq.sys
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\config\systemprofile\ntuser.dll
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Darrell\Start Menu\Programs\Startup\scandisk.dll
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Darrell\Start Menu\Programs\Startup\scandisk.lnk
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\scandisk.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\scandisk.lnk
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Darrell\Application Data\Mozilla\Firefox\Profiles\kzy944ac.default\sessionstore.js
Status: Could not get file information (Error 0xc0000008)

Path: c:\documents and settings\darrell\local settings\application data\mozilla\firefox\profiles\kzy944ac.default\cache\_cache_001_
Status: Size mismatch (API: 445389, Raw: 442064)

Path: c:\documents and settings\darrell\local settings\application data\mozilla\firefox\profiles\kzy944ac.default\cache\_cache_002_
Status: Size mismatch (API: 408732, Raw: 396010)

Path: c:\documents and settings\darrell\local settings\application data\mozilla\firefox\profiles\kzy944ac.default\cache\_cache_003_
Status: Size mismatch (API: 1094808, Raw: 1070183)

Stealth Objects
-------------------
Object: Hidden Module [Name: H8SRTtepkteufpj.dll]
Process: svchost.exe (PID: 916) Address: 0x00c40000 Size: 65536

Object: Hidden Module [Name: H8SRTqiulqlbqkx.dll]
Process: svchost.exe (PID: 916) Address: 0x02ba0000 Size: 2211840

Object: Hidden Module [Name: H8SRTmorryidupr.dll]
Process: Explorer.EXE (PID: 2816) Address: 0x00e10000 Size: 106496

Hidden Services
-------------------
Service Name: H8SRTd.sys
Image Path: C:\WINDOWS\system32\drivers\H8SRTbrfvklrniq.sys

==EOF==



My latest mbam-log:

Malwarebytes' Anti-Malware 1.41
Database version: 3265
Windows 5.1.2600 Service Pack 3

12/1/2009 1:25:34 AM
mbam-log-2009-12-01 (01-25-34).txt

Scan type: Full Scan (C:\|)
Objects scanned: 253890
Time elapsed: 54 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 4
Registry Keys Infected: 1
Registry Values Infected: 5
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\yavaneyu.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\calc.dll (Trojan.Agent) -> Delete on reboot.
c:\WINDOWS\system32\vevesadi.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\yodutiti.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{a27f93dc-4531-4a63-83c6-79e3c63af8fd} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nawebowim (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{a27f93dc-4531-4a63-83c6-79e3c63af8fd} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\sopenamib (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\vevesadi.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\vevesadi.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\vevesadi.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\yavaneyu.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\calc.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\yodutiti.dll (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\Darrell\ntuser.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Darrell\Start Menu\Programs\Startup\scandisk.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Darrell\Start Menu\Programs\Startup\scandisk.lnk (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Darrell\Local Settings\Temp\nsrbgxod.bak (Trojan.Agent) -> Delete on reboot.

I have also uploaded Attach.txt as directed in posting instructions.

Please help!!

Here is my HijackThis log as well:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:19:09 AM, on 12/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2010\PsImSvc.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2010\PskSvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Malwarebytes' Anti-Malware\test.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\test.exe" /runcleanupscript
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Antivirus Pro 2010\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Security\Panda Antivirus Pro 2010\Inicio.exe"
O4 - HKLM\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\calc.dll,_IWMPEvents@0
O4 - HKLM\..\Run: [nawebowim] Rundll32.exe "c:\windows\system32\vevesadi.dll",a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus CX9400Fax Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICFA.EXE /FU "C:\WINDOWS\TEMP\E_S10B.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [ISW.exe] "C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" /AUTORUN
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Darrell\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [calc] rundll32.exe C:\DOCUME~1\Darrell\ntuser.dll,_IWMPEvents@0
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://echat.bellsouth.net/sdccommon/download/tgctlcm.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {10E0E75E-6701-4134-9D95-C0942ED1F1C8} (Snapfish Outlook Import ActiveX Control) - http://www1.snapfish.com/SnapfishOutlookImport.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://setup.bellsouth.net/wizlet/PWReset/...aller_6-1-2.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase1140.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://pbells.broadjump.com/wizlet/iw60/st...flowActiveX.CAB
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://www.samsphotoclub.com/upload/FujifilmUploadClient.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {EA7F451B-94DD-4009-A8BF-8F977B0B2696} - http://pbells.broadjump.com/wizlet/Standar...aller_4-2-0.cab
O20 - AppInit_DLLs: yavaneyu.dll c:\windows\system32\vevesadi.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: sopenamib - {a27f93dc-4531-4a63-83c6-79e3c63af8fd} - c:\windows\system32\vevesadi.dll
O22 - SharedTaskScheduler: jugezatag - {a27f93dc-4531-4a63-83c6-79e3c63af8fd} - c:\windows\system32\vevesadi.dll
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Panda Software Controller - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2010\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2010\PavFnSvr.exe
O23 - Service: Panda On-Access Anti-Malware Service (PAVSRV) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2010\pavsrv51.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Security S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2010\PsImSvc.exe
O23 - Service: Panda PSK service (PskSvcRetail) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2010\PskSvc.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: Panda TPSrv (TPSrv) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2010\TPSrv.exe

--
End of file - 9724 bytes

Merged posts. ~ OB


Edited by Orange Blossom, 01 December 2009 - 10:53 PM.
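The tell-tale pattern in the log above is one DLL (vevesadi.dll) wired into three separate autostart hooks (O20 AppInit_DLLs, O21 SSODL, O22 SharedTaskScheduler) under the same CLSID. The triage script below is an added example, not part of this thread or of HijackThis; it parses O20/O21/O22/O23 lines and flags any module loaded through AppInit_DLLs or referenced from two or more independent hooks. The sample lines are copied from the log with the stripped backslashes restored, plus one benign iPod service line for contrast.

```python
import re
from collections import defaultdict

# Constructed sample: HijackThis lines from the log above (backslashes restored)
# plus one benign O23 line for contrast. Everything else here is added example code.
SAMPLE_LOG = r"""
O20 - AppInit_DLLs: yavaneyu.dll c:\windows\system32\vevesadi.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: sopenamib - {a27f93dc-4531-4a63-83c6-79e3c63af8fd} - c:\windows\system32\vevesadi.dll
O22 - SharedTaskScheduler: jugezatag - {a27f93dc-4531-4a63-83c6-79e3c63af8fd} - c:\windows\system32\vevesadi.dll
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# HijackThis sections that describe a module loaded at boot or logon.
HOOK_TYPES = {"O20", "O21", "O22", "O23"}
FULL_PATH = re.compile(r"[A-Za-z]:\\.+?\.(?:dll|exe)\b", re.IGNORECASE)
BARE_NAME = re.compile(r"\b[\w.-]+\.(?:dll|exe)\b", re.IGNORECASE)

def modules_in(line):
    """Lowercased basenames of every DLL/EXE named on one HijackThis line."""
    names = [p.rsplit("\\", 1)[-1] for p in FULL_PATH.findall(line)]
    rest = FULL_PATH.sub(" ", line)  # bare names remain (AppInit_DLLs style)
    names += BARE_NAME.findall(rest)
    return sorted({n.lower() for n in names})

def hooks_by_module(log):
    """Map module basename -> set of hooks ('O21 SSODL', ...) that load it."""
    hooks = defaultdict(set)
    for line in log.splitlines():
        m = re.match(r"(O\d{1,2}) - ([^:]+):", line)
        if not m or m.group(1) not in HOOK_TYPES:
            continue
        for name in modules_in(line):
            hooks[name].add(f"{m.group(1)} {m.group(2)}")
    return dict(hooks)

def triage(log):
    """Flag modules injected via AppInit_DLLs or wired into two or more
    independent autostart hooks, the pattern the Vundo DLL shows above."""
    findings = {}
    for name, descs in hooks_by_module(log).items():
        reasons = []
        if any("AppInit_DLLs" in d for d in descs):
            reasons.append("loaded into every process via AppInit_DLLs")
        if len(descs) >= 2:
            reasons.append(f"registered under {len(descs)} autostart hooks")
        if reasons:
            findings[name] = reasons
    return findings
```

Run `triage(SAMPLE_LOG)` to get the flagged basenames; a clean log should produce only the DLLs you can account for, and anything hit by both rules deserves the same scrutiny the helper gives this thread's O20/O21/O22 entries.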




#2 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,252 posts
  • Gender:Female
  • Location:Romania
  • Local time:07:35 PM

Posted 14 December 2009 - 04:11 PM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results. Post both logs (no need to zip attach.txt).
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
Please be patient and I'd be grateful if you would note the following
  • The cleaning process is not instant. DDS logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new DDS log (don't forget attach.txt)
  • GMER log


Please give me some time to review your logs and take the steps necessary with you to get your machine back in working order clean and free of malware.

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#3 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,252 posts
  • Gender:Female
  • Location:Romania
  • Local time:07:35 PM

Posted 19 December 2009 - 03:33 AM

Due to lack of feedback, this topic is now closed.

If you are the original topic starter and you need this topic to be re-opened, please send me a PM.

Everyone else, please start a new topic.

regards, Elise

