Infected with vundo and maybe others


  • This topic is locked
14 replies to this topic

#1 ladykay

ladykay

  • Members
  • 8 posts
  • OFFLINE
  • Local time:04:29 AM

Posted 03 December 2009 - 01:57 PM

Hello,

I'm working on a friend's laptop, and it seems to be infected with a Vundo Trojan. The machine has an updated Mcafee antivirus and firewall package installed, and I have run it multiple times. Occasionally, it will find something, but never completely cleans it.

I've also used the free online Trend Micro scan, and come up with nothing.

I then looked at some other forum postings and decided to try Malwarebytes Anti-Malware, but it will not execute. After installation, I get a "cannot find exe" error of some sort.

When using HijackThis, I find some anomalies, but every time I "repair" them, they reappear within seconds on my next scan.

I appreciate any help that you can provide.

Here's my DDS log:


DDS (Ver_09-12-01.01) - NTFSx86
Run by Lurica at 12:12:05.59 on Thu 12/03/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1425 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TDispVol.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\RAMASST.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Documents and Settings\Lurica\My Documents\downloads\HijackThis.exe
C:\WINDOWS\regedit.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Lurica\My Documents\downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearchAssistant = hxxp://www.google.com/ie
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: McAfee AntiPhishing Filter: {41d68ed8-4cff-4115-88a6-6ebb8af19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn3\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
mRun: [TFncKy] TFncKy.exe
mRun: [TDispVol] TDispVol.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [TPSMain] TPSMain.exe
mRun: [PadTouch] c:\program files\toshiba\touch and launch\PadExe.exe
mRun: [CFSServ.exe] CFSServ.exe -NoClient
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [tolilabas] Rundll32.exe "c:\windows\system32\jiruvepi.dll",a
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - {7DD73374-7187-4103-8F29-622AA25E7C40} - c:\program files\mcafee\spamkiller\mcapfbho.dll
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} - hxxp://games.myspace.com/Gameshell/GameHost/1.0/OberonGameHost.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: didutaso.dll c:\windows\system32\jiruvepi.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: kiwemukid - {12a248ad-1857-49e1-9f23-544303d24914} - c:\windows\system32\jiruvepi.dll
STS: gahurihor: {12a248ad-1857-49e1-9f23-544303d24914} - c:\windows\system32\jiruvepi.dll
LSA: Notification Packages = scecli kuzeyogi.dll woborugu.dll
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-6-9 214664]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-11-27 210216]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-6-9 359952]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-6-9 144704]
R2 RUBotted;Trend Micro RUBotted Service;c:\program files\trend micro\rubotted\TMRUBotted.exe [2009-11-27 582992]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-8-27 92008]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-6-9 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-6-9 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-6-9 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-6-9 40552]
R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [2009-11-27 206608]
S2 gupdate1ca5458ca67cb1;Google Update Service (gupdate1ca5458ca67cb1);c:\program files\google\update\GoogleUpdate.exe [2009-10-23 133104]
S3 IO_Memory;IO_Memory;\??\c:\sysprep\drivers\ioport.sys --> c:\sysprep\drivers\ioport.sys [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-6-9 34248]
S3 SVRPEDRV;SVRPEDRV;\??\c:\sysprep\pedrv.sys --> c:\sysprep\PEDrv.sys [?]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [2009-11-27 206608]

=============== Created Last 30 ================

2009-12-02 18:23:06 0 d-----w- c:\docume~1\lurica\applic~1\Malwarebytes
2009-12-02 18:22:57 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-27 20:56:32 206608 ----a-w- c:\windows\system32\drivers\TMPassthru.sys
2009-11-27 20:56:30 0 d-----w- c:\program files\Trend Micro

==================== Find3M ====================

2009-10-21 02:22:36 1744 ----a-w- c:\docume~1\lurica\applic~1\wklnhst.dat
2009-09-19 21:05:02 33392 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-02 15:01:09 52736 --sha-w- c:\windows\system32\didutaso.dll
2009-09-02 03:00:05 51712 --sha-w- c:\windows\system32\dizupiva.dll
2009-09-02 03:00:20 51712 --sha-w- c:\windows\system32\futakoze.dll
2009-09-03 03:00:59 38400 --sha-w- c:\windows\system32\hogayapu.dll
2009-09-02 15:00:30 52736 --sha-w- c:\windows\system32\husowipe.dll
2009-09-03 16:15:17 92160 --sha-w- c:\windows\system32\jiruvepi.dll
2009-08-27 20:42:07 51712 --sha-w- c:\windows\system32\joyapate.dll
2009-09-02 15:01:09 52736 --sha-w- c:\windows\system32\kebevujo.dll
2009-08-27 20:42:07 38400 --sha-w- c:\windows\system32\labazemi.dll
2009-08-27 20:42:07 92672 --sha-w- c:\windows\system32\mewisale.dll
2009-09-02 15:00:30 38912 --sha-w- c:\windows\system32\pewejima.dll
2009-09-02 03:00:20 39424 --sha-w- c:\windows\system32\romopifo.dll
2009-09-02 03:00:20 91648 --sha-w- c:\windows\system32\ruginefo.dll
2009-09-02 15:01:09 52736 --sha-w- c:\windows\system32\woborugu.dll
2009-09-03 16:15:17 38400 --sha-w- c:\windows\system32\zabodowo.dll
2008-08-29 07:07:21 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082920080830\index.dat

============= FINISH: 12:13:14.93 ===============

Attached Files
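As an added illustration (not part of the thread and not code from DDS, HijackThis or any other tool mentioned here), the Python script below applies the same reading a malware analyst gives this DDS log: it flags system32 DLLs that are hidden+system (`--sha-w-`) with eight-random-letter names, and cross-references them with the load points the log reports (AppInit_DLLs, SSODL, STS, LSA Notification Packages, Run keys). The sample input is a handful of lines copied from the log above and embedded inline so it runs offline.

```python
import re
from collections import defaultdict

# Constructed sample input: lines copied from the DDS log posted above, embedded
# here so the example runs offline. In practice, pass the whole DDS.txt.
SAMPLE_DDS = r"""
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [tolilabas] Rundll32.exe "c:\windows\system32\jiruvepi.dll",a
AppInit_DLLs: didutaso.dll c:\windows\system32\jiruvepi.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: kiwemukid - {12a248ad-1857-49e1-9f23-544303d24914} - c:\windows\system32\jiruvepi.dll
STS: gahurihor: {12a248ad-1857-49e1-9f23-544303d24914} - c:\windows\system32\jiruvepi.dll
LSA: Notification Packages = scecli kuzeyogi.dll woborugu.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-02 15:01:09 52736 --sha-w- c:\windows\system32\didutaso.dll
2009-09-03 16:15:17 92160 --sha-w- c:\windows\system32\jiruvepi.dll
2009-09-02 15:01:09 52736 --sha-w- c:\windows\system32\woborugu.dll
2009-09-03 16:15:17 38400 --sha-w- c:\windows\system32\zabodowo.dll
"""

# File entries in the "Created Last 30" / "Find3M" sections:
#   <date> <time> <size> <attrs> <path>
# The 8-character attrs column contains 's' for system and 'h' for hidden.
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (\d+) ([-a-z]{8}) (.+)$")

# Load points DDS reports that get a DLL mapped into processes or the logon path.
LOAD_POINT_KEYS = ("AppInit_DLLs", "SSODL", "STS", "LSA", "mRun", "uRun", "Notify")
DLL_TOKEN_RE = re.compile(r"[A-Za-z0-9_~-]+\.dll\b", re.IGNORECASE)

# The naming pattern seen in this log: eight random lowercase letters plus .dll
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.dll$")


def basename(path):
    """Lower-cased final path component, accepting either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_dds(text):
    """Return {dll_name: {"hidden_system", "random_name", "load_points"}} for every
    DLL that is randomly named AND is either hidden+system or hooked into a load point."""
    info = defaultdict(lambda: {"hidden_system": False, "random_name": False, "load_points": set()})
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FILE_RE.match(line)
        if m:
            attrs, path = m.group(2), m.group(3)
            name = basename(path)
            if name.endswith(".dll") and "\\system32\\" in path.lower():
                # "--sha-w-" carries both the system and hidden attributes
                info[name]["hidden_system"] = "s" in attrs and "h" in attrs
            continue
        key = line.split(":", 1)[0]
        if key in LOAD_POINT_KEYS:
            for token in DLL_TOKEN_RE.findall(line):
                info[basename(token)]["load_points"].add(key)
    report = {}
    for name, entry in info.items():
        entry["random_name"] = bool(RANDOM_NAME_RE.match(name))
        if entry["random_name"] and (entry["hidden_system"] or entry["load_points"]):
            report[name] = entry
    return report


if __name__ == "__main__":
    for name, entry in sorted(analyze_dds(SAMPLE_DDS).items()):
        points = sorted(entry["load_points"]) or "none"
        print(f"{name}: hidden+system={entry['hidden_system']} load points={points}")
```

A DLL that is referenced from a load point but absent from the file listing (kuzeyogi.dll here) is still reported, since the reference alone is the persistence indicator.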




#2 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:05:29 AM

Posted 17 December 2009 - 02:05 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
Shannon

#3 ladykay

ladykay
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:04:29 AM

Posted 28 December 2009 - 10:59 AM

Thank you for your attention. I am trying to get another DDS log for you, however, it will not complete. My McAfee scanner keeps finding a particular instance of Vundo (didutaso.dll) and the machine is very slow. I've turned off the firewall portion of McAfee and said to stop scanning scripts, but I still keep getting the pop-ups about Vundo. I actually have had the machine off since I posted my logs in order to ensure the integrity of the information. So, if you could work from the last info, that would be great.

#4 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:04:29 AM

Posted 28 December 2009 - 09:24 PM

Hi ladykay,



Welcome to BleepingComputer HijackThis Logs and Malware Removal, :(
My name is sundavis, I will be helping you to deal with your Malware problems today.


Step1

Please download GMER Rootkit Scanner from Here or Here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish. For more info, go to Here for your reference.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt", and copy and paste the contents in your next reply.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries



Step2
  • If you already have Combofix, please delete that copy and download it again as it's being updated regularly.
  • Please visit this webpage for download links, and instructions for running the tool:
    http://www.bleepingcomputer.com/combofix/how-to-use-combofix
  • Note: ComboFix has recently been updated to include the option for installing the Recovery Console automatically. The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
    This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow Combofix to continue scanning for malware.
  • When done, a log will be produced (or locate it in C:\ComboFix.txt). Please post that log in your next reply.
  • Do not mouse click on Combofix while it is running. That may cause it to stall.

Step3
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt and info.txt.


In your next reply, please post back:


1. GMER log
2. ComboFix log
3. RSIT log.txt and info.txt

Thanks.

#5 ladykay

ladykay
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:04:29 AM

Posted 29 December 2009 - 12:56 AM

Thank you for your response. I'm diligently working on producing those attachments.
I have a question. Does script scanning need to be disabled on my virus/spyware scanner software as it needed to be with DDS? When I try to run GMER, the process starts, then my screen goes completely black. There's no way for me to recover other than a hard power off. I was wondering if my virus scanning software had anything to do with it. If so, I'll turn it off and disable my internet connection while I run the programs that you told me to.

Either way, I'll move on to Step 2 and Step 3 and see if those will work in the meantime.

After enduring pop ups about vundo every 20 seconds for a few hours, I actually managed to get a new DDS file. Those are attached. I figured I should have some sort of deliverable for the day.

Thanks again!

Attached Files



#6 ladykay

ladykay
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:04:29 AM

Posted 29 December 2009 - 01:47 AM

Here are my files for steps 2 and 3.

Also, my continuous Trojan alerts seem to have stopped. I get a few here and there, but nothing close to the 20 second intervals I had before.

Thanks!

Attached Files



#7 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:04:29 AM

Posted 29 December 2009 - 05:02 AM

Hi ladykay,



Looks better. :( But we still have some work to do. Please be patient and do the following:


Step1
  • Close any open browsers
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Go to Here for your reference.
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text inside the code box below:
File::
c:\windows\system32\gizehure.dll
c:\windows\system32\jukazudu.dll

Folder::
c:\windows\system32\bak

FCopy::
c:\windows\ServicePackFiles\i386\atapi.sys | c:\windows\system32\ReinstallBackups\0005\DriverFiles\i386\atapi.sys
c:\windows\ServicePackFiles\i386\atapi.sys | c:\windows\$NtServicePackUninstall$\atapi.sys
c:\windows\ServicePackFiles\i386\atapi.sys | c:\windows\system32\drivers\atapi.sys
c:\windows\ServicePackFiles\i386\ctfmon.exe | c:\windows\System32\ctfmon.exe

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\regedit.exe"=-
"c:\\WINDOWS\\system32\\taskmgr.exe"=-
"c:\\WINDOWS\\system32\\msiexec.exe"=-
"c:\\WINDOWS\\system32\\logon.scr"=-
"c:\\WINDOWS\\system32\\TPSMain.exe"=-
"c:\\WINDOWS\\system32\\RAMASST.exe"=-
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa] 
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00 

RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\?}*2*]

DDS::
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
AppInit_DLLs: didutaso.dll
STS: {12a248ad-1857-49e1-9f23-544303d24914} - No File
LSA: Notification Packages = scecli kuzeyogi.dll woborugu.dll


Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop

Posted Image

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


Step2
  • Download to your Desktop FixPolicies.exe, a self-extracting ZIP archive from Here :
  • Double-click FixPolicies.exe.
  • Click the "Install" button on the bottom toolbar of the box that will open.
  • The program will create a new Folder called FixPolicies.
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
  • A black box will briefly appear and then close.

Step3

I notice you have MBAM installed on your system. Please rerun it as instructed in the following. Update your virus definitions before proceeding. If you can't update the program, you can download the virus definitions from Here and install them manually.
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM, or you can find it here:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • You can refer to this tutorial
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


After that, please rerun Gmer as instructed in my previous post. If you have problems running Gmer, please uncheck "Devices" on the right side and try again.




In your next reply, please post back:

1. ComboFix log
2. MBAM log
3. Gmer log

Thanks.

#8 ladykay

ladykay
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:04:29 AM

Posted 29 December 2009 - 11:29 PM

Hi sundavis,

Well, GMER and I are still having issues. After about 45 minutes of processing, the screen goes black. I completely disabled my virus scanner and firewall, yet the issue continues. It used to arrive earlier. I've adjusted my hibernation settings, but I'll keep working on it.

However, I did do the rest. That's actually an achievement in itself, because before using the tools you gave me, MBAM would not run. I kept getting an error after installation saying that the .exe could not be found.

Here are the combofix file and the mbam logs. I made two, because I had to stop and restart mbam. Some infections were found on the first pass and others were found on the second.

This machine is already doing so much better. I am very pleased with the progress. :(

Attached Files



#9 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:04:29 AM

Posted 30 December 2009 - 01:41 AM

Hi ladykay,


"GMER and I are still having issues."

Yes, that can be expected. We need to run ComboFix once more and let some files revert to their previous position. :(


Step1
  • Close any open browsers
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Go to Here for your reference.
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text inside the code box below:
Folder::
c:\program files\iTunes\bak
c:\program files\QuickTime\bak

DeQuarantine::
c:\qoobox\Quarantine\C\WINDOWS\system32\bak\hkcmd.exe.vir
c:\qoobox\Quarantine\C\WINDOWS\system32\bak\igfxpers.exe.vir
c:\qoobox\Quarantine\C\WINDOWS\system32\bak\igfxtray.exe.vir

AWF::
c:\program files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe
c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\bak\hphupd08.exe
c:\program files\HP\HP Software Update\bak\HPWuSchd2.exe
c:\program files\Intel\Wireless\Bin\bak\ifrmewrk.exe
c:\program files\Intel\Wireless\Bin\bak\ZCfgSvc.exe
c:\program files\ltmoh\bak\Ltmoh.exe
c:\program files\McAfee\SpamKiller\bak\MskAgent.exe
c:\program files\McAfee\SpamKiller\bak\MSKDetct.exe
c:\program files\Synaptics\SynTP\bak\SynTPEnh.exe
c:\program files\Synaptics\SynTP\bak\SynTPLpr.exe
c:\program files\TOSHIBA\TOSCDSPD\bak\toscdspd.exe
c:\program files\TOSHIBA\TOSHIBA Applet\bak\thotkey.exe
c:\program files\TOSHIBA\TOSHIBA Zooming Utility\bak\SmoothView.exe
c:\program files\TOSHIBA\Tvs\bak\TvsTray.exe
c:\program files\Yahoo!\Messenger\bak\YAHOOM~1.EXE
c:\toshiba\IVP\ISM\bak\pinger.exe
c:\windows\ehome\bak\ehtray.exe
c:\windows\system32\DLA\bak\DLACTRLW.exe
C:\WINDOWS\system32\bak\hkcmd.exe
C:\WINDOWS\system32\bak\igfxpers.exe
C:\WINDOWS\system32\bak\igfxtray.exe

RegLock::
[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\?}*2*]


Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop

Posted Image

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


Step2


Older versions of Java have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 17...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name, including the following:
    J2SE Runtime Environment 5.0 Update 4
    Java™ 6 Update 11

  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u17-windows-i586-p.exe to install the newest version.
Step3


Let's clean some temp files. Please do the following:

Please download ATF Cleaner by Atribune.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.


If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.




After that, please rerun MBAM as instructed in my previous post and post the contents in your next reply.

In your next reply, please post back:


1. ComboFix log
2. MBAM log

Edited by sundavis, 30 December 2009 - 02:10 AM.


#10 ladykay

ladykay
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:04:29 AM

Posted 31 December 2009 - 01:21 PM

Hi,

The machine locked up after the screen saver popped up, so I had to re-run ComboFix. I hope that doesn't negatively affect the report.
I performed steps 2 and 3 with no incident :(.
The MBAM report is clean.

I'm starting to get really happy here...

Attached Files



#11 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:04:29 AM

Posted 31 December 2009 - 01:51 PM

Hi ladykay,



We need to run Kas Online Scanner to ensure there is no malicious threat around. It will take some time to run the full course. Please be patient and do the following:

Please navigate to the following file path and delete this bak folder manually.

C:\windows\system32\bak


Step1


Please perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner.
  • Please go to Kaspersky Online Scanner and perform an online antivirus scan.
  • Click Accept button on the "Requirements and limitations".
  • When the Java warning "The application digital signature has been verified. Do you want to run the application?" appears, click on the "Run" button.
  • It will download and install the program and update the database.
  • When the database update has finished, click on Settings.
  • Make sure all boxes are checked, then click on the Save button.
  • Click on My Computer under Scan menu. It will start scanning, so be patient and let it run.
  • Once the scan is completed, click on View Scan Report.
  • You may see a list of infected items there. Click on Save Report As.
  • Click "Desktop", name the file "KAS", change the Files of type to Text file (.txt) and click on the Save button.
  • Please post the contents in your next reply.
  • You can refer to this animation
Note for Internet Explorer 8 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset it to 100%.

In your next reply, please post back:

1. Kas Online Scanner Report

Tell me if you have any remaining issues on your pc.

#12 ladykay

ladykay
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:04:29 AM

Posted 01 January 2010 - 11:26 PM

Hi sundavis,

Here's my Kaspersky report. Some items were found, but mostly in quarantine. Please advise.

In terms of behavior, I ran the Kaspersky scan yesterday. It ran for about 4 hours when I had to leave it unattended. When I returned, the IE window it was running in had disappeared. I had to reboot and do another scan. I felt like I had been really vulnerable during the period after the scan ended and before I returned, since I had to disable the firewall in order to run the scan. So, I'm not sure if the infections found in the Sun cache folders are fresh or old. Anyway, I'm sure we can get these last ones off.

Thank you for your continued help.

Attached Files

  • Attached File  kas.txt   2.45KB   1 downloads


#13 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:04:29 AM

Posted 02 January 2010 - 12:38 AM

Hi ladykay,




As for those infected objects listed in the Kaspersky report, they are safely tucked away in ComboFix's quarantine folder or in the old System Restore cache, which we will be taking care of now.

Please delete the housecall quarantine folder since it is no longer needed. Other than that, your system appears clean now. :( If you have no remaining concerns on your pc, let's do some tidying up and you should be good to go.

Step1

Click START then RUN
Now copy/paste ComboFix /Uninstall in the runbox and click OK.
Note the space between the X and the /Uninstall; it needs to be there.


This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.


Step2

Download OTC by OldTimer and save it to your desktop.
  • Double click OTC and let it run
  • Then Click the Cleanup button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
Please delete all the tools and logs we have used. Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:
  • Update your antivirus programs

    Update your antivirus programs and other security products regularly to avoid new threats that could infect your system. You can use one of these sites to check if any updates are needed for your PC.
    Secunia Software Inspector
    F-secure Health Check

  • Update all programs regularly - Make sure you update all the programs regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

  • Back up your valid registry - ERUNT (Emergency Recovery Utility NT) allows you to store a complete backup of your registry and restore it if needed. Due to malware effects, a corrupt registry can prevent a system from booting. You're well advised to back up your valid registry while the system is clean now. For more info: Here and Here.
Please check out Tony Klein's article "How did I get infected in the first place?"
Read some information Here on how to prevent malware.


Glad to be of help. Safe surfing!!

Edited by sundavis, 02 January 2010 - 12:47 AM.


#14 ladykay

ladykay
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:04:29 AM

Posted 02 January 2010 - 11:56 AM

Thanks a million! I absolutely could not have done this without you! :(

#15 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:04:29 AM

Posted 10 January 2010 - 01:43 AM

Since this issue appears resolved ... this Topic is closed.

Glad we could help.

Everyone else please begin a New Topic.
