
Infected- Vundo; kbdsock.dll;Browser Redirect; Disabled System Restore/TaskManager


  • This topic is locked
2 replies to this topic

#1 ms_green

ms_green

  • Members
  • 2 posts
  • OFFLINE
  • Local time:04:52 AM

Posted 31 December 2009 - 09:46 PM

Topic Description: contains some of the files AVG and Avira AntiVir (Free editions) have claimed to quarantine.

Initially, I acquired a virus that disabled System Restore and the Task Manager. My web browsers (IE7/Firefox) also would redirect me to various sites. I used regedit to turn System Restore back on, and then used it. System Restore worked and fixed everything but the 'Browser Redirect' part of the problem. While attempting to fix the browser problem I have managed to screw my computer up.

Thank you for taking the time to help me.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Administrator at 20:31:16.23 on Thu 12/31/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1607 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
svchost.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\winupdate86.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\InternetSecurity2010\IS2010.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://mail.live.com/default.aspx?wa=wsignin1.0
mURLSearchHooks: H - No File
mWinlogon: Userinit=c:\windows\system32\winlogon86.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Internet Security 2010] c:\program files\internetsecurity2010\IS2010.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [RegGenie Scheduler] c:\program files\reggenie\RegGenieScheduler.exe
mRun: [winupdate86.exe] c:\windows\system32\winupdate86.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1231891652125
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {B31C105F-69EB-4BB0-B02B-FB42FD7D63D7} = 193.104.110.38,4.2.2.1,68.87.68.166 68.87.74.166
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: c:\windows\system32\kbdsock.dll,ronuruso.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli wivovego.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\dq0tkqg0.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://mail.live.com/default.aspx?wa=wsignin1.0
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================


==================== Find3M ====================

2006-05-03 09:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
1601-01-01 00:03:28 61440 --sha-w- c:\windows\system32\kulokuha.dll
1601-01-01 00:03:52 53760 --sha-w- c:\windows\system32\lajerode.dll
2007-02-21 10:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30:52 216064 --sh--r- c:\windows\system32\nbDX.dll
1601-01-01 00:03:28 53760 --sha-w- c:\windows\system32\repozuyi.dll
1601-01-01 00:03:52 53760 --sha-w- c:\windows\system32\ronuruso.dll
1601-01-01 00:03:28 60416 --sha-w- c:\windows\system32\sosafuji.dll
1601-01-01 00:03:28 24576 --sha-w- c:\windows\system32\winlogon86.exe
1601-01-01 00:03:28 24576 --sha-w- c:\windows\system32\winupdate86.exe
1601-01-01 00:03:52 53760 --sha-w- c:\windows\system32\wivovego.dll
1601-01-01 00:03:28 24576 --sha-w- c:\windows\system32\yoyijite.exe

============= FINISH: 20:32:58.76 ===============




Avira AntiVir Personal
Report file date: Thursday, December 31, 2009 17:39

Scanning for 1492539 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Save mode
Username : Administrator
Computer name : COMPUTER

Version information:
BUILD.DAT : 9.0.0.415 21609 Bytes 11/8/2009 10:00:00
AVSCAN.EXE : 9.0.3.10 466689 Bytes 10/13/2009 16:26:33
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 15:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 16:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 15:58:52
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 12:35:52
VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 20:01:39
VBASE002.VDF : 7.10.1.1 2048 Bytes 11/19/2009 20:01:39
VBASE003.VDF : 7.10.1.2 2048 Bytes 11/19/2009 20:01:39
VBASE004.VDF : 7.10.1.3 2048 Bytes 11/19/2009 20:01:39
VBASE005.VDF : 7.10.1.4 2048 Bytes 11/19/2009 20:01:40
VBASE006.VDF : 7.10.1.5 2048 Bytes 11/19/2009 20:01:40
VBASE007.VDF : 7.10.1.6 2048 Bytes 11/19/2009 20:01:40
VBASE008.VDF : 7.10.1.7 2048 Bytes 11/19/2009 20:01:40
VBASE009.VDF : 7.10.1.8 2048 Bytes 11/19/2009 20:01:40
VBASE010.VDF : 7.10.1.9 2048 Bytes 11/19/2009 20:01:40
VBASE011.VDF : 7.10.1.10 2048 Bytes 11/19/2009 20:01:40
VBASE012.VDF : 7.10.1.11 2048 Bytes 11/19/2009 20:01:40
VBASE013.VDF : 7.10.1.79 209920 Bytes 11/25/2009 20:01:41
VBASE014.VDF : 7.10.1.128 197632 Bytes 11/30/2009 20:01:42
VBASE015.VDF : 7.10.1.178 195584 Bytes 12/7/2009 20:01:42
VBASE016.VDF : 7.10.1.224 183296 Bytes 12/14/2009 20:01:43
VBASE017.VDF : 7.10.1.247 182272 Bytes 12/15/2009 20:01:43
VBASE018.VDF : 7.10.2.30 198144 Bytes 12/21/2009 20:01:44
VBASE019.VDF : 7.10.2.63 187392 Bytes 12/24/2009 20:01:44
VBASE020.VDF : 7.10.2.93 195072 Bytes 12/29/2009 20:01:45
VBASE021.VDF : 7.10.2.94 2048 Bytes 12/29/2009 20:01:45
VBASE022.VDF : 7.10.2.95 2048 Bytes 12/29/2009 20:01:45
VBASE023.VDF : 7.10.2.96 2048 Bytes 12/29/2009 20:01:45
VBASE024.VDF : 7.10.2.97 2048 Bytes 12/29/2009 20:01:45
VBASE025.VDF : 7.10.2.98 2048 Bytes 12/29/2009 20:01:45
VBASE026.VDF : 7.10.2.99 2048 Bytes 12/29/2009 20:01:45
VBASE027.VDF : 7.10.2.100 2048 Bytes 12/29/2009 20:01:46
VBASE028.VDF : 7.10.2.101 2048 Bytes 12/29/2009 20:01:46
VBASE029.VDF : 7.10.2.102 2048 Bytes 12/29/2009 20:01:46
VBASE030.VDF : 7.10.2.103 2048 Bytes 12/29/2009 20:01:46
VBASE031.VDF : 7.10.2.110 77312 Bytes 12/31/2009 20:01:46
Engineversion : 8.2.1.122
AEVDF.DLL : 8.1.1.2 106867 Bytes 11/8/2009 12:38:52
AESCRIPT.DLL : 8.1.3.4 586105 Bytes 12/31/2009 20:01:51
AESCN.DLL : 8.1.3.0 127348 Bytes 12/31/2009 20:01:51
AESBX.DLL : 8.1.1.1 246132 Bytes 11/8/2009 12:38:44
AERDL.DLL : 8.1.3.4 479605 Bytes 12/31/2009 20:01:50
AEPACK.DLL : 8.2.0.3 422261 Bytes 11/8/2009 12:38:40
AEOFFICE.DLL : 8.1.0.38 196987 Bytes 11/8/2009 12:38:38
AEHEUR.DLL : 8.1.0.189 2195833 Bytes 12/31/2009 20:01:50
AEHELP.DLL : 8.1.9.0 237943 Bytes 12/31/2009 20:01:47
AEGEN.DLL : 8.1.1.82 369014 Bytes 12/31/2009 20:01:47
AEEMU.DLL : 8.1.1.0 393587 Bytes 11/8/2009 12:38:26
AECORE.DLL : 8.1.9.1 180598 Bytes 12/31/2009 20:01:47
AEBB.DLL : 8.1.0.3 53618 Bytes 11/8/2009 12:38:20
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 13:47:59
AVPREF.DLL : 9.0.3.0 44289 Bytes 8/26/2009 20:14:02
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 19:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 15:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 20:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 15:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 20:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 13:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 15:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 20:39:58
RCTEXT.DLL : 9.0.73.0 86785 Bytes 10/13/2009 17:25:47

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: quarantine
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Deviating risk categories...........: +APPL,+GAME,+JOKE,+PCK,+PFS,+SPR,

Start of the scan: Thursday, December 31, 2009 17:39

Starting search for hidden objects.
The driver could not be initialized.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'winupdate86.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
12 processes with 12 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
Master boot sector HD2
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '55' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Documents and Settings\Administrator\Desktop\Flash_Disinfector.exe

[0] Archive type: RAR SFX (self extracting)
--> nircmd.exe
[DETECTION] Contains recognition pattern of the APPL/NirCmd.2 application
[NOTE] The file was moved to '4b9e28d9.qua'!
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\dq0tkqg0.default\Cache\3ADB6917d01
[DETECTION] Contains recognition pattern of the HTML/Rce.Gen HTML script virus
[NOTE] The file was moved to '4b812cdf.qua'!
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\dq0tkqg0.default\Cache\DAD9E8A6d01
[DETECTION] Contains recognition pattern of the SPR/Fake.RegGenie program
[NOTE] The file was moved to '4b812ceb.qua'!
C:\Documents and Settings\Administrator\Local Settings\Temp\KcPj.exe
[DETECTION] Is the TR/Fake.AV.218880 Trojan
[NOTE] The file was moved to '4b8d2d12.qua'!
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\AG9QCITK\dfghfghgfj[1].dll
[DETECTION] Is the TR/BHO.adbb Trojan
[NOTE] The file was moved to '4ba42d2a.qua'!
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\FPGDA2WQ\favicon[5].ico
[DETECTION] Contains recognition pattern of the SPR/Fake.RegGenie program
[NOTE] The file was moved to '4bb32d35.qua'!
C:\WINDOWS\system32\boliraka.dll
[DETECTION] Is the TR/PCK.Tdss.AA.3113 Trojan
[NOTE] The file was moved to '4ba93eb9.qua'!
C:\WINDOWS\system32\fusigoka.dll
[DETECTION] Is the TR/PCK.Tdss.AA.3054 Trojan
[NOTE] The file was moved to '4bb03edc.qua'!
C:\WINDOWS\system32\kbdsock.dll
[DETECTION] Is the TR/Agent.deot.1 Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26003
[WARNING] The file could not be deleted!
[NOTE] Attempting to perform action using the ARK library.
[NOTE] The driver could not be initialized.
[WARNING] The file was ignored!
C:\WINDOWS\system32\madubiha.dll
[DETECTION] Is the TR/PCK.Tdss.AA.3075 Trojan
[NOTE] The file was moved to '4ba13edf.qua'!
C:\WINDOWS\system32\pubufuhu.dll
[DETECTION] Is the TR/PCK.Tdss.AA.3054 Trojan
[NOTE] The file was moved to '4b9f3f17.qua'!
C:\WINDOWS\system32\drivers\maeberl.sys
[WARNING] The file could not be opened!
C:\WINDOWS\Temp\62f070b4.tmp
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to '4ba33f88.qua'!


End of the scan: Thursday, December 31, 2009 19:18
Used time: 1:39:10 Hour(s)

The scan has been done completely.

9894 Scanned directories
282263 Files were scanned
12 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
11 Files were moved to quarantine
0 Files were renamed
2 Files cannot be scanned
282249 Files not concerned
3875 Archives were scanned
3 Warnings
13 Notes



I have Avenger.exe on my PC, so if you can put together a script I could run it using this utility.

Again, thank you for your time.


#2 ms_green

ms_green
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:04:52 AM

Posted 05 January 2010 - 02:33 AM

Please close this topic.
Problem has been solved.

Here is a link to a useful utility; you guys may already be aware of it.

http://technet.microsoft.com/en-us/sysinte...s/bb896653.aspx

Process Explorer: Very useful utility.

Thanks
Shane

#3 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:11:52 AM

Posted 10 January 2010 - 07:50 AM

Since this topic appears to be resolved, I will now close it. Thanks for letting us know.

If you need this topic re-opened please send me a PM.

Everyone else, please start a new topic.

With Regards,
myrti

Is that a bird? A plane? Nooo, it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help requests via PM unless I am already helping you. Use the forums!
