Svchost.exe / Vundo Infection


  • This topic is locked
3 replies to this topic

#1 PControl

  • Members
  • 5 posts

Posted 30 January 2010 - 10:26 AM

Hello,

Around a week ago, my computer started having random pop-ups occur, usually when I opened Firefox. After typing the name of the most common in a search engine, (which was something like "media2.tmlatn") I found people on your forums who were having the same trouble as myself. I used some of the instructions on someone's forum, which led me to download "SUPERAntiSpyware" and "ATF-Cleaner". After using both, I thought the problem would disappear; however, I was wrong.

The main pop-up ("media2.tmlatn") was gone, but more kept appearing. After searching around my computer a little, I realized that it was most definitely viruses/malware. My "Automatic Updates" was turned off, and I wasn't notified. After turning the Automatic Updates on again, I waited for about 10 minutes, then checked again. It was turned off. Also, in Task Manager, two programs catch my eye on the "Processes" tab. One is "MsMpEng.exe" and the other "svchost.exe". The "MsMpEng.exe" program is one I do not recall seeing before the problems started, and it was using up an absurd amount of processing power. The other, "svchost.exe", caught my eye because it had multiple listings on my Task Manager. For instance, right now there are 9 different listings for this program under "Processes" in Task Manager.

Realizing I needed real virus/malware protection, I proceeded to download Microsoft's Security Essentials. Preparing to run a full virus scan, I downloaded the definitions, but I ran into an error (I assume the virus's doing). I downloaded them manually, and then ran the virus scan.

Immediately it found two programs that it thought were interfering, and asked me to "Clean Computer" to get rid of them. About 3 minutes after clicking on it, I got an error report saying basically that it couldn't be removed. I then rebooted into safe mode (after my computer froze with the effort of all this) and tried again. This was late at night, and everything seemed to be going well, so I left it to finish the scan and went to bed. When I got up this morning, it was idle at the normal log-in screen. When I logged in, a dialog box popped up saying the computer had suffered from a "serious error" and had to reboot. As soon as I opened Firefox, another pop-up came up, proving that the scan had been crashed.

I am not sure where to turn for all this, so if someone could lend me some help, it would be GREATLY appreciated. Thank you.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Owner at 10:16:07.87 on Sat 01/30/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.446.99 [GMT -5:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Skype\Toolbars\Shared\SkypeNames.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.yahoo.com/
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [SunKistEM] c:\program files\digital media reader\shwiconem.exe
mRun: [<NO NAME>]
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [VTTimer] VTTimer.exe
mRun: [VTTrayp] VTtrayp.exe
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [kezefidir] Rundll32.exe "c:\windows\system32\tudoniga.dll",a
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\instal~1.lnk - c:\program files\sifxinst\SIFXINST.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: mibewoja.dll c:\windows\system32\zurubuti.dll c:\windows\system32\tudoniga.dll,heyuzeve.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: zevonisin - {3b799c20-b474-4bd4-a563-7f7f65ac9d1a} - c:\windows\system32\jalopeya.dll
SSODL: tufubalil - {1b4d529a-ea1b-419f-ba33-520e7040ef91} - c:\windows\system32\jalopeya.dll
SSODL: gutuzarah - {f0d5fdef-e7c6-415b-8623-497938a49639} - c:\windows\system32\tudoniga.dll
STS: mujuzedij: {3b799c20-b474-4bd4-a563-7f7f65ac9d1a} - c:\windows\system32\jalopeya.dll
STS: kupuhivus: {1b4d529a-ea1b-419f-ba33-520e7040ef91} - c:\windows\system32\jalopeya.dll
STS: kupuhivus: {f0d5fdef-e7c6-415b-8623-497938a49639} - c:\windows\system32\tudoniga.dll
LSA: Notification Packages = scecli tosofove.dll muluzida.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\j1gbcqpc.default\
FF - prefs.js: browser.startup.homepage - hxxp://m.www.yahoo.com/?fr=fptb-yff35
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPOJI610.dll
FF - plugin: c:\program files\musicnotes\npmusicn.dll
FF - plugin: c:\program files\musicnotes\NPSibelius.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 142832]
S1 gnktdpcd;gnktdpcd;\??\c:\windows\system32\drivers\gnktdpcd.sys --> c:\windows\system32\drivers\gnktdpcd.sys [?]
S1 nqobqlyb;nqobqlyb;\??\c:\windows\system32\drivers\nqobqlyb.sys --> c:\windows\system32\drivers\nqobqlyb.sys [?]
UnknownUnknown aainbsad;aainbsad; [x]
UnknownUnknown brkryrmt;brkryrmt; [x]
UnknownUnknown uvfbegse;uvfbegse; [x]

=============== Created Last 30 ================

2010-01-29 23:43:33 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-29 23:28:32 0 d-----w- c:\program files\Microsoft Security Essentials
2010-01-27 22:34:46 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-01-27 22:34:25 0 d-----w- c:\program files\SUPERAntiSpyware
2010-01-27 22:34:25 0 d-----w- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com
2010-01-23 20:47:21 54156 ---ha-w- c:\windows\QTFont.qfn
2010-01-23 20:47:21 1409 ----a-w- c:\windows\QTFont.for
2010-01-06 22:37:30 482 ----a-w- c:\windows\cdplayer.ini

==================== Find3M ====================

2010-01-21 18:07:51 39 ----a-w- c:\documents and settings\owner\jagex_runescape_preferences.dat
2010-01-21 18:06:16 69 ----a-w- c:\documents and settings\owner\jagex_runescape_preferences2.dat
2009-12-22 05:42:49 662016 ----a-w- c:\windows\system32\wininet.dll
2009-12-22 05:42:45 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-12-16 22:39:07 46848 ----a-w- c:\docume~1\owner\applic~1\GDIPFONTCACHEV1.DAT
2009-12-15 21:38:08 148 ----a-w- c:\docume~1\owner\applic~1\wklnhst.dat
2009-12-09 00:12:23 8552 ----a-w- c:\windows\system32\drivers\asctrm.sys
1601-01-01 00:03:28 42496 --sha-w- c:\windows\system32\buzatobo.dll
1601-01-01 00:03:28 61952 --sha-w- c:\windows\system32\munigibo.dll

============= FINISH: 10:16:58.70 ===============
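For reference, nine svchost.exe entries in Task Manager is normal on XP: each instance hosts one service group (`tasklist /svc` shows which services live in which one), so the count on its own is not an indicator. The real indicators in the DDS log above are the persistence entries: the same random-named DLLs registered under AppInit_DLLs, ShellServiceObjectDelayLoad (SSODL), SharedTaskScheduler (STS) and the LSA Notification Packages list, a Run key that launches one of them through Rundll32, drivers whose files DDS could not read, and DLLs in system32 carrying a 1601 timestamp with system+hidden attributes. The script below is an added example, not part of the original post and not a DDS or BleepingComputer tool: it parses those log lines (copied from the post) and scores each module on exactly those signals. The point weights, the eight-letter name heuristic and the small allowlist are illustrative assumptions, not a definition of Vundo.

```python
"""Score persistence entries in a DDS log for Vundo-style indicators.

Added example: not part of the original post, not a DDS or BleepingComputer
tool. Point weights and the allowlist are illustrative assumptions.
"""
import re
from collections import defaultdict

# Lines copied from the DDS log posted above (hook, driver and Find3M
# sections only); the script ignores everything else in a DDS log.
DDS_LOG = r"""
mRun: [kezefidir] Rundll32.exe "c:\windows\system32\tudoniga.dll",a
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide
AppInit_DLLs: mibewoja.dll c:\windows\system32\zurubuti.dll c:\windows\system32\tudoniga.dll,heyuzeve.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: zevonisin - {3b799c20-b474-4bd4-a563-7f7f65ac9d1a} - c:\windows\system32\jalopeya.dll
SSODL: tufubalil - {1b4d529a-ea1b-419f-ba33-520e7040ef91} - c:\windows\system32\jalopeya.dll
SSODL: gutuzarah - {f0d5fdef-e7c6-415b-8623-497938a49639} - c:\windows\system32\tudoniga.dll
STS: mujuzedij: {3b799c20-b474-4bd4-a563-7f7f65ac9d1a} - c:\windows\system32\jalopeya.dll
STS: kupuhivus: {f0d5fdef-e7c6-415b-8623-497938a49639} - c:\windows\system32\tudoniga.dll
LSA: Notification Packages = scecli tosofove.dll muluzida.dll
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 142832]
S1 gnktdpcd;gnktdpcd;\??\c:\windows\system32\drivers\gnktdpcd.sys --> c:\windows\system32\drivers\gnktdpcd.sys [?]
UnknownUnknown aainbsad;aainbsad; [x]
2009-12-22 05:42:49 662016 ----a-w- c:\windows\system32\wininet.dll
1601-01-01 00:03:28 42496 --sha-w- c:\windows\system32\buzatobo.dll
1601-01-01 00:03:28 61952 --sha-w- c:\windows\system32\munigibo.dll
"""

# Hooks that load a DLL into every process (AppInit_DLLs), into the shell
# (SSODL, STS) or into lsass.exe (LSA Notification Packages).
HOOK_PREFIXES = ("AppInit_DLLs:", "SSODL:", "STS:", "LSA:")
# Modules expected in those hooks on a stock XP install (assumption; an
# allowlist is a triage aid, not proof that the file is clean).
KNOWN_GOOD = {"scecli", "wpdshserviceobj"}
MODULE_RE = re.compile(r"([a-z0-9_-]+)\.(?:dll|sys)\b", re.IGNORECASE)
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}$")  # Vundo-era naming pattern (heuristic)
DRIVER_RE = re.compile(r"^(?:[RS]\d|UnknownUnknown) (\w+);.*\[[?x]\]\s*$")
FIND3M_RE = re.compile(r"^(\d{4})-\d\d-\d\d \d\d:\d\d:\d\d\s+\d+\s+(\S+)\s+(.+)$")


def score_dds(log_text):
    """Map each module stem that tripped a signal to (score, [reasons])."""
    score, reasons, hooks = defaultdict(int), defaultdict(list), defaultdict(set)

    def hit(stem, points, why):
        score[stem] += points
        reasons[stem].append(why)

    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith(HOOK_PREFIXES):
            hook = line.split(":", 1)[0]
            for stem in MODULE_RE.findall(line):
                stem = stem.lower()
                if stem in KNOWN_GOOD or hook in hooks[stem]:
                    continue  # allowlisted, or this hook already counted once
                hooks[stem].add(hook)
                hit(stem, 2, "injected via %s" % hook)
        elif line.startswith(("mRun:", "uRun:")) and "rundll32" in line.lower():
            for stem in MODULE_RE.findall(line):
                hit(stem.lower(), 1, "Run key loads it through Rundll32")
        else:
            drv, f3m = DRIVER_RE.match(line), FIND3M_RE.match(line)
            if drv:
                hit(drv.group(1).lower(), 1, "driver/service whose file DDS could not read")
            elif f3m:
                year, attrs, path = f3m.groups()
                mod = MODULE_RE.search(path)
                if not mod:
                    continue
                stem = mod.group(1).lower()
                if year == "1601":
                    hit(stem, 2, "1601 date: at the FILETIME epoch, bogus or stomped")
                if "s" in attrs and "h" in attrs:
                    hit(stem, 1, "system+hidden attributes on a DLL")

    # Second pass: signals that depend on the whole log, not one line.
    for stem in list(score):
        if RANDOM_NAME_RE.match(stem):
            hit(stem, 1, "eight-letter lowercase pseudo-random name")
        if len(hooks[stem]) > 1:
            hit(stem, 1, "registered in %d separate hooks" % len(hooks[stem]))
    return {s: (score[s], reasons[s]) for s in score}


def suspicious(log_text, threshold=2):
    """Entries scoring at least `threshold`, highest score first."""
    ranked = sorted(score_dds(log_text).items(), key=lambda kv: (-kv[1][0], kv[0]))
    return [(stem, s, why) for stem, (s, why) in ranked if s >= threshold]


if __name__ == "__main__":
    for stem, s, why in suspicious(DDS_LOG):
        print("%-12s score %d" % (stem, s))
        for w in why:
            print("    - " + w)
```

Run as a script it prints the ranked list; tudoniga.dll comes out on top because it sits in three hooks and is also launched through Rundll32, which fits the post's symptom of a pop-up component that survives cleaning. wininet.dll, MpFilter.sys and the allowlisted WPDShServiceObj.dll never appear because nothing about them trips a signal. Any name-based heuristic has false positives (setupapi.dll is eight lowercase letters too), which is why the random-name rule only adds a point to modules that already tripped a location or timestamp signal.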



#2 syler

  • Malware Response Team
  • 8,150 posts
  • Location:Warrington, UK

Posted 07 February 2010 - 10:53 AM

Hello,

My name is Syler and I will be helping you to solve your malware issues. If you have since resolved your issues, I would appreciate it if you would let me know so I can close this topic; if you still need help, please let me know what issues you are still having in your next reply.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up.

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)


  1. Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  2. Disconnect from the Internet and close all running programs, as this process may crash your computer.
  3. Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  4. Double click on Gmer to run it.
  5. Allow the gmer.sys driver to load if asked.
  6. You may see a rootkit warning window, If you do, click No.
  7. Untick the following boxes on the right side of the Gmer screen.
    Sections
    IAT/EAT
    Files
    Show All
  8. Click on and wait for the scan to finish.
  9. If you see a rootkit warning window, click OK.
  10. Push and save the logfile to your desktop.
  11. Copy and Paste the contents of that file in your next post.



Then please post back here with the following:
  • log.txt
  • info.txt
  • Gmer log

Thanks



#3 PControl

  • Topic Starter
  • Members
  • 5 posts

Posted 07 February 2010 - 01:17 PM

My family decided to get another computer (after several unsuccessful system recoveries). Thank you for your time and for attempting to fix this problem, however.

#4 syler

  • Malware Response Team
  • 8,150 posts
  • Location:Warrington, UK

Posted 07 February 2010 - 01:21 PM

Thanks for letting us know.

Since this issue appears resolved ... this Topic is closed. Glad we could help.

If you need this topic reopened, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
