

Problems Stemming from Antivirus Plus Malware / Vundo


  • This topic is locked
2 replies to this topic

#1 TheMichael

TheMichael

  • Members
  • 3 posts
  • OFFLINE
  • Local time:08:28 AM

Posted 05 February 2010 - 11:18 AM

Hello,

Thank you in advance to whoever chimes in to assist me in clearing up the following problems. Your time and assistance are much appreciated! If I could take you out for a beer, I would!

BACKGROUND

In downloading a music file earlier this week, I contracted a nasty virus and/or malware. First, I received numerous pop-ups from "Antivirus Plus." Second, my anti-virus program (Symantec) spotted a Trojan.Vundo virus.

I first approached the situation by following all steps posted on the forum for removing "Antivirus Plus," available here:

Bleepingcomputer.com - Remove Antivirus Plus

While the Antivirus Plus malware has seemingly disappeared, numerous problems remain, which I believe are the result of either the Vundo or another virus. I thought my Symantec had taken care of it, but perhaps not . . .

REMAINING SYMPTOMS

Since my computer has started acting funny, I've noted several key symptoms. I'm sure there are more that I do not know about yet, but as my computer has generally degenerated in functionality, I've noted the following:

1. I cannot access GMail at all. When I attempt to open it in Firefox, I receive the following message:

Not Found

The requested URL /accounts/ServiceLogin was not found on this server.
Apache/2.2.3 (Red Hat) Server at www.google.com Po


2. I cannot log into the secure network at my work place to use the wireless. Nor am I able to search for nearby wireless signals, as my Intel PROset/Wireless program will not open.

3. iTunes will not play music. When I try to open iTunes, I receive the following message: "iTunes has detected a problem with your audio configuration. Audio/Video playback may not operate properly."

4. I've received several System32 error messages.

5. I've received numerous Messages along the lines of the following: "The instruction at '0x0162f7a0' referenced memory at '0x0162f7a0'. The memory could not be 'written'."

6. When I attempt to open certain websites, particularly off of Google searches, I am immediately re-directed to advertising/spam-type sites at different URLs.


I have provided the DDS and RootRepeal logs below, as well as two versions of the DDS "Attach" file - one from earlier this week, when I first noted the problem, and one from today. The earlier one is labeled "Attch-1" and today's version is labeled "Attach-2." I did so because I thought it would be helpful to capture some of the earlier "Event Viewer" history that may have disappeared as the week wore on.


DDS & ROOTREPEAL LOGS


DDS


DDS (Ver_09-12-01.01) - NTFSx86
Run by Michael S at 10:36:48.58 on Fri 02/05/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1278 [GMT -5:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\ngvpnmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\stsystra.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Novatel Wireless\Mobilink\Phoenix.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Documents and Settings\Michael S\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MobiLink Lite] c:\program files\novatel wireless\mobilink\Lite.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask .exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Pvecukem] rundll32.exe "c:\windows\ojogexinoduse.dll",Startup
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-system: HideFastUserSwitching = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: buy-internet-security10.com
Trusted Zone: is-soft-download.com
Trusted Zone: is-software-download.com
Trusted Zone: is-software-download25.com
Trusted Zone: buy-internet-security10.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
TCP: {4249047A-C172-47EF-9153-645427387685} = 83.149.115.157,4.2.2.1,192.168.1.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: NavLogon - c:\windows\system32\NavLogon.dll
AppInit_DLLs: app_dll.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\michae~1\applic~1\mozilla\firefox\profiles\bo12jpj3.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - HiddenExtension: XULRunner: {2B3FCB4E-9A37-4C20-8458-8BD8E0B9B51A} - c:\documents and settings\michael s\local settings\application data\{2B3FCB4E-9A37-4C20-8458-8BD8E0B9B51A}
FF - HiddenExtension: Firefox security: No Registry Reference - c:\program files\mozilla firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-12-19 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-12-19 54968]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-3-24 192160]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-3-24 169632]
R2 NgVpnMgr;Aventail VPN Client;c:\windows\system32\ngvpnmgr.exe [2009-9-10 235648]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-6-15 1805552]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-11-27 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100129.006\naveng.sys [2010-1-30 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100129.006\navex15.sys [2010-1-30 1323568]
R3 NgLog;Aventail VPN Logging;c:\windows\system32\drivers\nglog.sys [2009-9-10 27160]
R3 NgVpn;Aventail VPN Adapter;c:\windows\system32\drivers\ngvpn.sys [2009-9-10 79896]
S3 ndismgr;ndismgr;\??\c:\windows\system32\ndismgr.sys --> c:\windows\system32\ndismgr.sys [?]
S3 NgFilter;Aventail VPN Filter;c:\windows\system32\drivers\ngfilter.sys [2009-9-10 22552]
S3 NgWfp;Aventail VPN Callout;c:\windows\system32\drivers\ngwfp.sys [2009-9-10 25112]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [2007-10-12 99200]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-6-15 115952]

============== File Associations ===============

scrfile="%1" %*

=============== Created Last 30 ================

2010-02-02 04:34:20 39424 ----a-w- c:\documents and settings\michael s\rundll32.exe
2010-02-02 02:25:19 39424 ----a-w- c:\documents and settings\michael s\stsystra.exe
2010-02-02 02:25:19 39424 ----a-w- c:\documents and settings\michael s\stsystra .exe
2010-02-02 02:25:14 39424 ----a-w- c:\documents and settings\michael s\nwiz.exe
2010-02-02 02:25:14 39424 ----a-w- c:\documents and settings\michael s\nwiz .exe
2010-02-02 02:25:13 39424 ----a-w- c:\documents and settings\michael s\rundll32 .exe
2010-02-02 02:20:36 452 --sha-r- c:\documents and settings\michael s\ntuser.pol
2010-02-02 02:19:59 0 d--h--w- c:\windows\system32\GroupPolicy
2010-02-02 01:29:37 0 ----a-w- c:\windows\VPC32.INI
2010-02-02 00:59:15 0 ----a-w- c:\windows\Oqalohofusocacez.bin
2010-02-02 00:59:14 120 ----a-w- c:\windows\Qnucurizevuladiw.dat
2010-02-02 00:56:36 69120 ----a-w- c:\windows\system32\app_dll.dll
2010-02-02 00:56:05 39424 ----a-w- c:\windows\system32\stsystra.exe
2010-02-02 00:56:05 39424 ----a-w- c:\windows\system32\stsystra .exe
2010-02-02 00:56:05 0 d-sh--w- c:\docume~1\michae~1\applic~1\SystemProc
2010-01-29 02:34:29 0 d-----w- c:\docume~1\michae~1\applic~1\smkits
2010-01-28 22:29:41 345384 ----a-w- c:\windows\system32\dsNcCredProv.dll
2010-01-28 22:29:31 0 d-----w- c:\program files\Juniper Networks
2010-01-28 22:29:08 0 d-----w- c:\docume~1\michae~1\applic~1\Juniper Networks
2010-01-28 22:29:05 0 d-----w- c:\docume~1\alluse~1\applic~1\Juniper Networks
2010-01-09 21:26:55 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-01-09 21:24:24 0 d-----r- c:\program files\Skype

==================== Find3M ====================

2010-02-03 00:19:47 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-02-02 02:32:44 39424 ----a-w- c:\windows\system32\nwiz.exe
2009-12-30 19:55:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-30 19:54:58 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-22 08:51:01 19952 ----a-w- c:\windows\system32\nvModes.dat
2009-12-22 05:42:49 662016 ----a-w- c:\windows\system32\wininet.dll
2009-12-22 05:42:45 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-11-20 06:38:07 319488 ----a-w- c:\windows\system32\AegisI5Installer.exe
2009-11-20 06:13:24 21640 ----a-w- c:\windows\system32\emptyregdb.dat

============= FINISH: 10:38:10.12 ===============



ROOTREPEAL



ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2010/02/05 10:44
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAB183000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\documents and settings\michael s\local settings\application data\mozilla\firefox\profiles\bo12jpj3.default\cache\_cache_002_
Status: Size mismatch (API: 2647426, Raw: 2645374)

Processes
-------------------
Path: C:\Program Files\Dell\QuickSet\quickset .ex
PID: 576 Status: Hidden from the Windows API!

Path: C:\Program Files\iTunes\ituneshelper .exe
PID: 1892 Status: Hidden from the Windows API!

Path: C:\Program Files\Novatel Wireless\Mobilink\lite .exe
PID: 2820 Status: Hidden from the Windows API!

Path: C:\Program Files\Skype\Phone\skype .exe
PID: 2976 Status: Hidden from the Windows API!

Path: C:\Program Files\Intel\Wireless\Bin\zcfgsvc .exe
PID: 3060 Status: Hidden from the Windows API!

Path: C:\Program Files\CyberLink\PowerDVD DX\pdvddxsrv .exe
PID: 3188 Status: Hidden from the Windows API!

Path: C:\Program Files\Java\jre1.5.0_06\bin\jusched .exe
PID: 3252 Status: Hidden from the Windows API!

Path: C:\Program Files\Apoint\apoint .exe
PID: 3436 Status: Hidden from the Windows API!

Path: C:\PROGRA~1\SYMANT~1\vptray .exe
PID: 3552 Status: Hidden from the Windows API!

Path: C:\Program Files\Internet Explorer\wmpscfgs.exe
PID: 3564 Status: Hidden from the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\ccapp .exe
PID: 3728 Status: Hidden from the Windows API!

Path: C:\Program Files\Common Files\Real\Update_OB\realsched .exe
PID: 3976 Status: Hidden from the Windows API!

Path: C:\Program Files\Intel\Wireless\Bin\ifrmewrk .exe
PID: 4044 Status: Hidden from the Windows API!

SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x89b18bb8

#: 013 Function Name: NtAlertThread
Status: Hooked by "<unknown>" at address 0x89b18d38

#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x89c1eb80

#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x89ac7820

#: 043 Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x89b18728

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x89c481f0

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\Program Files\Symantec\SYMEVENT.SYS" at address 0xb3b8fcc0

#: 083 Function Name: NtFreeVirtualMemory
Status: Hooked by "<unknown>" at address 0x86ff6288

#: 089 Function Name: NtImpersonateAnonymousToken
Status: Hooked by "<unknown>" at address 0x89b188c0

#: 091 Function Name: NtImpersonateThread
Status: Hooked by "<unknown>" at address 0x89b18a48

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0x89abde38

#: 114 Function Name: NtOpenEvent
Status: Hooked by "<unknown>" at address 0x89b185a0

#: 123 Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0x89c334c8

#: 129 Function Name: NtOpenThreadToken
Status: Hooked by "<unknown>" at address 0x89b19ce0

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "<unknown>" at address 0x89b1ddd0

#: 206 Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x89c3c458

#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x89b19b68

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x87092090

#: 229 Function Name: NtSetInformationThread
Status: Hooked by "<unknown>" at address 0x89b199f0

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\Program Files\Symantec\SYMEVENT.SYS" at address 0xb3b8ff20

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x89b18408

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x89b19500

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x89c320d0

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x89b19878

#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0x89a7f350

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x89c1e300

==EOF==

Attached Files


Edited by TheMichael, 05 February 2010 - 12:33 PM.
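The DDS and RootRepeal output above contains several indicators a responder would pull out by hand: autostart entries whose executable name has a space before the extension ("quickset .exe", "qttask .exe") next to the real program, paired files such as stsystra.exe / "stsystra .exe" of identical size dropped in the profile root, a non-empty AppInit_DLLs value, policies that disable the registry editor and Folder Options, Trusted Zone entries for unfamiliar domains, and processes RootRepeal reports as hidden from the Windows API. The script below is an added example, not part of TheMichael's post and not a BleepingComputer, DDS or RootRepeal tool; it applies those heuristics to a pasted log so the flags can be listed and counted. The sample input is constructed from lines excerpted verbatim from the logs above (plus two benign control lines), and the rule names, regexes and the `triage`/`summarize` functions are my own assumptions about a useful triage pass, not anything the tools provide. Every hit is a "look at this" flag for a human, not a verdict.

```python
"""Triage a pasted DDS / RootRepeal log for the indicators visible in the thread above.

Added example: not the original poster's, not a BleepingComputer/DDS/RootRepeal tool.
The rules are heuristics derived from what the posted log shows.
"""
import re

# Constructed sample: lines excerpted verbatim from the DDS and RootRepeal logs
# in the post, plus two benign control lines (NvCpl.dll, dsNcCredProv.dll).
SAMPLE_LOG = r"""
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset .exe .exe .exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask .exe" -atboottime
mRun: [Pvecukem] rundll32.exe "c:\windows\ojogexinoduse.dll",Startup
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-system: HideFastUserSwitching = 0 (0x0)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
Trusted Zone: buy-internet-security10.com
AppInit_DLLs: app_dll.dll
2010-02-02 04:34:20 39424 ----a-w- c:\documents and settings\michael s\rundll32.exe
2010-02-02 02:25:19 39424 ----a-w- c:\documents and settings\michael s\stsystra .exe
2010-01-28 22:29:41 345384 ----a-w- c:\windows\system32\dsNcCredProv.dll
Path: C:\Program Files\Skype\Phone\skype .exe
PID: 2976 Status: Hidden from the Windows API!
"""

# Rule table (assumed heuristics): (rule name, regex applied to one log line).
RULES = [
    # "name .exe": a space before the extension, as in "quickset .exe". The posted
    # log shows the genuine file and the look-alike differing only by that space.
    ("space-before-exe", re.compile(r"\S \.exe\b", re.I)),
    # Policies that lock the user out of regedit / Folder Options.
    ("lockout-policy", re.compile(
        r"Policies-\w+:\s*(DisableRegistryTools|NoFolderOptions)\s*=\s*1\b")),
    # Any non-empty AppInit_DLLs value is loaded into every process that uses user32.
    ("appinit-dll", re.compile(r"^AppInit_DLLs:\s*\S")),
    # IE Trusted Zone entries are rarely set by hand; list every one for review.
    ("trusted-zone", re.compile(r"^Trusted Zone:\s*\S")),
    # An .exe sitting directly in the user's profile root (DDS "Created Last 30" line).
    ("exe-in-profile-root", re.compile(
        r"c:\\documents and settings\\[^\\]+\\[^\\]+\.exe\s*$", re.I)),
    # rundll32 loading a DLL that lives in c:\windows itself rather than system32.
    ("rundll32-windows-root", re.compile(
        r'rundll32\.exe\s+"?c:\\windows\\[^\\"]+\.dll', re.I)),
]
HIDDEN = re.compile(r"Hidden from the Windows API", re.I)


def triage(log_text):
    """Return a list of (rule, line) flags for the lines of a pasted log."""
    flags = []
    last_path = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # RootRepeal prints "Path:" on one line and the status on the next,
        # so remember the path and report it together with the hidden status.
        if line.startswith("Path:"):
            last_path = line[len("Path:"):].strip()
        if HIDDEN.search(line):
            flags.append(("hidden-process", last_path or line))
            continue
        for name, rx in RULES:
            if rx.search(line):
                flags.append((name, line))
    return flags


def summarize(flags):
    """Count flags per rule so the shape of the infection is visible at a glance."""
    counts = {}
    for name, _ in flags:
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for name, line in hits:
        print(f"{name:24} {line}")
    print(summarize(hits))
```

Run against the sample, the "space-before-exe" rule fires four times and "exe-in-profile-root" twice, while the two control lines produce nothing; a log from a clean machine should produce at most a handful of "trusted-zone" review items. The regexes are deliberately tied to the DDS and RootRepeal line formats shown in the post, so output from other tools would need its own rules.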


#2 TheMichael

TheMichael
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:08:28 AM

Posted 06 February 2010 - 11:08 AM

I committed computer suicide and reformatted. Please close this post. Thank you.

#3 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,257 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:04:28 PM

Posted 07 February 2010 - 05:56 AM

This topic is now closed.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft
