VUNDO.JW infection


This topic is locked. 2 replies to this topic.

#1 ChrisFraser

  • Members
  • 3 posts

Posted 08 February 2010 - 09:37 AM

I have been having trouble with a browser redirect virus for quite some time (1-2 months). AVG Free picks it up as Trojan Horse VUNDO.JW, tries to clean it, requires a reboot to finish the action, and upon reboot and rescan the virus is gone. The next day, when the scan finishes, the same virus is back. I am using AVG Free 9.0 and also have Microsoft Security Essentials and avast installed, which come up clean every time. I also have MBAM, Spybot, SUPERAntiSpyware and HiJackThis installed. I no longer have Spyware Doctor installed, nor several others whose names I cannot remember. I have also used the McAfee and Trend Micro (I think) online scanners. All without luck. I haven't seen any successful solution to my problem on the web and require assistance. I first thought that the AVG detection may be a false positive, but I am still getting browser redirects. Any help would be appreciated.

The following is a description of what AVG finds:

C:\Windows\System32\smss.exe (280):\memory_00110000 Trojan horse Vundo.JW Moved to virus vault
C:\Windows\System32\smss.exe (280) Trojan horse Vundo.JW Reboot is required to finish the action
C:\Windows\System32\csrss.exe (452):\memory_00100000 Trojan horse Vundo.JW Moved to virus vault
C:\Windows\System32\csrss.exe (452) Trojan horse Vundo.JW Reboot is required to finish the action
C:\Windows\System32\csrss.exe (372):\memory_00100000 Trojan horse Vundo.JW Moved to virus vault
C:\Windows\System32\csrss.exe (372) Trojan horse Vundo.JW Reboot is required to finish the action

The following is what Microsoft Security Essentials finds:

Exploit:HTML/IframeRef.gen
Virus:WIN32/Alureon.f
Trojanclicker:JS/Iframe.F

Thanks!

The DDS and GMER logs follow; Attach.zip is attached.

DDS (Ver_09-12-01.01) - NTFSx86
Run by Valued Customer at 10:39:55.90 on 02/08/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_17
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3583.2264 [GMT -3.5:30]

SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Windows\system32\lsm.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Logitech\Gaming Software\LWEMon.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k apphost
C:\Windows\system32\taskhost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Users\Valued Customer\AppData\Local\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
C:\Windows\system32\IoctlSvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k iissvcs
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\DllHost.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10d.exe
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Users\Valued Customer\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page =
uSearch Bar = Preserve
uStart Page = hxxp://www.cbc.ca/nl/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [WeatherEye] c:\users\valued customer\appdata\local\theweathernetwork\weathereye\WeatherEye.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [HDAudDeck] c:\program files\via\viaudioi\vdeck\VDeck.exe -r
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [ATICustomerCare] "c:\program files\ati\aticustomercare\ATICustomerCare.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [Start WingMan Profiler] c:\program files\logitech\gaming software\LWEMon.exe /noui
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide
mRun: [Adobe Reader Speed Launcher] C:\adoberd.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Turbo Tax Agent] c:\windows\txagent.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5838/mcfscan.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: intu-qt2009 - {03947252-2355-4e9b-B446-8CCC75C43370} - c:\program files\quicktax 2009\ic2009pp.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: x-excid - {9D6CC632-1337-4a33-9214-2DA092E776F4} - c:\windows\downloaded program files\mimectl.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: avgrsstx.dll
SSODL: crash_report - {495FE683-6249-4A05-8D1A-8F7CD8DF5A6D} - c:\windows\system32\crash_report.dll
SEH: DVDIdleShell Class: {93994de8-8239-4655-b1d1-5f4e91300429} - c:\program files\dvd region+css free\DVDShell.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\valued~1\appdata\roaming\mozilla\firefox\profiles\juaqbce6.default\
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-2-4 163280]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-1-2 333192]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-1-2 28424]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-1-2 360584]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 142832]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-1-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 74480]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-9-23 172032]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-2-4 19024]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-2-4 51792]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-2-4 40384]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-1-2 285392]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-11-11 1153368]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-2-4 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-2-4 40384]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2009-6-18 42480]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2009-11-10 1077760]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-11-11 135664]
S3 AV88BASE;Cx2388x Base Driver;c:\windows\system32\drivers\av88base.sys [2009-11-18 441088]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 7408]

=============== Created Last 30 ================

2010-02-08 13:38:50 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2010-02-08 13:38:19 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-02-06 15:16:25 304128 ----a-w- c:\windows\IsUninst.exe
2010-02-06 15:12:38 0 d-----w- C:\CanoScan_N650U_N656U_CSUv571a
2010-02-05 00:38:35 51792 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-02-05 00:38:10 0 d-----w- c:\programdata\Alwil Software
2010-02-04 21:33:12 0 d-----w- c:\program files\iPod
2010-02-04 21:33:11 0 d-----w- c:\program files\iTunes
2010-02-03 17:14:46 21584 ------w- c:\windows\system32\drivers\atapi.sysA1CA0BC6
2010-02-03 17:14:27 21584 ------w- c:\windows\system32\drivers\atapi.sys2C31C847
2010-02-03 17:04:27 21584 ------w- c:\windows\system32\drivers\atapi.sysEAF35975
2010-02-03 16:54:25 21584 ------w- c:\windows\system32\drivers\atapi.sys7BEEB7EA
2010-02-03 16:23:35 21584 ------w- c:\windows\system32\drivers\atapi.sys686D65E5
2010-02-03 16:18:53 21584 ------w- c:\windows\system32\drivers\atapi.sys7428EE9D
2010-02-03 16:08:45 21584 ----a-w- c:\windows\system32\drivers\atapi.sys898723C5
2010-02-03 13:59:01 0 d-----w- c:\users\valued~1\appdata\roaming\Intuit Canada
2010-02-03 13:58:37 0 d-----w- c:\program files\common files\AnswerWorks 4.0
2010-02-03 13:58:36 0 d-----w- c:\program files\common files\Intuit
2010-02-03 13:58:24 0 d-----w- c:\program files\QuickTax 2009
2010-02-03 13:58:07 0 d-----w- c:\programdata\Intuit Canada
2010-02-03 13:57:10 715242 ----a-w- C:\adoberd.exe
2010-02-03 13:57:05 632699 ----a-w- c:\windows\txagent.exe
2010-02-03 09:45:42 21584 ------w- c:\windows\system32\drivers\atapi.sys30C7F997
2010-02-03 09:35:41 21584 ------w- c:\windows\system32\drivers\atapi.sys51CBFCB3
2010-02-03 09:25:40 21584 ------w- c:\windows\system32\drivers\atapi.sys9CBADD67
2010-02-03 08:45:36 21584 ------w- c:\windows\system32\drivers\atapi.sysF4AD2975
2010-02-03 08:25:34 21584 ------w- c:\windows\system32\drivers\atapi.sysED4C7C18
2010-02-03 07:35:25 21584 ------w- c:\windows\system32\drivers\atapi.sysB0D831CB
2010-02-03 07:25:17 21584 ------w- c:\windows\system32\drivers\atapi.sys99DBC81C
2010-02-03 07:03:17 21584 ------w- c:\windows\system32\drivers\atapi.sys4F70CD06
2010-02-03 06:40:39 21584 ------w- c:\windows\system32\drivers\atapi.sys110A6B8D
2010-02-03 06:20:37 21584 ------w- c:\windows\system32\drivers\atapi.sysA0AADED2
2010-02-03 05:40:32 21584 ------w- c:\windows\system32\drivers\atapi.sys42C01BEB
2010-01-27 08:50:22 285696 ----a-w- c:\windows\system32\winlogon.exe
2010-01-27 08:50:22 2614272 ----a-w- c:\windows\explorer.exe
2010-01-23 21:56:28 0 d-----w- c:\users\valued~1\appdata\roaming\DriverFinder
2010-01-23 19:24:07 0 d-----w- c:\program files\Microsoft Security Essentials
2010-01-22 23:56:56 0 d-----w- c:\programdata\{1C6FDDD8-FC9E-4C12-9FA5-1AAD377097B3}
2010-01-22 01:15:28 977920 ----a-w- c:\windows\system32\wininet.dll
2010-01-13 07:43:05 70656 ----a-w- c:\windows\system32\fontsub.dll
2010-01-13 07:43:05 108544 ----a-w- c:\windows\system32\t2embed.dll
2010-01-10 19:17:08 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys

==================== Find3M ====================

2010-02-03 17:32:44 21584 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-14 14:42:06 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-12 18:26:51 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-01-07 19:37:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 19:37:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-03 00:19:32 231284 ---ha-w- c:\windows\system32\mlfcache.dat
2010-01-02 17:09:56 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-01-02 17:09:54 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-01-02 17:09:50 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-12-26 22:38:26 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2009-12-24 16:39:38 138184 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-12-24 16:39:31 183112 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-12-19 02:19:15 794408 ----a-w- c:\windows\system32\pbsvc[1].exe
2009-12-14 19:15:14 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-12-11 09:37:56 536576 ----a-w- c:\windows\system32\crash_report.dll
2009-11-30 15:56:04 1712201 ----a-w- c:\windows\system32\InetClnt.dll
2009-11-14 21:37:07 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-11 19:00:17 87608 ----a-w- c:\users\valued~1\appdata\roaming\inst.exe
2009-11-11 19:00:17 47360 ----a-w- c:\users\valued~1\appdata\roaming\pcouffin.sys
2009-11-11 18:48:40 3328 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp AAC Encoder.dat
2009-11-11 18:48:28 2930 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp [Multi Encoder] Codec.dat
2009-11-11 18:48:17 1844 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp Mp2 and BwfMp2 codec.dat
2009-11-11 18:48:13 2228 ----a-w- c:\windows\system32\SpoonUninstall-dBPoweramp tooLame MP2 codec.dat
2009-11-11 18:48:11 11473 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp Real Audio (Helix) Encoder.dat
2009-11-11 18:48:04 3008 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp WavPack Codec.dat
2009-11-11 18:47:56 3030 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp Ogg Vorbis Codec.dat
2009-11-11 18:47:49 3152 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp mp3 (Fraunhofer IIS) Codec.dat
2009-11-11 18:47:41 3107 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp Monkeys Audio Codec.dat
2009-11-11 18:47:34 2951 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp FLAC Codec.dat
2009-11-11 18:47:27 2843 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp [Calculate Audio CRC] Codec.dat
2009-11-11 18:47:15 3149 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp Windows Media Audio 10 Codec.dat
2009-11-11 18:46:44 3311 ----a-w- c:\windows\system32\SpoonUninstall-dBpowerAMP Windows Media Audio 9 Codec.dat
2009-11-11 18:46:08 3175 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp m4a Utilities.dat
2009-11-11 18:45:53 3590 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp m4a Codec.dat
2009-11-11 18:44:04 8457 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp DSP Effects.dat
2009-11-11 18:44:00 13281 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp Music Converter.dat
2009-11-10 14:13:15 53248 ----a-w- c:\windows\system32\CSVer.dll
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 10:41:01.25 ===============


GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2010-02-08 10:57:04
Windows 6.1.7600


---- System - GMER 1.0.14 ----

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8323FAF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8323F104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8323F3F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 832282D8
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83227898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8323F1DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8323F958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8323F6F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8323FF2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 832401A8

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0x9233D52A]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0x9233D34E]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0x9233D488]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\ACPI_HAL \Device\000000ba halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Linkage@Bind ????????????????????????????????????*6to4mp?????? ?????????????????????1????????????????????? ?????????????????????1????????????????????????? ???????/?????????????,??????(?????????????? ??????????????????????????? ???????/?????????????-??????????????????????A?????? ?????????????????????-??"???&???????????????????????????*????????????????n????Port_#0001.Hub_#0005????? ?????????????????????-????????????????????????????USB\VID_0409&PID_005A&REV_0100?USB\VID_0409&PID_005A????? ??????????????????USB\Class_09&SubClass_00&Prot_00?USB\Class_09&SubClass_00?USB\Class_09????????N????????????D????{f60ceae6-edc4-11de-be94-c0a2afe3ab1d}??????? ?????????????????????1??L????????? ???????????? ?????????????????????1????????????&????????????????????????????????????????d??????????*6to4mp?cb???????????-??eb???????????8??????? ??????????????N???*6to4mp????????????????????s????????????????????? ???????5??????????@??-??"?????p?*?????????{4d36e972-e325-11ce-bfc1-08002be10318}?7-0?????? ?)?????????????? ????????????????????????????$
Reg HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Linkage@Route ????Cu??????????????D???? p??????????????????????????????????????????????????5??CE??????????????????Microsoft 6to4 Adapter #36?6?2??? ??????????????tD??????????????5A???????????3??9e??Microsoft???????????????????????????@nettun.inf,%msft%;Microsoft?{??????os??t???????????????4m??A1??????{E??????????????????????????6.1.7600.16385??????*6to4mp??????????????????t??{4d36e972-e325-11ce-bfc1-08002be10318}\0049?43???????????7??0.???????????E??4D???????????}???e??????????????????????????????????????A4???????????B???????????s???e????X??????/?????????? 2??6to4mp.ndi?????????f?????????????????????f?f?|??????????????????????????????????????????????????????ro????6?????????????????????????????sr????N??????4?????D-5??? ???????a??????xl?????????????????s?????????????????????????????A???"???????,"?????????A4??int?_T??????????????????????????????????????????????????????gendisk?????? ?????????????????????-??"?????p???????????????????????????????A4??6.1.7600.16385?0CC????X??????|???t??????????????#????????????l??be?????????????
Reg HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Linkage@Export ????F8??? ???????}???????????n????????"???M?????????78??MSAFD NetBIOS [\Device\NetBT_Tcpip6_{F458E8F5-CFE2-43F1-9B77-D4B9BF8C39E1}] SEQPACKET 74?-???????????2????????mBF8????N??????}????D??}???????????????????????????????????e???e???????????8???????????????????????0????????????8????????????e??????????????*??????A?????????nCE??????4A????<??????B??????? ?????????????????????-????????P???????{A???????????6?????s97????N??????C????D?A7?????? ????_???????B????$??????e??????????ROOT\*6TO4MP\0025??????????????????d?????????????}??????????? ??????????????????????????????<??????iAF??? ???????????????????????????????????????p??Type?????? ??????8????c7-A???? ??????}??\0??? ?????????????????????1?????????????????????????????4??rb??? ?????????????????????1????????????&????????????????????.??? ?????????????????????1????????????????????? ?????????????????????1????????z???????????????????????C:????z??????\??39??nettun.inf:Microsoft.NTx86:6to4mp.ndi:6.1.7600.16385:*6to4mp?0???????????C???e??tunnel?6a3??? .????????????Con??Mic
Reg HKLM\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Linkage@Bind ????56??????????????????????????????? ??????????????????????????????`????????e??? P??????_?????VPN??{4DDC8EF2-EFF4-4B15-8519-03C11473BA54}??RO????*??????I????dT\0??TCPIP6TUNNEL?Tcpip6?????\Device\{4DDC8EF2-EFF4-4B15-8519-03C11473BA54}??????????????????????l???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????MSAFD NetBIOS [\Device\NetBT_Tcpip6_{8197E72A-54C5-4A11-95EA-C8078985469A}] SEQPACKET 67????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????MSAFD NetBIOS [\Device\NetBT_Tcpip6_{B32B1917-2E1A-4D35-BE07-F96395A0E0DA}] SEQPACKET 66?2??? ????????????????????????????"???o?????????A-??MSAFD NetBIOS [\Device\NetBT_Tcpip6_{B32B1917-2E1A-4D35-BE07-F96395A0E0DA}] DATAGRAM 66???????`?????????????? ?????????????????????1????????????????????? ???????????????????k?1???????????????????
Reg HKLM\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Linkage@Route ?????\???????????d??&0???????????????????}???????????????????????2??????22??Microsoft????????????????????????????? ??????????????????????F??C}???????????????????????????4??0???{4d36e972-e325-11ce-bfc1-08002be10318}???1??? ???????D?????7-0??????????nettun.inf?\De??? ??&????O??????xM??{4d36e972-e325-11ce-bfc1-08002be10318}\0051???????6?????????????16??*6to4mp?Pr??????????????,????????????0??43???????????2??-F???????????f???f??{4d36e972-e325-11ce-bfc1-08002be10318}??????{4d36e972-e325-11ce-bfc1-08002be10318}\0052?ca????z??????T??ip??6.1.7600.16385?1A7???????????????????????????E??99????N??????3????Ds.e??????????????0?????N????????????DBa?????????????????????????????? ?????????????????????.?????????????tunnel???????????????E??}"?????? ?????N???????????D??????????????b??cp??????\C??6.1.7600.16385??5???6to4mp.ndi?\De????z??????9??0C???????????????????4???e???????????-??4E??????????????????????????????????????????_N????z??????7??8-????X??????0???t??????oo??6-21-2006???{745a17a0-74d3-11d0-b6fe-00a0c90f57da}?A0D?????

---- EOF - GMER 1.0.14 ----

Edited by ChrisFraser, 08 February 2010 - 01:34 PM.



#2 ChrisFraser

ChrisFraser
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:12:51 AM

Posted 13 February 2010 - 01:57 PM

Please disregard the above. Since the middle of last week there has been an update (Microsoft, AVG, ?) and the virus and redirects are no longer happening. There has finally been a fix!!!!!!!!

#3 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:05:21 AM

Posted 15 February 2010 - 11:44 AM

Since this issue appears to be resolved ... this Topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via PM with the address of the thread.

Everyone else please begin a New Topic.
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.



