
Vundo/Variant-Nx and Variant-EC


  • This topic is locked
19 replies to this topic

#1 builderboy

builderboy

  • Members
  • 18 posts
  • OFFLINE
  • Local time:09:42 AM

Posted 01 April 2010 - 08:51 PM

Hello Gracious Folks,

I have been struggling with some bad computer infections that my tools can't seem to remove. It is characterized by browser hijacks, redirects, ads for hoax anti-malware, etc. I offer my humble thanks in advance for the assistance.

Here is my DDS.txt log:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Tony Oliva at 20:44:56.51 on Thu 04/01/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.515 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Documents and Settings\Tony Oliva\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: {e44d1927-50ec-4ad3-93af-4d95b1ffde69} - tehumihe.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [PeerGuardian] c:\program files\peerguardian2\pg2.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /install
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [busawurebi] Rundll32.exe "durunora.dll",s
mRun: [paguworav] Rundll32.exe "c:\windows\system32\fafivolo.dll",a
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - hxxp://www.comcastsupport.com/oneclickfix/tgctlsr.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1248959261078
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: c:\windows\system32\saparole.dll c:\windows\system32\wovahova.dll yuhisona.dll tehitege.dll c:\windows\system32\gomuliwe.dll c:\windows\system32\pigetome.dll c:\windows\system32\fafivolo.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: dogisinas - {9066e65b-57b3-49d9-821d-6ccf85fae63b} - c:\windows\system32\saparole.dll
SSODL: mijejoriw - {b79fbd2e-8169-4374-9a70-eb085d94e126} - c:\windows\system32\pigetome.dll
SSODL: zewijujuw - {79dbcffa-7892-4839-b0cd-ae976a2b2d69} - c:\windows\system32\pigetome.dll
SSODL: gusogazul - {053e26c2-2726-4cfc-9de8-1d6df498c439} - c:\windows\system32\fafivolo.dll
SSODL: sasisufek - {7d264863-ee38-44a8-8c6a-e651149a9150} - c:\windows\system32\fafivolo.dll
SSODL: wefulowud - {d1c767ce-7c7b-49d8-bf44-c5b89a57611c} - c:\windows\system32\pigetome.dll
STS: jugezatag: {9066e65b-57b3-49d9-821d-6ccf85fae63b} - c:\windows\system32\saparole.dll
STS: gahurihor: {b79fbd2e-8169-4374-9a70-eb085d94e126} - c:\windows\system32\pigetome.dll
STS: mujuzedij: {79dbcffa-7892-4839-b0cd-ae976a2b2d69} - c:\windows\system32\pigetome.dll
STS: kupuhivus: {053e26c2-2726-4cfc-9de8-1d6df498c439} - c:\windows\system32\fafivolo.dll
STS: tokatiluy: {7d264863-ee38-44a8-8c6a-e651149a9150} - c:\windows\system32\fafivolo.dll
STS: mujuzedij: {d1c767ce-7c7b-49d8-bf44-c5b89a57611c} - c:\windows\system32\pigetome.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli nivedusa.dll tehitege.dll
IFEO: MpCmdRun.exe - c:\windows\system32\svchost.exe
IFEO: MSASCui.exe - c:\windows\system32\svchost.exe
IFEO: MsMpEng.exe - c:\windows\system32\svchost.exe
IFEO: msseces.exe - c:\windows\system32\svchost.exe

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tonyol~1\applic~1\mozilla\firefox\profiles\i783oxlx.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XUL Cache: {C1FB68A2-A4D9-4D49-8FF8-F58D3D85CC05} - c:\documents and settings\tony oliva\local settings\application data\{C1FB68A2-A4D9-4D49-8FF8-F58D3D85CC05}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-9-4 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-9-4 74480]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-9-4 7408]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2010-3-2 11520]

=============== Created Last 30 ================

2010-04-02 00:37:58 0 ----a-w- c:\documents and settings\tony oliva\defogger_reenable
2010-03-15 20:34:31 0 d-----w- c:\program files\DreamCatcher

==================== Find3M ====================

2010-03-16 17:57:14 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-07-30 02:59:22 1234120 ----a-w- c:\program files\wrar380.exe
1601-01-01 00:03:28 47616 --sha-w- c:\windows\system32\bopoyufi.dll
1601-01-01 00:12:31 61952 --sha-w- c:\windows\system32\durunora.dll
2010-01-01 13:32:58 101376 --sha-w- c:\windows\system32\fafivolo.dll
2010-01-01 13:32:58 47616 --sha-w- c:\windows\system32\fevahiva.dll
1601-01-01 00:03:28 101376 --sha-w- c:\windows\system32\gomuliwe.dll
1601-01-01 00:03:28 47616 --sha-w- c:\windows\system32\huvehibi.dll
1601-01-01 00:03:28 101376 --sha-w- c:\windows\system32\pigetome.dll
1601-01-01 00:03:28 47616 --sha-w- c:\windows\system32\pozowaha.dll
1601-01-01 00:12:31 61952 --sha-w- c:\windows\system32\tehumihe.dll
1601-01-01 00:03:28 47616 --sha-w- c:\windows\system32\tejekuru.dll
1601-01-01 00:03:28 47616 --sha-w- c:\windows\system32\yedibona.dll
1601-01-01 00:03:28 70144 --sha-w- c:\windows\system32\zelayira.dll

============= FINISH: 20:48:44.45 ===============
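The DDS "Pseudo HJT Report" and "Find3M" sections above are where the infection shows itself: Image File Execution Options entries that point Microsoft Security Essentials binaries at svchost.exe, AppInit_DLLs and LSA Notification Packages loading eight-letter pseudo-random DLLs, Run entries that reference a DLL by bare filename, and hidden+system DLLs stamped 1601-01-01. The following is an added example, not part of builderboy's post or of DDS itself: a small Python triage script that reads a DDS log fragment and flags those patterns. The sample input is a constructed subset of lines copied from the log above; the list of security-tool executables, the eight-letter-name heuristic and the finding categories are this example's own assumptions, not DDS output.

```python
import re
from collections import Counter

# Constructed sample: a subset of the DDS log lines posted in this thread,
# embedded here so the script runs offline without the attachment.
SAMPLE_DDS = r"""
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {e44d1927-50ec-4ad3-93af-4d95b1ffde69} - tehumihe.dll
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [busawurebi] Rundll32.exe "durunora.dll",s
mRun: [paguworav] Rundll32.exe "c:\windows\system32\fafivolo.dll",a
AppInit_DLLs: c:\windows\system32\saparole.dll yuhisona.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: dogisinas - {9066e65b-57b3-49d9-821d-6ccf85fae63b} - c:\windows\system32\saparole.dll
LSA: Notification Packages = scecli nivedusa.dll tehitege.dll
IFEO: MsMpEng.exe - c:\windows\system32\svchost.exe
2010-03-16 17:57:14 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
1601-01-01 00:03:28 47616 --sha-w- c:\windows\system32\bopoyufi.dll
2010-01-01 13:32:58 101376 --sha-w- c:\windows\system32\fafivolo.dll
"""

# Assumption: the Microsoft Security Essentials / Windows Defender binaries that the
# log shows redirected through Image File Execution Options "Debugger" values.
SECURITY_TOOL_EXES = {"mpcmdrun.exe", "msascui.exe", "msmpeng.exe", "msseces.exe"}

MODULE_RE = re.compile(r"[a-z0-9_\-]+\.(?:dll|exe|sys)", re.I)
RANDOM_DLL_RE = re.compile(r"^[a-z]{8}\.dll$")      # heuristic: Vundo-style 8-letter names
FIND3M_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \S+ \d+ (\S{8}) (.+)$")
PERSISTENCE_PREFIXES = ("BHO:", "TB:", "uRun:", "mRun:", "dRunOnce:",
                        "SSODL:", "STS:", "Notify:", "SEH:")


def analyze_dds(text):
    """Return a list of (category, detail) findings for a DDS log fragment."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("IFEO:"):
            # Format: "IFEO: <image name> - <Debugger value>"
            image, _, debugger = line[len("IFEO:"):].partition(" - ")
            image, debugger = image.strip().lower(), debugger.strip().lower()
            if image in SECURITY_TOOL_EXES and debugger.endswith("\\svchost.exe"):
                findings.append(("ifeo_hijack", f"{image} redirected to {debugger}"))
        elif line.startswith("AppInit_DLLs:"):
            # Anything in AppInit_DLLs is injected into every process that loads user32.
            for m in MODULE_RE.finditer(line):
                findings.append(("appinit_dll", m.group(0).lower()))
        elif line.startswith("LSA: Notification Packages"):
            for pkg in line.split("=", 1)[1].split():
                if pkg.lower() != "scecli":      # scecli is the only default entry on XP
                    findings.append(("lsa_notification_package", pkg.lower()))
        elif line.startswith(PERSISTENCE_PREFIXES):
            for m in MODULE_RE.finditer(line):
                name = m.group(0).lower()
                # A DLL not preceded by a backslash is referenced by bare filename, so
                # the loader searches for it: typical of orphaned or relocating entries.
                bare = m.start() == 0 or line[m.start() - 1] != "\\"
                if RANDOM_DLL_RE.match(name):
                    findings.append(("random_name_dll", name))
                if bare and name.endswith(".dll"):
                    findings.append(("bare_dll_reference", name))
        else:
            fm = FIND3M_RE.match(line)
            if fm:
                date, attrs, path = fm.groups()
                if "s" in attrs and "h" in attrs and date.startswith("1601"):
                    findings.append(("hidden_system_file_bogus_timestamp", path.lower()))
                elif "s" in attrs and "h" in attrs:
                    findings.append(("hidden_system_file", path.lower()))
    return findings


def summarize(findings):
    """Count findings per category."""
    return dict(Counter(category for category, _ in findings))


if __name__ == "__main__":
    results = analyze_dds(SAMPLE_DDS)
    for category, detail in results:
        print(f"{category:36} {detail}")
    print(summarize(results))
```

Run against a full DDS.txt by reading the file instead of SAMPLE_DDS; legitimate entries such as NvCpl.dll or WPDShServiceObj.dll produce no findings because they carry a full path and a non-random name, which is what makes the bare-name and eight-letter checks useful as a first pass before a human reviews the log.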


#2 snemelk

snemelk

    inżynier


  • Malware Response Team
  • 1,468 posts
  • OFFLINE
  • Gender:Male
  • Location:Poland
  • Local time:03:42 PM

Posted 05 April 2010 - 05:41 PM

Hi builderboy, and welcome to Bleeping Computer.

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Post the log from ComboFix when you've accomplished that.
snemelk.hekko.pl - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver


#3 builderboy

builderboy
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:09:42 AM

Posted 06 April 2010 - 06:20 AM

Hi snemelk,

Thanks for getting back to me. I will have an opportunity to download and run Combofix this afternoon, and will post after having done so.

- builderboy

#4 builderboy

builderboy
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:09:42 AM

Posted 06 April 2010 - 08:07 PM

Hello snemelk,

I have run ComboFix and here is the log attached. I don't think that it entirely removed the problem, as I experienced a pop-up when I opened the browser to make this posting.

-builderboy

#5 snemelk

snemelk

    inżynier


  • Malware Response Team
  • 1,468 posts
  • OFFLINE
  • Gender:Male
  • Location:Poland
  • Local time:03:42 PM

Posted 07 April 2010 - 05:19 AM

Hi again builderboy!!.. smile.gif..

QUOTE
I don't think that it entirely removed the problem, as I experienced a pop-up when I opened the browser to make this posting.

Yep, still a little to do... By the way - this machine was quite heavily infected - it had multiple infections "on board"... You need to protect it better in the future...

Firstly,
Open Notepad and copy/paste the text in the quotebox below into it:

CODE
http://www.bleepingcomputer.com/forums/t/306520/vundovariant-nx-and-variant-ec/

Collect::
c:\documents and settings\Tony Oliva\Local Settings\Application Data\1732168344.dll
c:\windows\system32\dakuzuso.dll
c:\windows\system32\fesisone.dll
c:\windows\system32\jikotato.dll
c:\windows\system32\tehumihe.dll
c:\windows\system32\vulademu.dll
c:\windows\system32\zelayira.dll
Suspect::
c:\program files\wrar380.exe
Folder::
c:\documents and settings\Tony Oliva\Local Settings\Application Data\{C1FB68A2-A4D9-4D49-8FF8-F58D3D85CC05}
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e44d1927-50ec-4ad3-93af-4d95b1ffde69}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"paguworav"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{3a1a527b-0c85-492f-800f-8665ee8b2a9c}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"lorutodol"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000
Firefox::
FF - ProfilePath - c:\documents and settings\Tony Oliva\Application Data\Mozilla\Firefox\Profiles\i783oxlx.default\
FF - HiddenExtension: XUL Cache: {C1FB68A2-A4D9-4D49-8FF8-F58D3D85CC05} - c:\documents and settings\Tony Oliva\Local Settings\Application Data\{C1FB68A2-A4D9-4D49-8FF8-F58D3D85CC05}


Save this as CFScript.txt





Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

Secondly,
I do not see an antivirus program running on your computer... Without an AV, you have no protection and risk being quickly re-infected... Please install an antivirus program of your choice, run a full system scan with it, and post a log (if possible)... You may want to install one of the antivirus applications I recommend on my site: link

Thirdly,
I see you have no firewall installed and your Windows Firewall is disabled... This is dangerous... Please either install a firewall (for example from one of the firewalls I recommend) or enable a Windows Firewall (details on my page: Recommended protection programs)...

Finally, after installing an AV and firewall (or enabling Windows Firewall), please perform a scan with DDS - post the fresh logs...


#6 builderboy

builderboy
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:09:42 AM

Posted 08 April 2010 - 07:04 AM

Hello again, snemelk....a smile right back atcha! Thanks for persevering through this with me. I have done the script and re-run ComboFix as directed, the log attached here.

I have gone to your link on antivirus programs and firewalls, and will do that subsequent to this post.

p.s. - I note that there is a Windows system message at startup where it is still trying to load one of the suspect dll's, duranona, but can't find it. Is there a way to get this out of the registry so that Windows won't be searching for this stinker?

Big thanks, and I will post step 2 (rerun DDS after install of firewall & AV) likely in the next day or so (busy, busy)

Your indebted friend,
Builderboy

#7 builderboy

builderboy
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:09:42 AM

Posted 08 April 2010 - 01:29 PM

Hi snemelk,

I am in the process of completing the next step, and assumed that I should run an AV scan prior to running DDS. I am 1.5% thru the scan, and see that it has already caught 31 detections, including TR/Patched Gen and, obviously, others.

I did not mention it, but when I dragged the script onto the ComboFix icon and the program commenced (before my last posting), I was prompted that there was a newer version of ComboFix available, and did I want to download it. I declined, given that I now trust 0% of the pop up messages that my machine gives.

This kind of stuff leads one to despair... sad.gif This scan will apparently take a good while to complete, so I will post tomorrow sometime.

#8 snemelk

snemelk

    inżynier


  • Malware Response Team
  • 1,468 posts
  • OFFLINE
  • Gender:Male
  • Location:Poland
  • Local time:03:42 PM

Posted 08 April 2010 - 04:55 PM

Hi again builderboy!!.. smile.gif.

QUOTE(builderboy @ Apr 8 2010, 02:04 PM)
p.s. - I note that there is a Windows system message at startup where it is still trying to load one of the suspect dll's, duranona, but can't find it. Is there a way to get this out of the registry so that Windows won't be searching for this stinker?

An infection tried to regenerate - it's probably just a leftover - we'll deal with it with a CFScript...

QUOTE(builderboy @ Apr 8 2010, 08:29 PM)
I am in the process of completing the next step, and assumed that I should run an AV scan prior to running DDS. I am 1.5% thru the scan, and see that it has already caught 31 detections, including TR/Patched Gen and, obviously, others.

thumbup2.gif Post the logs when ready...

Please do the following after running a scan with your AV:
Delete your current copy of ComboFix - delete a file from your Desktop... Then download the newest version from one of the links below:
Link 1
Link 2

Then,
Open Notepad and copy/paste the text in the quotebox below into it:

CODE
http://www.bleepingcomputer.com/forums/t/306520/vundovariant-nx-and-variant-ec/

Collect::
c:\windows\system32\hoganova.dll
Suspect::
c:\windows\system32\SET30.tmp
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"busawurebi"=-


Save this as CFScript.txt





Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

Then,
We need to upload a few malware files.
Download upload.bat to your Desktop.
Then open Notepad and copy and paste the text present in the codebox:
CODE
http://www.bleepingcomputer.com/forums/t/306520/vundovariant-nx-and-variant-ec/
"c:\Qoobox\Quarantine\c\documents and settings\Tony Oliva\Local Settings\Application Data\{C1FB68A2-A4D9-4D49-8FF8-F58D3D85CC05}"

Save this as upload.txt , and place it on your Desktop.

Double-click upload.bat and let the script run. A Notepad window with a logfile will open; you may close it. Then a browser window should pop up; submit the Files_for_submission.zip file (created in the same directory you saved upload.bat in) - browse to that file and click Send File. You may leave the two other boxes blank.
Let me know if the file has been uploaded successfully or note any errors encountered.

Then,
In a previous run, ComboFix zipped some files for analysis... However, as far as I can see, this zipped file has not been uploaded yet... Please browse to this folder: C:\Qoobox\Quarantine\ and submit every file with a name of this format: [4]-Submit_date_time.zip to this site: Submit Malware Sample (browse to the file and click Send File; other boxes may be left blank)... Let me know if this step was successful - it's important...

Finally, post the logs from your AV (if possible) and fresh DDS logs... smile.gif..


#9 builderboy

builderboy
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:09:42 AM

Posted 08 April 2010 - 09:29 PM

Hi snemelk!

Here are the DDS logs you requested. I will redo the ComboFix with the new script a little later. I am SO relieved that you have hung in with me on this arduous journey! thumbup.gif

post to you again soon...

yours appreciatively,

-builderboy

#10 builderboy

builderboy
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:09:42 AM

Posted 08 April 2010 - 09:52 PM

One more for tonight...here is the ComboFix log from your prior direction.

A question for you, snemelk: In your next instructions, you direct me to download 'upload.bat' to my desktop, which I have done. You then tell me to "Then open Notepad and copy and paste next present in the codebox:" Do you mean that I should copy the text that is in the codebox into Notepad, then save it as 'upload.txt' ?

And when I run upload.bat, and the browser window opens, it sounds like the window prompts me to submit a file to upload, and I should direct it to a file that has been created on my desktop, named Files_for_submission.zip, which should be on my desktop.

Did I get that right? It's late and my comprehension is a bit dulled at this hour.

I will look for your reply post,

Off to bed for me...thanks once again for the help

- builderboy

#11 snemelk

snemelk

    inżynier


  • Malware Response Team
  • 1,468 posts
  • OFFLINE
  • Gender:Male
  • Location:Poland
  • Local time:03:42 PM

Posted 09 April 2010 - 06:46 PM

Hi again builderboy!!.. smile.gif.

Logs look much better now!.. thumbup2.gif I reckon no problem persists??..

QUOTE(builderboy @ Apr 9 2010, 04:52 AM)
A question for you, snemelk: (...)
Did I get that right? It's late and my comprehension is a bit dulled at this hour.

Yep, you got this right!.. smile.gif.

Let's take care of outdated programs on your machine:

I see you're running: Adobe Acrobat 7.0 Professional - as far as I know this version is pretty outdated and has serious security vulnerabilities... Please either update that Professional version to the newest release of the program or install the latest version of Adobe Acrobat Reader (from here: http://www.adobe.com/products/acrobat/readstep2.html ) in such a way that it is used when browsing the web... (I believe versions 7.0 and 9.3.1 can be installed together)...

To make sure you have the latest version of Adobe Flash Player installed:
1. To uninstall an older version, download this file to your Desktop: uninstall_flash_player.exe
2. Quit ALL running applications, including all Internet Explorer or other browser windows, and messenger applications (like AOL Instant Messenger, Yahoo Messenger, MSN Messenger).
3. Double-click on the file you've downloaded to uninstall Flash.
4. If uninstalled successfully, go to this site: Install Adobe Flash Player, and choose Agree and install now. This will install the newest version of Flash for your browser (note: Flash plugins for IE and Firefox must be installed separately).
Note: I recommend you uncheck an optional install (Free McAfee Security Scan or Free Google Toolbar).

Finally, please post the fresh Gmer logfile!.. smile.gif..


#12 builderboy

builderboy
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:09:42 AM

Posted 10 April 2010 - 04:42 PM

Dear snemelk,

I have:

- uploaded the Qoobox/Quarantine file that you requested,

- removed old Adobe Reader and updated to 9.3.1,

- done the whole upload.bat process.

I am trying to run a fresh gmer log for you, but keep running into an annoying phenomenon of my screen going black after starting gmer. Am I supposed to disable firewall and AV for that process? Online Armor asks me a million questions about allowing things that I am ill prepared to answer. wacko.gif

thanks for the patience.

-builderboy smile.gif

#13 snemelk

snemelk

    inżynier


  • Malware Response Team
  • 1,468 posts
  • OFFLINE
  • Gender:Male
  • Location:Poland
  • Local time:03:42 PM

Posted 11 April 2010 - 04:46 AM

Hi again builderboy!!.. smile.gif.

Thanks for the uploads...

QUOTE(builderboy @ Apr 10 2010, 11:42 PM)
I am trying to run a fresh gmer log for you, but keep running into an annoying phenomenon of my screen going black after starting gmer. Am I supposed to disable firewall and AV for that process? Online Armor asks me a million questions about allowing things that I am ill prepared to answer. wacko.gif

In some cases, protection programs may interfere... Please disconnect from internet, disable protection programs (instructions here: link) and run a scan with Gmer as instructed in the "Preparation guide"... smile.gif..
I need that scan to make sure we leave nothing behind!..


#14 snemelk

snemelk

    inżynier


  • Malware Response Team
  • 1,468 posts
  • OFFLINE
  • Gender:Male
  • Location:Poland
  • Local time:03:42 PM

Posted 19 April 2010 - 02:49 PM

Hi again builderboy!!.. smile.gif..

Have you managed to run a scan with Gmer?..


#15 builderboy

builderboy
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:09:42 AM

Posted 21 April 2010 - 07:06 PM

Hi snemelk! smile.gif

Sooo sorry I have been away! I did run GMER, but failed to capture the log at the conclusion (failed to remember that part... blink.gif ), and so am running it AGAIN as we speak. Will post later tonight.

I do have a question for you, tho. I loaded Avira and Online Armor, as you advised, but got a message from Online Armor that Avira's update.exe file had been replaced, and did I trust the new file? PANIC! My initial scan with Avira showed that there was still bad stuff, so ...?

I am sure the Gmer log will tell you more...

Your friend with the disgustingly infected PC, (written from his Mac cool.gif )

-builderboy
