
Madang.C


  • This topic is locked
2 replies to this topic

#1 vertigoelectric

vertigoelectric

  • Members
  • 20 posts
  • OFFLINE
  • Local time:04:35 PM

Posted 03 July 2010 - 01:46 AM

I have a virus that infects every exe file it can find on my computer (I have four internal hard drives). It is detected as Madang.C along with a few other names that I do not remember at this moment. Malwarebytes doesn't find it. AVG and Avast report each infected exe as a threat (literally hundreds) and do not clean or repair. The only option is to delete them. That is not an option for me. Some of those exe files are irreplaceable.

As you may assume, I am extremely frustrated and very angry. This virus is giving me problems I don't know how to get out of. If it has truly infected every exe on my hard drives and they cannot be repaired, then I will lose quite a bit of data.

I followed the steps for posting here, and I've got the DDS log as well as the attached text file. However, when GMER finished scanning and I clicked "Save", I would just get an hourglass and the program would not respond. I waited for quite some time for it to do something, but nothing. Thus, I couldn't get that log file.

The virus seems to call itself "Serverx.exe" in the Windows\system32 folder. I've managed to delete the file and replace it with a fake "Serverx.exe" file that I created and then I locked that fake file with PC Security so that it cannot be overwritten OR accessed by anything. So far, that part is working. Serverx.exe doesn't seem to be able to recreate itself because it cannot overwrite the fake. Now I need help fixing all of my exe files.

Here is the content of DDS.txt:

CODE
DDS (Ver_10-03-17.01) - NTFSx86  
Run by vertigo at 18:58:28.03 on Fri 07/02/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.2046.1236 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Shield\shieldtray.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
svchost.exe
C:\Program Files\HyperSnap 6\HprSnap6.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\rserver30\RServer3.exe
C:\Program Files\Serv-U\ServUDaemon.exe
C:\WINDOWS\system32\rserver30\FamItrfc.Exe
C:\Program Files\Shield\shdserv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\UltraVNC\WinVNC.exe
C:\Program Files\Shield\shieldclnt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\Pidgin\pidgin.exe
C:\WINDOWS\system32\Serverx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\!! SYSTEM DATA !!\User Data\Desktop\anti-malware\dds.scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Search-Results Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Search-Results Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
uRun: [Serverx] c:\windows\system32\Serverx.exe
mRun: [shield] c:\program files\shield\shieldtray.exe
mRun: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] c:\program files\google\gmail notifier\gnotify.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
StartupFolder: c:\docume~1\vertigo\startm~1\programs\startup\hypers~1.lnk - c:\program files\hypersnap 6\HprSnap6.exe
StartupFolder: c:\docume~1\vertigo\startm~1\programs\startup\ultramon.lnk - c:\docume~1\vertigo\applic~1\microsoft\installer\{e67ff1a2-23c1-4102-84e9-42115f77ad32}\IcoUltraMon.ico
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: netlock.dll
LSP: %SYSTEMROOT%\system32\nvLsp.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\hmelyofflabs\vhtoolkit\Skype4COM.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
Notify: WBSrv - c:\progra~1\stardock\object~1\window~1\wbsrv.dll
AppInit_DLLs: c:\windows\system32\rserver30\newtstop.dll,wbsys.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\vertigo\applic~1\mozilla\firefox\profiles\6fg1l0tj.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\documents and settings\vertigo\application data\mozilla\firefox\profiles\6fg1l0tj.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc_fireftp.dll
FF - plugin: c:\documents and settings\vertigo\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\vertigo\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency",   1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type",                  5);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug",            false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight",       2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize",       1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight",   25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight",     5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Shdbus;Shdbus;c:\windows\system32\drivers\Shdbus.sys [2010-3-7 7360]
R0 Shield;Shield;c:\windows\system32\drivers\Shield.sys [2010-3-7 105408]
R0 Shieldf;Shieldf;c:\windows\system32\drivers\Shieldf.sys [2010-3-7 22976]
R0 Shieldm;Shieldm;c:\windows\system32\drivers\Shieldm.sys [2010-3-7 30528]
R0 WINSEC;WINSEC;c:\windows\system32\drivers\winsec.sys [2010-3-8 20592]
R1 cloverm;cloverm;c:\windows\system32\drivers\cloverm.sys [2010-3-7 477568]
R1 raddrvv3;raddrvv3;c:\windows\system32\rserver30\raddrvv3.sys [2008-4-24 45848]
R2 RServer3;Radmin Server V3;c:\windows\system32\rserver30\rserver3.exe [2008-4-24 1238344]
R2 Serv-U;Serv-U FTP Server;c:\program files\serv-u\ServUDaemon.exe [2010-5-12 897024]
R2 ShieldClientService;Shield Client Service;c:\program files\shield\ShieldClnt.exe [2010-3-7 45056]
R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\common files\realtime soft\ultramonmirrordrv\x32\UltraMonUtility.sys [2006-9-24 11776]
R2 uvnc_service;uvnc_service;c:\program files\ultravnc\winvnc.exe [2010-5-12 1590216]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2009-3-4 99352]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [2009-3-4 555032]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [2009-3-4 566296]
R3 mirrorv3;mirrorv3;c:\windows\system32\drivers\rminiv3.sys [2006-11-1 3328]
R3 mv2;mv2;c:\windows\system32\drivers\mv2.sys [2010-5-12 10688]
R3 NUVision;Pinnacle DVC 80 Video;c:\windows\system32\drivers\nuvvid2.sys [2010-6-14 155264]
R3 UltraMonMirror;UltraMonMirror;c:\windows\system32\drivers\UltraMonMirror.sys [2006-9-24 3584]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2009-3-4 99352]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2010-3-7 84682]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2009-3-4 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [2009-3-4 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2009-3-4 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2009-3-4 566296]
S3 GarenaPEngine;GarenaPEngine;c:\docume~1\vertigo\locals~1\temp\KTI881.tmp [2010-5-26 25616]
S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\manycam.sys --> c:\windows\system32\drivers\ManyCam.sys [?]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2010-5-9 42752]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]

=============== Created Last 30 ================

2010-07-03 01:34:40    9418    --sha-r-    c:\windows\system32\Serverx.exe
2010-07-03 00:56:51    0    d-----w-    c:\program files\Unlocker
2010-07-02 22:32:05    0    d-----w-    c:\windows\pss
2010-07-02 22:29:50    54156    ---ha-w-    c:\windows\QTFont.qfn
2010-07-02 22:29:50    1409    ----a-w-    c:\windows\QTFont.for
2010-06-29 00:04:42    86016    ----a-w-    c:\windows\unvise32qt.exe
2010-06-29 00:04:16    0    d-----w-    c:\windows\system32\QuickTime
2010-06-28 22:50:55    0    d-----w-    c:\program files\Toolkit3
2010-06-28 11:30:34    283099    ----a-w-    c:\documents and settings\vertigo\savegame1
2010-06-28 11:29:05    283467    ----a-w-    c:\documents and settings\vertigo\savegame
2010-06-27 06:09:27    0    ---ha-w-    c:\windows\SwSys2.bmp
2010-06-27 06:09:27    0    ---ha-w-    c:\windows\SwSys1.bmp
2010-06-27 06:05:28    0    d-----w-    c:\program files\Game_Maker7
2010-06-16 14:58:26    0    d-----w-    c:\docume~1\vertigo\applic~1\OpenOffice.org
2010-06-16 14:54:40    0    d-----w-    c:\program files\JRE
2010-06-16 14:54:33    0    d-----w-    c:\program files\OpenOffice.org 3
2010-06-15 05:03:57    0    ---ha-w-    c:\windows\system32\drivers\Msft_Kernel_xusb21_01005.Wdf
2010-06-14 08:14:24    26560    ----a-w-    c:\windows\system32\drivers\nuvaud2.sys
2010-06-14 08:14:02    80896    ----a-w-    c:\windows\system32\NUVision.ax
2010-06-14 08:14:02    62976    ----a-w-    c:\windows\system32\pclepixl.dll
2010-06-14 08:14:02    61440    ----a-w-    c:\windows\system32\pclepim1.dll
2010-06-14 08:14:02    46592    ----a-w-    c:\windows\system32\vdrcodec.dll
2010-06-14 08:14:02    155264    ----a-w-    c:\windows\system32\drivers\nuvvid2.sys
2010-06-14 08:09:37    0    d-----w-    c:\program files\Pinnacle
2010-06-14 07:32:45    0    d-----w-    c:\docume~1\vertigo\applic~1\.purple
2010-06-14 07:31:35    0    d-----w-    c:\program files\Pidgin
2010-06-14 06:51:40    0    d-----w-    c:\program files\HmelyoffLabs
2010-06-14 06:46:38    0    d-----w-    c:\windows\system32\appmgmt

==================== Find3M  ====================

2010-07-03 01:28:50    0    ----a-w-    c:\windows\system32\drivers\lvuvc.hs
2010-07-03 01:28:47    0    ----a-w-    c:\windows\system32\drivers\logiflt.iad
2010-05-27 00:53:42    94209    ----a-w-    c:\windows\system32\Paint.exe
2010-05-12 17:21:16    20672    ----a-w-    c:\windows\system32\mv2.dll
2010-05-12 17:21:16    10688    ----a-w-    c:\windows\system32\drivers\mv2.sys
2010-05-07 04:31:48    4096    ----a-w-    c:\windows\d3dx.dat
2010-04-30 20:45:34    411368    ----a-w-    c:\windows\system32\deployJava1.dll

============= FINISH: 18:58:37.83 ===============




#2 vertigoelectric

vertigoelectric
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:04:35 PM

Posted 03 July 2010 - 10:18 PM

I don't see an option for deleting this post.

I am replying to say that I went ahead and let AVAST delete all of the infected EXEs and I am taking the loss. It's not the end of the world, as I do have a March 6 backup for some of it.

Thanks anyway.

#3 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,105 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:02:35 AM

Posted 04 July 2010 - 03:31 AM

Since this issue is resolved, I am closing this topic.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft
