Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Latest News:    Kraken Cryptor Ransomware Connecting to BleepingComputer During Encryption

Featured Deal: Get The Pay What You Want: AWS Cloud Development Bundle Deal

Photo

Vundo Infection

Started by Procrustes , Jul 30 2010 01:14 AM

  • This topic is locked This topic is locked
3 replies to this topic

#1 Procrustes

Procrustes

  • Members
  • 1 posts
  • OFFLINE
    •  
  • Local time:08:19 PM

Posted 30 July 2010 - 01:14 AM

My computer is infected with a nasty virus which I believe to be Vundo (that is what Malware Bytes calls it when it detects it).

The symptoms include
-Google Redirect
-Making it so that some programs wont run (I double click them and they execute for a second before terminating)

I have run Malware Bytes in safe mode (after renaming it to .bat to bypass the virus) but the infection came back. I also tried downloading Vundo Fix and Virtumuno Begone and after running them in safe mode, both of them didn't detect the infection at all. I tried running R-kill before running them to no effect.

Finally I tried running combofix. I disabled my ad aware virus protection but I couldn't disable windows defender as the virus wont let me open it (and I cant change the name to .bat as I don't have the required permissions). Combofix did its thing and it seemed to delete alot of the suspicious .dlls from the registry, but when my computer booted back up, all of the files on my desktop (even simple .txt files) wouldn't open, giving the error message "this file cannot open as it is tied to a registry item marked for deletion". I then restarted my computer and everything worked fine again but the virus was back too (perhaps the virus had infected files which were deleted causing me to be unable to execute files.... only to have the files restored when the virus restored itself?)

In any case, the following is my combofix log. Any help would be greatly appreciated!

ComboFix 10-07-29.01 - Chris 2010/07/29 20:10:47.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3581.2501 [GMT -4:00]
Running from: c:\users\Chris\Desktop\ComFix.exe
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\~.inf
c:\windows\system32\sstusq.dll
c:\windows\system32\urrpno.dll

.
((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-30 )))))))))))))))))))))))))))))))
.

2010-07-30 00:19 . 2010-07-30 00:22 -------- d-----w- c:\users\Chris\AppData\Local\temp
2010-07-30 00:19 . 2010-07-30 00:19 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-07-30 00:19 . 2010-07-30 00:19 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-07-30 00:19 . 2010-07-30 00:19 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2010-07-27 23:51 . 2010-07-28 00:10 -------- d-----w- c:\program files\StarCraft II
2010-07-27 19:49 . 2010-07-27 19:49 -------- d-----w- C:\Starcraft
2010-07-25 16:37 . 2010-07-25 16:37 -------- d-----w- C:\VundoFix Backups
2010-07-25 05:44 . 2010-07-25 05:44 77312 ---ha-w- c:\windows\system32\fccbaw.dll
2010-07-25 00:32 . 2010-07-25 05:44 -------- d-----w- C:\comfix
2010-07-23 20:23 . 2010-07-12 08:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-07-23 20:23 . 2010-07-23 20:23 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-07-22 22:32 . 2010-07-22 22:32 720896 ----a-w- c:\windows\iun6002.exe
2010-07-22 22:17 . 2010-07-22 22:20 -------- d-----w- c:\users\Chris\AppData\Roaming\Trillian
2010-07-22 07:19 . 2010-07-22 07:19 -------- d-----w- c:\program files\Windows Portable Devices
2010-07-22 07:02 . 2009-09-25 01:49 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2010-07-22 07:01 . 2009-10-08 21:08 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2010-07-22 07:01 . 2009-10-08 21:08 234496 ----a-w- c:\windows\system32\oleacc.dll
2010-07-22 07:01 . 2009-10-08 21:07 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2010-07-21 05:43 . 2010-07-21 05:43 -------- d-----w- c:\windows\system32\ca-ES
2010-07-21 05:43 . 2010-07-21 05:43 -------- d-----w- c:\windows\system32\eu-ES
2010-07-21 05:43 . 2010-07-21 05:43 -------- d-----w- c:\windows\system32\vi-VN
2010-07-17 01:53 . 2010-07-28 00:06 -------- d-----w- c:\programdata\Blizzard Entertainment
2010-07-17 01:53 . 2010-07-18 00:01 -------- d-----w- c:\program files\StarCraft II Beta
2010-07-17 01:53 . 2010-07-17 01:57 -------- d-----w- c:\users\Chris\AppData\Local\Blizzard Entertainment
2010-07-17 01:52 . 2010-07-17 01:52 -------- d-----w- c:\programdata\Blizzard
2010-07-17 01:13 . 2010-07-28 00:06 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-07-16 19:37 . 2010-07-30 00:23 71168 ---ha-w- c:\windows\system32\urrpno.dll
2010-07-13 04:38 . 2010-07-13 04:38 -------- d-----w- c:\users\Chris\AppData\Local\Apps

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-30 00:20 . 2009-11-04 03:46 96109 ----a-w- c:\programdata\nvModes.dat
2010-07-29 23:19 . 2008-07-22 03:40 -------- d-----w- c:\program files\Trillian
2010-07-29 06:44 . 2010-02-15 01:11 -------- d-----w- c:\program files\MPlayer for Windows
2010-07-25 22:19 . 2010-07-25 22:19 5806297 ----a-w- c:\windows\system32\~.tmp
2010-07-25 15:24 . 2010-03-18 03:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-24 23:41 . 2009-12-13 17:51 -------- d-----w- c:\program files\pdfforge Toolbar
2010-07-23 20:27 . 2009-05-07 00:12 -------- d-----w- c:\program files\Plants vs. Zombies
2010-07-23 00:45 . 2008-08-24 02:24 -------- d-----w- c:\users\Chris\AppData\Roaming\LimeWire
2010-07-22 22:13 . 2008-07-15 12:28 -------- d-----w- c:\program files\Google
2010-07-22 07:18 . 2010-07-22 07:18 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2010-07-21 05:43 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2010-07-21 05:43 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2010-07-21 05:43 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2010-07-21 05:43 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-07-21 05:43 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2010-07-21 05:43 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2010-07-21 05:43 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2010-07-16 03:01 . 2010-06-22 15:06 -------- d-----w- c:\users\Chris\AppData\Roaming\acccore
2010-07-14 10:02 . 2008-07-22 05:38 -------- d-----w- c:\programdata\Microsoft Help
2010-07-12 08:55 . 2009-04-18 15:33 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-06-26 07:01 . 2008-07-22 05:40 -------- d-----w- c:\program files\Microsoft.NET
2010-06-22 03:45 . 2010-06-22 03:45 -------- d-----w- c:\programdata\AIM
2010-06-22 03:45 . 2010-06-22 03:45 -------- d-----w- c:\program files\AIM
2010-06-22 03:45 . 2010-06-22 03:45 -------- d-----w- c:\program files\Common Files\Software Update Utility
2010-06-22 03:45 . 2010-06-22 03:45 -------- d-----w- c:\program files\Common Files\AOL
2010-06-12 07:26 . 2008-08-12 14:14 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-12 03:04 . 2010-06-12 03:04 -------- d-----w- c:\users\Chris\AppData\Roaming\BSW
2010-06-12 03:04 . 2010-06-12 03:04 -------- d-----w- c:\program files\BSW
2010-05-26 17:06 . 2010-06-11 22:51 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:47 . 2010-06-11 22:51 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-21 18:14 . 2009-10-02 19:02 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-04 19:15 . 2010-06-11 22:51 834048 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 18:37 . 2010-06-11 22:50 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-01 14:13 . 2010-06-11 22:50 2037248 ----a-w- c:\windows\system32\win32k.sys
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2008-07-15 12:25 . 2008-07-15 12:25 76 --sh--r- c:\windows\CT4CET.bin
2008-07-15 15:01 . 2008-07-15 15:01 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.
CODE
<pre>
c:\program files\BitLord\Downloads\Starcraft + BroodWar + The Last Update Patch 1161 +  CDKey\CDKey\Starcraft CD-Key Generator .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B922D405-6D13-4A2B-AE89-08A030DA4402}]
2009-07-31 07:00 698880 ----a-w- c:\program files\pdfforge Toolbar\pdfforgeToolbarIE.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{B922D405-6D13-4A2B-AE89-08A030DA4402}"= "c:\program files\pdfforge Toolbar\pdfforgeToolbarIE.dll" [2009-07-31 698880]

[HKEY_CLASSES_ROOT\clsid\{b922d405-6d13-4a2b-ae89-08a030da4402}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"i8kfangui"="c:\program files\I8kfanGUI\I8kfanGUI.exe" [2007-02-16 856064]
"gedaywsys"="urrpno.dll" [2010-07-30 71168]
"effeffdrv"="efdayv.dll" [2010-07-30 76288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-09-24 159744]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-12-03 36864]
"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-05-19 3444736]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-12-21 184320]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [N/A]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-07-28 185896]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-23 116040]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-07-12 864112]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-19 13793824]
"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2009-08-19 92704]
"SearchSettings"="c:\program files\pdfforge Toolbar\SearchSettings.exe" [2009-07-29 1024512]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"MPlayerForWindows_UpdateReminder"="c:\program files\MPlayer for Windows\AutoUpdate.exe" [2010-02-06 254376]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2008-01-02 405504]
"qomkllsys"="urrpno.dll" [2010-07-30 71168]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [N/A]
"fcyxwvdrv"="efdayv.dll" [2010-07-30 76288]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"bywwttsys"="urrpno.dll" [2010-07-30 71168]

c:\users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-5-13 1058088]

c:\users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2010-1-13 25214]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-7-15 50688]
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2008-2-22 1193240]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-07-15 12:35 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 urrpno.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(cool.gif:ca,3c,fd,90,98,28,cb,01

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate1c9cc42eb8cdf0;Google ?????? ???? (gupdate1c9cc42eb8cdf0);c:\program files\Google\Update\GoogleUpdate.exe [2009-05-03 133104]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2008-11-08 717296]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-07-12 64288]
S1 fanio;FanIO driver;c:\windows\system32\drivers\fanio.sys [2007-02-16 14464]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [2008-01-02 73728]
S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-04-28 161048]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-07-12 1352832]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
vvdsvc REG_MULTI_SZ vvdsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-07-30 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-07-12 08:55]

2010-07-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-03 22:54]

2010-07-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-03 22:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5080715
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
DPF: {444785F1-DE89-4295-863A-D46C3A781394} - hxxp://webplayer.unity3d.com/download_webplayer-2.x/UnityWebPlayer.cab
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
FF - ProfilePath - c:\users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\cwq7wstk.default\
FF - prefs.js: browser.startup.homepage - hxxp://gigazine.net/
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\Veetle\VLCBroadcast\npvbp.dll
FF - plugin: c:\users\Chris\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\cwq7wstk.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\cwq7wstk.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - falsec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{E312764E-7706-43F1-8DAB-FCDD2B1E416D} - (no file)
AddRemove-Ad-Aware - c:\programdata\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}\Ad-AwareInstall.exe
AddRemove-{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF} - c:\programdata\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}\Ad-AwareInstall.exe



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(704)
c:\windows\System32\urrpno.dll
c:\windows\system32\efdayv.dll

- - - - - - - > 'Explorer.exe'(2708)
c:\windows\system32\efdayv.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\nvvsvc.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\system32\WLANExt.exe
c:\windows\System32\bcmwltry.exe
c:\windows\system32\conime.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\STacSV.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\windows\System32\rundll32.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\System32\rundll32.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\HidFind.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\DellTPad\Apntex.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\windows\servicing\TrustedInstaller.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\WerCon.exe
.
**************************************************************************
.
Completion time: 2010-07-29 20:34:11 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-30 00:34
ComboFix2.txt 2010-07-25 05:44
ComboFix3.txt 2010-07-24 23:55

Pre-Run: 60,603,846,656 bytes free
Post-Run: 60,401,360,896 bytes free

- - End Of File - - F477DDB5C80F21EAFCE5D6F3998EEE71

BC AdBot (Login to Remove)

 

#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
    •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:19 PM

Posted 07 August 2010 - 04:14 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.
  1. Do not run any other tool untill instructed to do so!
  2. Please Do not Attach logs or put in code boxes.
  3. Tell me about any problems that have occurred during the fix.
  4. Tell me of any other symptoms you may be having as these can help also.
  5. Do not run anything while running a fix.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:
    Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger may ask you to reboot the machine, if it does - click OK
    Do not re-enable these drivers until otherwise instructed.

Download DDS:
    Please download DDS by sUBs from one of the links below and save it to your desktop:


    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.
    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after two logs will appear:
      • DDS.txt
      • Attach.txt
    • A window will open instructing you save & post the logs
    • Save the logs to a convenient place such as your desktop
    • Copy the contents of both logs & post in your next reply

Scan With RKUnHooker
  • Please Download Rootkit Unhooker Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth,. Uncheck the rest. then Click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning it is ok, just ignore

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

MBRCheck

Please also download MBRCheck to your desktop
  • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
  • It will show a Black screen with some data on it
  • a report called MBRcheck will be on your desktop
  • open this report
  • Right click on the screen and select > Select All
  • Press Control+C
  • now please copy that report to this thread


information and logs:
    In your next post I need the following
      1.logs from DDS
      2.log from RKUnHooker
      3. report from MBRchecker
      4.let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic


My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
    •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:19 PM

Posted 10 August 2010 - 11:52 PM

Hello

three day bump

It has been Three days since my last post.
  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic


My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
    •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:19 PM

Posted 14 August 2010 - 01:21 AM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

The fixes and advice in this thread are for this machine only.
Do not apply the instructions from this thread to your own machine.
Please start a new thread describing your issue and someone will be along to assist you.

With Regards,
Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic


My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University
Back to Virus, Trojan, Spyware, and Malware Removal Help


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users


  1. BleepingComputer.com
  2. Security
  3. Virus, Trojan, Spyware, and Malware Removal Help
  4. Privacy Policy
  5. Rules ·