
Worm.luder.a


#1 Lifeseeker

Posted 10 April 2007 - 03:59 PM

Ewido found the above infection. Browser's slow, CPU usage goes wild, what's up? I have a few ideas, but I'm not doing anything drastic till I get some pro advice. Thanks in advance.

Logfile of HijackThis v1.99.1
Scan saved at 4:24:18 PM, on 4/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ups.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://store.presario.net/scripts/redirect...c01&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Hijacker Target
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (CwlscInstall Object) - https://scan.safety.live.com/resource/downl...lscbase2213.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1128023764093
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111...all/xscan53.cab
O16 - DPF: {A762E064-A885-40E4-AC10-671BB62DC2B2} (OFMailHTMLCtl Class) - http://www.eomniform.com/OF5/nsplugins/OFMailX.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab53083.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.microsoft.com/search/lobby/searchsettings.cab
O16 - DPF: {FE5B9F54-7764-4C01-89F0-4862601EE954} (DigWebHelper Class) - http://photos.msn.com/resources/neutral/co....cab?10,0,910,0
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE


#2 DaveM59


Posted 13 April 2007 - 12:23 PM

Hi Lifeseeker,

Welcome to Bleeping Computer. :thumbsup:

What file was detected as the Luder worm? This virus is a file infector and will infect many executable files so if you really have it, it would have shown dozens of files as infected.

However, if that is the case, then I am shocked that your AVGFree did not detect it. (Not to mention the online scanners you used.) This is a virus and really more in the area of AVG than of its sister program (Ewido/AVG Antispyware).

For a writeup on this bug, take a look here. Note the description. It infects all .exe and .scr files.

If you only got one file identified, then that Ewido detection is probably a false positive; see this topic at the Wilders Security forum for details.

Please update your Ewido to the latest definitions and scan again; it should not be detected. If it still is, take advantage of the Wilders forum to call it to their attention. As you can see, Karl and other members of the Ewido team monitor that forum and respond to users' input.

Let me know what the situation is.

Dave

#3 Lifeseeker


Posted 13 April 2007 - 07:02 PM

Thanks for the response Dave. I think you are right in that it looks like a false positive. Here's Ewido's report:

ewido anti-spyware online scanner
http://www.ewido.net
__________________________________________________


Name: Worm.Luder.a
Path: C:\Program Files\eMule\LinkCreator.exe
Risk: High


But I didn't like the looks of these HJT findings:
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O11 - Options group: [INTERNATIONAL] International*
Because I didn't understand them. I also noticed a few others that said "(file missing)". Do you see anything I should be concerned about?

Thanks again,
Life

#4 DaveM59


Posted 13 April 2007 - 07:43 PM

Hi again,

The two lines that say "file missing" are these:

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)


This is a bug in HijackThis. The files are there, but HJT can't find them because of the way the path is written. Notice the %windir% instead of C:\Windows at the beginning.

Here is a link that explains what ctfmon.exe is. Basically an optional program to enable you to input non-standard characters (e.g. from other alphabets) in Office documents. Apparently your MS office was installed with this option or perhaps the feature was added later. When that was done, the Windows International support may have been added as well. Here's a link to Microsoft's web page on this feature.

HTH,

Dave
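An added example, not from this thread or from HijackThis itself, of the point Dave makes about "(file missing)": expand the %windir% variable before testing the path, and the two O9 entries are no longer missing. The log lines, the environment and the set of files "on disk" are constructed here so it runs offline.

```python
import re

# Constructed lines in the shape of the O9 / O20 / O23 entries quoted in this thread.
HJT_LINES = [
    r"O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - "
    r"%windir%\Network Diagnostic\xpnetdiag.exe (file missing)",
    r"O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll",
    r"O23 - Service: Example (Svc) - Vendor - C:\Program Files\Missing\gone.exe (file missing)",
]
# Constructed environment: what %windir% meant on the poster's XP box.
ENV = {"windir": r"C:\WINDOWS"}
# Constructed stand-in for the disk; compared case-insensitively, as NTFS paths are.
PRESENT = {p.casefold() for p in (
    r"C:\WINDOWS\Network Diagnostic\xpnetdiag.exe",
    r"C:\WINDOWS\SYSTEM32\WgaLogon.dll",
)}

VAR_RE = re.compile(r"%([^%]+)%")
# A path starting with %VAR% or a drive letter, ending in .exe/.dll/.scr,
# optionally followed by HJT's "(file missing)" verdict at end of line.
PATH_RE = re.compile(
    r"((?:%[^%]+%|[A-Za-z]:)\\[^()]*?\.(?:exe|dll|scr))(?:\s*\((file missing)\))?\s*$",
    re.I,
)

def expand_vars(path, env):
    """Expand %NAME% the way the shell would; unknown names stay literal."""
    return VAR_RE.sub(lambda m: env.get(m.group(1), m.group(0)), path)

def recheck(line, env=ENV, present=PRESENT):
    """Return (raw path, expanded path, hjt_said_missing, really_present), or None."""
    m = PATH_RE.search(line)
    if not m:
        return None
    raw, flag = m.group(1), m.group(2)
    expanded = expand_vars(raw, env)
    return raw, expanded, flag is not None, expanded.casefold() in present

def false_missing(lines, env=ENV, present=PRESENT):
    """Expanded paths that HJT flagged '(file missing)' but which do exist."""
    out = []
    for line in lines:
        r = recheck(line, env, present)
        if r and r[2] and r[3]:
            out.append(r[1])
    return out
```

On a real machine, replace the PRESENT set with os.path.exists on the expanded path; an entry that is still missing after expansion is the one worth looking into.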

#5 Lifeseeker


Posted 14 April 2007 - 05:55 AM

Hey Dave. That sets my mind at ease. Many sincere thanks for helping me out. :thumbsup:

#6 DaveM59


Posted 14 April 2007 - 07:32 AM

Hey Lifeseeker,

Glad to help. :thumbsup:

You mentioned CPU usage running wild; I'm not sure what you mean by that. Spikes in CPU usage are normal anytime the computer is doing some work. But continuous high usage is only normal if you are performing a task like rendering a video file.

If you're still having problems with slowdowns, you should read this excellent tutorial by Quietman7. It has links and references to guide you through just about every aspect of diagnosing a slowdown problem. About the only thing I can add to it is this quick check of CPU and memory resources:

Press -- to open Task Manager, then click on the Processes tab. Place a check next to Show processes from all users. Scroll down and see if any of the processes is running at a high percentage of CPU usage. On a normal system at idle the System Idle Process should show about 98 percent, meaning nothing else is using the CPU. The next columns to the right, memory usage and peak memory usage, may also show something out of line if one process is using a large amount of memory. If you see anything showing high CPU usage or high Memory usage, make a note of it.

Now, click the Performance tab. The key numbers here are in the Commit Charge box -- the Total and Peak figures; and in the Physical Memory box, the Total figure. Make a note of these three numbers. I would like to see them, but I can tell you what I'm looking for: basically, any time the Commit Charge exceeds the total physical memory, Windows is going to have to constantly swap data back and forth between the hard drive and the RAM chips. This is known as thrashing. So, the rule of thumb is, if your Peak Commit Charge is greater than your total Physical Memory, you either need to (1) install more RAM or (2) reduce your commit charge by trimming down the number of running processes (which means programs and also optional Windows components).


Quietman7's tutorial refers you to the BC Startup List which can guide you through trimming down your system.

If you have a shortage of RAM and want to add more, you can post a question at the BC hardware forum. Those folks can help you determine what type of memory you need for your machine.

If you have noticed a problem with CPU usage, here's a bit I wrote for another user:

I'm going to refer you to an excellent tutorial about service hosting, it also includes instructions for downloading a great tool for exploring your system.

http://www.bleepingcomputer.com/tutorials/list-services-running-under-svchost.exe-process/

Please read this tutorial carefully. Download Process Explorer according to the instructions and run it while you follow the tutorial. Be sure to expand the tree fully so you can see the CPU usage of each process. If the only things running on your machine are your browser (for reading the tutorial) and Process Explorer, then most of the time, except for momentary spikes when the program does something, System Idle Process should be showing about 95 to 98 percent. If you see that one of your svchost.exe instances has high CPU usage, even with the system at idle, then you should explore that process by viewing its properties as the tutorial explains. In addition, there's another trick you can use to get a copy of the services running under that process.

In the program taskbar, click View. Then select Lower Pane View, and choose DLLs. Then press -L to show the lower pane. Now, a request: please widen the columns in that lower pane so that all the words show in each column. That will make the file easier to read. Also please note which process was highlighted when the file was saved, the highlight will not show in the file. Now click File on the taskbar, then Save As, and save the file (svchost.exe.txt) to your desktop.

If by any chance none of the instances of svchost.exe is the culprit, then scroll through the list until you find the process responsible. It might be a program (listed under Explorer in the lower part of the tree); programs are processes too. Whatever it is, highlight it and then save the file.

Post a copy of that file to your next reply here. Also answer my questions, and tell me what the PID of that Svchost.exe is (or the name of the process if it is not svchost.exe), and whether you had any trouble with carrying out my instructions. Also tell me (should have asked earlier) whether the slowdown coincided with any change to your computer. New software, a new piece of equipment, a Windows update, anything.


Please let me know how your computer is running, and if you want to pursue the slowdown issue, just post whatever information you feel is relevant based on your investigations.

Good luck,

Dave
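An added example, not from this thread, that encodes the two checks Dave walks through above (the idle-process and per-process figures from the Processes tab, and the Peak Commit Charge versus total Physical Memory rule of thumb from the Performance tab) as a small triage over a constructed Task Manager snapshot. The process names, percentages, KB figures and thresholds are all constructed; only the 95 percent idle figure and the commit-versus-RAM rule come from the post.

```python
# Constructed Task Manager snapshot: Processes tab rows as (name, CPU %, mem usage KB)
# and Performance tab figures in KB. Values are made up for illustration.
SNAPSHOT = {
    "processes": [
        ("System Idle Process", 61, 28),
        ("svchost.exe", 34, 24_500),
        ("explorer.exe", 2, 18_200),
        ("TeaTimer.exe", 3, 230_000),
    ],
    "commit_total_kb": 610_000,
    "commit_peak_kb": 780_000,
    "physical_total_kb": 523_000,
}

IDLE_OK = 95          # idle percentage the post calls normal on a quiet system
CPU_HOT = 20          # constructed threshold: one process above this at idle is notable
MEM_HOT_KB = 100_000  # constructed threshold: a large memory footprint worth noting

def cpu_findings(processes, idle_ok=IDLE_OK, cpu_hot=CPU_HOT, mem_hot=MEM_HOT_KB):
    """Notes on processes that stand out when the machine should be idle."""
    notes = []
    idle = next((cpu for name, cpu, _ in processes if name == "System Idle Process"), 0)
    if idle < idle_ok:
        notes.append(f"idle only {idle}%: something is using the CPU")
    for name, cpu, mem_kb in processes:
        if name == "System Idle Process":
            continue
        if cpu >= cpu_hot:
            notes.append(f"{name}: high CPU ({cpu}%)")
        if mem_kb >= mem_hot:
            notes.append(f"{name}: high memory ({mem_kb} KB)")
    return notes

def thrashing(commit_peak_kb, physical_total_kb):
    """The post's rule of thumb: peak commit above physical RAM means constant paging."""
    return commit_peak_kb > physical_total_kb

def triage(snapshot):
    """Combine both checks into the list of things to note down before posting."""
    notes = cpu_findings(snapshot["processes"])
    if thrashing(snapshot["commit_peak_kb"], snapshot["physical_total_kb"]):
        short = snapshot["commit_peak_kb"] - snapshot["physical_total_kb"]
        notes.append(f"peak commit exceeds RAM by {short} KB: add RAM or trim processes")
    return notes
```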
