Solved Virus/Spyware/Malware Problem

Status
Not open for further replies.

rrw1217

Hello all,

I recently had a problem removing McAfee from my system, which some members of this board were able to help me troubleshoot. In the interim between removing McAfee and downloading AVG, I seem to have picked up some kind of Trojan Horse virus(es) and maybe some other problems. AVG indicates as such, isolating some questionable files that it cannot remove. Upon turning on the computer, I immediately receive error messages that the computer cannot find a couple of .dll files. I perused the C:\Windows\System32 folder and found an absurd number of .dll files, many of which I cannot remove, some I'm not sure whether or not I should.

I followed the 8-step instructions laid out in the beginning of this forum; below are the logs generated by mbam, gmer and DDS (they looked pretty long to me, so I thought maybe I should just attach them, but I had trouble attaching and posting, so I am just going to copy/paste). Per suggestion, each log is posted in a separate entry below. Any advice for future steps that you can provide would be greatly appreciated. Thank you.
 
I'm not sure about MBAM log, but DDS and GMER logs are incomplete.
Please, repost.
Post one log per reply.
 
Updated Logs

Hi, sorry - I was trying to attach the files (either via this site or just to an email I could access at work), the computer just seems to freeze up whenever I try and attach. I will try to copy each log in its entirety in its own post. On viewing, I can't really see any parts that are missing, but then, I am clearly and obviously not an expert. (FYI, I did run each process in its entirety - I did not abort, nor did the computer seem to abort - ran through until prompted to save the report files).

Thanks for your assistance.
 
GMER Log

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-18 18:18:19
Windows 5.1.2600 Service Pack 2
Running: jen1i2hn.exe; Driver: C:\DOCUME~1\Liz\LOCALS~1\Temp\ufddipod.sys


---- Kernel code sections - GMER 1.0.15 ----

? alrdnrs.sys The system cannot find the file specified. !
.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xF849F394]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1032] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0079000A
.text C:\WINDOWS\System32\svchost.exe[1032] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 007A000A
.text C:\WINDOWS\System32\svchost.exe[1032] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0078000C
.text C:\WINDOWS\System32\svchost.exe[1032] USER32.dll!GetCursorPos 77D4C566 5 Bytes JMP 021D000A
.text C:\WINDOWS\System32\svchost.exe[1032] ole32.dll!CoCreateInstance 77526009 5 Bytes JMP 021C000A
.text C:\WINDOWS\Explorer.EXE[2196] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009F000A
.text C:\WINDOWS\Explorer.EXE[2196] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00A5000A
.text C:\WINDOWS\Explorer.EXE[2196] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 009E000C
.text C:\WINDOWS\system32\wuauclt.exe[2244] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A2000A
.text C:\WINDOWS\system32\wuauclt.exe[2244] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00A3000A
.text C:\WINDOWS\system32\wuauclt.exe[2244] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 003C000C
.text C:\Program Files\Mozilla Firefox\firefox.exe[2484] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00FA000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2484] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00FB000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2484] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 007F000C
.text C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe[2944] kernel32.dll!FindResourceW 7C80BBDE 5 Bytes JMP 0042AD00 C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe (Download Manager for Audible content/Audible, Inc.)
.text C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe[2944] kernel32.dll!FindResourceA 7C80BE99 5 Bytes JMP 0042ACC0 C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe (Download Manager for Audible content/Audible, Inc.)
.text C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe[2944] USER32.dll!LoadStringW 77D49C36 5 Bytes JMP 0042AEE0 C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe (Download Manager for Audible content/Audible, Inc.)
.text C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe[2944] USER32.dll!LoadMenuW 77D51B2C 5 Bytes JMP 0042AE80 C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe (Download Manager for Audible content/Audible, Inc.)
.text C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe[2944] USER32.dll!CreateDialogParamA 77D65EA0 5 Bytes JMP 0042AD40 C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe (Download Manager for Audible content/Audible, Inc.)
.text C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe[2944] USER32.dll!CreateDialogParamW 77D6629F 5 Bytes JMP 0042ADB0 C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe (Download Manager for Audible content/Audible, Inc.)
.text C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe[2944] USER32.dll!LoadStringA 77D6EC98 5 Bytes JMP 0042AF90 C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe (Download Manager for Audible content/Audible, Inc.)
.text C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe[2944] USER32.dll!LoadMenuA 77D7F7A3 5 Bytes JMP 0042AE20 C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe (Download Manager for Audible content/Audible, Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device -> \Driver\atapi \Device\Harddisk0\DR0 822E4D6B

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
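Added example (not from this thread, GMER, or any poster): a small Python parser for the ".text" hook lines in the GMER log above. It separates hooks whose JMP target GMER attributed to an on-disk module (the Audible entries, which land in that program's own image) from hooks into memory GMER could not attribute to any module, and reports which of those recur on the same API across unrelated processes (the ntdll entries in svchost, Explorer, wuauclt and firefox), which is the pattern a responder would escalate. The sample lines are a constructed subset of the log above.

```python
"""Parse GMER '.text' user-mode hook lines and separate hooks that GMER could
attribute to an on-disk module from hooks whose JMP target is unbacked memory."""
import re
from collections import defaultdict

# Constructed sample: a subset of the GMER log lines from this thread.
SAMPLE_LOG = r"""
---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1032] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0079000A
.text C:\WINDOWS\System32\svchost.exe[1032] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 007A000A
.text C:\WINDOWS\Explorer.EXE[2196] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009F000A
.text C:\WINDOWS\Explorer.EXE[2196] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00A5000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2484] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00FA000A
.text C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe[2944] kernel32.dll!FindResourceW 7C80BBDE 5 Bytes JMP 0042AD00 C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe (Download Manager for Audible content/Audible, Inc.)
"""

# One GMER '.text' line: process[pid] module!function address N Bytes JMP target [owner]
HOOK_RE = re.compile(
    r"^\.text (?P<proc>.+?)\[(?P<pid>\d+)\] "
    r"(?P<module>[^!\s]+)!(?P<func>\S+) (?P<addr>[0-9A-Fa-f]+) "
    r"(?P<size>\d+) Bytes JMP (?P<target>[0-9A-Fa-f]+)"
    r"(?: (?P<owner>.+))?$"
)


def parse_hooks(text):
    """Return one dict per '.text' hook line. 'owner' is None when GMER printed
    no module for the JMP target, i.e. the target is not backed by a file."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        h = m.groupdict()
        h["pid"] = int(h["pid"])
        h["target"] = int(h["target"], 16)
        h["proc"] = h["proc"].rsplit("\\", 1)[-1]  # keep the basename only
        hooks.append(h)
    return hooks


def unbacked_hooks_by_function(hooks):
    """Map 'module!func' -> sorted process names, for hooks whose JMP target
    GMER could not attribute to any module."""
    seen = defaultdict(set)
    for h in hooks:
        if h["owner"] is None:
            seen[f'{h["module"]}!{h["func"]}'].add(h["proc"])
    return {k: sorted(v) for k, v in seen.items()}


def cross_process_hooks(hooks, min_procs=2):
    """Unbacked hooks on the same API in at least `min_procs` processes: the
    same hook set recurring in unrelated processes is what a responder escalates."""
    return {k: v for k, v in unbacked_hooks_by_function(hooks).items()
            if len(v) >= min_procs}


def self_hooks(hooks):
    """Hooks whose JMP lands inside the hooked process's own executable, which
    GMER attributes to that program (benign-looking, e.g. resource redirection)."""
    return [h for h in hooks
            if h["owner"] and h["proc"].lower() in h["owner"].lower()]


if __name__ == "__main__":
    parsed = parse_hooks(SAMPLE_LOG)
    for api, procs in cross_process_hooks(parsed).items():
        print(f"{api}: unbacked hook in {', '.join(procs)}")
    for h in self_hooks(parsed):
        print(f"{h['proc']} hooks {h['module']}!{h['func']} into its own image")
```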
 
MBAM Log

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4005

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

4/18/2010 5:01:44 PM
mbam-log-2010-04-18 (17-01-44).txt

Scan type: Quick scan
Objects scanned: 120059
Time elapsed: 8 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 13
Registry Values Infected: 7
Registry Data Items Infected: 6
Folders Infected: 1
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywaysearchassistantde.auxiliary (Adware.MyWaySearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywaysearchassistantde.auxiliary.1 (Adware.MyWaySearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kakosifub (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\myoicrgr (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ljgefgsys (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\khifggsys (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\khifggsys (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\SYSTEM32\lowsec (Stolen.data) -> Delete on reboot.

Files Infected:
C:\WINDOWS\SYSTEM32\dewulale.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\fedalajo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\kihipapo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\kikububu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\popiwoba.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\rokonuge.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\rulufutu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\rurirovi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\zuragiwu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\lowsec\local.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\lowsec\user.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\sdra64.exe (Spyware.Zbot) -> Delete on reboot.
 
DDS Log

Note - I also have a file which DDS instructs not to attach, but only to zip and post if requested (if needed). Thanks again, hope these are complete:
 
No, DDS log has two parts and even 1st part is incomplete.
You can try to attach both files.
 
I apologize, I simply don't seem to be able to attach files (either here or to an email program to send out and access elsewhere). So I'm trying to copy/paste the info from both files I saved from DDS. Don't know what else to do if this isn't adequate. Thanks again.
 
OK, so far, I got Attach.txt file.

I still need main DDS file...
 

Attachments

  • ( uploadMB.com ) Attach_DDS.txt (10.2 KB)
Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure, you re-enable your security programs, when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!


Download HijackThis:
http://free.antivirus.com/hijackthis/
by clicking on Installer under Version 2.0.4
Install, and run it.
Post HijackThis log.
Do NOT attempt to fix anything!

NOTE. If you're using Vista, or 7, right click on HijackThis, and click Run as Administrator
 
Logs of both programs attached

Hello, and thank you so much for all of your work and assistance thus far. Attached are both logs, here are a couple of observations when I was running the programs, which may or may not be of value to you:

- When I clicked the first 'Here' link for Combofix, I got an error msg asserting that version of combofix was only for Windows XP or 7, which I found troubling, since I do have Windows XP. Clicked the 2nd link and it ran without this error msg.

- ComboFix detected the presence of McAfee... I spent a good week trying to remove McAfee from my computer - it does not show up in any registry keys, any program files folders, or in the list to change or remove programs under Set Program Access and Defaults. I think the log file indicates it's disabled - hope it did not interfere with the scan, I just don't know where to go to remove any further McAfee remnants.

- I reinstalled AVG before running HijackThis - hope that is not problematic - it did not seem as if it were specifically mentioned to keep anti-virus off for that program.
 

Attachments

  • Combofix_log.txt (20.6 KB)
  • hijackthis_log.txt (9.1 KB)
You did well :)


1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::

Folder::
c:\documents and settings\All Users\Application Data\McAfee.com Personal Firewall
c:\documents and settings\Elizabeth\Application Data\McAfee.com Personal Firewall


Driver::

Registry::

RegLockDel::

SecCenter::
{84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
{94894B63-8C7F-4050-BDA4-813CA00DA3E8}


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[Animation: CFScript.gif]



5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
 
Updated logs

Per instructions above, here are the new combofix log and the new hijackthis log.
 

Attachments

  • New_Combofix_log.txt (18.9 KB)
  • New_hijackthis_log.txt (9 KB)
It looks good :)
How is computer doing?

Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.

=========================================================================

1. Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.


2. Go to Kaspersky website and perform an online antivirus scan.

1. Disable your active antivirus program.
2. Read through the requirements and privacy statement and click on Accept button.
3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
4. When the downloads have finished, click on Settings.
5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

  • Spyware, Adware, Dialers, and other potentially dangerous programs
  • Archives
  • Mail databases
6. Click on My Computer under Scan.
7. Once the scan is complete, it will display the results. Click on View Scan Report.
8. You will see a list of infected items there. Click on Save Report As....
9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

Post fresh HijackThis log as well.
 
Latest

The computer seems to be behaving much better now, thank you - things are moving quicker, no difficulties/freezing when attaching items, no sudden termination of IE or Firefox lately. The Kaspersky did take a long time to run (2.5 hours), but it didn't seem to freeze at all, I was hoping it was just a very lengthy program?

I think I did screw something up, though... after the Kaspersky anti-virus scan ran, I clicked save changes on the report button, and then the report screen went black - didn't give me an option to change the file type, or an option for where to save it or what to name it. I've been searching for it in my folders for a while, can't seem to locate it. Does anyone have an idea what it might default to be named?

For what it's worth, the Kaspersky scan ran 2.5 hours and isolated 11 threats and 58 infected items. The hijackthis log is attached. Sorry the Kaspersky is not as well - any suggestions, or do I need to rerun (or would that even be helpful)?
 

Attachments

  • Latest_hijackthis_log.txt (8.9 KB)
One other thing

After running the Temp File Cleaner, the computer did reboot automatically, and I received an error message after the computer rebooted, something along the lines of "trying to run a .dll as an app". Wanted to mention in case it was pertinent - I guess these are the things that slip your mind after a two-and-a-half hour scan :)
 
I'm glad to see your computer doing better :)

Please run a BitDefender Online Scan

  • Disable your antivirus program.
  • Click Start Scanner button.
  • Click Start scan button
  • Allow browser plug-in to be installed when prompted.
  • Click I Agree to agree to the EULA.
  • Please refrain from using the computer until the scan is finished.
  • When the scan is finished, click on View log.
  • Notepad will open with scan results.
  • Save the report to your desktop and post its content in your next reply.

Post fresh HijackThis log as well.
 
BitDefender/HijackThis logs

Ran and posted as requested. How are we doing? :)
 

Attachments

  • bitdefender_Report_2010-04-26_19-36-40.txt (84.1 KB)
  • hijackthis_04_26_10.txt (9 KB)