Jump to content

Malware successfully cleaned


Recommended Posts

Thanks for this great product. just had my first virus, and with Malwarebytes, Spybot search and Destroy, Windows Defender, Hijackthis and Avast Home,

I cleared it out. I'm unsure what it was, although SS&D gave me some names. One virus or more than one?

Also, how did it get in? A malicious script on the web somewhere?

Here's the MWB scan and SS&D screen shot. Any thoughts on this? If it was from a script, what can I do to catch these

malicious scripts before they infect the machine? Any advice and/or theories about this appreciated.

Malwarebytes' Anti-Malware 1.31

Database version: 1460

Windows 5.1.2600 Service Pack 3

12/4/2008 6:07:10 PM

mbam-log-2008-12-04 (18-07-10).txt

Scan type: Quick Scan

Objects scanned: 53999

Time elapsed: 2 minute(s), 58 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{de387ec9-658b-4777-b6fd-54966b10ecf3} (Adware.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{de387ec9-658b-4777-b6fd-54966b10ecf3} (Adware.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gadcom (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

sadgm0.jpg

Link to post
Share on other sites

  • Staff

xpre/xrun this is what you got nailed with .

These are what kicked the whole thing off and are dropped from web exploits and are a result of not having all of your web based software and/or windows updated .

Currently outdated flash , java and adobe acrobat are all major problems for web surfers . If you go surfing with outdated versions of any of these installed all it takes is a single visit to a compromised site (no clicking required) to get infected . While there are sites that are obviously more commonly infected than others (adult and cracks/keygen) there is a huge issue with perfectly safe and normal sites being hacked into and compromised adding these same exploits .

It would be a good idea for you to use add/remove programs to remove all instances of flash , java and adobe and replace them with the most current ones .

Adobe and flash are easy to find on google but the full installer for Java is not as easy . Go to this page :

http://java.sun.com/javase/downloads/index.jsp

Java SE Runtime Environment (JRE) 6 Update 11 <- this is the download you want from that page .

Link to post
Share on other sites

xpre/xrun this is what you got nailed with .

These are what kicked the whole thing off and are dropped from web exploits and are a result of not having all of your web based software and/or windows updated .

Currently outdated flash , java and adobe acrobat are all major problems for web surfers . If you go surfing with outdated versions of any of these installed all it takes is a single visit to a compromised site (no clicking required) to get infected . While there are sites that are obviously more commonly infected than others (adult and cracks/keygen) there is a huge issue with perfectly safe and normal sites being hacked into and compromised adding these same exploits .

It would be a good idea for you to use add/remove programs to remove all instances of flash , java and adobe and replace them with the most current ones .

Adobe and flash are easy to find on google but the full installer for Java is not as easy . Go to this page :

http://java.sun.com/javase/downloads/index.jsp

Java SE Runtime Environment (JRE) 6 Update 11 <- this is the download you want from that page .

Thanks for the info. My Sun Java was version 6 update 6, so quite old. I uninstalled. Flash version 10,

so that's OK, Acrobat 8.x1.1 to 81.1.3.

I thought that my machine was clean, but I see what look like a bogus RUNDLL32 in Task Manager. It has a strange

file name as revealed by Sysinternals process explorer:

I'm doing another run of SS&D - Can you advise me how to proceed?

Thanks - Dave

procexpiq0.jpg

Link to post
Share on other sites

  • Staff

That is without question vundo , Please update MBAM and try another scan and remove cycle , make sure to only use the quick scan as vundo actually exploits long scan times to create reboot backups .

Post the log here and grab a HijackThis log as well (there is info on this site on how to do that if you never have in the past) .

I am on my way out but will follow up with this tonight .

Link to post
Share on other sites

That is without question vundo , Please update MBAM and try another scan and remove cycle , make sure to only use the quick scan as vundo actually exploits long scan times to create reboot backups .

Post the log here and grab a HijackThis log as well (there is info on this site on how to do that if you never have in the past) .

I am on my way out but will follow up with this tonight .

MBAM updated, but didn't find anything this time. I ran the hijackthis log, and here it is. I didn't notice anything, but I'm

not an expert. Is this Vundo using some kind of rootkit to hide it's existence? Certainly a file search failed to find

efcYPijb.dll. I have run the immunize function of Spybot S&D. It placed hundreds of known-bad sites in the HOSTS file

pointed to by 127.0.0.1.

The machine I'm using is triple boot, this (infected) XP, another XP and Vista. I don't think the other two are infected.

Can we use them to look at this partition - does it offer any benefit at all?

Should I get off this one and use one of the others for now? Here's the log.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:01:22 PM, on 12/5/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

Running processes:

F:\WINDOWS\System32\smss.exe

F:\WINDOWS\system32\winlogon.exe

F:\WINDOWS\system32\services.exe

F:\WINDOWS\system32\lsass.exe

F:\WINDOWS\system32\svchost.exe

F:\Program Files\Windows Defender\MsMpEng.exe

F:\WINDOWS\System32\svchost.exe

F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

F:\Program Files\Alwil Software\Avast4\ashServ.exe

F:\WINDOWS\system32\spoolsv.exe

F:\WINDOWS\Explorer.EXE

F:\WINDOWS\SOUNDMAN.EXE

F:\Program Files\Windows Defender\MSASCui.exe

F:\WINDOWS\system32\RUNDLL32.EXE

F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

F:\WINDOWS\system32\nvsvc32.exe

F:\Program Files\UPHClean\uphclean.exe

F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

F:\Program Files\Alwil Software\Avast4\ashWebSv.exe

F:\WINDOWS\system32\rundll32.exe

F:\WINDOWS\System32\svchost.exe

F:\Program Files\Mozilla Firefox 3\firefox.exe

C:\sysinternals_utilities\ProcessExplorer11.04\procexp.exe

F:\WINDOWS\system32\NOTEPAD.EXE

J:\appz38\hijackthis2.02\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = gopher=localhost:8080;http=localhost:8080;https=localhost:8080

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O4 - HKLM\..\Run: [DiskeeperSystray] "F:\Program Files\Executive Software\Diskeeper\DkIcon.exe"

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [Windows Defender] "F:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [avast!] F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/v7/sit...b?1195112645687

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1210101168515

O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Diskeeper - Executive Software International, Inc. - F:\Program Files\Executive Software\Diskeeper\DkService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - F:\Program Files\SiSoftware\SiSoftware Sandra Pro Home 2007.SP1\Win32\RpcDataSrv.exe

O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - F:\Program Files\SiSoftware\SiSoftware Sandra Pro Home 2007.SP1\RpcSandraSrv.exe

--

End of file - 5458 bytes

Link to post
Share on other sites

This Rundll32 in question is visible in the Task Manager about 30 minutes after booting up.

I've killed the process with no obvious affects to the system, and after a little while it returns.

At this point , Avast, Spybot S&D, Windows Defender and SuperAntiSpyware find nothing during

memory/registry/disk scans.

Not sure what to do now - it's existence (with the starnge file name) seems suspicious,

bit nothing is being detected now. Here's the most recent HJT log. There's a new entry for SuperAntiSpyware,

and I uninstalled Sisoft Sandra.

Thanks for any further idea's.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:39:55 PM, on 12/6/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

Running processes:

F:\WINDOWS\System32\smss.exe

F:\WINDOWS\system32\winlogon.exe

F:\WINDOWS\system32\services.exe

F:\WINDOWS\system32\lsass.exe

F:\WINDOWS\system32\svchost.exe

F:\Program Files\Windows Defender\MsMpEng.exe

F:\WINDOWS\System32\svchost.exe

F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

F:\Program Files\Alwil Software\Avast4\ashServ.exe

F:\WINDOWS\system32\spoolsv.exe

F:\WINDOWS\Explorer.EXE

F:\WINDOWS\SOUNDMAN.EXE

F:\Program Files\Windows Defender\MSASCui.exe

F:\WINDOWS\system32\RUNDLL32.EXE

F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

F:\Program Files\Java\jre6\bin\jusched.exe

F:\Program Files\Java\jre6\bin\jqs.exe

F:\WINDOWS\system32\nvsvc32.exe

F:\Program Files\UPHClean\uphclean.exe

F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

F:\Program Files\Alwil Software\Avast4\ashWebSv.exe

I:\program files\Agent\agent.exe

F:\WINDOWS\system32\wuauclt.exe

J:\appz38\hijackthis2.02\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = gopher=localhost:8080;http=localhost:8080;https=localhost:8080

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - F:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - F:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [DiskeeperSystray] "F:\Program Files\Executive Software\Diskeeper\DkIcon.exe"

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [Windows Defender] "F:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [avast!] F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "F:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [sUPERAntiSpyware] F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab

O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/v7/sit...b?1195112645687

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1210101168515

O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab

O20 - Winlogon Notify: !SASWinLogon - F:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Diskeeper - Executive Software International, Inc. - F:\Program Files\Executive Software\Diskeeper\DkService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - F:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe

--

End of file - 6109 bytes

Link to post
Share on other sites

  • 6 months later...
This Rundll32 in question is visible in the Task Manager about 30 minutes after booting up.

I've killed the process with no obvious affects to the system, and after a little while it returns.

At this point , Avast, Spybot S&D, Windows Defender and SuperAntiSpyware find nothing during

memory/registry/disk scans.

This mysterious rundll was kicked off by the task scheduler (available in control panel/scheduled tasks)

It was harmless enough by this point - it's target had already been "cleaned".

I guess the moral is, don't forget the task scheduler as a source of where things get kicked off!

Dave

Link to post
Share on other sites

  • Root Admin

If you're satisfied with the results that's fine, but if you'd like further analysis and possible removal of other left over items please follow the directions below and as soon as someone is available they will assist you further.

Thanks.

Scan and post logs - read note at bottom in green

If you're having Malware related issues with your computer that you're unable to resolve.

  1. Please read and follow the instructions provided here: I'm infected - What do I do now?
  2. If needed please post your logs in a NEW topic here: Malware Removal - HijackThis Logs
  3. When posting logs please do not use any Quote, Code, or other tags. Please copy/paste directly into your post and do not attach files unless requested.
  • Please do not post any logs in the General forum. We do not work on any logs posted in the General forum.
  • Please do not install any software or use any removal/scanning tool except for those you're requested to run by the Helper that will assist you.
  • Using these other tools often makes the cleanup task more difficult and time consuming.
  • If you have already submitted for assistance at one of the other support sites on the Internet then you should not post a new log here, you should stay working with the Helper from that site until the issue is resolved.
  • Do not assume you're clean because you don't see something in the logs. Please wait until the person assisting you provides feedback.
  • There are often many others that require asistance as well, so please be patient. If no one has responded within 48 hours then please go ahead and post a request for review
  • NOTE: If for some reason you're unable to run some or any of the tools in the first link, then skip that step and move on to the next one. If you can't even run HijackThis, then just proceed and post a NEW topic as shown in the second link describing your issues and someone will assist you as soon as they can.
Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.