PDA

View Full Version : babylon/rundll infection


Hailey
2010-09-06, 23:53
Hello!
I have the babylon/rundll infection (I believe anyway) I pretty much cant download any antispyware .. or download much of anything.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Angel at 16:46:31.15 on Mon 09/06/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.3082.18.1014.357 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\AVG\AVG9\avgchsvx.exe
C:\Archivos de programa\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Archivos de programa\AVG\AVG9\avgcsrvx.exe
C:\Archivos de programa\Archivos comunes\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Archivos de programa\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\Explorer.exe
C:\Archivos de programa\Bonjour\mDNSResponder.exe
C:\Archivos de programa\Launch Manager\dsiwmis.exe
C:\Archivos de programa\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Archivos de programa\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Archivos de programa\eMachines\eMachines Updater\UpdaterService.exe
C:\Archivos de programa\AVG\AVG9\avgnsx.exe
C:\Archivos de programa\AVG\AVG9\avgemc.exe
C:\Archivos de programa\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Archivos de programa\Launch Manager\LManager.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Archivos de programa\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\snuvcdsm.exe
C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
C:\Archivos de programa\Archivos comunes\Java\Java Update\jusched.exe
C:\Archivos de programa\iTunes\iTunesHelper.exe
C:\ARCHIV~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\ARCHIV~1\WINDOW~4\MESSEN~1\msnmsgr.exe
C:\WINDOWS\system32\dumprep.exe
C:\Archivos de programa\Skype\Phone\Skype.exe
C:\Archivos de programa\Microsoft Office\Office12\ONENOTEM.EXE
C:\Archivos de programa\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Archivos de programa\Skype\Plugin Manager\skypePM.exe
C:\Archivos de programa\Windows Live\Contacts\wlcomm.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Archivos de programa\Archivos comunes\Java\Java Update\jucheck.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Documents and Settings\Angel\Escritorio\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://search.babylon.com/home?AF=14542
uDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0c0a&m=em250&r=0xph07103425l0484zum5r45k26234
mDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0c0a&m=em250&r=0xph07103425l0484zum5r45k26234
mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0c0a&m=em250&r=0xph07103425l0484zum5r45k26234
uInternet Connection Wizard,ShellNext = "c:\archivos de programa\outlook express\msimn.exe" //mailurl:mailto:janine@cherishedtrinkets.co.uk
uInternet Settings,ProxyOverride = *.local
mWinlogon: Shell=Explorer.exe rundll32.exe rrrc.yeo upptdvf
mWinlogon: Userinit=c:\windows\system32\userinit.exe
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\archiv~1\window~4\messen~1\msnmsgr.exe" /background
uRun: [MSConfig] c:\documents and settings\angel\gpinet.exe \u
uRun: [Skype] "c:\archivos de programa\skype\phone\Skype.exe" /nosplash /minimized
mRun: [IAAnotif] c:\archivos de programa\intel\intel matrix storage manager\iaanotif.exe
mRun: [LManager] c:\archivos de programa\launch manager\LManager.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AzMixerSel] c:\archivos de programa\realtek\audio\drivers\AzMixerSel.exe
mRun: [Adobe Reader Speed Launcher] "c:\archivos de programa\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [NortonOnlineBackupReminder] "c:\archivos de programa\symantec\norton online backup\activation\NobuActivation.exe" UNATTENDED
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [PLFSetL] c:\windows\PLFSetL.exe
mRun: [snp2uvc] rundll32.exe c:\windows\system32\csnp2uvc.dll,ResetCIDS
mRun: [snuvcdsm] c:\windows\snuvcdsm.exe
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [SunJavaUpdateSched] "c:\archivos de programa\archivos comunes\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\archivos de programa\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\archivos de programa\itunes\iTunesHelper.exe"
mRun: [WinampAgent] "c:\archivos de programa\winamp\winampa.exe"
mRun: [Java developer Script Browse] c:\windows\jusched.exe
mRun: [AVG9_TRAY] c:\archiv~1\avg\avg9\avgtray.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
StartupFolder: c:\docume~1\angel\menini~1\progra~1\inicio\erunta~1.lnk - c:\archivos de programa\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\angel\menini~1\progra~1\inicio\limewi~1.lnk - c:\archivos de programa\limewire\LimeWire.exe
StartupFolder: c:\docume~1\angel\menini~1\progra~1\inicio\recort~1.lnk - c:\archivos de programa\microsoft office\office12\ONENOTEM.EXE
IE: E&xportar a Microsoft Excel - c:\archiv~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\archivos de programa\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\archivos de programa\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\archivos de programa\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\archiv~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\archiv~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\archivos de programa\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\archiv~1\archiv~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll

============= SERVICES / DRIVERS ===============

R0 yblahahv;yblahahv;c:\windows\system32\drivers\yblahahv.sys [2010-8-11 40128]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-8-11 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-8-11 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-8-11 243024]
R2 avg9emc;AVG Free E-mail Scanner;c:\archivos de programa\avg\avg9\avgemc.exe [2010-8-11 921952]
R2 avg9wd;AVG Free WatchDog;c:\archivos de programa\avg\avg9\avgwdsvc.exe [2010-8-11 308136]
R2 DsiWMIService;Dritek WMI Service;c:\archivos de programa\launch manager\dsiwmis.exe [2009-11-13 107016]
R2 Updater Service;Updater Service;c:\archivos de programa\emachines\emachines updater\UpdaterService.exe [2009-11-13 240160]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2009-11-13 38912]
S2 GoogleUpdateBeta;Google Update Service;c:\documents and settings\networkservice\configuración local\datos de programa\google\update\googleupdatebeta.exe /svc --> c:\documents and settings\networkservice\configuración local\datos de programa\google\update\GoogleUpdateBeta.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\archivos de programa\google\update\GoogleUpdate.exe [2010-7-24 135664]
S2 iscjmzfj;iscjmzfj;c:\windows\system32\drivers\iscjmzfj.sys [2010-9-6 78848]
S2 rnsuorhb;rnsuorhb; [x]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-11-13 1684736]
S3 Partner Service;Partner Service;c:\documents and settings\all users\datos de programa\partner\Partner.exe [2009-11-13 332272]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2009-11-13 162816]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\drivers\rts516xir.sys --> c:\windows\system32\drivers\Rts516xIR.sys [?]

=============== Created Last 30 ================

2010-09-06 21:27:57 78848 ----a-w- c:\windows\system32\drivers\iscjmzfj.sys
2010-08-18 17:49:56 0 d-----w- c:\archivos de programa\Conduit
2010-08-18 17:49:51 0 d-----w- c:\archivos de programa\Babylon
2010-08-18 17:49:22 0 d-----w- c:\archivos de programa\Media Player
2010-08-17 23:48:30 0 d-sh--w- c:\documents and settings\angel\IECompatCache
2010-08-11 18:09:49 0 d--h--w- C:\$AVG
2010-08-11 17:57:31 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-08-11 17:57:27 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-08-11 17:57:15 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-08-11 17:57:09 0 d-----w- c:\windows\system32\drivers\Avg
2010-08-11 17:52:33 0 d-----w- c:\archivos de programa\AVG
2010-08-11 17:52:03 0 d-----w- c:\docume~1\alluse~1\datosd~1\avg9
2010-08-11 17:10:02 40128 ----a-w- c:\windows\system32\drivers\yblahahv.sys
2010-08-11 17:07:22 45568 ---h--w- c:\windows\system32\secupdat.dat
2010-08-11 17:07:22 45568 ---h--w- c:\documents and settings\angel\secupdat.dat
2010-08-10 15:35:09 0 d-----w- C:\Hotspot Shield
2010-08-10 15:34:48 0 d-----w- c:\archivos de programa\Hotspot Shield

==================== Find3M ====================

2010-08-07 05:15:36 82058 ----a-w- c:\windows\system32\perfc00A.dat
2010-08-07 05:15:36 463832 ----a-w- c:\windows\system32\perfh00A.dat
2010-07-27 08:50:31 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-13 14:09:15 32768 --sha-w- c:\windows\system32\config\systemprofile\configuración local\datos de programa\microsoft\feeds cache\index.dat
2010-03-17 14:15:37 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat

============= FINISH: 16:48:03.01 ===============
oldman960
2010-09-07, 11:25
Hi Hailey, welcome to the forum.

To make cleaning this machine easier
Please do not uninstall/install any programs unless asked to
It is more difficult when files/programs are appearing in/disappearing from the logs.
Please do not run any scans other than those requested
Please follow all instructions in the order posted
All logs/reports, etc.. must be posted in Notepad. Please ensure that word wrap is unchecked. In notepad click format, uncheck word wrap if it is checked.
Do not attach any logs/reports, etc.. unless specifically requested to do so.
If you have problems with or do not understand the instructions, Please ask before continuing.
Please stay with this thread until given the All Clear. A absence of symptoms does not mean a clean machine.



LimeWire
You have LimeWire, a P2P/file sharing program installed on your computer. P2P applications like it are the largest source of malware we see. You'll be doing yourself a favor by removing it.

References for the risk of these programs can be found in these links:
http://www.microsoft.com/windows/ie/commun...protection.mspx (http://www.microsoft.com/windows/ie/community/columns/protection.mspx)

http://www.internetworldstats.com/articles/art053.htm://http://www.techweb.com/wire/1605005...cles/art053.htm (http://www.internetworldstats.com/articles/art053.htm)

I would recommend that you uninstall LimeWire, however that choice is up to you. If you choose to remove this program, you can do so via Control Panel >> Add or Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.



Go HERE (http://www.gmer.net/) to get a randomly named copy of GMER. Scroll down to the Download section and click Download EXE. Save it to your desktop.

Before scanning with GMER, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.


Double click on the file you downloaded. If asked to allow gmer.sys driver to load, please consent .
If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

http://i582.photobucket.com/albums/ss269/Cat_Byte/GMER/gmer_th.gif (http://i582.photobucket.com/albums/ss269/Cat_Byte/GMER/gmer_screen2-1.gif)
Click the image to enlarge it

In the right panel, you will see several boxes that have been checked. Uncheck the following ...
IAT/EAT
Drives/Partition other than Systemdrive (typically C:\)
Show All (don't miss this one)

Then click the Scan button & wait for it to finish.
Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.

Save it where you can easily find it, such as your desktop, and post it in your next reply.


**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

If GMER will not run in normal windows, please run it in Saffe Mode



Next
Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.

Download the following file scan.txt (http://www.geekstogo.com/forum/index.php?app=core&module=attach&section=attach&attach_id=44597)to your Desktop. You may need to right click on it and select "Save"

Double click on OTL.exe to run it. Make sure all other windows are closed and to let it run uninterrupted.
Check the boxes beside LOP Check and Purity Check.
Double click inside the Custom Scan box at the bottom
A window will appear saying "Click Ok to load a custom scan from a file or Cancel to cancel"
Click the Ok button and navigate to the file scan.txt which we just saved to your desktop
Select scan.txt and click Open. Writing will now appear under the Custom Scan box
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.

Please post back with
GMER log
both OTL logs
Thanks
oldman960
2010-09-10, 14:59
Hi Hailey,

Fo you still need help with this?

Thanks
Cypher
2010-09-12, 20:00
This topic has been archived due to inactivity.

If it has been three days or more since your last post, and the helper assisting you posted a response to which you did not reply, your thread will not be re-opened. At that point, if you still require help, please start a new topic and include a new DDS log with a link to your previous thread. Please do not add any logs that might have been requested previously, you would be starting fresh.

If it has been less than three days since your last response and you need the thread re-opened, please send your helper a private message (pm). A valid, working link to the closed topic is required.