Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trouble removing Vundo Malware


  • This topic is locked This topic is locked
2 replies to this topic

#1 Scout0704

Scout0704

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:12:22 AM

Posted 31 December 2008 - 04:58 PM

Hello,

I have been struggling with the Vundo malware (at least that I think) for the past week. I have read many tips on this site and tried most of them. Today, I was going to try your instructions for ComboFix. But I could not disable McAfee. When I try to open McAfee, I get an "security message": "Your current settings do not allow this file to be downloaded". I also get this message when I try to download exe files (using Firefox). After I click OK on the security message (two messages), the McAfee window opens, but without any information (completely blank). After the second attempt to disable, ComboFix gave a warning, then continued to run. But it hung-up, with a message that a file could not be found.

My original problem started with pop-ups (telling me that I am infected) in Firefox. I have cleaned up much of my temp files using CCcleaner. I have removed all old versions of Java. I no longer see the pop-ups, but I still have difficultly opening McAfee and downloading files. When I download files, I get the message: "This download has been blocked by your security zone software -- bleepingcomputer.com".

My basic problem is a dll (loaded as c:\windows\system32\zayitala.dll). So far, I have tried (both in "normal" mode and safe mode (as admin)):
1. using Spybot
2. using AdAware
3. SpySweeper
4. Malwarebyte Anti-Malware
5. Deleting the registry entries using both Hi-Jack This and Autoruns (again, both in normal and safe mode)
6. While in safe mode, shutting down explorer.exe, then using cmd prompt deleting the dll. The file just reappears. I do notice a strange hidden file called nukajawi (no extension) that also reappears after renaming.

I am getting ready to bite the bullet and image my system; my patience is almost gone!

Any body have other suggestions or comments.

Thanks for your help.

Per suggestion, ran dds. Below is the log file.


DDS (Version 1.1.0) - NTFSx86
Run by Owner at 16:53:19.51 on 2008-12-31
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.959.515 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: Webroot Internet Security Essentials *disabled*
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\sstray.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Webroot\WebrootSecurity\SSU.EXE
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: AIM Search: {40d41a8b-d79b-43d7-99a7-9ee0f344c385} - c:\program files\aim toolbar\AIMBar.dll
uRun: [ctfmon.exe] "c:\windows\system32\ctfmon.exe"
uRun: [EasyLinkAdvisor] "c:\program files\linksys easylink advisor\LinksysAgent.exe" /startup
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
mRun: [SunKistEM] "c:\program files\digital media reader\shwiconem.exe"
mRun: [SoundMan] "c:\windows\SOUNDMAN.EXE"
mRun: [ShowWnd] "c:\windows\ShowWnd.exe"
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [nForce Tray Options] "c:\windows\system32\sstray.exe" /r
mRun: [NeroFilterCheck] "c:\windows\system32\NeroCheck.exe"
mRun: [CHotkey] "c:\windows\zHotkey.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [nwiz] "c:\windows\system32\nwiz.exe" /install
mRun: [McAfee Backup] "c:\program files\mcafee\mbk\McAfeeDataBackup.exe"
mRun: [MBkLogOnHook] "c:\program files\mcafee\mbk\LogOnHook.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [AppleSyncNotifier] "c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SpySweeper] "c:\program files\webroot\webrootsecurity\SpySweeperUI.exe" /startintray
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\window~1.lnk - c:\windows\explorer.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\a9wxoeg6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/redirector/sredir?sredir=2706&query={searchTerms}&invocationType=tb50fftrie7
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=tb50fftrab&query=
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMySrWB.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npsnapfish.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npstrlnk.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint_03050024.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
FF - user.js: yahoo.homepage.dontask - truec:\program files\mozilla firefox\defaults\pref\activex.js - pref("general.useragent.vendorComment", "ax");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("security.xpconnect.activex.global.hosting_flags", 9);
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("security.classID.allowByDefault", false);
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID6BF52A52-394A-11D3-B153-00C04F79FAA6", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID22D6F312-B0F6-11D0-94AB-0080C74C7E95", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");

============= SERVICES / DRIVERS ===============

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-11-12 29808]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-1-19 201320]
R2 aawservice;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" [2008-5-12 611664]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-1-19 359248]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-1-19 144704]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\ViewpointService.exe" [2007-3-6 24652]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;"c:\program files\webroot\webrootsecurity\SpySweeper.exe" [2008-11-12 3667312]
R2 WRConsumerService;Webroot Client Service;"c:\program files\webroot\webrootsecurity\WRConsumerService.exe" [2008-12-27 1086840]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-1-19 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-1-19 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-1-19 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-1-19 40488]
S3 ctlsb16;Creative SB16/AWE32/AWE64 Driver (WDM);c:\windows\system32\drivers\ctlsb16.sys [2006-8-3 96256]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;"c:\program files\google\google desktop search\GoogleDesktop.exe" [2006-12-18 29744]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-1-19 33832]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2004-11-28 394192]

=============== Created Last 30 ================

2008-12-31 12:58 <DIR> --d----- C:\cmdcons
2008-12-31 12:53 <DIR> --d----- C:\ComboFix
2008-12-31 12:53 389,120 a------- c:\windows\system32\CF4974.exe
2008-12-31 12:53 161,792 a------- c:\windows\SWREG.exe
2008-12-31 12:53 98,816 a------- c:\windows\sed.exe
2008-12-31 12:52 389,120 a------- c:\windows\system32\CF4807.exe
2008-12-31 12:52 389,120 a------- c:\windows\system32\CF4817.exe
2008-12-29 21:33 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-29 21:33 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-29 21:33 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-29 20:54 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes
2008-12-29 20:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-29 20:23 5,342 a------- c:\windows\system32\Config.MPF
2008-12-29 20:20 2,148 a------- c:\windows\system32\wpa.dbl
2008-12-29 20:17 1,744 a---h--- c:\windows\system32\nukajawi
2008-12-28 15:47 <DIR> --d----- C:\VundoFix Backups
2008-12-27 20:25 1,553,272 a------- c:\windows\WRSetup.dll
2008-12-27 20:25 <DIR> --d----- c:\program files\Webroot
2008-12-27 20:25 <DIR> --d----- c:\docume~1\owner\applic~1\Webroot
2008-12-27 20:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Webroot

==================== Find3M ====================

2008-11-12 16:02 170,608 a------- c:\windows\system32\drivers\ssidrv.sys
2008-11-12 16:02 29,808 a------- c:\windows\system32\drivers\ssfs0bbc.sys
2008-11-12 16:02 23,152 a------- c:\windows\system32\drivers\sshrmd.sys
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 15:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-03 05:02 247,326 a------- c:\windows\system32\strmdll.dll
2008-09-19 19:15 23 a------- c:\documents and settings\owner\jagex_runescape_preferences.dat
2008-09-18 18:18 78,928 ac------ c:\docume~1\owner\applic~1\GDIPFONTCACHEV1.DAT
2005-03-07 22:06 334 ac------ c:\docume~1\owner\applic~1\wklnhst.dat
2007-11-26 18:04 61 ---sh--- c:\windows\cnerolf.dat
2008-09-06 15:19 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090620080907\index.dat
2007-12-03 22:24 313,632 ac-sh--- c:\windows\system32\drivers\fidbox.dat
2007-12-03 22:24 127,264 ac-sh--- c:\windows\system32\drivers\fidbox2.dat

============= FINISH: 16:54:59.93 ===============

Again, thanks for your help!

Attached Files



BC AdBot (Login to Remove)

 


#2 BHowett

BHowett

    Malware Hunter


  • Members
  • 69 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:01:22 AM

Posted 10 January 2009 - 07:03 PM

Hello and welcome to Bleeping Computer my name is BHowett and I will be helping you get sorted.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know.

If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Thanks and again sorry for the delay.

Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run.
After downloading the tool, disconnect from the internet and disable all antivirus protection.
Run the scan, enable your A/V and reconnect to the internet.
Information on A/V control HERE

Posted Image

Please do not PM me asking for support. Post on the forums instead :)
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!
Search the Forums | Forum Help
Posted Image
My help is always free, but if you feel I have helped you and would like to make a small donation, please click ---> Posted Image


#3 BHowett

BHowett

    Malware Hunter


  • Members
  • 69 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:01:22 AM

Posted 16 January 2009 - 10:33 AM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

Posted Image

Please do not PM me asking for support. Post on the forums instead :)
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!
Search the Forums | Forum Help
Posted Image
My help is always free, but if you feel I have helped you and would like to make a small donation, please click ---> Posted Image





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users