
Infected with Vundo


5 replies to this topic

#1 tkumala

Posted 04 January 2009 - 12:09 AM

Hi all,

First of all, thanks in advance for reading. Double thanks for helping me. I have a laptop from work that I've also been using to surf the internet. Unfortunately, now I got a Vundo virus. I've run F-Secure online scanner (disinfected, but it came back), SuperAntiSpyware (cleaned, but it came back), VundoFix (did not detect anything). The unfortunate thing is that I do not have full admin rights to the laptop. Not sure why I was able to install SuperAntiSpyware, but it would not let me install Spyware Doctor or Malwarebytes' Anti-Malware.

The laptop has McAfee Enterprise installed, which, needless to say, was unable to prevent the virus from installing itself.

Please help. DDS.txt is attached.

Thanks
TK

***********DDS content**********************************************************************************************


DDS (Version 1.1.0) - NTFSx86
Run by tkumala at 20:54:17.78 on Sat 01/03/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1438 [GMT -8:00]

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated)

============== Running Processes ===============

svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\SYSTEM32\DWRCST.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Apoint\HidFind.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\tkumala\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://intra.sc.vishay.com/
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/
BHO: {6dc70e57-8933-4acf-9ce6-930e1114a432} - c:\tmp\byXNhiGw.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSServer] rundll32.exe c:\tmp\yayyVmKE.dll,#1
uRun: [cmds] rundll32.exe c:\tmp\byXNhiGw.dll,c
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [acd6cc90] rundll32.exe "c:\windows\system32\dylritrx.dll",b
mRun: [DameWare MRC Agent] c:\windows\system32\DWRCST.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-ba7e-100000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\setpoint.lnk - c:\program files\setpoint\SetPoint.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\progra~1\yahoo!\messen~1\YPager.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Handler: saphtmlp - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\sapgui\SAPHTMLP.DLL
Handler: sapr3 - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\sapgui\SAPHTMLP.DLL
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tkumala\applic~1\mozilla\firefox\profiles\75804o7l.default\
FF - prefs.js: browser.startup.homepage - hxxp://m.www.yahoo.com/

============= SERVICES / DRIVERS ===============

R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [2007-2-15 26624]
R3 BW2NDIS5;BW2NDIS5 NDIS Protocol Driver;c:\windows\system32\drivers\BW2NDIS5.SYS [2004-11-2 17536]
R3 DwMirror;DwMirror;c:\windows\system32\drivers\DamewareMini.sys [2007-2-7 3712]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2008-12-15 72904]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2008-12-15 34344]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2008-12-15 177672]
R4 AM.EventService;Access Manager Event Service;c:\program files\remote services\AM.utEventServer.exe [2006-6-29 28672]
R4 AM.ScriptService;Access Manager Script Service;c:\program files\remote services\AM.blScriptEngine.exe [2006-6-29 28672]
R4 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-12-15 103744]
R4 MCIMonitor;MCI Monitor Service;c:\program files\remote services\wengine\wmonitor.exe [2006-1-24 69696]
R4 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2008-10-6 144704]
R4 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2008-10-6 54608]
S3 AM.InstallService;Access Manager Install Service;c:\program files\remote services\AM.InstallService.exe [2006-6-29 81920]

=============== Created Last 30 ================

2009-01-03 20:45 16,384 a------t c:\temp\Perflib_Perfdata_734.dat
2009-01-03 19:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-01-03 19:34 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-01-03 16:33 1,307,356 ---sh--- c:\windows\system32\xrtirlyd.ini
2009-01-03 16:21 <DIR> --d----- C:\VundoFix Backups
2009-01-03 15:47 129,024 a------- c:\windows\system32\bvvimjim.dll
2009-01-03 15:47 72,704 a------- c:\windows\system32\dylritrx.dll
2008-12-26 12:13 <DIR> --d----- c:\temp\F-Secure
2008-12-26 12:06 <DIR> --d----- C:\fsaua.data
2008-12-26 11:45 <DIR> --d----- c:\program files\Trend Micro
2008-12-25 20:31 <DIR> --d----- c:\docume~1\tkumala\applic~1\GetModule
2008-12-25 20:31 <DIR> --d----- C:\Quarantine
2008-12-19 12:27 <DIR> --d----- c:\temp\DTS docs
2008-12-17 10:04 4,764 a------- c:\windows\system32\CcmFramework.ini
2008-12-17 10:04 621 a------- c:\windows\system32\CcmFramework.h
2008-12-17 10:03 <DIR> --d----- c:\windows\ms
2008-12-16 11:24 220 a------- c:\windows\hpbafd.ini
2008-12-16 10:29 <DIR> --d-h--- c:\windows\system32\dwrcssft
2008-12-16 10:29 233,472 a------- c:\windows\system32\DWRCSET.DLL
2008-12-16 10:29 61,440 a------- c:\windows\system32\DWRCSh32.dll
2008-12-16 10:29 234,496 a------- c:\windows\system32\DWRCS.EXE
2008-12-16 10:29 78,848 a------- c:\windows\system32\DWRCST.EXE
2008-12-16 10:29 53,248 a------- c:\windows\system32\DWRCK.DLL
2008-12-16 10:16 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2008-12-16 10:11 <DIR> --d----- c:\windows\system32\CCM
2008-12-16 10:11 <DIR> --d----- c:\program files\Windows Imaging
2008-12-16 10:11 <DIR> -cd-h--- c:\windows\$UninstallRDC$
2008-12-16 10:11 <DIR> --d----- c:\windows\system32\bits
2008-12-16 10:10 7,168 -------- c:\windows\system32\bitsprx4.dll
2008-12-16 10:10 <DIR> --d----- c:\windows\system32\ccmsetup
2008-12-15 15:28 31,616 a------- c:\windows\system32\drivers\usbccgp.sys
2008-12-15 15:20 <DIR> --d----- c:\program files\Yahoo!
2008-12-15 14:42 177,672 a------- c:\windows\system32\drivers\mfehidk.sys
2008-12-15 14:42 72,904 a------- c:\windows\system32\drivers\mfeavfk.sys
2008-12-15 14:42 64,488 a------- c:\windows\system32\drivers\mfeapfk.sys
2008-12-15 14:42 52,136 a------- c:\windows\system32\drivers\mfetdik.sys
2008-12-15 14:42 34,344 a------- c:\windows\system32\drivers\mfebopk.sys
2008-12-15 14:42 <DIR> --d----- c:\program files\common files\McAfee
2008-12-15 14:33 <DIR> --d----- c:\program files\Reflection
2008-12-15 14:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Reflection
2008-12-15 14:27 <DIR> --d----- c:\docume~1\tkumala\applic~1\Juniper Networks
2008-12-15 14:27 <DIR> --d----- c:\documents and settings\tkumala\WINDOWS
2008-12-15 14:27 <DIR> --d----- c:\documents and settings\tkumala\SapWorkDir
2008-12-15 14:27 <DIR> --d----- c:\documents and settings\tkumala

==================== Find3M ====================

2008-10-23 05:01 283,648 a------- c:\windows\system32\gdi32.dll
2008-10-16 02:37 659,456 a------- c:\windows\system32\wininet.dll

============= FINISH: 20:55:03.89 ===============

********************************************************************************************************************

Attached Files: DDS.txt (9.58KB)
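The DDS log in the post above shows the classic Vundo footprint in one place: a BHO registered with no friendly name, two rundll32 Run entries loading DLLs out of c:\tmp, a Run value with a random hex name (acd6cc90) loading a DLL that was dropped into system32 the same afternoon, and a hidden .ini (xrtirlyd.ini) whose name is that DLL's name (dylritrx) spelled backwards. The Python script below is an added example written for this page; it is not part of the thread and is not DDS or any vendor's detection code. It parses the pseudo-HJT and "Created Last 30" sections of a DDS log and flags those patterns. The sample lines are copied from the log above; the indicator rules themselves (temp-directory DLLs, unnamed BHOs, hex-named Run values, recently created DLLs loaded via rundll32, reversed-name hidden .ini companions, same-minute drops) are my own heuristics, not published Vundo signatures.

```python
"""Flag Vundo-style persistence indicators in a DDS log (added example, not from the thread)."""
import re
from collections import defaultdict

# Lines copied from the DDS log posted in this thread (pseudo-HJT and
# "Created Last 30" sections); they are the thread's own data, not constructed.
DDS_SAMPLE = r'''
BHO: {6dc70e57-8933-4acf-9ce6-930e1114a432} - c:\tmp\byXNhiGw.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSServer] rundll32.exe c:\tmp\yayyVmKE.dll,#1
uRun: [cmds] rundll32.exe c:\tmp\byXNhiGw.dll,c
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [acd6cc90] rundll32.exe "c:\windows\system32\dylritrx.dll",b
mRun: [DameWare MRC Agent] c:\windows\system32\DWRCST.exe
2009-01-03 16:33 1,307,356 ---sh--- c:\windows\system32\xrtirlyd.ini
2009-01-03 16:21 <DIR> --d----- C:\VundoFix Backups
2009-01-03 15:47 129,024 a------- c:\windows\system32\bvvimjim.dll
2009-01-03 15:47 72,704 a------- c:\windows\system32\dylritrx.dll
2008-12-16 10:29 78,848 a------- c:\windows\system32\DWRCST.EXE
'''

# Heuristic rules (my assumptions, not vendor signatures).
TEMP_DIR_RE = re.compile(r"(?:^|\\)(?:tmp|temp)\\", re.I)
RUN_RE = re.compile(r"^[um]Run: \[(?P<key>[^\]]*)\] (?P<cmd>.*)$")
BHO_RE = re.compile(r"^BHO: (?:(?P<name>.+?): )?\{(?P<guid>[0-9a-f-]{36})\} - (?P<path>.+)$", re.I)
# Only file entries match; "<DIR>" rows have no numeric size and are skipped.
CREATED_RE = re.compile(r"^\d{4}-\d\d-\d\d (?P<time>\d\d:\d\d) [\d,]+ (?P<attrs>[-a-z]{8}) (?P<path>.+)$")
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?(?:,.*)?$', re.I)
HEX_KEY_RE = re.compile(r"^[0-9a-f]{8}$", re.I)


def stem(path):
    """Lower-case file name without directory or extension."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()


def analyze(log_text):
    """Return {lower-case path: [reasons]} for every entry that trips a rule."""
    findings = defaultdict(list)
    lines = [ln.strip() for ln in log_text.splitlines()]

    # Pass 1: index the "Created Last 30" files so Run entries can be cross-checked.
    created = {}  # path -> (hh:mm, attribute string)
    for ln in lines:
        m = CREATED_RE.match(ln)
        if m:
            created[m["path"].lower()] = (m["time"], m["attrs"])
    created_dlls = {stem(p): p for p in created if p.endswith(".dll")}

    # Pass 2: BHO and Run entries.
    for ln in lines:
        m = BHO_RE.match(ln)
        if m:
            path = m["path"].lower()
            if m["name"] is None:
                findings[path].append("BHO registered without a friendly name")
            if TEMP_DIR_RE.search(path):
                findings[path].append("BHO loaded from a temp directory")
            continue
        m = RUN_RE.match(ln)
        if not m:
            continue
        r = RUNDLL_RE.match(m["cmd"].strip())
        if not r:
            continue  # plain EXE autoruns are not covered by these rules
        dll = r["dll"].lower()
        if TEMP_DIR_RE.search(dll):
            findings[dll].append("rundll32 autorun of a DLL in a temp directory")
        if dll in created:
            findings[dll].append("rundll32 autorun of a DLL created in the last 30 days")
        if HEX_KEY_RE.match(m["key"]):
            findings[dll].append(f"Run value name {m['key']!r} is 8 random-looking hex characters")

    # Pass 3: hidden .ini whose stem is a dropped DLL's stem reversed (xrtirlyd <-> dylritrx).
    for path, (_time, attrs) in created.items():
        if path.endswith(".ini") and "h" in attrs:
            twin = created_dlls.get(stem(path)[::-1])
            if twin:
                findings[path].append(f"hidden .ini named as {stem(twin)} reversed")
                findings[twin].append(f"has reversed-name hidden companion {path.rsplit(chr(92), 1)[-1]}")

    # Pass 4: DLLs written in the same minute as an already flagged file.
    flagged_times = {created[p][0] for p in list(findings) if p in created}
    for path, (time, _attrs) in created.items():
        if path.endswith(".dll") and path not in findings and time in flagged_times:
            findings[path].append(f"created at {time}, same minute as a flagged file")

    return dict(findings)


if __name__ == "__main__":
    for path, reasons in sorted(analyze(DDS_SAMPLE).items()):
        print(path)
        for why in reasons:
            print("   -", why)
```

Run as-is, it reports byXNhiGw.dll, yayyVmKE.dll, dylritrx.dll, xrtirlyd.ini and bvvimjim.dll, and leaves ctfmon.exe, igfxtray.exe, ssv.dll and the DameWare agent (DWRCST.exe, which the helper asks about in post #4) alone. The rules are deliberately loose: a legitimate DLL that was updated inside the 30-day window and is started through rundll32 would also trip rule 2, so treat the output as a triage list for a human, not as a verdict.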




#2 mas_pogi

Posted 05 January 2009 - 01:24 AM

Hello ,

Welcome to Bleeping Computer.

My name is mas_pogi and I will be helping you with your malware problem.
As I am still in training I will be helping you under supervision of our expert teachers, so there may be a delay between posts.

Attention!

Please do not run any other tool until instructed to do so.
Please tell me about any problems that have occurred during the fix.
Please tell me of any other symptoms you may be having as these can help also.
Please try as much as possible not to run anything while executing a fix.
Please reply to this thread, do not start another.




You might want to save this page to your bookmarks, so you can find it again when you return.

Firefox: [screenshot] Then click on Done.

IExplorer: [screenshot] Then click on Add.

Stay calm and everything will be just alright.

I will be analyzing your log. I will get back to you with instructions after it is approved.

Please post attach.txt located at your desktop. By the way, is this a company laptop? or yours?

With Regards,
mas_pogi

Edited by mas_pogi, 05 January 2009 - 01:51 AM.


#3 tkumala (Topic Starter)

Posted 05 January 2009 - 06:34 AM

Hello Mas_Pogi,

thanks for helping me with this. Attach.txt is attached.

This is a company laptop, and thus I have rather restricted access to what I can do. I will talk to the IT today to provide me with admin access just in case I need to do so.

Thanks again for your help.

tkumala



#4 mas_pogi

Posted 07 January 2009 - 03:26 AM

hi.

Welcome to BC

Sorry for the delay. Forum is quite busy now.

Do you recognize this application?

c:\windows\system32\DWRCST.exe which belongs to DameWare Mini Remote Control program

Let me know in your next reply.


We need to log in as a user with administrator rights, without administrator rights we cannot kill the infection.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

Mark

#5 tkumala (Topic Starter)

Posted 09 January 2009 - 03:49 PM

Hello Mark,

I had lost hope and asked our IT to go ahead and reformat the whole thing. Most importantly, I did not want the whole company network to get the same virus or spyware. DameWare is a remote login tool that our IT uses.

Anyways, thanks again for your help.

tkumala

#6 mas_pogi

Posted 09 January 2009 - 06:49 PM

hi.

No problem.

I'll close this thread now.

Surf safe.

Mark



