Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Vundo Trojan Virus/ popups, blue desktop background


  • This topic is locked This topic is locked
2 replies to this topic

#1 mk1224

mk1224

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:12:21 PM

Posted 10 January 2009 - 01:10 PM

I downloaded what i thought was an java update on a site for a new online security camera service and soon after I started getting pop ups to sites which are associated with the Vundo virus. (the same day I was also downloading some adobe brushes and freebies which may have also been the cause). My desktop background also turned blue. I also got this using firefox.I have already backed up all my documents and deleted them off this laptop, and I changed all my passwords and removed them from my browser history. I have tried many different free removal programs, mbam, Malwarebytes, mcAfee virtal tecnician, fixVundo, vundofix, and some of them will find theinfected files when they scan, and they will quarantine and remove the files but they always come back when i start up(the last reappearing two are HTregisty keys). I am reluctant to do a full reformat because i have so many programs like adobe and macromedia and its seems like a hassle. I have read that once this Trojan infects your computer there will always be a backdoor to your system making it insecure? also i am on a wireless network, can the Trojan infect other computers on the network through the internet connection? any help would be really appreciated. thankyou!

DDS (Ver_09-01-07.01) - NTFSx86
Run by melkorka-newprofile at 12:48:22.45 on Sat 01/10/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1335 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\melkorka-newprofile\Application Data\cogad\cogad.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\melkorka-newprofile\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/hws/sb/dell-inc/en/side.html?channel=us
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
uInternet Settings,ProxyOverride = *.local
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: {D5BF4552-94F1-42BD-F434-3604812C807D} - No File
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [cogad] "c:\documents and settings\melkorka-newprofile\application data\cogad\cogad.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
uRun: [lrijh8s73jhbfgfd] c:\docume~1\melkor~1\locals~1\temp\winloggn.exe
uRun: [SfKg6wIP] c:\documents and settings\melkorka-newprofile\application data\microsoft\windows\fmtgev.exe
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRunOnce: [RunNarrator] Narrator.exe
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks 2007\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: noryfh.dll lusqdg.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\melkor~1\applic~1\mozilla\firefox\profiles\7q7uv6nm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.nytimes.com/
FF - plugin: c:\documents and settings\melkorka-newprofile\application data\mozilla\firefox\profiles\7q7uv6nm.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-2-15 201320]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-2-15 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-2-15 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-2-15 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-2-15 40488]
R4 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-2-15 359248]
R4 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-2-15 144704]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-2-15 33832]

=============== Created Last 30 ================

2009-01-10 00:56 <DIR> --d----- c:\docume~1\melkor~1\applic~1\McAfee
2009-01-09 20:17 <DIR> --d----- C:\VundoFix Backups
2009-01-09 13:49 <DIR> --d----- c:\windows\murw
2009-01-09 13:49 <DIR> --d----- c:\program files\common files\murw
2009-01-09 12:35 133,120 a------- c:\windows\system32\lusqdg.dll
2009-01-09 12:35 133,120 a------- c:\windows\system32\arhecour.dll
2009-01-09 12:25 <DIR> --d----- c:\docume~1\melkor~1\applic~1\Malwarebytes
2009-01-09 12:24 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-09 12:24 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-09 12:24 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-09 12:24 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-08 17:29 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-08 17:29 73,728 a------- c:\windows\system32\javacpl.cpl
2009-01-08 12:30 <DIR> --d----- c:\docume~1\melkor~1\applic~1\cogad
2008-12-15 12:54 <DIR> --d----- c:\program files\iPod
2008-12-15 12:54 <DIR> --d----- c:\program files\iTunes
2008-12-15 12:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-15 12:52 <DIR> --d----- c:\program files\Bonjour

==================== Find3M ====================

2008-12-13 01:40 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll
2008-11-23 16:11 16,384 a------- c:\windows\MSIMGSIZ.DAT
2008-10-24 06:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 07:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2008-10-21 21:51 78,535 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-10-16 15:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 15:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 15:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 15:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 15:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 15:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 15:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 08:11 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 08:11 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 11:34 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-15 02:06 633,632 -------- c:\windows\system32\dllcache\iexplore.exe
2008-10-15 02:04 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-04-01 11:21 209,600 ac------ c:\docume~1\melkor~1\applic~1\GDIPFONTCACHEV1.DAT
2007-12-25 19:57 42,392 ac------ c:\docume~1\melkor~1\applic~1\wklnhst.dat
2007-10-02 18:23 19 ac------ c:\program files\Answer.txt
2007-01-29 08:38 88,576 ac--h--- c:\docume~1\melkor~1\applic~1\rbap550.dll
2006-06-21 08:40 8 ---shr-- c:\windows\system32\2B6537CA08.sys
2006-06-21 08:40 2,828 ac-sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 12:49:28.60 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 mk1224

mk1224
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:12:21 PM

Posted 22 January 2009 - 09:44 AM

I actually got help on another forum for this issue. I couldn't find out how to delete the post so I am just going to leave it up
, thankyou -mk1224

#3 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,801 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:12:21 PM

Posted 22 January 2009 - 06:06 PM

Hello mk1224,

Thank you for letting us know. Since this issue seems to be resolved, this thread will now be closed. Our apologies for not getting to your topic, but we are swamped with logs.

In case you experience any problems with the computer, please start a new topic.

Happy computing,

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users