Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Vundoo


  • This topic is locked This topic is locked
3 replies to this topic

#1 hydronic

hydronic

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:09:40 AM

Posted 13 January 2009 - 12:03 AM

From scanning with Spyhunter I think I have Vundoo.

VundoFix does not report any files found.

My Internet Explorer window has a line of red text at the top saying "too many errors WERE found on your system. Possibly IT WAS THE RESULT of a virus attack. YOU MUST SCAN YOUR SYSTEM."

After about 2 minutes of idle time Internet Explorer jumps to a site address hxxp://real-av.org/?code=3

Microsoft Outlook is unable to download email.

I have a new icon on the taskbar. It is a white cross in a red circle, it has a tooltip attached which says "Your computer is infected! it is recommended to start spyware cleaner tool"

Thankyou for your help.


DDS (Ver_09-01-07.01) - FAT32x86
Run by Administrator at 15:44:21.32 on Tue 13/01/2009
Internet Explorer: 6.0.2800.1106
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.511.314 [GMT 11:00]


============== Running Processes ===============

C:\WIN2000\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WIN2000\system32\acs.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\WIN2000\system32\hidserv.exe
C:\WIN2000\System32\nvsvc32.exe
C:\WIN2000\system32\regsvc.exe
C:\WIN2000\system32\MSTask.exe
C:\WIN2000\system32\stisvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WIN2000\System32\WBEM\WinMgmt.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WIN2000\Explorer.EXE
C:\WIN2000\SOUNDMAN.EXE
C:\Program Files\CA\eTrust Vet Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\WIN2000\system32\frmwrk32.exe
C:\WIN2000\system32\internat.exe
C:\WIN2000\system32\RUNDLL32.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Firetrust\Benign\B9.exe
C:\Program Files\NETGEAR\WPN311\wlancfg5.exe
C:\Program Files\Ontrack\PowerDesk\PDDLGHLP.EXE
C:\Program Files\Firetrust\MailWasher Pro\MailWasher.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WIN2000\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Ontrack\PowerDesk\PDExplo.exe
C:\Documents and Settings\Administrator.HOME\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
BHO: {49350ec7-847d-7ec9-7424-7f8fb8d44885}: {58844d8b-f8f7-4247-9ce7-d7487ce05394} - c:\win2000\system32\mgfbkz.dll
BHO: {5b64d212-f925-4df4-bcc0-b1b0d1a1f299} - c:\win2000\system32\byXOeFuT.dll
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\win2000\system32\ddcCVNFV.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\system32\browseui.dll
uRun: [internat.exe] internat.exe
uRun: [NvMediaCenter] RUNDLL32.EXE c:\win2000\system32\NVMCTRAY.DLL,NvTaskbarInit
uRun: [b9] c:\program files\firetrust\benign\B9.exe /minimize
mRun: [Synchronization Manager] mobsync.exe /logon
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\win2000\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NeroFilterCheck] c:\win2000\system32\NeroCheck.exe
mRun: [WinVNC] "c:\program files\ultravnc\WinVNC.exe" -servicehelper
mRun: [eTrustPPAP] "c:\program files\ca\etrust pestpatrol\PPActiveDetection.exe"
mRun: [CaAvTray] "c:\program files\ca\etrust vet antivirus\CAVTray.exe"
mRun: [CAVRID] "c:\program files\ca\etrust vet antivirus\CAVRID.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [OrderReminder] c:\program files\hewlett-packard\orderreminder\OrderReminder.exe
mRun: [Framework Windows] frmwrk32.exe
mRun: [0f2e7b06] rundll32.exe "c:\win2000\system32\qbqdjwlg.dll",b
mRun: [SunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe
dRun: [internat.exe] internat.exe
dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop
StartupFolder: c:\docume~1\admini~2.hom\startm~1\programs\startup\dialog~1.lnk - c:\program files\ontrack\powerdesk\PDDLGHLP.EXE
StartupFolder: c:\docume~1\admini~2.hom\startm~1\programs\startup\mailwa~1.lnk - c:\program files\firetrust\mailwasher pro\MailWasher.exe
StartupFolder: c:\docume~1\alluse~2.win\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~2.win\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wpn311\wlancfg5.exe
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-explorer: NoActiveDesktop = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\win2000\system32\msjava.dll
LSP: c:\docume~1\chriss~1.hom\locals~1\temp\ntdll64.dll
LSP: c:\win2000\system32\VetRedir.dll
TCP: {2D30D527-E85D-4236-9116-C8E4304CB9E5} = 61.9.133.193,61.9.134.49
TCP: {96A8EF37-387B-42C5-ACD6-13135EEBC6D8} = 144.140.70.30,144.140.71.16
Notify: ddcCVNFV - ddcCVNFV.dll
AppInit_DLLs: mgfbkz.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\win2000\system32\ddcCVNFV.dll
LSA: Authentication Packages = msv1_0 c:\win2000\system32\byXOeFuT

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~2.hom\applic~1\mozilla\firefox\profiles\default.qm5\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - component: c:\program files\mozilla firefox\components\qfaservices.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\xpinstall.js - pref("xpinstall.manual_confirm", true);
c:\program files\mozilla firefox\greprefs\xpinstall.js - pref("xpinstall.notifications.enabled", true);
c:\program files\mozilla firefox\greprefs\xpinstall.js - pref("xpinstall.notifications.interval", 1);
c:\program files\mozilla firefox\greprefs\xpinstall.js - pref("xpinstall.notifications.lastDate", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("backups.number_of_prefs_copies", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.closed", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.document", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.frames", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.history", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.length", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.opener", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.parent", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.self", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.top", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.window", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.DOMParser,parseFromString", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.DOMParser,parseFromStream", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.block.target_new_window", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.disable_window_open_feature.status", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.popup_allowed_events", "change click dblclick reset submit");
c:\program files\mozilla firefox\greprefs\all.js - pref("advanced.always_load_images", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.protocol-handler.external.help", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.connect.timeout", 30); // in seconds
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.request.timeout", 120); // in seconds
c:\program files\mozilla firefox\greprefs\all.js - pref("network.negotiate-auth.trusted-uris", "https://");
c:\program files\mozilla firefox\greprefs\all.js - pref("network.image.imageBehavior", 0); // 0-Accept, 1-dontAcceptForeign, 2-dontUse
c:\program files\mozilla firefox\greprefs\all.js - pref("network.cookie.cookieBehavior", 3); // 0-Accept, 1-dontAcceptForeign, 2-dontUse, 3-p3p
c:\program files\mozilla firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\mozilla firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\mozilla firefox\greprefs\all.js - pref("bidi.clipboardtextmode", 3);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("app.id", "{ec8030f7-c20a-464f-9b0e-13a3a9e97384}");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("app.version", "0.9");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("app.build_id",
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("update.app.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("update.app.url", "chrome://mozapps/locale/update/update.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("update.app.updatesAvailable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("update.app.updateVersion", "");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("update.app.updateDescription", "");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("update.app.updateURL", "");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("update.extensions.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("update.extensions.autoUpdate", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("update.interval", 604800000); // every 7 days
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("update.lastUpdateDate", 0); // UTC offset when last update was performed.
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("update.severity", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("update.extensions.count", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("general.useragent.vendor", "Firefox");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("general.useragent.vendorSub",
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.startup.homepage_override.1", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.turbo.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.disable_open_during_load", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("javascript.options.showInConsole", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("network.protocols.useSystemDefaults", false); // set to true if user links should use system default handlers
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("update_notifications.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("update_notifications.provider.0.frequency", 7); // number of days
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.xul.error_pages.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("network.protocol-handler.external.news" , true); // for news

============= SERVICES / DRIVERS ===============

R1 GhPciScan;GhostPciScanner;c:\program files\symantec\norton ghost 2003\GhPciScan.sys [2002-8-14 5632]
R1 VET-FILT;VET File System Filter;c:\win2000\system32\drivers\Vet-Filt.sys [2004-9-5 21031]
R1 VET-REC;VET File System Recognizer;c:\win2000\system32\drivers\Vet-Rec.sys [2004-9-5 15478]
R1 VETEFILE;VET File Scan Engine;c:\win2000\system32\drivers\VetEFile.sys [2006-9-10 879832]
R1 VETFDDNT;VET Floppy Boot Sector Monitor;c:\win2000\system32\drivers\VetFDDNT.sys [2004-9-5 15735]
R1 VETMONNT;VET File Monitor;c:\win2000\system32\drivers\vetmonnt.sys [2006-9-10 26787]
R3 usbhub20;USB 2.0 Root Hub Support;c:\win2000\system32\drivers\usbhub20.sys [2004-8-21 49776]
R3 VETEBOOT;VET Boot Scan Engine;c:\win2000\system32\drivers\VetEBoot.sys [2006-9-10 108360]
R3 yukonw2k;NDIS5 Miniport Driver for Marvell Yukon Gigabit Ethernet Adapter;c:\win2000\system32\drivers\yukonw2k.sys [2003-12-23 174464]
R4 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2008-1-4 587096]
R4 ETDrv;ETDrv;c:\win2000\system32\drivers\ETDrv.sys [2004-8-21 170128]
S3 Addhid;Addhid; [x]
S3 autorun;autorun;\??\c:\huadio.tmp --> c:\huadio.tmp [?]
S3 k600bus;Sony Ericsson 600i driver (WDM);c:\win2000\system32\drivers\k600bus.sys [2005-9-4 52384]
S3 k600mdfl;Sony Ericsson 600i USB WMC Modem Filter;c:\win2000\system32\drivers\k600mdfl.sys [2005-9-4 6096]
S3 k600mdm;Sony Ericsson 600i USB WMC Modem Drivers;c:\win2000\system32\drivers\k600mdm.sys [2005-9-4 87456]
S3 k600mgmt;Sony Ericsson 600i USB WMC Device Management Drivers;c:\win2000\system32\drivers\k600mgmt.sys [2005-9-4 79248]
S3 k600obex;Sony Ericsson 600i USB WMC OBEX Interface Drivers;c:\win2000\system32\drivers\k600obex.sys [2005-9-4 77072]
S3 LCcfltr;Logitech USB Filter Driver;c:\win2000\system32\drivers\LCcfltr.sys [2004-2-20 14095]
S3 mapmem_dv;mapmem_dv;\??\c:\mapmem.tmp --> c:\mapmem.tmp [?]
S4 CAISafe;CAISafe;c:\program files\ca\etrust vet antivirus\iSafe.exe [2006-9-10 259624]
S4 PDSched;PDScheduler;c:\program files\raxco\perfectdisk\PDSched.exe [2004-2-11 200771]
S4 VETMSGNT;VET Message Service;c:\program files\ca\etrust vet antivirus\VetMsg.exe [2006-9-10 202280]

=============== Created Last 30 ================

2009-01-13 14:58 16,384 a------- c:\win2000\system32\Perflib_Perfdata_620.dat
2009-01-13 14:58 410,984 a------- c:\win2000\system32\deploytk.dll
2009-01-13 14:58 73,728 a------- c:\win2000\system32\javacpl.cpl
2009-01-13 12:11 1,271,136 ---sh--- c:\win2000\system32\glwjdqbq.ini
2009-01-13 12:11 72,704 a------- c:\win2000\system32\qbqdjwlg.dll
2009-01-13 12:09 129,024 a------- c:\win2000\system32\mgfbkz.dll
2009-01-13 12:09 129,024 a------- c:\win2000\system32\qnqftdpn.dll
2009-01-13 12:08 444,917 a--sh--- c:\win2000\system32\TuFeOXyb.ini2
2009-01-13 12:08 444,917 a--sh--- c:\win2000\system32\TuFeOXyb.ini
2009-01-13 12:08 302,592 a------- c:\win2000\system32\byXOeFuT.dll
2009-01-10 20:10 <DIR> --d----- C:\VundoFix Backups
2009-01-10 19:39 <DIR> --d----- c:\program files\Enigma Software Group
2009-01-10 18:11 1,347 a------- c:\win2000\system32\ahtn.htm
2009-01-10 18:11 4,785 a------- c:\win2000\system32\warning.gif
2009-01-10 18:11 111,616 a------- c:\win2000\system32\ntdll64.exe

==================== Find3M ====================

2008-12-10 08:52 34,816 a------- c:\win2000\system32\ddcCVNFV.dll
2008-12-07 14:11 23,552 a------- c:\win2000\system32\frmwrk32.exe
2008-10-16 14:13 1,809,944 a------- c:\win2000\system32\dllcache\wuaueng.dll
2008-10-16 14:09 92,696 a------- c:\win2000\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\win2000\system32\dllcache\wuauclt.exe
2007-03-21 17:53 300,680 -------- c:\docume~1\alluse~2.win\applic~1\arclib.dll
2005-03-29 14:37 456,384 a------- c:\win2000\inf\wpn311\WPN311.sys
2005-01-27 10:59 35,232 a------- c:\win2000\inf\wpn311\ME_INST.EXE
2005-01-27 10:59 26,112 a------- c:\win2000\inf\wpn311\install.exe
2004-08-21 17:33 21,952 ----h--- c:\program files\folder.htt
2004-08-21 17:33 271 ----h--- c:\program files\desktop.ini
1999-12-07 12:00 32,528 a------- c:\win2000\inf\wbfirdma.sys

============= FINISH: 15:44:34.34 ===============

Attached Files


Edited by miekiemoes, 13 January 2009 - 06:00 AM.
malicious link disabled


BC AdBot (Login to Remove)

 


#2 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:10:40 PM

Posted 14 January 2009 - 04:42 PM

Hello Hydronic and welcome to Bleeping Computer,

Please read [url="http://"http://www.bleepingcomputer.com/combofix/how-to-use-combofix"]this tutorial[/url] carefully to download ComboFix from one of the locations specified, and save it to your Desktop.
Double click the ComboFix icon to run it.
If ComboFix askes you to install the Recovery Console, please do so..
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbsup:

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#3 hydronic

hydronic
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:09:40 AM

Posted 14 January 2009 - 06:19 PM

Hi Thunder,
Thanks for your reply. I have just managed to solve the problem using MalwareBytes and the machine is running well.
Thankyou for your time.

#4 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:10:40 PM

Posted 15 January 2009 - 04:52 AM

Very well, Hydronic

If you're convinced that solved all of your problems ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Please read this Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks.
To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Please also read Tony Klein's excellent article: How I got Infected in the First Place
and/or Grinlers tutorial on how malware is hidden and installed

Everyone else please begin a New Topic.
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users