Vundo/Vurtumonde infection


#1 cytolysis
Posted 20 January 2009 - 01:00 PM

I am running Windows XP, and I cannot turn on Windows Automatic Updates. When I try to turn it on manually, I get an Error 1058: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it. I think this means that I am infected with Vundo or Virtumonde. I am also experiencing strange blank windows opening in Mozilla Firefox. Thank you very much for any help!

EDIT: I just now ran a VundoFix scan, and it did not find anything.

DDS (Ver_09-01-18.01) - FAT32x86
Run by kovaka at 12:50:21.79 on Tue 01/20/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.122 [GMT -5:00]

AV: AVG 7.5.552 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Kitco\Kcast\Kcast.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
SVCHOST.EXE
C:\DOCUME~1\kovaka\LOCALS~1\Temp\RtkBtMnt.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\kovaka\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://global.acer.com
mDefault_Page_URL = hxxp://global.acer.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {16d2971c-f3a3-45e6-8761-c07ef0599d28} - c:\windows\system32\pmnnKDwV.dll
BHO: {b25e6bc2-0854-a1e8-acb4-bfafb556f716}: {617f655b-fafb-4bca-8e1a-45802cb6e52b} - c:\windows\system32\lhopxx.dll
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\iifgDvwt.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {8c787015-4770-42e1-9813-7e8dcae99347} - c:\windows\system32\wvUnOFWn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\2.1.1119.1736\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [KITCO] c:\program files\kitco\kcast\Kcast
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [LaunchApp] Alaunch
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AzMixerSel] c:\program files\realtek\installshield\AzMixerSel.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [ntiMUI] c:\program files\newtech infosystems\nti cd & dvd-maker 7\ntiMUI.exe
mRun: [<NO NAME>]
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\eDSloader.exe 1
mRun: [Acer ePresentation HPD] c:\acer\empowering technology\epresentation\ePresentation.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [ePower_DMC] c:\acer\empowering technology\epower\ePower_DMC.exe
mRun: [Boot] c:\acer\empowering technology\epower\Boot.exe
mRun: [LManager] c:\progra~1\launch~1\QtZgAcer.EXE
mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\eRAgent.exe
mRun: [AVG7_CC] c:\progra~1\grisoft\avgfre~1\avgcc.exe /STARTUP
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [4b6304b5] rundll32.exe "c:\windows\system32\ykanikeu.dll",b
dRun: [AVG7_Run] c:\progra~1\grisoft\avgfre~1\avgw.exe /RUNONCE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acerem~1.lnk - c:\acer\empowering technology\Acer.Empowering.Framework.Launcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
TCP: {4A3504AD-831E-48ED-86B5-AB08C05F13CC} = 12.127.16.67,12.127.17.71
Notify: igfxcui - igfxdev.dll
Notify: iifgDvwt - iifgDvwt.dll
AppInit_DLLs: lhopxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\iifgDvwt.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\pmnnKDwV

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kovaka\applic~1\mozilla\firefox\profiles\vywuq4vu.default\
FF - plugin: c:\documents and settings\kovaka\application data\mozilla\firefox\profiles\vywuq4vu.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npvirtools.dll

============= SERVICES / DRIVERS ===============

R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2007-2-4 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2007-2-4 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2007-2-4 27776]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2007-2-4 10760]
R4 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avgfre~1\avgamsvr.exe [2007-2-4 418816]
R4 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avgfre~1\avgupsvc.exe [2007-2-4 49664]
R4 AVGEMS;AVG E-mail Scanner;c:\progra~1\grisoft\avgfre~1\avgemc.exe [2007-2-4 406528]
R4 AvgTdi;AVG Network Redirector;c:\windows\system32\drivers\avgtdi.sys [2007-2-4 4960]
S3 lv321av;Logitech USB PC Camera (VC0321);c:\windows\system32\drivers\lv321av.sys [2006-6-19 1097728]

=============== Created Last 30 ================

2009-01-20 12:42 <DIR> --d----- c:\program files\Trend Micro
2009-01-20 12:42 812,344 a------- c:\docume~1\kovaka\applic~1\HJTInstall.exe
2009-01-20 12:22 927,744 a------- c:\windows\system32\rn.tmp
2009-01-19 19:29 1,406,503 ---sh--- c:\windows\system32\uekinaky.ini
2009-01-19 19:29 72,704 a------- c:\windows\system32\ykanikeu.dll
2009-01-19 19:26 1,406,503 ---sh--- c:\windows\system32\libajjsw.ini
2009-01-19 19:23 40,960 a------- c:\windows\system32\akikixgg.dll
2009-01-18 16:02 120 ---sh--- c:\windows\system32\pbxxeial.ini
2009-01-18 16:02 72,704 a------- c:\windows\system32\laiexxbp.dll
2009-01-18 16:00 129,024 a------- c:\windows\system32\lhopxx.dll
2009-01-18 16:00 129,024 a------- c:\windows\system32\uixjwonk.dll
2009-01-18 15:57 40,960 a------- c:\windows\system32\eilyeghi.dll
2009-01-17 12:06 129,024 a------- c:\windows\system32\pprtvu.dll
2009-01-17 12:06 129,024 a------- c:\windows\system32\npwshrdd.dll
2009-01-17 12:03 120 ---sh--- c:\windows\system32\dcpwnfgs.ini
2009-01-17 12:00 40,960 a------- c:\windows\system32\xfqneied.dll
2009-01-16 12:04 129,024 a------- c:\windows\system32\ncmycyke.dll
2009-01-16 12:04 129,024 a------- c:\windows\system32\levyxc.dll
2009-01-16 12:01 1,370,402 ---sh--- c:\windows\system32\ulcdcraq.ini
2009-01-16 12:01 72,704 a------- c:\windows\system32\qarcdclu.dll
2009-01-16 11:58 40,960 a------- c:\windows\system32\kndhuxhv.dll
2009-01-16 09:38 14,848 a------- c:\windows\system32\drivers\kbdhid.sys
2009-01-16 09:38 14,848 a------- c:\windows\system32\dllcache\kbdhid.sys
2009-01-15 12:00 129,024 a------- c:\windows\system32\ipxark.dll
2009-01-15 12:00 129,024 a------- c:\windows\system32\xijbflaf.dll
2009-01-15 11:57 1,370,402 ---sh--- c:\windows\system32\cvtnhcwl.ini
2009-01-15 11:54 40,960 a------- c:\windows\system32\cqoghuyu.dll
2009-01-14 22:57 <DIR> --d----- c:\program files\Audacity
2009-01-14 11:55 129,024 a------- c:\windows\system32\gizybl.dll
2009-01-14 11:55 129,024 a------- c:\windows\system32\ofnqyxho.dll
2009-01-14 11:53 1,366,582 ---sh--- c:\windows\system32\gjymikdx.ini
2009-01-14 11:53 72,704 a------- c:\windows\system32\xdkimyjg.dll
2009-01-13 11:40 129,024 a------- c:\windows\system32\pnpmns.dll
2009-01-13 11:40 129,024 a------- c:\windows\system32\oplmsope.dll
2009-01-13 11:38 1,348,813 ---sh--- c:\windows\system32\oxojqtym.ini
2009-01-13 11:37 1,690,783 a--sh--- c:\windows\system32\VwDKnnmp.ini2
2009-01-13 11:37 1,690,783 a--sh--- c:\windows\system32\VwDKnnmp.ini
2009-01-13 11:37 302,592 a------- c:\windows\system32\pmnnKDwV.dll
2009-01-12 14:47 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-11 15:36 1,256,329 ---sh--- c:\windows\system32\ayoqvpad.ini
2009-01-10 20:12 671,321 a--sh--- c:\windows\system32\nWFOnUvw.ini2
2009-01-10 20:12 671,321 a--sh--- c:\windows\system32\nWFOnUvw.ini
2009-01-10 20:07 <DIR> --d----- c:\docume~1\kovaka\applic~1\GetModule
2009-01-10 20:06 36,352 a------- c:\windows\system32\iifgDvwt.dll
2009-01-10 20:06 198,661 a------- c:\windows\system32\wpv211231601797.cpx

==================== Find3M ====================

2009-01-11 20:12 290 a------- c:\program files\Shortcut to Program Files.lnk
2008-12-12 12:01 3,067,904 -------- c:\windows\system32\dllcache\mshtml.dll
2008-10-24 06:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 07:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2008-04-11 16:21 1,283,912 a------- c:\program files\WoW-2.3.0.7561-enUS-downloader.exe

============= FINISH: 12:52:00.00 ===============

Edited by cytolysis, 20 January 2009 - 05:49 PM.


#2 cytolysis


Posted 22 January 2009 - 11:13 AM

Looks like my AVG Free Edition finally found whatever was causing this. It seems to be fixed.

#3 KoanYorel

Posted 24 January 2009 - 09:19 AM

Thanks for informing us.

This Topic is closed.

Should you need it reopened, please contact a Forum Moderator. Include the address of this thread in your request.

If you have a new issue, please start a New Topic.

This applies only to the original poster. Everyone else please begin a New Topic.