
Infected with Trojan.VUNDO


  • This topic is locked
2 replies to this topic

#1 Tom Terrific

Tom Terrific

  • Members
  • 1 posts

Posted 23 February 2009 - 12:03 AM

Tried to update Windows, with no luck; got an error page 0x8DDD0018. Went through the stated procedure to rectify the problem, again with no success; ended up getting error 1058 when trying to run Automatic Updates in Services. Background Intelligent Transfer Service runs in Manual. When the Startup type is changed to Automatic from Disabled and I try to Start, I receive "Services: Could not start the Automatic Updates service on Local Computer. Error 1058: The service cannot be started either because it is disabled or because it has no enabled devices associated with it."

DDS (Ver_09-02-01.01) - NTFSx86
Run by Tom Rooney at 20:16:59.90 on 22/02/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3071.2007 [GMT -8:00]

AV: Shaw Secure 8.00 *On-access scanning enabled* (Updated)
FW: Shaw Secure 8.00 *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Samsung\FrameManager\sam_service.exe
C:\Program Files\Samsung\FrameManager\sam_controller.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Shaw Secure\Common\FSM32.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Samsung\FrameManager\FrameManager.exe
C:\Program Files\Shaw Secure\Common\FSMA32.EXE
C:\Program Files\Shaw Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Shaw Secure\Common\FSMB32.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
D:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
D:\Program Files\ioback.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Shaw Secure\Common\FCH32.EXE
C:\WINDOWS\system32\nvsvc32.exe
D:\Program Files\IoctlSvc.exe
C:\Program Files\Shaw Secure\Anti-Virus\fsqh.exe
C:\Program Files\Shaw Secure\Common\FAMEH32.EXE
D:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Shaw Secure\FSGUI\fsguidll.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Shaw Secure\Anti-Virus\fssm32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Shaw Secure\FSAUA\program\fsaua.exe
C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe
C:\Program Files\Shaw Secure\Anti-Virus\fsav32.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
D:\Program Files\Dantz\Retrospect\retrorun.exe
D:\Program Files\Azureus\Azureus.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Tom Rooney\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {317cfa7e-a8a5-67ab-b754-231020e945a2}: {2a549e02-0132-457b-ba76-5a8ae7afc713} - c:\windows\system32\ulxlnx.dll
BHO: {3d934b40-792d-43b2-bdac-5b160039a4af} - c:\windows\system32\yayvVNhi.dll
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\ddcYrQgD.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [F-Secure Manager] "c:\program files\shaw secure\common\FSM32.EXE" /splash
mRun: [F-Secure TNB] "c:\program files\shaw secure\fsgui\TNBUtil.exe" /CHECKALL /WAITFORSW
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [RoxioEngineUtility] "c:\program files\common files\roxio shared\system\EngUtil.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "d:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [FrameManager] c:\program files\samsung\framemanager\FrameManager.exe
mRun: [f887807a] rundll32.exe "c:\windows\system32\bjamblbc.dll",b
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ionbac~1.lnk - c:\windows\installer\{586c47a4-6917-4332-b33f-eec8d6841df7}\NewShortcut2_586C47A469174332B33FEEC8D6841DF7.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - d:\program files\microsoft office\office\OSA9.EXE
IE: {5E638779-1818-4754-A595-EF1C63B87A56} - d:\program files\norton systemworks\norton cleanup\WCQuick.lnk
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: c:\program files\shaw secure\fsps\program\FSLSP.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: ddcYrQgD - ddcYrQgD.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\516\G2AWinLogon.dll
AppInit_DLLs: ulxlnx.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\ddcYrQgD.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tomroo~1\applic~1\mozilla\firefox\profiles\s6pq4k4p.default\
FF - prefs.js: browser.startup.homepage - www.google.ca
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
FF - plugin: d:\program files\itunes\mozilla plugins\npitunes.dll
FF - plugin: d:\program files\videolan\vlc\npvlc.dll

============= SERVICES / DRIVERS ===============

R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [2008-11-14 33408]
R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [2007-11-18 79904]
R1 F-Secure HIPS;F-Secure HIPS;c:\program files\shaw secure\hips\drivers\fshs.sys [2008-11-14 66720]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-9-16 169584]
R2 F-Secure Gatekeeper Handler Starter;FSGKHS;c:\program files\shaw secure\anti-virus\fsgk32st.exe [2007-11-18 215648]
R2 FrameManager Service;FrameManager Service;c:\program files\samsung\framemanager\sam_service.exe [2008-12-25 188416]
R2 NProtectService;Norton UnErase Protection;d:\progra~1\norton~1\norton~1\NPROTECT.EXE [2005-11-3 95832]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2007-11-20 1119888]
R3 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-9-16 192112]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\shaw secure\anti-virus\minifilter\fsgk.sys [2007-11-18 84096]
R3 SODI;SODI;c:\windows\system32\drivers\sam_miniport.sys [2008-12-25 11392]
S0 mvjxtntj;mvjxtntj;c:\windows\system32\drivers\aeyskcym.sys []
S3 miniusb;FrameManager Display Adapter;c:\windows\system32\drivers\sam_miniusb.sys [2008-12-25 9728]
S4 F-Secure Filter;F-Secure File System Filter;c:\program files\shaw secure\anti-virus\win2k\fsfilter.sys [2007-11-18 39776]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\shaw secure\anti-virus\win2k\fsrec.sys [2007-11-18 25184]

=============== Created Last 30 ================

2009-02-22 15:57 1,636,373 ---sh--- c:\windows\system32\cblbmajb.ini
2009-02-22 15:57 72,704 a------- c:\windows\system32\bjamblbc.dll
2009-02-22 15:54 125,440 a------- c:\windows\system32\ulxlnx.dll
2009-02-22 15:54 125,440 a------- c:\windows\system32\kdcabbvq.dll
2009-02-22 14:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Retrospect
2009-02-22 01:01 <DIR> --d----- c:\docume~1\tomroo~1\applic~1\Malwarebytes
2009-02-22 01:01 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-22 01:01 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-22 01:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-21 20:31 <DIR> --d----- c:\windows\pss
2009-02-21 18:49 <DIR> --d----- c:\windows\system32\CatRoot2
2009-02-21 15:55 72,704 a------- c:\windows\system32\sahqnxnc.dll
2009-02-21 15:53 123,392 a------- c:\windows\system32\ryxatn.dll
2009-02-21 15:53 123,392 a------- c:\windows\system32\cfdwnhxc.dll
2009-02-21 15:52 4,103 a--sh--- c:\windows\system32\ihNVvyay.ini2
2009-02-21 15:52 2,204 a------- c:\windows\mvjxtntj
2009-02-21 15:52 4,103 a--sh--- c:\windows\system32\ihNVvyay.ini
2009-02-21 15:45 47,616 a------- c:\windows\system32\awttqqQi.dll
2009-02-21 15:45 47,616 a------- c:\windows\system32\vtUkjHAR.dll
2009-02-21 15:45 47,616 a------- c:\windows\system32\ssqQkICR.dll
2009-02-21 15:45 47,616 a------- c:\windows\system32\wvUnNgEW.dll
2009-02-21 15:45 47,616 a------- c:\windows\system32\hgGabCSi.dll
2009-02-21 15:45 47,616 a------- c:\windows\system32\efcCvTNf.dll
2009-02-21 15:45 47,616 a------- c:\windows\system32\ddcYrQgD.dll
2009-02-18 15:32 <DIR> --d----- c:\windows\system32\XPSViewer
2009-02-18 15:31 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-02-18 15:31 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-02-18 15:31 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-02-18 15:31 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-02-18 15:31 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-02-18 15:31 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-02-18 15:31 117,760 -------- c:\windows\system32\prntvpt.dll
2009-02-18 15:31 <DIR> --d----- c:\windows\SxsCaPendDel

==================== Find3M ====================

2009-01-29 10:48 33,408 a------- c:\windows\system32\drivers\fsbts.sys
2008-10-07 14:54 61,224 a------- c:\documents and settings\tom rooney\GoToAssistDownloadHelper.exe
2008-04-16 20:27 774,144 a------- c:\program files\RngInterstitial.dll

============= FINISH: 20:18:39.42 ===============


Malwarebytes' Anti-Malware 1.34
Database version: 1792
Windows 5.1.2600 Service Pack 2

22/02/2009 12:34:39 PM
mbam-log-2009-02-22 (12-34-23).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 137640
Time elapsed: 17 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 9
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 13

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\ddcYrQgD.dll (Trojan.Vundo) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3d934b40-792d-43b2-bdac-5b160039a4af} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{3d934b40-792d-43b2-bdac-5b160039a4af} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ddcyrqgd (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\yayvVNhi.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\ihNVvyay.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\ihNVvyay.ini2 (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\ddcYrQgD.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\awttqqQi.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\cfdwnhxc.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\efcCvTNf.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\hgGabCSi.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\ryxatn.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\sahqnxnc.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\ssqQkICR.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\vtUkjHAR.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\wvUnNgEW.dll (Trojan.Vundo) -> No action taken.
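As a defender's triage aid (an added example, not part of this thread and not code from the DDS or Malwarebytes tools), the Python below correlates the load points in the DDS log above (BHO, Run keys, Winlogon Notify, AppInit_DLLs, ShellExecuteHooks) with the "Created Last 30" file list and flags any module created within the last week. The log excerpt is constructed from lines posted in this thread; the 7-day window is an assumption.

```python
import re
from datetime import date, timedelta

# Constructed excerpt of the DDS log posted above: a few load-point lines from the
# "Pseudo HJT Report" section plus entries from "Created Last 30" / "Find3M".
DDS_EXCERPT = r"""
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
mRun: [f887807a] rundll32.exe "c:\windows\system32\bjamblbc.dll",b
Notify: ddcYrQgD - ddcYrQgD.dll
AppInit_DLLs: ulxlnx.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\ddcYrQgD.dll
2009-02-22 15:57 72,704 a------- c:\windows\system32\bjamblbc.dll
2009-02-22 15:54 125,440 a------- c:\windows\system32\ulxlnx.dll
2009-02-21 15:45 47,616 a------- c:\windows\system32\ddcYrQgD.dll
2009-01-29 10:48 33,408 a------- c:\windows\system32\drivers\fsbts.sys
"""

# DDS load-point prefixes that the Vundo entries in this log occupy.
LOAD_POINTS = ("BHO:", "uRun:", "mRun:", "dRun:", "Notify:", "AppInit_DLLs:", "SEH:")
# A module name is the last path component ending in .dll/.sys/.exe.
MODULE_RE = re.compile(r"([^\\\s\"]+\.(?:dll|sys|exe))", re.IGNORECASE)
# "YYYY-MM-DD HH:MM size attrs path" lines from the file-listing sections.
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2} [\d,]+ \S+ (.+)$")

def parse_created(lines):
    """Map lower-cased basename -> creation date for file-listing lines."""
    created = {}
    for line in lines:
        m = CREATED_RE.match(line)
        if m:
            basename = m.group(2).rsplit("\\", 1)[-1].lower()
            created[basename] = date.fromisoformat(m.group(1))
    return created

def flag_recent_loadpoints(log_text, scan_date_iso, window_days=7):
    """Return (load_point, module) pairs whose module was created within window_days
    of the scan date; modules with no creation record are left unflagged."""
    lines = log_text.splitlines()
    created = parse_created(lines)
    cutoff = date.fromisoformat(scan_date_iso) - timedelta(days=window_days)
    hits = []
    for line in lines:
        kind = next((lp for lp in LOAD_POINTS if line.startswith(lp)), None)
        if kind is None:
            continue
        for module in MODULE_RE.findall(line):
            when = created.get(module.lower())
            if when is not None and when >= cutoff:
                hits.append((kind.rstrip(":"), module))
    return hits

if __name__ == "__main__":
    for kind, module in flag_recent_loadpoints(DDS_EXCERPT, "2009-02-22"):
        print(f"{kind:13} {module}")
```

A module that DDS lists only in the load points (such as yayvVNhi.dll here, which appears in the BHO list but not in "Created Last 30") is not flagged by this check alone, so it complements rather than replaces the scanner's own verdict.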


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 23 February 2009 - 06:04 AM

Hi,

I see you have used MalwareBytes, but no actions were taken.
You're supposed to let MalwareBytes delete what it found. So I suggest you run the MalwareBytes scan again.
Then reboot.

After reboot, post the new MalwareBytes log together with a new DDS log in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 06 March 2009 - 07:12 AM

Due to the lack of feedback, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.