
Vundo Infection - Partial Cleansing with Removal Tools


  • This topic is locked
2 replies to this topic

#1 Lady Macbeth

  • Members
  • 1 posts

Posted 10 March 2009 - 07:14 AM

I have used the following tools in an attempt to remove a Vundo virus:
  • Spybot Search & Destroy
  • HijackThis
  • Malwarebytes
  • Microsoft Anti-malware Tool (called OneCare?)
  • VundoFix
  • VirtumundoBeGone
The above order is the order in which I ran the tools. The Microsoft tool aborted with a generic error. I did not attempt it again.

Spybot was unable to remove all of the files. HijackThis removed them, but they reappeared. Malwarebytes, VundoFix and VirtumundoBeGone indicated the virus has been cleaned.

I attempted to delete "AppInit_DLLs: c:\windows\system32\falukovo.dll" in the registry, but it reappeared.

I also attempted to run ComboFix, but I was unable to stop ZoneAlarm from running in the background. So I installed the software, but I did not run it.


DDS (Ver_09-02-01.01) - NTFSx86 NETWORK
Run by work at 7:58:52.42 on Tue 03/10/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2010.1535 [GMT -4:00]

AV: ZoneAlarm Anti-virus Antivirus *On-access scanning enabled* (Updated)
FW: ZoneAlarm Anti-virus Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\ctfmon.exe
F:\Software\BleepingComputerDDSTool\dds.scr
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://lenovo.live.com
mDefault_Page_URL = hxxp://lenovo.live.com
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {4fea8808-339e-4afe-9c72-8cedab84b9b2} - c:\windows\system32\jimekaju.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SansaDispatch] c:\documents and settings\work\application data\sandisk\sansa updater\SansaDispatch.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [<NO NAME>]
uRun: [Shadow] c:\program files\newtech infosystems\nti shadow\Shadow.exe --minimize
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TPFNF7] c:\program files\lenovo\npdirect\TPFNF7SP.exe /r
mRun: [<NO NAME>]
mRun: [TpShocks] TpShocks.exe
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [FingerPrintSoftware] "c:\program files\lenovo fingerprint software\fpapp.exe" \s
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [LPManager] c:\progra~1\thinkv~1\prdctr\LPMGR.exe
mRun: [LPMailChecker] c:\progra~1\thinkv~1\prdctr\LPMLCHK.exe
mRun: [AMSG] c:\progra~1\thinkv~1\amsg\amsg.exe
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
mRun: [LXCJCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCJtime.dll,_RunDLLEntry@16
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [lxcjmon.exe] "c:\program files\lexmark 8300 series\lxcjmon.exe"
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [hukogejuli] Rundll32.exe "c:\windows\system32\jisopisi.dll",s
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\amazon~1.lnk - c:\program files\amazon\amazon unbox video\ADVWindowsClientSystemTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\thinkpad\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~2.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\thinkpad\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: westlaw.com
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {2DAD3559-2923-4935-AD49-B673D2539944} - hxxp://www-307.ibm.com/pc/support/acpir.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1223099964859
DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} - hxxp://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
Notify: tpfnf2 - c:\program files\lenovo\hotkey\notifyf2.dll
Notify: tphotkey - c:\program files\lenovo\hotkey\tphklock.dll
AppInit_DLLs: c:\windows\system32\falukovo.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli ACGina c:\windows\system32\falukovo.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\work\applic~1\mozilla\firefox\profiles\vxhypwae.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll

============= SERVICES / DRIVERS ===============

R0 Shockprf;Shockprf;c:\windows\system32\drivers\ApsX86.sys [2008-5-14 114728]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2008-5-14 19496]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-10-4 353680]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2008-9-27 243856]
R3 WSIMD;wsimd Service;c:\windows\system32\drivers\wsimd.sys [2008-9-27 57408]
S1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2008-9-27 11520]
S1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.sys [2008-9-27 4224]
S1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2008-11-13 148496]
S1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [2008-9-27 4442]
S1 tvtumon;tvtumon;c:\windows\system32\drivers\tvtumon.sys [2008-5-9 46144]
S2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\lenovo\rescue and recovery\rrpservice.exe [2008-5-14 520192]
S3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [2008-9-27 480640]
S3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2008-2-22 37312]
S4 ADMonitor;AD Monitor;c:\windows\system32\ADMonitor.exe [2008-8-14 102400]
S4 ATService;AuthenTec Fingerprint Service;c:\windows\system32\AtService.exe [2008-8-15 1664248]
S4 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\microsoft small business\business contact manager\BcmSqlStartupSvc.exe [2008-1-11 30312]
S4 FingerprintServer;Fingerprint Server;c:\windows\system32\FpLogonServ.exe [2008-8-15 102400]
S4 mrtRate;mrtRate; [x]
S4 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2007-2-10 29178224]
S4 Power Manager DBC Service;Power Manager DBC Service;c:\program files\thinkpad\utilities\PWMDBSVC.exe [2008-9-27 94208]
S4 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2008-4-15 1120752]
S4 SessionLauncher;SessionLauncher;c:\docume~1\admini~1\locals~1\temp\dx9\sessionlauncher.exe --> c:\docume~1\admini~1\locals~1\temp\dx9\SessionLauncher.exe [?]
S4 TVT_UpdateMonitor;TVT Windows Update Monitor;c:\program files\lenovo\rescue and recovery\UpdateMonitor.exe [2008-5-9 253952]

=============== Created Last 30 ================

2009-03-09 18:47 2,713 ---sh--- c:\windows\system32\vuboduje.dll
2009-03-09 18:46 10,240 a------- c:\windows\instsp1.exe
2009-03-09 18:46 100,352 a--sh--- c:\windows\system32\laraletu.dll
2009-03-09 18:46 2,713 ---sh--- c:\windows\system32\hukovefo.dll
2009-03-09 16:06 <DIR> --d----- C:\VundoFix Backups
2009-03-09 10:37 <DIR> --d----- c:\docume~1\work\applic~1\Malwarebytes
2009-03-09 10:37 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-09 10:37 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-09 10:37 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-09 10:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-09 08:58 <DIR> --d----- c:\program files\Trend Micro
2009-03-09 06:43 123,392 a---h--- c:\windows\system32\xxglaf.dll
2009-03-08 18:43 123,392 a--sh--- c:\windows\system32\jphwpc.dll
2009-03-08 09:42 <DIR> --d----- C:\ComboFix
2009-03-08 07:43 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-03-08 07:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-03-08 06:43 123,392 a--sh--- c:\windows\system32\nvvkkd.dll
2009-03-07 08:22 123,392 a--sh--- c:\windows\system32\lrasnu.dll
2009-03-06 20:22 123,392 a--sh--- c:\windows\system32\wkjqzi.dll
2009-03-06 20:10 <DIR> --d----- c:\program files\iMesh Applications
2009-03-06 09:51 36 a--shr-- C:\.uid_xxx
2009-03-06 09:48 <DIR> --d----- c:\documents and settings\work\NTI-Shadow
2009-03-06 09:39 <DIR> --d----- c:\program files\NewTech Infosystems
2009-03-06 09:38 1,024 ----hr-- c:\windows\system32\NTSHDW3.dll
2009-02-25 18:13 <DIR> a-d----- c:\program files\Firaxis Games
2009-02-25 11:02 <DIR> a-d----- c:\docume~1\work\applic~1\SanDisk
2009-02-19 17:52 <DIR> a-d----- c:\docume~1\alluse~1\applic~1\2DBoy
2009-02-19 17:50 <DIR> a-d----- c:\program files\Brighter Minds Media
2009-02-19 16:29 297 a------- c:\windows\cdplayer.ini

==================== Find3M ====================

2009-03-09 20:45 193,740,320 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-03-09 20:45 2,561,780 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-03-09 15:24 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-03-09 06:43 123,392 a--sh--- c:\windows\system32\wazuloro.dll
2009-03-08 18:43 100,864 -------- c:\windows\system32\pemejilo.dll
2009-03-08 18:43 123,392 a--sh--- c:\windows\system32\dakovebi.dll
2009-03-08 18:43 105,984 a--sh--- c:\windows\system32\molizili.dll
2009-03-07 08:23 107,008 a--sh--- c:\windows\system32\mufewulu.dll
2009-03-07 08:22 102,400 -------- c:\windows\system32\minasuvo.dll
2009-03-06 20:22 107,008 a--sh--- c:\windows\system32\herugife.dll
2009-03-06 20:22 100,352 -------- c:\windows\system32\lodivime.dll
2009-03-06 20:22 123,392 a--sh--- c:\windows\system32\titodopu.dll
2009-01-16 22:35 3,594,752 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-24 09:27 107,888 -------- c:\windows\system32\CmdLineExt.dll
2008-12-19 05:10 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 05:10 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-12-19 01:25 634,024 -------- c:\windows\system32\dllcache\iexplore.exe
2008-12-19 01:23 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-12-11 07:57 333,184 -------- c:\windows\system32\dllcache\srv.sys
2008-10-16 11:10 60,744 -------- c:\documents and settings\work\g2mdlhlpx.exe
0000-00-00 00:00 1,024 a--sh--- c:\windows\system32\dabaliru.dll
0000-00-00 00:00 2,048 a--sh--- c:\windows\system32\nusuzefa.dll
2008-09-27 18:32 32,768 -c-sh--- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2008-10-04 01:09 32,768 -c-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008100320081004\index.dat

============= FINISH: 7:59:18.07 ===============
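As an added example (not part of the original post and not output of the DDS tool), the script below reads "Pseudo HJT Report" lines like the ones above and flags the autostart entries a responder would check first. The sample lines are copied from the log posted in this thread; the severity levels and the heuristics (AppInit_DLLs, non-default LSA notification packages, unnamed BHOs, rundll32 loading from system32, one DLL shared by several mechanisms) are my own choices for this example.

```python
import re
from collections import defaultdict

# Constructed sample: a few "Pseudo HJT Report" lines from the DDS log posted in this thread.
SAMPLE_LOG = r"""
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {4fea8808-339e-4afe-9c72-8cedab84b9b2} - c:\windows\system32\jimekaju.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [<NO NAME>]
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [hukogejuli] Rundll32.exe "c:\windows\system32\jisopisi.dll",s
AppInit_DLLs: c:\windows\system32\falukovo.dll
LSA: Notification Packages = scecli ACGina c:\windows\system32\falukovo.dll
"""

# Any drive-letter path ending in .dll (paths in DDS output may contain spaces).
DLL_PATH_RE = re.compile(r"[a-z]:\\.*?\.dll", re.I)
# rundll32 pointed straight at a DLL inside system32 (heuristic chosen for this example).
RUNDLL32_SYS32_RE = re.compile(r'rundll32(\.exe)?\s+"?[a-z]:\\windows\\system32\\', re.I)


def triage(log_text):
    """Return a list of (severity, reason, detail) for autostart entries worth a second look."""
    findings = []
    dll_refs = defaultdict(set)          # dll basename -> entry kinds that reference it
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        kind = line.split(":", 1)[0]     # "BHO", "uRun", "AppInit_DLLs", "LSA", ...
        for m in DLL_PATH_RE.finditer(line):
            dll_refs[m.group(0).rsplit("\\", 1)[-1].lower()].add(kind)
        if kind == "AppInit_DLLs":
            findings.append(("high", "AppInit_DLLs loads this DLL into every process that uses user32", line))
        elif kind == "LSA":
            packages = line.split("=", 1)[1].split()
            extra = [p for p in packages if p.lower() != "scecli"]   # scecli is the Windows default
            if extra:
                findings.append(("high", "non-default LSA notification package(s): " + ", ".join(extra), line))
        elif kind == "BHO" and line.startswith("BHO: {"):
            findings.append(("medium", "BHO registered without a name", line))
        elif kind in ("uRun", "mRun"):
            if "<NO NAME>" in line:
                findings.append(("low", "Run entry with an empty value name", line))
            elif RUNDLL32_SYS32_RE.search(line):
                findings.append(("medium", "rundll32 loading a DLL straight from system32", line))
    # A DLL reached through more than one autostart mechanism is the strongest signal here.
    for name, kinds in sorted(dll_refs.items()):
        if len(kinds) > 1:
            findings.append(("high", "same DLL used by " + " and ".join(sorted(kinds)), name))
    return findings


def severity_counts(findings):
    counts = defaultdict(int)
    for severity, _, _ in findings:
        counts[severity] += 1
    return dict(counts)


if __name__ == "__main__":
    for severity, reason, detail in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}\n         {detail}")
```

On the sample above the script ties falukovo.dll to both AppInit_DLLs and the LSA notification list, which is why deleting the single registry value in the first post did not hold.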

#2 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 18 March 2009 - 10:12 PM

Hello Lady Macbeth,


I attempted to delete "AppInit_DLLs: c:\windows\system32\falukovo.dll" in the registry, but it reappeared.


It is a bad idea to try to fix this yourself. Unless you understand the registry, you can make matters so bad that your computer will not boot.


I also attempted to run ComboFix, but I was unable to stop ZoneAlarm from running in the background. So I installed the software, but I did not run it.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.



Time to use a different tool.

Before running a new scan let's clean out the temporary folders.

Download ATF Cleaner to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Close ALL Internet browsers (very important).
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Now download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt2 on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt2 folder and double-click on OTScanIt2.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • Change the File Age to 90 days.
  • In the Root Kit Search section click on Yes.
  • Under Additional Scans click the EXTRAS button
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Save the file to your desktop or other location where you can find it back.
  • Submit file sample
  • Open to the Submission Channel.
  • Under Link to topic where this file was requested, input:
    http://www.bleepingcomputer.com/forums/index.php?showtopic=209944&st=0&gopid=1183406&#entry1183406
  • Click Browse and select the OTScanIT2 log
  • Under the comments section, say that SifuMike asked for the submission.
  • Then select Send File to send it
  • After that you should get a confirmation if it was uploaded successfully.

Edited by SifuMike, 18 March 2009 - 10:18 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 28 March 2009 - 10:50 PM

Due to inactivity, this thread will now be closed.