
Vundo + possible rootkit infection



#1 draxe

Posted 21 March 2009 - 04:23 PM

I've used SUPERAntiSpyware and Malwarebytes Anti-Malware; they keep finding new infections. Windows Update doesn't start, it's disabled, and tells me access denied when I try to enable it. BITS won't start either; it says "missing file", that's it. userinit.exe in %winroot%system32 tried to go to a site to tell it I'm online: onlinenotifyq.net. userinit.exe is dated about the same time as my infection. I've seen trojan.agent, trojan.vundo, rootkit.cloaked, and lots of others; I have logs from the above programs if required. Thank you so much for your help!


DDS (Ver_09-03-16.01) - NTFSx86
Run by Administrator at 17:05:57.14 on Sat 03/21/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.847 [GMT -4:00]

AV: CA Anti-Virus *On-access scanning enabled* (Updated)

============== Running Processes ===============

E:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
E:\WINDOWS\System32\svchost.exe -k netsvcs
E:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\ColdFusion8\runtime\bin\jrunsvc.exe
C:\ColdFusion8\runtime\bin\jrun.exe
C:\ColdFusion8\db\slserver54\bin\swagent.exe
C:\ColdFusion8\db\slserver54\bin\swstrtr.exe
C:\ColdFusion8\db\slserver54\bin\swsoc.exe
C:\ColdFusion8\verity\k2\_nti40\bin\k2admin.exe
E:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
E:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\system32\HPZipm12.exe
E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
E:\WINDOWS\System32\svchost.exe -k imgsvc
E:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\ColdFusion8\verity\k2\_nti40\bin\k2server.exe
C:\ColdFusion8\verity\k2\_nti40\bin\k2index.exe
E:\WINDOWS\system32\wscntfy.exe
E:\WINDOWS\system32\ctfmon.exe
E:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
E:\Program Files\Analog Devices\SoundMAX\Smax4.exe
E:\Program Files\HP\hpcoretech\hpcmpmgr.exe
E:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
E:\WINDOWS\System32\DeltTray.exe
E:\Program Files\CA\eTrust Internet Security Suite\cctray\cctray.exe
E:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
E:\Program Files\Jetico\Jetico Personal Firewall\fwsrv.exe
E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
E:\Documents and Settings\Administrator\Desktop\apps\remark.exe
E:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyServer = rrdproxy.rrd.com:80
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - e:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - e:\progra~1\spybot~2\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - e:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - e:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - e:\program files\google\googletoolbar1.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] e:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] e:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [IMONTRAY] c:\program files\intel\intel® active monitor\imontray.exe
mRun: [SonicFocus] "e:\program files\sonic focus\sfigui\SFIGUI.EXE" BOOT
mRun: [SoundMax] "e:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [HP Component Manager] "e:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [CAVRID] "e:\program files\ca\etrust ez armor\etrust ez antivirus\CAVRID.exe"
mRun: [M-Audio Delta Taskbar Icon] e:\windows\system32\DeltTray.exe
mRun: [cctray] "e:\program files\ca\etrust internet security suite\cctray\cctray.exe"
mRun: [SunJavaUpdateSched] "e:\program files\java\jre1.6.0_05\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "e:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [NvCplDaemon] RUNDLL32.EXE e:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NeroFilterCheck] e:\windows\system32\NeroCheck.exe
mRun: [DeltTray] DeltTray.exe
mRun: [JeticoPFStartup] "e:\program files\jetico\jetico personal firewall\fwsrv.exe"
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: e:\docume~1\admini~1\startm~1\programs\startup\mybook~1.lnk - e:\documents and settings\administrator\desktop\apps\remark.exe
StartupFolder: e:\docume~1\alluse~1\startm~1\programs\startup\ciscos~1.lnk - e:\program files\cisco systems\vpn client\vpngui.exe
StartupFolder: e:\docume~1\alluse~1\startm~1\programs\startup\ymetray.lnk - e:\program files\yahoo!\yahoo! music jukebox\ymetray.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - e:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - e:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - e:\progra~1\spybot~2\SDHelper.dll
LSP: e:\windows\system32\VetRedir.dll
Trusted Zone: nielsenco.com
Trusted Zone: turbotax.com
Trusted Zone: musicmatch.com\online
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {6B78B13A-6E99-4588-8EAB-C2399B202022} - hxxp://67.19.1.138/v4/iv4.cab
DPF: {88D969C0-F192-11D4-A65F-0040963251E5} - file://e:\documents and settings\administrator\local settings\temp\ei40_\msxml4.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37928.6676388889
DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} - hxxp://www.microsoft.com/security/controls/SassCln.CAB
DPF: {CAFEEFAC-0015-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} - hxxp://www.live365.com/players/play365.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} - hxxp://download.paltalk.com/download/0.x/regdload.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - e:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: !SASWinLogon - e:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - e:\windows\system32\WPDShServiceObj.dll
SEH: DVDIdleShell Class: {93994de8-8239-4655-b1d1-5f4e91300429} - c:\progra~1\dvdreg~1\DVDShell.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - e:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli e:\windows\system32\kimokiba.dll

================= FIREFOX ===================

FF - ProfilePath - e:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\igwzftin.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/webhp?tab=mw
FF - component: e:\documents and settings\administrator\application data\mozilla\firefox\profiles\igwzftin.default\extensions\{6ac85730-7d0f-4de0-b3fa-21142dd85326}\platform\winnt\components\ColorZilla.dll
FF - plugin: e:\program files\google\google updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: e:\program files\mozilla firefox\plugins\npmusicn.dll
FF - plugin: e:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: e:\program files\real\realone player\netscape6\nppl3260.dll
FF - plugin: e:\program files\real\realone player\netscape6\nprjplug.dll
FF - plugin: e:\program files\real\realone player\netscape6\nprpjplug.dll
FF - plugin: e:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: XUL Cache: {29F56448-B9FE-4E6B-9E85-5BD0650F0CCA} - e:\documents and settings\administrator\local settings\application data\{29F56448-B9FE-4E6B-9E85-5BD0650F0CCA}

============= SERVICES / DRIVERS ===============

R0 ppa;Iomega Parallel Port Filter Driver;e:\windows\system32\drivers\ppa.sys [2003-11-25 17792]
R1 SASDIFSV;SASDIFSV;e:\program files\superantispyware\sasdifsv.sys [2009-2-17 8944]
R1 SASKUTIL;SASKUTIL;e:\program files\superantispyware\SASKUTIL.SYS [2009-2-17 55024]
R1 VET-FILT;VET File System Filter;e:\windows\system32\drivers\vet-filt.sys [2007-4-23 26640]
R1 VET-REC;VET File System Recognizer;e:\windows\system32\drivers\vet-rec.sys [2007-4-23 21392]
R1 VETEFILE;VET File Scan Engine;e:\windows\system32\drivers\vetefile.sys [2008-6-4 880560]
R1 VETFDDNT;VET Floppy Boot Sector Monitor;e:\windows\system32\drivers\vetfddnt.sys [2007-4-23 21648]
R1 VETMONNT;VET File Monitor;e:\windows\system32\drivers\vetmonnt.sys [2007-4-23 32528]
R2 CAISafe;CAISafe;e:\program files\ca\etrust ez armor\etrust ez antivirus\isafe.exe [2007-4-12 144960]
R2 ColdFusion 8 Application Server;ColdFusion 8 Application Server;c:\coldfusion8\runtime\bin\jrunsvc.exe [2007-10-28 65536]
R2 ColdFusion 8 ODBC Agent;ColdFusion 8 ODBC Agent;c:\coldfusion8\db\slserver54\bin\swagent.exe "coldfusion 8 odbc agent" --> c:\coldfusion8\db\slserver54\bin\swagent.exe ColdFusion 8 ODBC Agent [?]
R2 ColdFusion 8 ODBC Server;ColdFusion 8 ODBC Server;c:\coldfusion8\db\slserver54\bin\swstrtr.exe "coldfusion 8 odbc server" --> c:\coldfusion8\db\slserver54\bin\swstrtr.exe ColdFusion 8 ODBC Server [?]
R2 ColdFusion 8 Search Server;ColdFusion 8 Search Server;c:\coldfusion8\verity\k2\_nti40\bin\k2admin.exe [2007-10-28 2743056]
R2 VETMSGNT;VET Message Service;e:\program files\ca\etrust ez armor\etrust ez antivirus\vetmsg.exe [2007-4-12 243216]
R3 motubus;MOTU Audio MIDI Extension;e:\windows\system32\drivers\motubus.sys [2003-11-6 15488]
R3 SASENUM;SASENUM;e:\program files\superantispyware\SASENUM.SYS [2009-2-17 7408]
R3 USBNET_XP;Instant Wireless XP USB Network Adapter ver.2.6 Driver;e:\windows\system32\drivers\netusbxp.sys [2003-11-3 72576]
R3 VETEBOOT;VET Boot Scan Engine;e:\windows\system32\drivers\veteboot.sys [2008-6-4 108368]
S2 Ca533av;Mega DV(Video);e:\windows\system32\drivers\CA533AV.SYS [2003-12-4 515803]
S3 MotuMidi;MOTU MIDI Device;e:\windows\system32\drivers\MotuMidi.sys [2003-11-6 26752]
S3 MotuUsb;MotuUsb;e:\windows\system32\drivers\MotuUSB.sys [2003-11-6 34304]
S3 USBCamera;DSC Still Image Capture (CA533A);e:\windows\system32\drivers\Bulk533.sys [2003-12-4 11144]
S3 USBFVNETR;NETGEAR MA101 USB Adapter;e:\windows\system32\drivers\ma101rnd.sys [2002-5-30 80000]
S3 vsdatant;vsdatant;e:\windows\system32\vsdatant.sys [2005-5-9 189792]

=============== Created Last 30 ================

2009-03-21 15:31 446 a------- e:\windows\system32\win32hlp.cnf
2009-03-19 05:16 <DIR> --d----- E:\VundoFix Backups
2009-03-18 19:16 <DIR> --d----- e:\docume~1\admini~1\applic~1\Jetico Personal Firewall
2009-03-18 19:06 <DIR> --d----- e:\program files\Jetico
2009-03-18 18:06 66,474 a------- E:\MGlogs.zip
2009-03-18 18:06 <DIR> --d----- E:\MGtools
2009-03-17 21:52 <DIR> --d----- e:\docume~1\admini~1\applic~1\Malwarebytes
2009-03-17 21:52 15,504 a------- e:\windows\system32\drivers\mbam.sys
2009-03-17 21:52 38,496 a------- e:\windows\system32\drivers\mbamswissarmy.sys
2009-03-17 21:52 <DIR> --d----- e:\program files\Malwarebytes' Anti-Malware
2009-03-17 21:52 <DIR> --d----- e:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-17 20:34 552 a------- e:\windows\system32\d3d8caps.dat
2009-03-17 18:01 104,960 ac------ e:\windows\system32\dllcache\userinit.exe
2009-03-17 18:00 1 a------- e:\windows\system32\uniq.tll
2009-03-17 18:00 10,240 a------- e:\windows\instsp2.exe
2009-03-17 07:16 <DIR> --d----- e:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-03-17 07:16 <DIR> --d----- e:\program files\SUPERAntiSpyware
2009-03-17 07:16 <DIR> --d----- e:\docume~1\admini~1\applic~1\SUPERAntiSpyware.com
2009-03-17 07:14 1,339,834 a------- E:\MGtools.exe
2009-03-17 06:48 <DIR> --d----- e:\program files\CCleaner
2009-03-17 06:05 <DIR> --d----- e:\program files\Trend Micro
2009-03-04 19:56 41,085 a------- e:\windows\system32\EmilyFafsaPRintVersion
2009-03-02 23:04 0 a------- e:\windows\pcfriend.INI
2009-03-02 23:00 <DIR> --d----- e:\program files\PCFriendly
2009-02-28 21:09 <DIR> --d----- e:\docume~1\admini~1\applic~1\Any Video Converter
2009-02-28 21:09 <DIR> --d----- e:\program files\Any Video Converter
2009-02-26 23:07 16,958 a------- e:\windows\system32\evga.ico
2009-02-26 23:07 81,920 a------- e:\windows\system32\nvwddi.dll
2009-02-26 23:07 159,810 a------- e:\windows\system32\nvsvc32.exe
2009-02-26 23:07 5,644,288 a------- e:\windows\system32\nvoglnt.dll
2009-02-26 23:07 286,720 a------- e:\windows\system32\nvnt4cpl.dll
2009-02-26 23:07 229,376 a------- e:\windows\system32\nvmccs.dll
2009-02-26 23:07 86,016 a------- e:\windows\system32\nvmctray.dll
2009-02-26 23:07 581,632 a------- e:\windows\system32\nvhwvid.dll
2009-02-26 23:07 7,700,480 a------- e:\windows\system32\nvcpl.dll
2009-02-26 23:07 212,992 a------- e:\windows\system32\nvapi.dll
2009-02-26 23:07 35,840 a------- e:\windows\system32\nvcodins.dll
2009-02-26 23:07 35,840 a------- e:\windows\system32\nvcod.dll
2009-02-26 23:07 <DIR> --d----- e:\windows\system32\EVGA
2009-02-22 06:51 93 a------- e:\windows\BBW_INFO.INI
2009-02-22 06:51 <DIR> --d----- e:\docume~1\admini~1\applic~1\Plogue

==================== Find3M ====================

2009-03-17 18:00 104,960 a------- e:\windows\system32\userinit.exe
2009-03-17 18:00 14,336 a------- e:\windows\system32\svchost.exe
2009-03-17 18:00 101,376 a--sh--- e:\windows\system32\linivini.dll
2009-02-09 07:13 1,846,784 a------- e:\windows\system32\win32k.sys
2007-04-05 06:08 300,680 -------- e:\docume~1\alluse~1\applic~1\arclib.dll
2006-09-10 12:28 848 a--sh--- e:\windows\system32\KGyGaAvL.sys
2008-10-25 09:56 32,768 a--sh--- e:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102520081026\index.dat

============= FINISH: 17:07:10.87 ===============

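Added example, not from the post above or from any of the tools it names: a small triage script over a sample built from lines in the DDS log (the LSA line and the Find3M entries). It parses the date/size/attribute/path format, flags any LSA Notification Packages entry beyond the stock scecli, and flags hidden+system files in system32 timestamped within an hour of a rewritten core binary such as userinit.exe, so that an old legitimate hidden file like KGyGaAvL.sys is not reported. The one-hour window, the known-package set and the anchor file names are assumptions.

```python
import re
from datetime import datetime

# Constructed sample, assembled from lines quoted in the DDS log above.
SAMPLE_LOG = r"""
LSA: Notification Packages = scecli e:\windows\system32\kimokiba.dll
2009-03-17 18:00 104,960 a------- e:\windows\system32\userinit.exe
2009-03-17 18:00 14,336 a------- e:\windows\system32\svchost.exe
2009-03-17 18:00 101,376 a--sh--- e:\windows\system32\linivini.dll
2009-02-09 07:13 1,846,784 a------- e:\windows\system32\win32k.sys
2006-09-10 12:28 848 a--sh--- e:\windows\system32\KGyGaAvL.sys
"""

# DDS file lines: "<date> <time> <size|<DIR>> <8 attribute flags> <path>"
FILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+([\d,]+|<DIR>)\s+([a-z-]{8})\s+(.+)$")
LSA_RE = re.compile(r"^LSA: Notification Packages = (.+)$")
KNOWN_LSA_PACKAGES = {"scecli"}  # assumption: stock XP value; anything extra gets a look


def parse_file_line(line):
    """Return a dict for a DDS file entry, or None if the line is not one."""
    m = FILE_RE.match(line.strip())
    if not m:
        return None
    when, size, attrs, path = m.groups()
    return {
        "when": datetime.strptime(when, "%Y-%m-%d %H:%M"),
        "size": None if size == "<DIR>" else int(size.replace(",", "")),
        "hidden": "h" in attrs,   # 'h' flag: hidden attribute set
        "system": "s" in attrs,   # 's' flag: system attribute set
        "path": path.lower(),
    }


def extra_lsa_packages(line):
    """Packages registered under LSA Notification Packages beyond the known set."""
    m = LSA_RE.match(line.strip())
    if not m:
        return []
    return [p for p in m.group(1).split() if p.lower() not in KNOWN_LSA_PACKAGES]


def triage(log_text, anchor_names=("userinit.exe", "svchost.exe"), window_hours=1):
    """Correlate hidden+system files in system32 with rewritten core binaries."""
    lines = log_text.splitlines()
    entries = [e for e in (parse_file_line(l) for l in lines) if e]
    anchors = [e["when"] for e in entries
               if "\\system32\\" in e["path"]
               and e["path"].rsplit("\\", 1)[-1] in anchor_names]
    findings = [("lsa-package", p) for l in lines for p in extra_lsa_packages(l)]
    for e in entries:
        if "\\system32\\" not in e["path"] or not (e["hidden"] and e["system"]):
            continue
        if any(abs((e["when"] - a).total_seconds()) <= window_hours * 3600
               for a in anchors):
            findings.append(("hidden-near-anchor", e["path"]))
    return findings
```

Running `triage(SAMPLE_LOG)` reports kimokiba.dll as an extra LSA package and linivini.dll as a hidden file written in the same minute as userinit.exe, while leaving the 2006 KGyGaAvL.sys alone.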
#2 Thunder

Posted 24 March 2009 - 05:02 PM

Hello Draxe and welcome to Bleeping Computer,

1. Please download GooredFix and save it to your Desktop.
  • Select "2. Fix Goored" by typing 2 and pressing Enter.
  • Make sure all instances of Firefox are closed at this point.
  • Type y at the prompt and press Enter again.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

2. Please read this tutorial carefully to download ComboFix from one of the locations specified, and save it to your Desktop.
Double click the ComboFix icon to run it.
If ComboFix asks you to install the Recovery Console, please do so.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply.

If you have any questions along the way, STOP and ask them before proceeding !!

If ComboFix does run its full circle, then please try to install Avira AntiVir as well, update it and run a full system scan.

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
