Infected with Vundo worm


3 replies to this topic

#1 C Flint
Posted 14 April 2009 - 10:10 AM

Good morning. I purchased a brand new Asus 1000HE last week. I began to customize it (install Firefox, ZoneAlarm, AVG, etc.) over the weekend and things seemed to be going well, although the computer was extremely slow on Sunday. I booted the machine this morning and AVG informed me I had the Trojan Horse Vundo on my system. I have searched the internet and concluded that I need help with this, as it is beyond my abilities. After running AVG, which stored several files in the vault, and running vundofix and combofix, I'm not entirely sure I still have the worm, although I suspect I do. The only functional issue I currently have is that AVG is unable to update (invalid update control CTF file). I would very much appreciate any assistance you could provide. Below is my DDS log:

DDS (Ver_09-03-16.01) - NTFSx86
Run by Carrie at 11:02:16.04 on Tue 04/14/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.556 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
FW: ZoneAlarm Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programs\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Programs\AVG\AVG8\avgrsx.exe
C:\Programs\AVG\AVG8\avgemc.exe
C:\Programs\AVG\AVG8\avgnsx.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Programs\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\EeePC\ACPI\AsTray.exe
C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe
C:\Program Files\EeePC\ACPI\AsEPCMon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxext.exe
C:\Programs\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programs\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe
C:\Program Files\Sun\StarOffice 8\program\soffice.exe
C:\Program Files\Sun\StarOffice 8\program\soffice.BIN
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Carrie\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://eeepc.asus.com/global
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\programs\avg\avg8\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\programs\avg\avg8\avgtoolbar.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\programs\avg\avg8\avgtoolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [AsusTray] c:\program files\eeepc\acpi\AsTray.exe
mRun: [AsusACPIServer] c:\program files\eeepc\acpi\AsAcpiSvr.exe
mRun: [AsusEPCMonitor] c:\program files\eeepc\acpi\AsEPCMon.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_03\bin\jusched.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [ETDWare] c:\program files\elantech\ETDCtrl.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [ZoneAlarm Client] "c:\programs\zone labs\zonealarm\zlclient.exe"
mRun: [AVG8_TRAY] c:\programs\avg\avg8\avgtray.exe
StartupFolder: c:\docume~1\carrie\startm~1\programs\startup\starof~1.lnk - c:\program files\sun\staroffice 8\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\superh~1.lnk - c:\program files\asus\eeepc\super hybrid engine\SuperHybridEngine.exe
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\programs\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-9 325640]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-4-9 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-9 108552]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-4-9 353672]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\programs\avg\avg8\avgemc.exe [2009-4-9 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\programs\avg\avg8\avgwdsvc.exe [2009-4-9 298264]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 AsusACPI;ASUS ACPI Driver;c:\windows\system32\drivers\ASUSACPI.SYS [2009-1-8 10752]
R3 Ktp;Elantech Smart-Pad;c:\windows\system32\drivers\ETD.sys [2008-7-31 25216]
R3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1e51x86.sys [2008-11-4 38400]

=============== Created Last 30 ================

2009-04-12 10:40 1,071,088 a------- c:\windows\system32\MSCOMCTL.OCX
2009-04-12 10:40 137,000 a------- c:\windows\system32\MSMAPI32.OCX
2009-04-12 10:40 662,288 a------- c:\windows\system32\MSCOMCT2.OCX
2009-04-12 10:40 116,224 a------- c:\windows\system32\pdfcmnnt.dll
2009-04-12 10:40 23,552 a------- c:\windows\system32\MSMPIDE.DLL
2009-04-11 17:38 <DIR> --d----- c:\docume~1\carrie\applic~1\TaxCut
2009-04-11 17:36 <DIR> --d----- c:\program files\PDF995
2009-04-11 17:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\TaxCut
2009-04-09 14:21 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-04-09 14:21 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-04-09 14:21 325,640 a------- c:\windows\system32\drivers\avgldx86.sys
2009-04-09 14:21 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-04-09 14:21 <DIR> --d----- c:\docume~1\carrie\applic~1\AVGTOOLBAR
2009-04-09 14:21 <DIR> --d----- c:\program files\AVG
2009-04-09 14:21 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-04-09 03:15 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-04-09 03:15 1,221,512 a------- c:\windows\system32\zpeng25.dll
2009-04-09 03:15 <DIR> --d----- c:\windows\system32\ZoneLabs
2009-04-09 03:15 350,192 a------- c:\windows\system32\vsconfig.xml
2009-04-09 03:14 <DIR> --d----- c:\windows\Internet Logs
2009-04-09 02:57 <DIR> --d----- C:\Programs
2009-04-01 10:50 <DIR> --d----- c:\documents and settings\carrie\Bluetooth Software
2009-04-01 10:50 <DIR> --d----- c:\docume~1\carrie\applic~1\StarOffice8
2009-04-01 10:50 <DIR> --d----- c:\documents and settings\Carrie

==================== Find3M ====================

2009-04-13 19:36 64,000 a--sh--- c:\windows\system32\rezizafo.exe
2008-05-07 04:34 15,523,560 a------- c:\program files\U1 Setup.exe
2009-01-08 04:58 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat

============= FINISH: 11:02:45.64 ===============
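As an added example (not part of the original post, and not something the DDS tool does itself), the Python below parses lines in the format of the "Created Last 30" and "Find3M" sections above and applies one triage heuristic, an assumption of this example: a recently created .exe or .dll sitting directly in system32 with both the system and hidden attributes is unusual for legitimate software and is worth a helper's closer look. The sample lines are constructed to mirror the log's format.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample in the DDS file-listing format (date time size attrs path),
# modelled on the post's "Created Last 30" / "Find3M" entries.
SAMPLE_DDS = """\
2009-04-13 19:36 64,000 a--sh--- c:\\windows\\system32\\rezizafo.exe
2009-04-12 10:40 1,071,088 a------- c:\\windows\\system32\\MSCOMCTL.OCX
2009-04-09 14:21 10,520 a------- c:\\windows\\system32\\avgrsstx.dll
2009-04-09 14:21 <DIR> --d----- c:\\windows\\system32\\drivers\\Avg
2009-01-08 04:58 32,768 a--sh--- c:\\windows\\system32\\config\\systemprofile\\index.dat
"""

LINE_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2} "
                     r"(?P<size>[\d,]+|<DIR>) (?P<attrs>[a-z-]{8}) (?P<path>.+)$")

@dataclass
class Entry:
    created: date
    size: Optional[int]   # None for directories
    attrs: str            # DDS attribute string, e.g. a--sh--- (s = system, h = hidden)
    path: str

def parse_dds_files(text: str) -> list:
    """Parse DDS file-listing lines; section headers and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        entries.append(Entry(date.fromisoformat(m["date"]), size, m["attrs"], m["path"]))
    return entries

def flag_for_review(entries: list, scan_date: str, window_days: int = 7) -> list:
    """Heuristic (an assumption of this example): .exe/.dll created within
    window_days directly in system32 carrying both system and hidden attributes."""
    scan = date.fromisoformat(scan_date)
    flagged = []
    for e in entries:
        if e.size is None:          # directories are out of scope here
            continue
        folder, _, name = e.path.lower().rpartition("\\")
        recent = (scan - e.created).days <= window_days
        if (folder.endswith("\\system32") and name.endswith((".exe", ".dll"))
                and "s" in e.attrs and "h" in e.attrs and recent):
            flagged.append(e.path)
    return flagged
```

Run against the sample with the scan date from the DDS header (2009-04-14), only the hidden+system executable is returned; the hidden+system index.dat is not, because it lives under a subfolder and is months old.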

#2 Dakeyras (Anti-Malware Mammoth, Malware Response Team)
Posted 26 April 2009 - 12:51 PM

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.

Hi C Flint and welcome to Bleeping Computer :thumbup2:

I'm Dakeyras and I am going to try to assist you with your problem. Please take note of the below:
  • I will start working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine!
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Refrain from running self fixes as this will hinder the malware removal process.
  • It may prove beneficial if you print off the following instructions or save them to Notepad as I post them.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
Next:

Please delete your current copy of DDS(If present).

Next:

Please download Rooter.exe to your desktop.
  • Double click on Rooter to start the application.
  • A Notepad file containing the report will open, also found at %systemdrive%\Rooter.txt.
  • Post the contents of Rooter.txt in your next reply.
Next:

Please re-download to your desktop DDS from one of the links below:

Link1
Link2
Link3

Then Disable any script blocker you may have active/installed.
  • Double click on DDS to start the application.
  • A black Screen will open, just read the contents and do nothing.
  • When the tool finishes it will open 2 reports.
  • Copy/paste both reports back here and remove DDS from your desktop.
Note: Two logfiles will be generated with Notepad: DDS.txt and Attach.txt

When you have completed the above, please post back the following:
  • Any problems encountered and/or further symptoms?
  • Rooter Log.
  • Both DDS logs. <-- Post them individually please.


#3 Dakeyras
Posted 28 April 2009 - 04:28 AM

Hi :thumbup2:

Do you still need help with your machine?

If the instructions are unclear or something isn't working, please let me know before proceeding.

#4 Dakeyras

Posted 01 May 2009 - 03:31 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
