
Vurlt/vundo/something services buff overflow



#1 camoffat

Posted 18 April 2009 - 12:03 PM

I have a virus on the family PC. Not sure how I got it, but McAfee System Guard popped up and showed several registry changes requested... Internet Explorer browser helpers, a setting to turn off the file option in Explorer (to hide system files). Attempted to add a nnnnnnnnnn.exe to system startup (RUN), etc.

It got in, not sure how. I've run many virus scanners (McAfee, MRI [Geek Squad tool set - weird thing is when it goes into VRAM OS mode it does not see my primary drive and Windows instance!! Almost like it's hidden, so it never can scrub while unconnected to Windows], Search and Destroy, etc.) and my one remaining issue (that I can see ;) ) is....

When I reboot and the system starts up, a McAfee alert pops up with C:\Windows\System32\Service.exe Buffer Overflow prevented! Twice this pops up and then goes away..

Please help me. I have a pretty good understanding of the system and have the tools (I think - I downloaded "Hijack This" already)

Thank you in advance,
Clif

#2 camoffat

Posted 18 April 2009 - 12:17 PM

Shoot, forgot to add....

The RUN entry was a "Diagnostics Manager" running the %TEMP%\nnnnnnnnn.exe file (where nnnn were random numbers). I would delete the RUN entry (regedit) and the nnnnn.exe file, but something would recreate the entry (or try to, and McAfee would block it) and the file in %TEMP% again.

There was a payload dropped in c:\windows\system32 - several files [same date/time stamp] I could delete, but a jh9fgo4ksdgf.dll was locked by the system (registry entry). I did delete the file (in safe mode CMD) and the entry.

Thanks again!!
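Added example, not from the original thread: a small Python check that flags autorun (Run key) values matching the persistence pattern camoffat describes above, a value that launches a numerically named executable out of %TEMP%. The entry names, commands and temp directory below are constructed sample data; on a live machine the same function would be fed the values exported from the HKCU/HKLM ...\CurrentVersion\Run keys.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample data (not from the thread): a "Diagnostics Manager" Run value
# launching a digits-only .exe in %TEMP%, alongside two ordinary-looking entries.
SAMPLE_TEMP = r"C:\Documents and Settings\Clif\Local Settings\Temp"
SAMPLE_RUN_ENTRIES = {
    "Diagnostics Manager": r"%TEMP%\4829301756.exe",
    "McAfee Updater": r"C:\Program Files\McAfee\update.exe /silent",
    "Sound Tray": r'"C:\Windows\system32\sndvol32.exe" /tray',
}


def _expand(cmd, env):
    # Expand %VAR% references from the supplied mapping only, so the check stays offline.
    return re.sub(r"%(\w+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), cmd)


def _executable_path(cmd):
    # A Run value is a command line: take the quoted token, else everything up to the
    # first ".exe" (unquoted paths with spaces are common), else the first token.
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)(\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def suspicious_run_entries(entries, env):
    """Return {value name: reason} for Run values whose executable lives under %TEMP%
    or whose file name is nothing but digits, the two traits described in the thread."""
    temp_dir = PureWindowsPath(env["TEMP"]).as_posix().lower()
    flagged = {}
    for name, cmd in entries.items():
        exe = PureWindowsPath(_executable_path(_expand(cmd, env)))
        reasons = []
        if exe.as_posix().lower().startswith(temp_dir + "/"):
            reasons.append("executable under %TEMP%")
        if exe.stem.isdigit():
            reasons.append("numeric-only file name")
        if reasons:
            flagged[name] = "; ".join(reasons)
    return flagged


if __name__ == "__main__":
    for name, reason in suspicious_run_entries(SAMPLE_RUN_ENTRIES, {"TEMP": SAMPLE_TEMP}).items():
        print(f"{name}: {reason}")
```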

#3 camoffat

Posted 18 April 2009 - 04:26 PM

Please disregard. I searched further and used PrevX 3.0; it found 7 rootkits installed and cleaned them ALL!! Awesome product, it found the infection that ALL other scanners did not!!



