
Gen and Vundo Trojan (I think)

  • This topic is locked
7 replies to this topic

#1 nickbwj


  • Members
  • 4 posts
  • Local time:04:46 AM

Posted 26 April 2009 - 05:27 AM


When I started up my computer today, I saw 2 notifications. One was a blocked Generic Packed (Trojan). The other was a Vundo.gen.w (Trojan). Shortly after, there were 2 buffer overflow notifications. How do I go about removing these viruses from my computer? Thank you!

Here is my DDS log:
Attached is my Attach.txt generated by DDS.

DDS (Ver_09-03-16.01) - NTFSx86
Run by Nick at 18:18:11.65 on 26/04/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.440 [GMT 8:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\3361\SVCHOST.exe -sysrun
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\E-Book Systems\FlipViewer\FlipViewerLibrary.exe
C:\Program Files\Double Desktop Switcher\DoubleDesktop.exe
C:\Documents and Settings\Nick\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Orbitdownloader\orbitdm.exe
C:\Program Files\Double Desktop Switcher\DDE.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
C:\Program Files\Orbitdownloader\orbitnet.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Nick\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = iexplore
BHO: {0000f058-a132-46d8-9b3e-e1461f4c455b} - c:\windows\system32\rwdglant.dll
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: FlpLauncher Class: {4401fdc3-7996-4774-8d2b-c1ae9cd6cc25} - c:\progra~1\e-book~1\flipvi~1\fvbho140.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: : {ca4e2c1d-30f1-4149-badc-1f9d14cd038c} - c:\windows\system32\lhlsdzq.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Dictionary.com Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [Utopia Angel] "c:\utopia\angel\Angel.exe"
uRun: [Double Desktop Switcher] c:\program files\double desktop switcher\DoubleDesktop.exe
uRun: [Google Update] "c:\documents and settings\nick\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [RegTool] c:\program files\regtool\RegTool.exe -boot
uRun: [DriverUpdaterPro] c:\program files\ixi tools\driver updater pro\DriverUpdaterPro.exe -t
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [pidle] "c:\documents and settings\nick\application data\pidle\pidle.exe" 61A847B5BBF728103A9831466188719AB689201522886B092CBD44BD8689220221DD3257
uRun: [reader_s] c:\documents and settings\nick\reader_s.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_05\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [PCSuiteTrayApplication] c:\program files\nokia\nokia pc suite 6\LaunchApplication.exe -startup
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [FlipViewer Library] "c:\program files\e-book systems\flipviewer\FlipViewerLibrary.exe" /showmode=hide
mRun: [reader_s] c:\windows\system32\reader_s.exe
mRun: [svchost.exe] "c:\windows\system32\3361\SVCHOST.exe"
mRunOnce: [svchost.exe] "c:\windows\system32\3361\SVCHOST.exe"
dRun: [PcSync] c:\program files\nokia\nokia pc suite 6\PcSync2.exe /NoDialog
dRun: [svc] c:\program files\thunmail\testabd.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\orbit.lnk - c:\program files\orbitdownloader\orbitdm.exe
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
DPF: {00000055-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/fhg.CAB
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
TCP: {1A33B61B-4CEA-43FA-8ADF-656BEBD78120} =
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: cqwkgvfk - lhlsdzq.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\nick\applic~1\mozilla\firefox\profiles\cwzno4ic.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - www.google.com.sg
FF - component: c:\documents and settings\nick\application data\mozilla\firefox\profiles\cwzno4ic.default\extensions\{a6e4a4eb-d169-4e99-8988-250fcbafe767}\components\FFAlert.dll
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll

============= SERVICES / DRIVERS ===============

R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [2007-10-20 17920]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-1-31 214024]
R2 dhcpsrv;Dhcp server;c:\windows\dhcp\svchost.exe [2009-4-26 256512]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-2-2 210216]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-1-31 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-1-31 144704]
R2 zoknhprx;Microsoft USB Generic Parent Helper;c:\windows\system32\svchost.exe -k netsvcs [2003-3-31 14336]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-1-31 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-1-31 79880]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-1-31 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-1-31 40552]
S2 ICF;ICF;c:\windows\system32\svchost.exe:ext.exe []
S3 DCamUSBTP10;Qmax Webcam;c:\windows\system32\drivers\TP6810.SYS [2007-10-27 241704]
S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-2-1 30192]
S3 IlvMoneyDRIVER53;IlvMoneyDRIVER53;\??\c:\documents and settings\nick\desktop\mle\ilvmoney1236.sys --> c:\documents and settings\nick\desktop\mle\IlvMoney1236.sys [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-1-31 34216]
S3 npkycryp;npkycryp; [x]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\e:\ntglm7x.sys --> e:\NTGLM7X.sys [?]
S3 XDva208;XDva208; [x]

=============== Created Last 30 ================

2009-04-26 17:57 45,056 ac------ c:\windows\system32\VundoFixSVC.exe
2009-04-26 17:43 <DIR> -cd----- c:\program files\XoftSpySE
2009-04-26 17:19 182,656 ac------ c:\windows\system32\dllcache\ndis.sys
2009-04-26 17:06 <DIR> -cd----- c:\windows\system32\3361
2009-04-26 17:06 108,336 ac------ c:\windows\system32\MSWINSCK.OCX
2009-04-26 17:06 <DIR> -cd----- c:\windows\dhcp
2009-04-26 17:06 <DIR> -cdshr-- c:\program files\ThunMail
2009-04-26 17:05 55,296 ac------ c:\windows\system32\reader_s.exe
2009-04-26 17:05 55,296 ac------ c:\documents and settings\nick\reader_s.exe
2009-04-26 17:05 85,884 ac------ c:\windows\system32\drivers\e66d739a.sys
2009-04-26 17:05 43,520 ac------ C:\pdtivk.exe
2009-04-26 17:05 <DIR> -cd----- c:\docume~1\nick\applic~1\pidle
2009-04-26 17:05 2 ac------ C:\817757724
2009-04-25 22:28 54,156 ac--h--- c:\windows\QTFont.qfn
2009-04-25 22:28 1,409 ac------ c:\windows\QTFont.for
2009-04-19 23:31 <DIR> -cd----- c:\program files\AskBarDis
2009-04-01 21:57 <DIR> -cd----- c:\windows\system32\Adobe

==================== Find3M ====================

2009-04-26 17:19 182,656 ac------ c:\windows\system32\drivers\ndis.sys
2009-04-26 17:05 14,336 ac------ c:\windows\system32\svchost.exe
2009-03-25 11:06 40,552 ac------ c:\windows\system32\drivers\mfesmfk.sys
2009-03-25 11:06 214,024 ac------ c:\windows\system32\drivers\mfehidk.sys
2009-03-25 11:06 79,880 ac------ c:\windows\system32\drivers\mfeavfk.sys
2009-03-25 11:06 35,272 ac------ c:\windows\system32\drivers\mfebopk.sys
2009-03-25 11:05 34,216 ac------ c:\windows\system32\drivers\mferkdk.sys
2009-03-06 22:22 284,160 ac------ c:\windows\system32\pdh.dll
2009-02-20 16:10 666,112 ac------ c:\windows\system32\wininet.dll
2009-02-20 16:10 81,920 ac------ c:\windows\system32\ieencode.dll
2009-02-09 20:10 729,088 ac------ c:\windows\system32\lsasrv.dll
2009-02-09 20:10 714,752 ac------ c:\windows\system32\ntdll.dll
2009-02-09 20:10 617,472 ac------ c:\windows\system32\advapi32.dll
2009-02-09 20:10 401,408 ac------ c:\windows\system32\rpcss.dll
2009-02-09 19:13 1,846,784 ac------ c:\windows\system32\win32k.sys
2009-02-06 19:11 110,592 ac------ c:\windows\system32\services.exe
2009-02-06 19:06 2,145,280 ac------ c:\windows\system32\ntoskrnl.exe
2009-02-06 18:39 55,808 ac------ c:\windows\system32\sc.exe
2009-02-06 18:32 2,023,936 ac------ c:\windows\system32\ntkrnlpa.exe
2009-02-04 03:59 56,832 ac------ c:\windows\system32\secur32.dll

============= FINISH: 18:18:52.07 ===============

Thank you!

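Several entries in the DDS log above give the infection away by path alone: an SVCHOST.exe running from system32\3361, another from c:\windows\dhcp, a service whose image is an alternate data stream attached to the real svchost.exe, and reader_s.exe launched from the root of the user's profile. The script below is an added example, not part of the original thread and not DDS's own code; it runs a checklist of that kind over DDS-style lines. The sample input is a handful of lines copied from the log above, while the regular expressions for the process, Run-key and service line formats and the three heuristics are my own assumptions about the format, not anything DDS documents.

```python
import re

# Constructed sample: lines copied from the DDS log in the post above,
# mixing legitimate and suspicious entries so every check is exercised.
SAMPLE_LINES = [
    r"C:\WINDOWS\system32\svchost -k DcomLaunch",
    r"C:\WINDOWS\System32\svchost.exe -k netsvcs",
    r"C:\WINDOWS\system32\3361\SVCHOST.exe -sysrun",
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
    r"uRun: [reader_s] c:\documents and settings\nick\reader_s.exe",
    r'mRun: [svchost.exe] "c:\windows\system32\3361\SVCHOST.exe"',
    r"R2 dhcpsrv;Dhcp server;c:\windows\dhcp\svchost.exe [2009-4-26 256512]",
    r"R2 zoknhprx;Microsoft USB Generic Parent Helper;c:\windows\system32\svchost.exe -k netsvcs [2003-3-31 14336]",
    r"S2 ICF;ICF;c:\windows\system32\svchost.exe:ext.exe []",
    r"S3 npkycryp;npkycryp; [x]",
]

SYSTEM32 = r"c:\windows\system32"
# Assumed line shapes: "uRun: [name] command", "R2 svc;description;image [date size]"
RUN_KEY = re.compile(r"^[umd]Run(?:Once)?:\s*\[[^\]]*\]\s*(.+)$", re.I)
SERVICE = re.compile(r"^[RS]\d\s+[^;]*;[^;]*;(.*?)\s*\[[^\]]*\]\s*$")
# Heuristic: an executable sitting directly in a user's profile root
PROFILE_ROOT = re.compile(
    r"^c:\\documents and settings\\[^\\]+\\[^\\]+\.(?:exe|scr)$", re.I)


def raw_command(line):
    """Return the command string from a process, Run-key or service line, or None."""
    line = line.strip()
    if re.match(r"^[A-Za-z]:\\", line):      # "Running Processes" line
        return line
    m = RUN_KEY.match(line)
    if m:
        return m.group(1)
    m = SERVICE.match(line)
    if m and m.group(1).strip():
        return m.group(1).strip()
    return None


def image_path(command):
    """Strip quoting and trailing arguments; keep any ':stream' suffix intact."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return re.split(r"\s+[-/]", command, maxsplit=1)[0]


def findings_for(path):
    """Apply the three path heuristics and return the reasons that fire."""
    reasons = []
    lower = path.lower()
    directory, _, filename = lower.rpartition("\\")
    # A colon inside the file name means an NTFS alternate data stream
    base, ads = (filename.split(":", 1) + [None])[:2]
    if ads:
        reasons.append("alternate data stream")
    if base in ("svchost", "svchost.exe") and directory != SYSTEM32:
        reasons.append("svchost outside system32")
    if PROFILE_ROOT.match(lower):
        reasons.append("executable directly in a user profile root")
    return reasons


def triage(lines):
    """Return (image path, reason) pairs for every line that trips a check."""
    results = []
    for line in lines:
        cmd = raw_command(line)
        if cmd is None:
            continue
        path = image_path(cmd)
        for reason in findings_for(path):
            results.append((path, reason))
    return results


if __name__ == "__main__":
    for path, reason in triage(SAMPLE_LINES):
        print(f"{reason:45} {path}")
```

Note what the path checks do not catch: the zoknhprx service runs through the genuine c:\windows\system32\svchost.exe -k netsvcs and passes every test here, so a service whose name and description do not belong to a known netsvcs member still has to be judged by hand from the service entry itself.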


#2 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:09:46 AM

Posted 26 April 2009 - 06:01 AM

Hi nickbwj,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

Please give me a little time to go through your log and I will also let you know that I am a trainee so each stage of the fix will need to be checked by an expert coach before I post so there may be a slight delay. Don't worry I won't abandon you.
  • Please subscribe to this topic, if you haven't already, and wait for me to get back to you.
  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 2 days I will bump the topic and if you do not reply by the following day then I will close the topic.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 nickbwj

  • Topic Starter

  • Members
  • 4 posts
  • Local time:04:46 AM

Posted 26 April 2009 - 06:29 AM

Thanks m0le. I've already subscribed to the topic and am awaiting your reply. Thank you for your help!

#4 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:09:46 AM

Posted 26 April 2009 - 02:10 PM

Hi nickbwj,

Bad news I'm afraid :thumbup2:

Your System is infected with Virut!!
Virut is a file infecting virus which is able to modify itself each and every time it runs. In addition, when it infects, sometimes it will destroy the file it tries to latch onto.
For these reasons, you really can't truly fix Virut. You will need to format/reinstall the operating system on this machine.

More information:

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus.


W32/Virut.h is a polymorphic, entry point obscuring (EPO) file infector with IRC bot functionality. It can accept commands to download other malware on the compromised machine.
It appends to the end of the last section of executable (PE) files an encrypted copy of its code. The decryptor is polymorphic and can be located either:
  • Immediately before the encrypted code at the end of the last section
  • At the end of the code section of the infected host in 'slack-space' (assuming there is any)
  • At the original entry point of the host (overwriting the original host code)

Miekiemoes, one of our team members here and an MS-MVP, additionally has a blog post about Virut.

This infection has no proper fix as yet, sorry.

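m0le's description above names the three places an appending, entry-point-obscuring infector can put its decryptor. A defender can turn the first and third into a cheap static check on a PE file's section table: a compiler-built executable normally has its entry point inside an executable code section that is not the last section, and its last section is not both writable and executable. The script below is an added example, not code from the thread, BleepingComputer or any vendor; it parses a PE32 header with Python's struct module and reports those anomalies. The build_pe helper constructs header-only test images inline, and the heuristics are my assumptions about what a redirected entry point or an appended section looks like, not a Virut signature; they serve to triage a suspicious sample, not to clean one.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe(data):
    """Return (AddressOfEntryPoint, [section dicts]) from an in-memory PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry = struct.unpack_from("<I", data, opt + 16)[0]     # AddressOfEntryPoint
    table = opt + opt_size
    sections = []
    for i in range(num_sections):
        f = struct.unpack_from(SECTION_HDR, data, table + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode(), "vsize": f[1],
                         "va": f[2], "raw_size": f[3], "chars": f[9]})
    return entry, sections


def entry_point_findings(data):
    """Heuristics (assumed, not a signature) for a redirected or appended entry point."""
    entry, sections = parse_pe(data)
    if not sections:
        return ["no sections"]
    reasons = []
    last = sections[-1]
    home = None
    for s in sections:
        if s["va"] <= entry < s["va"] + max(s["vsize"], s["raw_size"]):
            home = s
            break
    if home is None:
        reasons.append("entry point outside every section")
    else:
        if not home["chars"] & IMAGE_SCN_MEM_EXECUTE:
            reasons.append(f"entry section {home['name']} is not executable")
        if home is last and len(sections) > 1:
            reasons.append(f"entry point in last section {last['name']}")
    if last["chars"] & IMAGE_SCN_MEM_WRITE and last["chars"] & IMAGE_SCN_MEM_EXECUTE:
        reasons.append(f"last section {last['name']} is writable and executable")
    return reasons


def build_pe(entry, sections):
    """Constructed header-only PE32 for testing; sections = (name, va, vsize, raw_size, chars)."""
    opt_size = 224                                   # standard PE32 optional header
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 16, entry)
    table = b"".join(struct.pack(SECTION_HDR, n.ljust(8, b"\0"), vs, va, rs,
                                 0, 0, 0, 0, 0, ch) for n, va, vs, rs, ch in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Constructed images: a normal layout, and one whose entry point sits in a
# writable+executable last section, the shape an appending infector leaves.
CLEAN = build_pe(0x1010, [(b".text", 0x1000, 0x400, 0x400, 0x60000020),
                          (b".data", 0x2000, 0x200, 0x200, 0xC0000040)])
APPENDED = build_pe(0x2180, [(b".text", 0x1000, 0x400, 0x400, 0x60000020),
                             (b".data", 0x2000, 0x200, 0x600, 0xE0000040)])

if __name__ == "__main__":
    for label, img in (("clean", CLEAN), ("appended", APPENDED)):
        print(label, entry_point_findings(img) or ["no findings"])
```

A hit here only says the file deserves a closer look; the slack-space variant m0le lists second leaves the entry section untouched and needs a disassembly of the code around the entry point, which this check does not attempt.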

#5 nickbwj

  • Topic Starter

  • Members
  • 4 posts
  • Local time:04:46 AM

Posted 28 April 2009 - 06:39 AM

Oh all right, I already completely wiped my C drive where Windows resides... My documents reside in the D drive; will Virut infect these files? They are mostly Word documents, music and video files... Thanks for the help!

#6 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:09:46 AM

Posted 28 April 2009 - 06:56 AM

Hi nickbwj,

No, you need to completely reinstall, wiping all the drives.

You should burn all your non-infectable files (such as your Word documents) to CD and rescan everything before you put it back on the new installation.

The infectable file extensions are: .EXE and .SCR files, and possibly any of these may be infected: htm, html, asp and php.

This is a new infection and this is the advice we are being given by the BC security experts.

#7 nickbwj

  • Topic Starter

  • Members
  • 4 posts
  • Local time:04:46 AM

Posted 29 April 2009 - 06:56 AM

Ooh okay. Thanks so much. =)

#8 kahdah


  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida
  • Local time:05:46 AM

Posted 29 April 2009 - 05:27 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :thumbup2:

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free; however, if you would like to make a donation to me for the help I have provided, please click here.
