Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with nasty Vundo trojan


  • This topic is locked This topic is locked
2 replies to this topic

#1 shorthappylife

shorthappylife

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:39 AM

Posted 11 October 2009 - 09:02 PM

Hi everyone,

Well, it appears that my PC has acquired quite a nasty virus. Brief history: my wife tells me that she clicked in a popup in IE8 that said McAfee virusscan had found a problem. Of course, this was malware masquerading as McAfee and she soon ended up with an explosion of popup windows and a huge slowdown in network speed. I checked Windows Defender and found that it had been disabled. (Uh oh.) Then I opne my virus software (Trend Micro Office Scan) and perform a system scan; the report says it has detected Cryp_FakeAV-17 and deleted the file C:\windows\system32\pimimoso.exe. Of course, there were still problems. (Oh crap.) I then proceeded to download and run Spybot Search and Destroy. This identified my problem as the Vundo trojan and was able to fix most problems except one (I think a regsitry entry or a dll -- I apologize, I was not taking very good notes at this point and was unable to find a nice summary in the logs). It advised me to reboot and then allow Spybot to start scanning on reboot. I followed the instructions, but Spybot still could not completely remove the virus. I then proceeded to download and run Malwarebytes. It identified a Registy value as infected and was "supposedly" able to successfully remove the problem: (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nedepesat (Trojan.Vundo.H) -> Quarantined and deleted successfully.) When I ran a subsequent scan of Spybot on reboot, it did not find any instances of Vundo or Virtumonde. However, when I started IE8 to make sure that I had all the latest Windows updates, the problem began anew. I tried a few other things to fix the problem: ran Windows Updates and ensured everything was up-to-date; updated my Java plugin to the latest version; and deleted all temporary internet files for all users. Reran both Spybot and Malwarebytes, but still get this malware/virus creeping back. I know things are going downhill when I see on of the following:
- upon reboot, I get an error message saying that C:\windows\system32\repudana.dll could not be found/loaded.
- I end up with a random process tied to an .exe file in c:\widows\temp. The name of this file constantly changes (eg: TF4FB5.exe, ) and, if I terminate the process, the .exe file dissappears. The icon for the .exe file is a dog. I couldn't find any of these random process names in a process library search and SpyBot's process viewer cannot identify the associated company. (Neither can Windows Defender's Software Explorer.)

Below is the DDS report as suggested in the Prep Guide. I have also attached the "Attach.txt" report from that program as well as the "ark.txt" report from RootRepeal. I would appreciate any help or advice members of the community could offer. I would prefer not to completely wipe the hard-disks and do a complete reinstall for two reasons:
(a) this PC came with Vista and I rolled back to XP so that my wife could use Citrix for her work and so we wouldn't lose a bunch of software. It was not easy to find all the drivers and I foolishly did not make a comprehensive list of all the drivers that did work. Sigh.
(:( feel like this stupid virus would win if I am forced to "nuke" the system.

Best regards,
shorthappylife

DDS (Ver_09-09-29.01) - NTFSx86
Run by xxxx at 20:35:26.32 on Sun 10/11/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1791.1167 [GMT -4:00]

FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\JHSecure\VPN Client\cvpnd.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\MozyHome\mozybackup.exe
C:\Program Files\OfficeScan NT\ntrtscan.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\OfficeScan NT\tmlisten.exe
C:\Program Files\OfficeScan NT\OfcPfwSvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\OfficeScan NT\pccntmon.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\MozyHome\mozystat.exe
C:\Program Files\OfficeScan NT\pccntupd.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
D:\Downloads\vundo removal\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.yahoo.com/
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: TurboPasswords Helper: {e3e1b903-f307-4d2a-b987-d942a2f0a24f} - c:\program files\turbopasswords\TurboPasswordsBHO.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: TurboPasswords Bar: {a9120c4f-5402-4572-9113-94661623d420} - c:\program files\turbopasswords\TurboPasswordsBHO.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [OfficeScanNT Monitor] "c:\program files\officescan nt\pccntmon.exe" -HideWindow
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [nedepesat] Rundll32.exe "c:\windows\system32\repudana.dll",a
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mozyho~1.lnk - c:\program files\mozyhome\mozystat.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www1.snapfish.com/SnapfishActivia.cab
DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/30.66/uploader2.cab
DPF: {49232000-16E4-426C-A231-62846947304B} - hxxp://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
DPF: {88D969C0-F192-11D4-A65F-0040963251E5} - hxxp://ipgweb.cce.hp.com/rdqcpc/downloads/msxml4.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://mesirowfinancial.webex.com/client/T25L/webex/ieatgpc.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\windows\system32\sotuwino.dll jedepona.dll c:\windows\system32\ c:\windows\system32\
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: kopupedub - {dc261a69-ab7c-45ad-8ade-c9fbbe7ef52d} - c:\windows\system32\sotuwino.dll
SSODL: zomavoyal - {19df57bc-5aaa-4f56-b599-fd0d0e77c4d5} - No File
STS: jugezatag: {dc261a69-ab7c-45ad-8ade-c9fbbe7ef52d} - c:\windows\system32\sotuwino.dll
STS: gahurihor: {3aff7d2b-189e-49d4-a57b-ca24db9790d5} - c:\windows\system32\reperizu.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
LSA: Notification Packages = scecli setevari.dll

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 mozyFilter;mozyFilter;c:\windows\system32\drivers\mozy.sys [2008-10-13 54776]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-4-4 353672]
R2 OfcPfwSvc;OfficeScanNT Personal Firewall;c:\program files\officescan nt\OfcPfwSvc.exe [2006-4-20 233552]
R2 TmFilter;Trend Micro Filter;c:\program files\officescan nt\tmxpflt.sys [2005-11-9 225296]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\officescan nt\tmpreflt.sys [2005-11-9 36368]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 WN5301;LIteon Wireless PCI Network Adapter Service;c:\windows\system32\drivers\wn5301.sys [2005-10-5 468768]
S3 iscFlash;iscFlash;\??\c:\windows\system32\drivers\iscflash.sys --> c:\windows\system32\drivers\iscflash.sys [?]

=============== Created Last 30 ================

2009-10-10 23:09 <DIR> --d----- c:\docume~1\steve\applic~1\Malwarebytes
2009-10-10 23:09 <DIR> --dsh--- c:\documents and settings\steve\IETldCache
2009-10-10 21:06 411,368 a------- c:\windows\system32\deploytk.dll
2009-10-10 21:06 73,728 a------- c:\windows\system32\javacpl.cpl
2009-10-10 20:01 <DIR> --d----- C:\VundoFix Backups
2009-10-10 12:39 195,440 -------- c:\windows\system32\MpSigStub.exe
2009-10-10 10:39 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-10 10:39 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-10-10 10:39 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-10-10 10:39 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-08 22:42 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-10-08 22:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-10-07 16:38 <DIR> --d----- c:\program files\iPod
2009-10-07 16:38 <DIR> --d----- c:\program files\iTunes
2009-10-07 16:38 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-10-06 23:31 6,754,712 a------- c:\windows\system32\drivers\lvuvc.sys
2009-10-06 23:31 539,160 a------- c:\windows\system32\LVUI2RC.dll
2009-10-06 23:31 539,160 a------- c:\windows\system32\LVUI2.dll
2009-10-06 23:31 416,280 a------- c:\windows\system32\lvcodec2.dll
2009-10-06 23:31 266,828 a------- c:\windows\system32\drivers\LVAFT.cfg
2009-10-06 23:31 265,496 a------- c:\windows\system32\drivers\lvrs.sys
2009-10-06 23:31 199,192 a------- c:\windows\system32\lvci1201278.dll
2009-10-06 23:31 114,712 a------- c:\windows\system32\drivers\lvpopflt.sys
2009-10-06 23:31 82,289 a------- c:\windows\system32\lvcoinst.ini
2009-10-06 23:31 34,068 a------- c:\windows\system32\Repository.reg
2009-10-06 23:30 23,832 a------- c:\windows\system32\drivers\lvuvcflt.sys
2009-09-29 12:46 <DIR> --d----- c:\windows\ie8updates
2009-09-29 12:44 <DIR> -cd-h--- c:\windows\ie8
2009-09-29 12:42 100,352 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-09-29 12:42 594,432 -c------ c:\windows\system32\dllcache\msfeeds.dll
2009-09-29 12:42 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-09-29 12:42 55,296 -c------ c:\windows\system32\dllcache\msfeedsbs.dll
2009-09-29 12:42 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-09-29 12:42 1,985,536 -c------ c:\windows\system32\dllcache\iertutil.dll
2009-09-13 10:50 <DIR> --d----- c:\program files\AskBarDis

==================== Find3M ====================

2009-10-09 07:53 0 a------- c:\windows\system32\drivers\lvuvc.hs
2009-10-09 07:53 0 a------- c:\windows\system32\drivers\logiflt.iad
2009-10-01 20:15 25,396 a---h--- c:\windows\system32\mlfcache.dat
2009-09-13 10:50 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-08-28 19:42 2,065,696 a------- c:\windows\system32\usbaaplrc.dll
2009-08-28 19:42 40,448 a------- c:\windows\system32\drivers\usbaapl.sys
2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 -------- c:\windows\system32\wmpdxm.dll
2008-04-11 22:40 24,032 a------- c:\docume~1\steve\applic~1\GDIPFONTCACHEV1.DAT
2009-07-08 10:31 1,051,308 a--sh--- c:\windows\system32\gasowihu_9d4.VIR
2009-07-08 22:33 1,050,284 a--sh--- c:\windows\system32\mapenelo_a88.VIR
2009-07-07 22:31 1,050,796 a--sh--- c:\windows\system32\pimimoso_990.VIR
2009-07-07 22:31 27,136 a--sh--- c:\windows\system32\zepepewa.dll

============= FINISH: 20:36:22.09 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 shorthappylife

shorthappylife
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:39 AM

Posted 17 October 2009 - 08:50 AM

Hello everyone,

Time was a limiting factor for me, so I ended up wiping out my C: partition and reinstalling Windows XP. Thanks to those who took a look at my post.

Best regards,
shorthappylife

#3 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:09:39 AM

Posted 23 October 2009 - 07:38 PM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help. :(

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
Posted Image
m0le is a proud member of UNITE




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users