Winfixer/vundo Using Rootkit (i Think)



#1 Dansully
Posted 01 June 2007 - 04:53 PM

Let me first start out by saying thank you for this site, I have come across so many tools and fixes that have saved computers for me in the past. This one has me stumped.
I've run Vundofix, VirtumondeBegone, Smitrem, Smitfraudfix, Brute Force Uninstaller (SurfSideKick). The computer is stuck in safe mode; I cannot load the MSConfig program to get it back to a Normal startup. I tried a utility that is supposed to make an openable copy of MSConfig, but it failed. I can't run Disk Cleanup. I downloaded Cleanup! and that fails when I run it, cannot complete (my assumption is it's trying to delete a temp file that is running under an explorer shell). I'm at my WIT'S END! Any help would be greatly appreciated. Ad-Aware also cannot complete a scan. Spybot S&D scans and finds what I know is there, but won't clean it. Vundofix, BFU and VirtumondeBegone all should start when Windows starts to finish the cleaning, but they aren't.

Logfile of HijackThis v1.99.1
Scan saved at 3:11:00 PM, on 6/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Administrator\GoToAssist_chat2way__317_en.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~CL3.tmp\g2a_customerchat2w.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: C:\WINDOWS\system32\gsjeie83df.dll - {8D5849A2-93F3-429D-FF34-260A2068897C} - C:\WINDOWS\system32\gsjeie83df.dll
O2 - BHO: MSEvents Object - {B2B2D6D2-601D-4A23-A676-7A6B59B8C234} - C:\WINDOWS\Registration\bvacb.dll (file missing)
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [DellHelp] C:\Dell\DellHelp\DellHelp.exe /c
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1136927156\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [iTOKHome Customer Console] C:\Program Files\iTOK\Customer\CustomerClient.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [{8003768C-0C78-1033-1013-050506210001}] "C:\Program Files\Common Files\{8003768C-0C78-1033-1013-050506210001}\Update.exe" te-110-12-0000213
O4 - HKLM\..\Run: [PrintDrive] rundll32.exe "C:\WINDOWS\system32\rjrwlsjq.dll",setvm
O4 - HKLM\..\Run: [jjiawgys] C:\WINDOWS\system32\mgmpimti.exe
O4 - HKLM\..\Run: [RunOnce2Upd] "C:\WINDOWS\system32\KB_963493.exe"
O4 - HKLM\..\Run: [pwywghxA] C:\WINDOWS\pwywghxA.exe
O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
O4 - HKLM\..\RunOnce: [VundoFix] "C:\Documents and Settings\Administrator\Desktop\vundofix.exe"
O4 - HKLM\..\RunOnce: [SeekmoToolbar] cmd /c "rmdir "C:\Program Files\SeekmoToolbar" /s /q"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{EA219350-B25F-4304-B0A7-CA6C15D25C3F}: NameServer = 85.255.115.61,85.255.112.97
O17 - HKLM\System\CCS\Services\Tcpip\..\{FF9F8847-7BDE-4D47-8D5A-DB018E26FB70}: NameServer = 85.255.115.61,85.255.112.97
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.61 85.255.112.97
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.61 85.255.112.97
O20 - Winlogon Notify: bvacb - C:\WINDOWS\Registration\bvacb.dll (file missing)
O20 - Winlogon Notify: even010 - even010.dll (file missing)
O20 - Winlogon Notify: pmnkkjj - C:\WINDOWS\SYSTEM32\pmnkkjj.dll
O21 - SSODL: DCOM Server 25319 - {2C1CD3D7-86AC-4068-93BC-A02304B25319} - C:\WINDOWS\system32\spope.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

#2 Falu
Posted 02 June 2007 - 06:57 AM

Hi Dansully, :flowers:

We're studying your log and will be back to you a.s.a.p.

Thanks for your patience. :thumbsup:

P.S. I am travelling on Sunday so will not be available at the forum.

#3 Falu
Posted 02 June 2007 - 03:09 PM

Hi Dansully, :thumbsup:

Welcome to BleepingComputer Forums and thanks again for your patience.

Your log shows a very dangerous Trojan is residing on your PC: Troj/Agent-ECU, which is a backdoor Trojan for the Windows platform. It is known that the trojan can communicate with remote computers, download and run code, send emails and redirect browser requests.

Another one is: Trojan-Downloader.Win32.Small.ddx, which is considered a high risk trojan downloader.

High risks are typically installed without user interaction through security exploits, and can severely compromise system security. Such risks may open illicit network connections, use polymorphic tactics to self-mutate, disable security software, modify system files, and install additional malware. These risks may also collect and transmit personally identifiable information (PII) without your consent and severely degrade the performance and stability of your computer.

Next to that you have several nasty infections on your computer e.g. Vundo and Wareout.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Install a firewall. There are several good ones and for free available:

Sygate
Kerio
Zone alarm

For a tutorial on Firewalls click: Understanding and Using Firewalls!

Though the Trojans have been identified and can be killed, because of their backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS.

Visit the following sites for more information on internet theft and when to reformat!

Should you decide not to follow the above advice, we will of course do our best to clean the computer of any infections that we can see but, as I already stated, we can in no way guarantee it to be trustworthy.

If you have any questions before you come to a final decision, feel free to ask.

Please let me know your decision.
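As an added example that is not part of this thread, the following Python script reviews a HijackThis log the way Falu's diagnosis reads it: it re-joins entries that a forum post wrapped mid-path (as in post #1) and flags an extra UserInit image, resolvers hard-coded into the TCP/IP keys, Winlogon Notify packages that are not on a stock XP SP2 install, and services with no publisher. The sample entries are copied from the log above; the stock Notify allowlist is an assumption to be extended for legitimate driver packages.

```python
import ipaddress
import re

# Constructed sample: entries copied from the HijackThis log in post #1, with
# the O17 line wrapped mid-entry exactly as it is in the post.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKCU\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer =
85.255.115.61 85.255.112.97
O20 - Winlogon Notify: pmnkkjj - C:\WINDOWS\SYSTEM32\pmnkkjj.dll
O20 - Winlogon Notify: bvacb - C:\WINDOWS\Registration\bvacb.dll (file missing)
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe
"""
ENTRY = re.compile(r"^[RFNO]\d+ - ")          # start of a HijackThis entry
STOCK_USERINIT = r"c:\windows\system32\userinit.exe"
# Winlogon Notify packages on a stock XP SP2 install (assumption: add the ones
# your graphics or VPN drivers legitimately register before relying on this).
STOCK_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}

def unwrap(text):
    """Re-join entries that a forum post or e-mail client wrapped mid-path."""
    entries = []
    for line in text.splitlines():
        if ENTRY.match(line):
            entries.append(line.rstrip())
        elif line.strip() and entries:      # continuation of the previous entry
            entries[-1] += " " + line.strip()
    return entries

def review(text):
    """Return (section, reason, entry) for entries that need a second look."""
    hits = []
    for e in unwrap(text):
        sec = e.split(" - ", 1)[0]
        if sec == "F2" and "UserInit=" in e:
            for img in e.split("UserInit=", 1)[1].split(","):
                if img.strip() and img.strip().lower() != STOCK_USERINIT:
                    hits.append((sec, f"extra UserInit image {img.strip()}", e))
        elif sec == "O17":
            for ip in re.findall(r"\d+\.\d+\.\d+\.\d+", e):
                if not ipaddress.ip_address(ip).is_private:
                    hits.append((sec, f"hard-coded public DNS server {ip}", e))
        elif sec == "O20":
            name = e.split("Winlogon Notify: ", 1)[1].split(" - ", 1)[0].lower()
            if name not in STOCK_NOTIFY or "(file missing)" in e:
                hits.append((sec, f"non-stock Winlogon Notify package {name}", e))
        elif sec == "O23" and "Unknown owner" in e:
            hits.append((sec, "service binary with no publisher", e))
    return hits
```

Run `review(SAMPLE_LOG)` to list the flagged entries; a public DNS server is only a lead until it is compared with the ISP's or router's real resolvers.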

#4 Dansully
Posted 04 June 2007 - 02:08 PM

Thank you so much for the reply, that's my worst fear..... If it is a backdoor system trojan, is it safe to back up my data, Word docs? I'd avoid email as that's how these things tend to propagate, but MP3s, would they be safe to save before reformatting?

#5 Falu
Posted 10 June 2007 - 06:32 AM

Hi Dansully, :thumbsup:

Thank you so much for the reply, that's my worst fear..... If it is a backdoor system trojan, is it safe to back up my data, Word docs? I'd avoid email as that's how these things tend to propagate, but MP3s, would they be safe to save before reformatting?


I already referred to here for tips on reformatting/re-installing. Before doing anything, read the information presented.
Do you have an external hard disk or an alternative storage system (USB stick, CDs) large enough to copy your entire disk so you can be sure that you don't lose anything (bookmarks, e-mail, passwords, IP addresses, usernames etc.)? There are some free programmes to help you do the job, like WinBackup 1.86. But remember to scan files with an antivirus before installing them again on your reformatted computer, since they came from an infected computer.

Furthermore don't forget to change your passwords!

If you need additional help or advice feel free to ask for it in this thread.