
Vundo help


az10


I've acquired the Vundo and I ran Malwarebytes and it got rid of some and supposedly got rid of the others after a reboot. Unfortunately, later in the day, it keeps coming back. Also, even after the reboot I am still getting some symptoms from the virus. I run Malwarebytes but it doesn't detect anything until I run it again later on.

Here are my log files.

Malwarebytes' Anti-Malware 1.41

Database version: 2775

Windows 5.1.2600 Service Pack 2

11/5/2009 11:13:06 AM

mbam-log-2009-11-05 (11-13-06).txt

Scan type: Quick Scan

Objects scanned: 123612

Time elapsed: 24 minute(s), 27 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 1

Registry Values Infected: 3

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

c:\WINDOWS\system32\kalomawu.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{86165841-8419-423a-ba7f-6e8ec73c7eaf} (Trojan.Vundo.H) -> Delete on reboot.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wihububit (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{86165841-8419-423a-ba7f-6e8ec73c7eaf} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\dijulawof (Trojan.Vundo.H) -> Delete on reboot.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\kalomawu.dll -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\kalomawu.dll -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\system32\kalomawu.dll (Trojan.Vundo.H) -> Delete on reboot.


Here's my ComboFix log:

ComboFix 09-11-05.01 - Owner 11/05/2009 14:34.1.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.498 [GMT -5:00]

Running from: c:\documents and settings\Owner.Andy\Desktop\ComboFix.exe

* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\recycler\S-1-5-21-647344410-2365357573-1185470651-500

c:\windows\kb913800.exe

c:\windows\system32\danirizi.dll

c:\windows\system32\kewomavo.dll

c:\windows\system32\laninejo.dll

c:\windows\system32\loyuwisa.dll

c:\windows\system32\nsprs.dll

c:\windows\system32\nuyuviju.dll

c:\windows\system32\wokiwiba.dll

D:\Autorun.inf

.

((((((((((((((((((((((((( Files Created from 2009-10-05 to 2009-11-05 )))))))))))))))))))))))))))))))

.

2009-11-03 19:37 . 2009-11-03 19:38 -------- d-----w- c:\documents and settings\Owner.Andy\Local Settings\Application Data\Temp

2009-11-03 03:12 . 2009-11-03 03:12 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\Mozilla

2009-11-03 03:11 . 2009-11-03 03:11 128 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\fusioncache.dat

2009-11-03 03:00 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-11-03 03:00 . 2009-11-03 16:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-11-03 03:00 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-11-02 23:50 . 2009-11-02 23:50 -------- d-----w- c:\windows\system32\wbem\Repository

2009-11-01 16:15 . 2009-07-01 22:13 161816 ----a-w- c:\windows\RegGenieOnUninstall.exe

2009-11-01 16:15 . 2009-11-02 21:06 -------- d-----w- c:\program files\RegGenie

2009-10-27 16:18 . 2009-10-27 16:19 1407680 ----a-w- c:\documents and settings\Owner.Andy\Application Data\Move Networks\MoveMediaPlayerWin_071505000010.exe

2009-10-23 16:00 . 2009-10-23 16:29 -------- d-----w- c:\program files\rbryat

2009-10-15 07:10 . 2009-10-15 07:10 -------- d-----w- C:\6b92a6c40859a0df2acabadb

2009-10-14 17:27 . 2009-10-14 19:39 -------- d-----w- c:\documents and settings\Owner.Andy\Application Data\ICAClient

2009-10-14 17:26 . 2009-10-14 17:26 -------- d-----w- c:\windows\system32\Resource

2009-10-14 17:26 . 2009-10-14 17:26 -------- d-----w- c:\program files\Citrix

2009-10-14 17:25 . 2009-10-14 17:25 -------- d-----w- c:\documents and settings\OWNER~1~AND\LOCALS~1

2009-10-14 17:25 . 2009-10-14 17:25 -------- d-----w- c:\documents and settings\OWNER~1~AND

2009-10-13 04:38 . 2009-10-13 04:38 -------- d-----w- c:\documents and settings\Owner.Andy\Local Settings\Application Data\AIM

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-11-04 07:03 . 2006-10-12 03:23 -------- d-----w- c:\program files\McAfee

2009-11-03 16:47 . 2007-05-07 21:15 -------- d-----w- c:\documents and settings\Owner.Andy\Application Data\U3

2009-11-03 03:11 . 2009-08-04 21:18 50376 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT

2009-11-03 03:04 . 2006-12-21 23:27 -------- d-----w- c:\program files\DivX

2009-11-02 22:11 . 2006-10-12 03:05 -------- d-----w- c:\program files\Google

2009-11-02 21:06 . 2006-12-21 23:18 -------- d-----w- c:\documents and settings\Owner.Andy\Application Data\Azureus

2009-11-01 17:48 . 2006-06-19 04:25 50376 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-10-27 16:19 . 2007-01-17 03:45 -------- d--h--w- c:\documents and settings\Owner.Andy\Application Data\Move Networks

2009-10-27 16:19 . 2009-07-03 15:30 126970 ----a-w- c:\documents and settings\Owner.Andy\Application Data\Move Networks\uninstall.exe

2009-10-27 16:19 . 2009-08-03 21:48 4187512 ----a-w- c:\documents and settings\Owner.Andy\Application Data\Move Networks\plugins\npqmp071505000010.dll

2009-10-25 21:42 . 2008-05-27 23:35 -------- d-----w- c:\program files\PokerStars

2009-10-15 07:05 . 2006-10-12 03:14 -------- d-----w- c:\program files\Microsoft Works

2009-09-28 23:34 . 2009-09-28 23:34 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-09-28 23:34 . 2006-10-12 03:08 -------- d-----w- c:\program files\Java

2009-09-28 23:33 . 2009-09-28 23:33 152576 ----a-w- c:\documents and settings\Owner.Andy\Application Data\Sun\Java\jre1.6.0_16\lzma.dll

2009-09-21 17:46 . 2009-09-21 17:46 -------- d-----w- c:\program files\TweetDeck

2009-09-19 03:06 . 2009-09-19 03:06 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee

2009-09-16 14:22 . 2007-02-07 02:35 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys

2009-09-16 14:22 . 2007-02-07 02:35 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2009-09-16 14:22 . 2007-02-07 02:35 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2009-09-16 14:22 . 2007-02-07 02:35 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys

2009-09-16 14:22 . 2007-02-07 02:35 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys

2009-09-14 20:07 . 2006-10-12 03:23 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2009-09-13 21:57 . 2008-10-04 20:36 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore

2009-09-11 14:03 . 2006-06-17 09:23 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-09-09 07:06 . 2009-03-13 20:21 -------- d-----w- c:\program files\Microsoft Silverlight

2009-09-04 20:45 . 2006-06-17 09:23 58880 ----a-w- c:\windows\system32\msasn1.dll

2009-08-29 07:36 . 2006-06-17 09:23 832512 ----a-w- c:\windows\system32\wininet.dll

2009-08-29 07:36 . 2006-06-17 09:23 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-08-29 07:36 . 2006-06-17 09:23 17408 ------w- c:\windows\system32\corpol.dll

2009-08-26 08:16 . 2006-06-17 09:24 247326 ----a-w- c:\windows\system32\strmdll.dll

2009-08-04 21:24 . 2009-08-04 21:23 8050536 ----a-w- c:\program files\Firefox Setup 3.5.2.exe

2009-06-03 15:25 . 2009-06-03 15:25 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll

2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll

2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Power2GoExpress"="NA" [X]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-20 39408]

"Google Update"="c:\documents and settings\Owner.Andy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-03 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-06-03 30192]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]

"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 139264]

"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-05-24 573440]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]

"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-12 98304]

"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]

"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 236016]

"McAfee Backup"="c:\program files\McAfee\MBK\McAfeeDataBackup.exe" [2009-07-09 5134864]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\bigz.exe.exe" [2009-09-10 1312080]

"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-12-27 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2006-10-04 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

BigFix.lnk - c:\program files\BigFix\bigfix.exe [2006-10-11 2168360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=

"c:\\Program Files\\SopCast\\SopCast.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\Azureus\\Azureus.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"c:\\Program Files\\Intel\\Wireless\\Bin\\ZCfgSvc.exe"=

"c:\\Program Files\\BigFix\\bigfix.exe"=

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [10/4/2008 3:14 PM 92296]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [3/8/2007 3:10 AM 24652]

S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [10/11/2006 10:05 PM 30192]

S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\IcdUsb2.sys [6/15/2007 2:58 PM 39048]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR

*Deregistered* - mbr

.

Contents of the 'Scheduled Tasks' folder

2009-11-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1929080933-648326475-2723996179-1006Core.job

- c:\documents and settings\Owner.Andy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-03 19:36]

2009-11-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1929080933-648326475-2723996179-1006UA.job

- c:\documents and settings\Owner.Andy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-03 19:36]

2006-11-05 c:\windows\Tasks\ISP signup reminder 1.job

- c:\windows\system32\OOBE\oobebaln.exe [2006-06-17 19:00]

2009-10-15 c:\windows\Tasks\McDefragTask.job

- c:\program files\mcafee\mqc\QcConsol.exe [2007-02-07 16:22]

2009-11-01 c:\windows\Tasks\McQcTask.job

- c:\program files\mcafee\mqc\QcConsol.exe [2007-02-07 16:22]

.

.

------- Supplementary Scan -------

.

uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6956

FF - ProfilePath - c:\documents and settings\Owner.Andy\Application Data\Mozilla\Firefox\Profiles\ubrju9g1.default\

FF - prefs.js: browser.startup.homepage - hxxp://fantasysports.yahoo.com/

FF - prefs.js: network.proxy.type - 4

FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll

FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll

FF - plugin: c:\documents and settings\Owner.Andy\Application Data\Move Networks\plugins\npqmp071503000010.dll

FF - plugin: c:\documents and settings\Owner.Andy\Application Data\Move Networks\plugins\npqmp071505000010.dll

FF - plugin: c:\documents and settings\Owner.Andy\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

.

- - - - ORPHANS REMOVED - - - -

BHO-{b65be8f3-2e8c-42cd-bb6b-5948673348cc} - vonabuka.dll

HKCU-Run-Aim6 - (no file)

HKLM-Run-RegGenie Scheduler - c:\program files\RegGenie\RegGenieScheduler.exe

HKLM-Run-dudebezoye - wokiwiba.dll

SharedTaskScheduler-{43a80c43-0b98-40d8-8dcf-1125629a7f16} - c:\windows\system32\jiyigafa.dll

SSODL-lukugusim-{43a80c43-0b98-40d8-8dcf-1125629a7f16} - c:\windows\system32\jiyigafa.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-11-05 14:53

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3464)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\program files\Intel\Wireless\Bin\S24EvMon.exe

c:\windows\eHome\ehRecvr.exe

c:\windows\eHome\ehSched.exe

c:\program files\Intel\Intel Matrix Storage Manager\iaantmon.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\progra~1\McAfee\MSC\mcmscsvc.exe

c:\program files\common files\mcafee\mna\mcnasvc.exe

c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

c:\progra~1\McAfee\VIRUSS~1\mcshield.exe

c:\program files\McAfee\MPF\MPFSrv.exe

c:\program files\McAfee\MSK\MskSrver.exe

c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\windows\ehome\mcrdsvc.exe

c:\progra~1\mcafee.com\agent\mcagent.exe

c:\windows\system32\dllhost.exe

c:\windows\eHome\ehmsas.exe

c:\windows\system32\igfxsrvc.exe

c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe

c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe

c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe

.

**************************************************************************

.

Completion time: 2009-11-05 14:55 - machine was rebooted

ComboFix-quarantined-files.txt 2009-11-05 19:54

Pre-Run: 130,743,918,592 bytes free

Post-Run: 130,899,738,624 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - CFE64398C2C5C4621E6FBDE0FC705C73
