08-09-2007, 02:43 AM   #1
burnsbabyburns
Registered User
 
Join Date: Aug 2007
Posts: 12
OS: XP


Vundo and Downloader-BDF

My computer has been running slow and I've been getting a lot of pop-ups, especially when using IE, so I downloaded McAfee VirusScan and it found Vundo Trojans and some kind of Downloader-BDF. I used VundoFix and it showed about 8 Vundo trojans, but that program seemed to remove all but one (geebxxu.dll). My computer is still running slow and I'm still getting a ton of pop-ups. Any help would be appreciated.

Main log:

Deckard's System Scanner v20070807.62
Run by Default on 2007-08-09 at 04:13:56
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2007-08-09 08:14:02 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 254 MiB (512 MiB recommended).


-- HijackThis (run as Default.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:10:08 AM, on 8/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\qwerty12.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Default\My Documents\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O2 - BHO: (no name) - {4A0E7C3B-BE02-4174-940F-7C5CC34220E0} - C:\WINDOWS\system32\mllmj.dll (file missing)
O2 - BHO: SACert Class - {740FE5FB-65F1-46C5-9E54-A19C8A8D7AC2} - C:\WINDOWS\system32\SoftAheadCert.dll
O2 - BHO: (no name) - {d4ff64f9-0d75-4393-8558-f51c0ec6b37f} - C:\WINDOWS\system32\IMGDIT.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [SemanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [nvchost] C:\WINDOWS\winlogon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...90/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B1F66939-8984-49F3-B8FC-6A6C03FDE215}: Domain = domain.invalid
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O20 - AppInit_DLLs: c:\windows\system32\geebxxu.dll
O20 - Winlogon Notify: IMGDIT - C:\WINDOWS\SYSTEM32\IMGDIT.dll
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\qwerty12.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 5368 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 MPFIREWL - c:\windows\system32\drivers\mpfirewall.sys <Not Verified; McAfee; McAfee Personal Firewall>

S3 DSproct - c:\program files\dellsupport\gtaction\triggers\dsproct.sys <Not Verified; Gteko Ltd.; processt>
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 DomainService - c:\windows\system32\qwerty12.exe /service


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2007-05-30 14:10:31 250 --a------ C:\WINDOWS\Tasks\WebReg psc C3100 series.job


-- Files created between 2007-07-09 and 2007-08-09 -----------------------------

2007-08-09 04:07:10 118784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL <Not Verified; Microsoft Corporation; MSSTDFMT Object Library>
2007-08-09 04:07:10 0 d-------- C:\Program Files\SpywareBlaster
2007-08-09 0455 131425 --a------ C:\WINDOWS\yabyaa.dll
2007-08-09 03:29:34 71 --a------ C:\WINDOWS\system32\pfdnnt_actions.sys
2007-08-09 03:29:34 8704 --a------ C:\WINDOWS\system32\pfdnnt.exe <Not Verified; Panda Software International; Panda Anti-malware>
2007-08-09 03:25:00 131425 -----n--- C:\WINDOWS\pmnomj.dll
2007-08-09 03:22:20 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-08-09 03:22:17 0 d-------- C:\WINDOWS\LastGood
2007-08-09 02:21:02 38232 --a------ C:\WINDOWS\system32\IMGDIT.dll
2007-08-09 01:04:33 0 d-------- C:\VundoFix Backups
2007-08-09 00:50:04 164 --a------ C:\install.dat
2007-08-08 19:43:26 131426 --a------ C:\WINDOWS\cbxusp.dll
2007-08-08 14:30:20 131426 --a------ C:\WINDOWS\ddaxvs.dll
2007-08-08 13:34:42 75328 --a------ C:\WINDOWS\system32\mqshcefp.exe <Not Verified; ; DDC>
2007-08-06 19:13:59 55235 --a------ C:\WINDOWS\system32\qwerty12.exe
2007-08-06 18:58:06 0 d-------- C:\Documents and Settings\All Users\Application Data\McAfee.com Personal Firewall
2007-08-06 13:44:32 0 d-------- C:\WINDOWS\McAfee.com
2007-08-06 12:51:58 131421 --a------ C:\WINDOWS\opqpqo.dll
2007-08-06 00:00:42 31254 --a------ C:\WINDOWS\system32\opnnkhg.dll
2007-08-05 22:51:15 245760 --a------ C:\WINDOWS\system32\ImxEx.dll
2007-08-05 22:25:26 0 d-------- C:\Program Files\Astro Gemini Software
2007-08-05 22:22:33 0 --a------ C:\WINDOWS\system32\taskkill.exe
2007-08-05 22:16:00 12494 -----n--- C:\WINDOWS\system32\geebxxu.dll
2007-08-05 22:12:54 31254 --a------ C:\WINDOWS\system32\mljhfcd.dll
2007-08-04 20:00:06 0 d-------- C:\Program Files\NCH Swift Sound
2007-08-04 20:00:06 0 d-------- C:\Documents and Settings\Default\Application Data\NCH Swift Sound
2007-08-04 19:59:34 0 d-------- C:\Program Files\NCH Software
2007-08-04 19:56:00 135168 --a------ C:\WINDOWS\system32\DSKernel2.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS Multimedia Filter Pack>
2007-08-04 19:55:51 737280 --a------ C:\WINDOWS\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>
2007-08-04 19:55:18 0 d-------- C:\Program Files\Replay Converter
2007-08-04 19:52:21 0 d-------- C:\Documents and Settings\Default\Application Data\GetRightToGo
2007-08-04 19:37:31 0 d-------- C:\Program Files\FLVPlayer
2007-08-04 15:40:45 0 d-------- C:\Program Files\uTorrent
2007-08-02 20:56:23 0 d-------- C:\Program Files\Windows Media Connect 2
2007-08-02 20:54:41 0 d-------- C:\WINDOWS\system32\LogFiles
2007-08-02 20:54:41 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2007-08-02 20:35:11 98304 --a------ C:\WINDOWS\system32\SoftAheadCert.dll <Not Verified; SoftAhead Inc.; SoftAheadCert Module>
2007-07-26 14:36:09 0 d-------- C:\Documents and Settings\Default\Application Data\Move Networks
2007-07-26 05:08:27 0 d-------- C:\Documents and Settings\Default\Application Data\NewzToolz
2007-07-26 05:08:10 0 d-------- C:\Program Files\NewzToolz
2007-07-26 04:01:18 0 d-------- C:\Documents and Settings\Default\Application Data\PEERNET
2007-07-26 04:00:59 0 --a------ C:\WINDOWS\system32\PNFCC3
2007-07-26 04:00:59 0 d-------- C:\Documents and Settings\All Users\Application Data\PEERNET
2007-07-26 04:00:11 0 d-------- C:\Program Files\PEERNET File Conversion Center 3.0
2007-07-26 03:59:39 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-26 03:54:28 0 d-------- C:\Documents and Settings\Default\Application Data\WinRAR
2007-07-23 03:25:03 1165 --a------ C:\WINDOWS\mozver.dat
2007-07-22 14:52:19 0 d-------- C:\Documents and Settings\Default\Application Data\Talkback
2007-07-22 14:36:46 0 d-------- C:\Documents and Settings\Default\Application Data\Mozilla


-- Find3M Report ---------------------------------------------------------------

2007-08-09 04:08:55 79536 --a------ C:\Documents and Settings\Default\Application Data\tmp403.tmp.exe
2007-08-09 04:07:20 4608 --a------ C:\Documents and Settings\Default\Application Data\tmp402.tmp.exe
2007-08-09 0455 124499 --a------ C:\Documents and Settings\Default\Application Data\tmp401.tmp.exe
2007-08-09 03:46:53 0 d-------- C:\Program Files\DellSupport
2007-08-09 03:46:45 55330 --a------ C:\Documents and Settings\Default\Application Data\tmp1F0.tmp.exe
2007-08-09 03:31:38 79536 --a------ C:\Documents and Settings\Default\Application Data\tmp1D9.tmp.exe
2007-08-09 03:25:00 124499 --a------ C:\Documents and Settings\Default\Application Data\tmp66.tmp.exe
2007-08-08 19:45:28 55330 --a------ C:\Documents and Settings\Default\Application Data\tmp85.tmp.exe
2007-08-08 19:43:27 79761 --a------ C:\Documents and Settings\Default\Application Data\tmp83.tmp.exe
2007-08-08 19:43:24 124693 --a------ C:\Documents and Settings\Default\Application Data\tmp82.tmp.exe
2007-08-08 19:41:41 55330 --a------ C:\Documents and Settings\Default\Application Data\tmp81.tmp.exe
2007-08-08 19:36:39 79761 --a------ C:\Documents and Settings\Default\Application Data\tmp80.tmp.exe
2007-08-08 19:36:29 124693 --a------ C:\Documents and Settings\Default\Application Data\tmp7F.tmp.exe
2007-08-08 19:36:14 55330 --a------ C:\Documents and Settings\Default\Application Data\tmp7D.tmp.exe
2007-08-08 14:30:20 124693 --a------ C:\Documents and Settings\Default\Application Data\tmpF.tmp.exe
2007-08-08 14:30:08 55330 --a------ C:\Documents and Settings\Default\Application Data\tmpE.tmp.exe
2007-08-08 01:50:54 58798 --a------ C:\Documents and Settings\Default\Application Data\tmp55.tmp.exe
2007-08-08 01:38:43 0 d-------- C:\Documents and Settings\Default\Application Data\uTorrent
2007-08-07 03:52:45 78517 --a------ C:\Documents and Settings\Default\Application Data\tmp54.tmp.exe
2007-08-07 03:52:45 78517 --a------ C:\Documents and Settings\Default\Application Data\tmp53.tmp.exe
2007-08-07 03:52:39 124743 --a------ C:\Documents and Settings\Default\Application Data\tmp52.tmp.exe
2007-08-07 03:52:18 58798 --a------ C:\Documents and Settings\Default\Application Data\tmp51.tmp.exe
2007-08-06 19:21:01 78541 --a------ C:\Documents and Settings\Default\Application Data\tmp8D.tmp.exe
2007-08-06 19:20:48 124774 --a------ C:\Documents and Settings\Default\Application Data\tmp8C.tmp.exe
2007-08-06 19:19:32 58798 --a------ C:\Documents and Settings\Default\Application Data\tmp8B.tmp.exe
2007-08-06 19:16:07 78541 --a------ C:\Documents and Settings\Default\Application Data\tmp89.tmp.exe
2007-08-06 19:16:05 124774 --a------ C:\Documents and Settings\Default\Application Data\tmp88.tmp.exe
2007-08-06 19:13:58 58798 --a------ C:\Documents and Settings\Default\Application Data\tmp87.tmp.exe
2007-08-06 16:04:17 0 d-------- C:\Program Files\McAfee.com
2007-08-06 12:52:46 78541 --a------ C:\Documents and Settings\Default\Application Data\tmpD.tmp.exe
2007-08-06 12:51:58 124774 --a------ C:\Documents and Settings\Default\Application Data\tmpC.tmp.exe
2007-08-06 12:48:57 58798 --a------ C:\Documents and Settings\Default\Application Data\tmpB.tmp.exe
2007-08-04 15:18:04 0 d-------- C:\Program Files\Common Files\Real
2007-07-26 09:22:23 0 d-------- C:\Program Files\Common Files
2007-07-02 11:43:29 0 d-------- C:\Program Files\MSXML 4.0
2007-06-25 12:46:33 0 d-------- C:\Documents and Settings\Default\Application Data\Image Zone Express
2007-05-30 14:09:51 117193 --a----c- C:\WINDOWS\hpoins11.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4A0E7C3B-BE02-4174-940F-7C5CC34220E0}]
C:\WINDOWS\system32\mllmj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C6039E6C-BDE9-4de5-BB40-768CAA584FDC}]
08/09/2007 04:08 AM 64540 --a------ C:\WINDOWS\system32\tmp403.tmp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d4ff64f9-0d75-4393-8558-f51c0ec6b37f}]
08/09/2007 02:21 AM 38232 --a------ C:\WINDOWS\system32\IMGDIT.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe" [06/03/2005 03:52 AM]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [06/30/2004 03:33 PM]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" []
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [09/22/2005 06:29 PM]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [01/11/2006 12:05 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [12/19/2004 01:13 PM]
"MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" [11/11/2005 05:00 PM]
"SemanticInsight"="C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe" []
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [09/20/2005 10:35 AM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [09/20/2005 10:32 AM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [09/20/2005 10:36 AM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [02/19/2006 02:41 AM]
"nvchost"="C:\WINDOWS\winlogon.exe" []
"SystemOptimizer"="C:\WINDOWS\yabyaa.dll" [08/09/2007 04:06 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [03/15/2007 11:09 AM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 12:24 PM]

C:\Documents and Settings\Default\Start Menu\Programs\Startup\
DESKTOP.INI [8/10/2004 3:04:12 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [8/10/2004 3:04:12 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IMGDIT]
IMGDIT.dll 08/09/2007 02:21 AM 38232 C:\WINDOWS\SYSTEM32\IMGDIT.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=c:\windows\system32\geebxxu.dll




-- Hosts -----------------------------------------------------------------------

66.98.148.65 auto.search.msn.com
66.98.148.65 auto.search.msn.es


-- End of Deckard's System Scanner: finished at 2007-08-09 at 04:18:51 ---------
Attached Files: extra.txt (14.5 KB)

Last edited by burnsbabyburns; 08-09-2007 at 02:50 AM.