Thread: [SOLVED] Suspected "vundo" problem
View Single Post
Old 06-12-2008, 07:14 PM   #4 (permalink)
Katana
Analyst, Security Team
 
Katana's Avatar
 
Join Date: Nov 2007
Location: Manchester, UK
Posts: 1,357
OS: W2K SP4 + XP SP2 + Vista


Re: Suspected "vundo" problem
Quote:
Originally Posted by Dannyb0y View Post
Many thanks for your swift response.
You just got lucky is all

Do you Overclock your computer, or more to the point, do you know what winsys2.exe relates to ?

Custom CFScript
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    http://www.techsupportforum.com/security-center/hijackthis-log-help/258782-suspected-vundo-problem.html#post1533853

Comment:: Vundo Files

Collect::[4]
C:\WINDOWS\system32\onextdnj.dll
C:\WINDOWS\system32\uonhppfv.dll
C:\WINDOWS\system32\idmsqgwu.dll
C:\WINDOWS\system32\wwbijorm.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25996837-9A25-4D8C-A62D-A1294FF307C1}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4F7634AE-50F3-4E15-8805-BDC7BF7C19A8}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{514A5C49-0C7D-42c3-A71B-38864A269B7A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5DBFA7AE-38CD-4861-8E2F-33519FCDE725}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E25EE903-37EB-467B-B1F0-F71063F6B8C8}]


[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{E25EE903-37EB-467B-B1F0-F71063F6B8C8}"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcBrsQI]
  • Save this as CFScript.txt and place it on your desktop.




  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.
  • A window will open asking you to ensure you are connected to the internet, this is so a file can be submitted for analysis.
  • Click OK and follow the instructions to submit the file.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


Submit a File For Analysis
We need to have the files below Scanned by Uploading them/it to Virus Total

Please visit Virustotal
Copy/paste the the following file path into the window
C:\WINDOWS\system32\winsys2.exe
Click Submit/Send File
Please post back, to let me know the results.

If Virustotal is too busy please try Jotti


Kaspersky Online Scanner .
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
NOTE:- This scan is best done from IE (Internet Explorer)
Go Here http://www.kaspersky.com/kos/eng/par...avwebscan.html

Read the Requirements and limitations before you click Accept.
Allow the ActiveX download if necessary
Once the database has downloaded, click Next.
Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
Click on "My Computer" and then put the kettle on!
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.


**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.


Installed Programs

Please could you give me a list of the programs that are installed.
  • Start HijackThis
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.
You will see a list with the programs installed in your computer.
Click on save list button and specify where you would like to save this file.
When you press Save button a notepad will open with the contents of that file.
Simply copy and paste the contents of that notepad into your next post.


Logs/Information to Post in Reply
Please post the following logs/Information in your reply
  • ComboFix log
  • VirusTotal Results
  • Kaspersky Log
  • Installed Programs list
  • How are things running now ?
__________________
Katana is offline