12-06-2008, 01:39 AM   #1
gotenkskun
Registered User
 
Join Date: Dec 2008
Posts: 13
OS: xp service pack 3


Vundomonde infection - located in system32

I appreciate you taking the time to look at this.

I picked this up when trying to install programs to make my Mechwarrior 2 disc compatible with Windows XP (at least I think I did).

Symptoms:
Random popup every time I change webpages. The popup always appears in a new tab in the same window. Does this for both Mozilla and IE.

DDS (Version 1.0) - NTFSx86
Run by Jonathan at 2:20:22.45 on Sat 12/06/2008
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.563 [GMT -6:00]

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Documents and Settings\Jonathan\Desktop\dds.com

============== Pseudo HJT Report ===============

BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
BHO: {ee9b4520-965a-4209-9d71-56da0a710be1} - c:\windows\system32\diwunawo.dll
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
uRun: [PhotoShow Deluxe Media Manager] c:\progra~1\nero\data\xtras\mssysmgr.exe
uRun: [<NO NAME>]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [<NO NAME>]
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [dovenuwafi] Rundll32.exe "c:\windows\system32\degipeme.dll",s
mRun: [CPM7719aed2] Rundll32.exe "c:\windows\system32\hafurive.dll",a
dRun: [<NO NAME>]
dRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\aticat~1.lnk - c:\program files\ati technologies\ati.ace\CLI.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\windows\system32\marewugo.dll c:\windows\system32\fedozuta.dll c:\windows\system32\rovopere.dll c:\windows\system32\sagopise.dll c:\windows\system32\hafurive.dll c:\windows\system32\fopihofu.dll c:\windows\system32\fosepoyo.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fosepoyo.dll
STS: {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fosepoyo.dll
LSA: Notification Packages = scecli c:\windows\system32\fopihofu.dll

============= SERVICES / DRIVERS ===============

R IKFileSec;IKFileSec; []
R IKSysFlt;IKSysFlt; []
R IKSysSec;IKSysSec; []
R1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2006-11-30 31944]
R2 McAfeeFramework;McAfee Framework Service;"c:\program files\mcafee\common framework\FrameworkService.exe" /ServiceStart [2007-8-21 104000]
R2 McShield;McAfee McShield;"c:\program files\mcafee\virusscan enterprise\mcshield.exe" [2006-11-30 144960]
R2 McTaskManager;McAfee Task Manager;"c:\program files\mcafee\virusscan enterprise\vstskmgr.exe" [2006-11-30 54872]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\ViewpointService.exe" [2008-2-13 24652]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2007-8-21 72264]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2007-8-21 34152]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2007-8-21 168776]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\D:\NTGLM7X.sys []

=============== Created Last 30 ================

2008-12-06 02:03 250 a------- c:\windows\gmer.ini
2008-12-06 01:24 <DIR> --dshr-- C:\cmdcons
2008-12-06 01:24 <DIR> --d----- c:\windows\setup.pss
2008-12-06 01:24 <DIR> --d----- c:\windows\setupupd
2008-12-05 23:42 <DIR> --d----- c:\program files\Spyware Doctor
2008-12-05 23:40 <DIR> --d----- c:\windows\system32\appmgmt
2008-12-05 22:19 120 ---sh--- c:\windows\system32\atasepeb.ini
2008-12-05 21:19 120 ---sh--- c:\windows\system32\ikoniyot.ini
2008-12-05 00:20 120 ---sh--- c:\windows\system32\ototafaw.ini
2008-12-04 23:20 120 ---sh--- c:\windows\system32\omerohav.ini
2008-12-04 01:36 326 a------- c:\windows\wininit.ini
2008-12-04 00:42 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-12-04 00:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-12-02 01:25 <DIR> --d----- C:\VundoFix Backups
2008-12-01 05:12 1,296,222 ---sh--- c:\windows\system32\ofodasab.ini
2008-11-30 19:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2008-11-30 19:29 <DIR> --d----- c:\program files\SUPERAntiSpyware
2008-11-30 19:29 <DIR> --d----- c:\docume~1\jonathan\applic~1\SUPERAntiSpyware.com
2008-11-30 17:11 1,296,222 ---sh--- c:\windows\system32\obapuvaf.ini
2008-11-30 05:11 1,296,222 ---sh--- c:\windows\system32\uzubeyaf.ini
2008-11-30 03:17 <DIR> --d----- c:\program files\DOSBox-0.72
2008-11-30 03:09 <DIR> --d----- C:\Dosbox
2008-11-30 03:08 24 a--sh--- c:\windows\SFEDBC627.tmp
2008-11-30 03:08 <DIR> --d----- c:\program files\SlySoft
2008-11-30 03:05 <DIR> --d----- C:\MECH2
2008-11-30 02:08 <DIR> --d----- c:\documents and settings\jonathan\WINDOWS
2008-11-30 01:40 <DIR> --d----- c:\program files\VDMSound
2008-11-30 01:30 66,336 a---h--- C:\ABBOADFJ
2008-11-30 01:18 <DIR> --d-h--- c:\windows\PIF
2008-11-29 23:33 66,336 a---h--- C:\BHCBBGBK
2008-11-21 23:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\acccore
2008-11-12 01:06 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 01:06 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll

==================== Find3M ====================

2008-12-05 22:19 88,863 a--sh--- c:\windows\system32\bepesata.dll
2008-12-05 21:19 65,698 a--sh--- c:\windows\system32\sapayuse.dll
2008-12-05 21:19 88,208 -------- c:\windows\system32\toyinoki.dll
2008-12-05 00:20 88,345 a--sh--- c:\windows\system32\wafatoto.dll
2008-12-04 23:20 86,581 -------- c:\windows\system32\vahoremo.dll
2008-12-04 23:20 64,053 a--sh--- c:\windows\system32\dijuzihi.dll
2008-12-03 22:54 64,565 a--sh--- c:\windows\system32\popiwoba.dll
2008-12-03 10:54 94,261 a--sh--- c:\windows\system32\subobuhi.dll
2008-12-03 10:54 85,557 -------- c:\windows\system32\sovanavo.dll
2008-12-02 10:53 86,581 -------- c:\windows\system32\kejowigi.dll
2008-12-02 10:53 93,749 a--sh--- c:\windows\system32\hahonuhe.dll
2008-12-01 22:53 86,581 -------- c:\windows\system32\rutihuku.dll
2008-12-01 21:53 65,076 a--sh--- c:\windows\system32\seyohehu.dll
2008-12-01 05:12 88,116 -------- c:\windows\system32\basadofo.dll
2008-11-30 05:11 88,116 -------- c:\windows\system32\fayebuzu.dll
2008-11-30 05:11 94,772 a--sh--- c:\windows\system32\zilebobi.dll
2008-10-24 05:21 455,296 a------- c:\windows\system32\drivers\mrxsmb.sys
2008-10-17 19:10 7,680 a------- c:\windows\system32\ff_vfw.dll
2008-09-15 18:14 524,288 a------- c:\windows\system32\DivXsm.exe
2008-09-15 18:14 3,596,288 a------- c:\windows\system32\qt-dx331.dll
2008-09-15 18:12 1,044,480 a------- c:\windows\system32\libdivx.dll
2008-09-15 18:12 200,704 a------- c:\windows\system32\ssldivx.dll
2008-09-15 18:12 196,608 a------- c:\windows\system32\dtu100.dll
2008-09-15 18:12 81,920 a------- c:\windows\system32\dpl100.dll
2008-09-15 18:12 593,920 a------- c:\windows\system32\dpuGUI11.dll
2008-09-15 18:12 344,064 a------- c:\windows\system32\dpus11.dll
2008-09-15 18:12 294,912 a------- c:\windows\system32\dpu11.dll
2008-09-15 18:12 294,912 a------- c:\windows\system32\dpu10.dll
2008-09-15 18:12 57,344 a------- c:\windows\system32\dpv11.dll
2008-09-15 18:12 53,248 a------- c:\windows\system32\dpuGUI10.dll
2008-09-15 18:11 823,296 a------- c:\windows\system32\divx_xx0c.dll
2008-09-15 18:11 823,296 a------- c:\windows\system32\divx_xx07.dll
2008-09-15 18:11 815,104 a------- c:\windows\system32\divx_xx0a.dll
2008-09-15 18:11 802,816 a------- c:\windows\system32\divx_xx11.dll
2008-09-15 18:11 683,520 a------- c:\windows\system32\DivX.dll
2008-09-15 18:11 161,096 a------- c:\windows\system32\DivXCodecVersionChecker.exe
2008-09-15 18:11 12,288 a------- c:\windows\system32\DivXWMPExtType.dll
2008-09-15 06:12 1,846,400 a------- c:\windows\system32\win32k.sys
2008-09-09 19:14 1,307,648 -------- c:\windows\system32\msxml6.dll
2008-09-05 21:19 65,698 a--sh--- c:\windows\system32\diwunawo.dll
2008-09-05 21:19 65,698 a--sh--- c:\windows\system32\fopihofu.dll
2008-09-05 21:19 11,264 a--sh--- c:\windows\system32\petatusa.dll
2008-09-04 23:20 13,312 a--sh--- c:\windows\system32\zesupoma.dll
2008-09-05 02:47 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090520080906\index.dat

============= FINISH: 2:20:56.79 ===============
Attached Files: gmer.txt (2.5 KB), Attach.txt (9.9 KB)