Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Old 12-06-2008, 01:39 AM   #1 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 13
OS: xp service pack 3


Vundomonde infection - located in system32

I appreciate you taking the time to look at this.

I picked this up when trying to install programs to make my Mechwarrior 2 disc compatible with windows xp (at least I think I did).

Symptoms:
Random popup every time I change webpages. The popup always appears in a new tab in the same window. Does this for both Mozilla and IE.

DDS (Version 1.0) - NTFSx86
Run by Jonathan at 2:20:22.45 on Sat 12/06/2008
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.563 [GMT -6:00]

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Documents and Settings\Jonathan\Desktop\dds.com

============== Pseudo HJT Report ===============

BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
BHO: {ee9b4520-965a-4209-9d71-56da0a710be1} - c:\windows\system32\diwunawo.dll
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
uRun: [PhotoShow Deluxe Media Manager] c:\progra~1\nero\data\xtras\mssysmgr.exe
uRun: [<NO NAME>]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [<NO NAME>]
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [dovenuwafi] Rundll32.exe "c:\windows\system32\degipeme.dll",s
mRun: [CPM7719aed2] Rundll32.exe "c:\windows\system32\hafurive.dll",a
dRun: [<NO NAME>]
dRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\aticat~1.lnk - c:\program files\ati technologies\ati.ace\CLI.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\windows\system32\marewugo.dll c:\windows\system32\fedozuta.dll c:\windows\system32\rovopere.dll c:\windows\system32\sagopise.dll c:\windows\system32\hafurive.dll c:\windows\system32\fopihofu.dll c:\windows\system32\fosepoyo.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fosepoyo.dll
STS: {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fosepoyo.dll
LSA: Notification Packages = scecli c:\windows\system32\fopihofu.dll

============= SERVICES / DRIVERS ===============

R IKFileSec;IKFileSec; []
R IKSysFlt;IKSysFlt; []
R IKSysSec;IKSysSec; []
R1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2006-11-30 31944]
R2 McAfeeFramework;McAfee Framework Service;"c:\program files\mcafee\common framework\FrameworkService.exe" /ServiceStart [2007-8-21 104000]
R2 McShield;McAfee McShield;"c:\program files\mcafee\virusscan enterprise\mcshield.exe" [2006-11-30 144960]
R2 McTaskManager;McAfee Task Manager;"c:\program files\mcafee\virusscan enterprise\vstskmgr.exe" [2006-11-30 54872]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\ViewpointService.exe" [2008-2-13 24652]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2007-8-21 72264]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2007-8-21 34152]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2007-8-21 168776]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\D:\NTGLM7X.sys []

=============== Created Last 30 ================

2008-12-06 02:03 250 a------- c:\windows\gmer.ini
2008-12-06 01:24 <DIR> --dshr-- C:\cmdcons
2008-12-06 01:24 <DIR> --d----- c:\windows\setup.pss
2008-12-06 01:24 <DIR> --d----- c:\windows\setupupd
2008-12-05 23:42 <DIR> --d----- c:\program files\Spyware Doctor
2008-12-05 23:40 <DIR> --d----- c:\windows\system32\appmgmt
2008-12-05 22:19 120 ---sh--- c:\windows\system32\atasepeb.ini
2008-12-05 21:19 120 ---sh--- c:\windows\system32\ikoniyot.ini
2008-12-05 00:20 120 ---sh--- c:\windows\system32\ototafaw.ini
2008-12-04 23:20 120 ---sh--- c:\windows\system32\omerohav.ini
2008-12-04 01:36 326 a------- c:\windows\wininit.ini
2008-12-04 00:42 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-12-04 00:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-12-02 01:25 <DIR> --d----- C:\VundoFix Backups
2008-12-01 05:12 1,296,222 ---sh--- c:\windows\system32\ofodasab.ini
2008-11-30 19:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2008-11-30 19:29 <DIR> --d----- c:\program files\SUPERAntiSpyware
2008-11-30 19:29 <DIR> --d----- c:\docume~1\jonathan\applic~1\SUPERAntiSpyware.com
2008-11-30 17:11 1,296,222 ---sh--- c:\windows\system32\obapuvaf.ini
2008-11-30 05:11 1,296,222 ---sh--- c:\windows\system32\uzubeyaf.ini
2008-11-30 03:17 <DIR> --d----- c:\program files\DOSBox-0.72
2008-11-30 03:09 <DIR> --d----- C:\Dosbox
2008-11-30 03:08 24 a--sh--- c:\windows\SFEDBC627.tmp
2008-11-30 03:08 <DIR> --d----- c:\program files\SlySoft
2008-11-30 03:05 <DIR> --d----- C:\MECH2
2008-11-30 02:08 <DIR> --d----- c:\documents and settings\jonathan\WINDOWS
2008-11-30 01:40 <DIR> --d----- c:\program files\VDMSound
2008-11-30 01:30 66,336 a---h--- C:\ABBOADFJ
2008-11-30 01:18 <DIR> --d-h--- c:\windows\PIF
2008-11-29 23:33 66,336 a---h--- C:\BHCBBGBK
2008-11-21 23:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\acccore
2008-11-12 01:06 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 01:06 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll

==================== Find3M ====================

2008-12-05 22:19 88,863 a--sh--- c:\windows\system32\bepesata.dll
2008-12-05 21:19 65,698 a--sh--- c:\windows\system32\sapayuse.dll
2008-12-05 21:19 88,208 -------- c:\windows\system32\toyinoki.dll
2008-12-05 00:20 88,345 a--sh--- c:\windows\system32\wafatoto.dll
2008-12-04 23:20 86,581 -------- c:\windows\system32\vahoremo.dll
2008-12-04 23:20 64,053 a--sh--- c:\windows\system32\dijuzihi.dll
2008-12-03 22:54 64,565 a--sh--- c:\windows\system32\popiwoba.dll
2008-12-03 10:54 94,261 a--sh--- c:\windows\system32\subobuhi.dll
2008-12-03 10:54 85,557 -------- c:\windows\system32\sovanavo.dll
2008-12-02 10:53 86,581 -------- c:\windows\system32\kejowigi.dll
2008-12-02 10:53 93,749 a--sh--- c:\windows\system32\hahonuhe.dll
2008-12-01 22:53 86,581 -------- c:\windows\system32\rutihuku.dll
2008-12-01 21:53 65,076 a--sh--- c:\windows\system32\seyohehu.dll
2008-12-01 05:12 88,116 -------- c:\windows\system32\basadofo.dll
2008-11-30 05:11 88,116 -------- c:\windows\system32\fayebuzu.dll
2008-11-30 05:11 94,772 a--sh--- c:\windows\system32\zilebobi.dll
2008-10-24 05:21 455,296 a------- c:\windows\system32\drivers\mrxsmb.sys
2008-10-17 19:10 7,680 a------- c:\windows\system32\ff_vfw.dll
2008-09-15 18:14 524,288 a------- c:\windows\system32\DivXsm.exe
2008-09-15 18:14 3,596,288 a------- c:\windows\system32\qt-dx331.dll
2008-09-15 18:12 1,044,480 a------- c:\windows\system32\libdivx.dll
2008-09-15 18:12 200,704 a------- c:\windows\system32\ssldivx.dll
2008-09-15 18:12 196,608 a------- c:\windows\system32\dtu100.dll
2008-09-15 18:12 81,920 a------- c:\windows\system32\dpl100.dll
2008-09-15 18:12 593,920 a------- c:\windows\system32\dpuGUI11.dll
2008-09-15 18:12 344,064 a------- c:\windows\system32\dpus11.dll
2008-09-15 18:12 294,912 a------- c:\windows\system32\dpu11.dll
2008-09-15 18:12 294,912 a------- c:\windows\system32\dpu10.dll
2008-09-15 18:12 57,344 a------- c:\windows\system32\dpv11.dll
2008-09-15 18:12 53,248 a------- c:\windows\system32\dpuGUI10.dll
2008-09-15 18:11 823,296 a------- c:\windows\system32\divx_xx0c.dll
2008-09-15 18:11 823,296 a------- c:\windows\system32\divx_xx07.dll
2008-09-15 18:11 815,104 a------- c:\windows\system32\divx_xx0a.dll
2008-09-15 18:11 802,816 a------- c:\windows\system32\divx_xx11.dll
2008-09-15 18:11 683,520 a------- c:\windows\system32\DivX.dll
2008-09-15 18:11 161,096 a------- c:\windows\system32\DivXCodecVersionChecker.exe
2008-09-15 18:11 12,288 a------- c:\windows\system32\DivXWMPExtType.dll
2008-09-15 06:12 1,846,400 a------- c:\windows\system32\win32k.sys
2008-09-09 19:14 1,307,648 -------- c:\windows\system32\msxml6.dll
2008-09-05 21:19 65,698 a--sh--- c:\windows\system32\diwunawo.dll
2008-09-05 21:19 65,698 a--sh--- c:\windows\system32\fopihofu.dll
2008-09-05 21:19 11,264 a--sh--- c:\windows\system32\petatusa.dll
2008-09-04 23:20 13,312 a--sh--- c:\windows\system32\zesupoma.dll
2008-09-05 02:47 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090520080906\index.dat

============= FINISH: 2:20:56.79 ===============
Attached Files
File Type: txt gmer.txt (2.5 KB, 1 views)
File Type: txt Attach.txt (9.9 KB, 0 views)
gotenkskun is offline  
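A defender's triage pass over the "Pseudo HJT Report" above, as an added example that is not part of this thread or of the DDS tool: it pulls every binary path out of the pseudo-HJT lines, flags system32 DLLs whose names follow the eight-letter consonant/vowel pattern of the DLLs in this log, and marks anything loaded through process-wide load points (AppInit_DLLs, LSA Notification Packages, SSODL, STS, Notify) for review. The sample lines are copied from the log above; the naming heuristic and the severities are my own assumptions, not DDS or ComboFix logic.

```python
"""Triage a DDS 'Pseudo HJT Report' for Vundo-style persistence.

Added example, not part of the thread or of the DDS tool.  The sample lines
are copied from the log in post #1; the scoring rules are my own assumptions
about what a reviewer would want flagged first, not DDS or ComboFix logic.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a subset of the pseudo-HJT lines from the DDS log above.
SAMPLE_LOG = r"""
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {ee9b4520-965a-4209-9d71-56da0a710be1} - c:\windows\system32\diwunawo.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [dovenuwafi] Rundll32.exe "c:\windows\system32\degipeme.dll",s
mRun: [CPM7719aed2] Rundll32.exe "c:\windows\system32\hafurive.dll",a
AppInit_DLLs: c:\windows\system32\marewugo.dll c:\windows\system32\fedozuta.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fosepoyo.dll
LSA: Notification Packages = scecli c:\windows\system32\fopihofu.dll
"""

# Load points that inject a DLL into many or all processes, or into LSASS.
# Anything non-default here deserves a look even when the name seems benign.
GLOBAL_LOAD_POINTS = {"AppInit_DLLs", "LSA", "SSODL", "STS", "Notify"}

# One binary path: a drive letter, then the shortest run up to .dll/.exe.
PATH_RE = re.compile(r"[a-z]:\\.+?\.(?:dll|exe)\b", re.IGNORECASE)
VOWELS = set("aeiou")


@dataclass(frozen=True)
class Finding:
    key: str        # DDS section tag, e.g. "mRun", "AppInit_DLLs"
    path: str       # full path as printed in the log
    severity: str   # "high", "medium" or "review"
    reason: str


def looks_random(stem: str) -> bool:
    """Heuristic (assumption): the Vundo DLLs in this log are eight lowercase
    letters alternating consonant/vowel, e.g. diwunawo, fopihofu."""
    if len(stem) != 8 or not stem.isalpha() or not stem.islower():
        return False
    pattern = [c in VOWELS for c in stem]
    return pattern == [False, True] * 4


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per suspicious path in the pseudo-HJT section."""
    findings = []
    for line in log_text.splitlines():
        if ":" not in line:
            continue
        key, _, rest = line.partition(":")
        key = key.strip()
        for path in PATH_RE.findall(rest):
            stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            in_global = key in GLOBAL_LOAD_POINTS
            in_sys32 = "\\system32\\" in path.lower()
            if looks_random(stem) and in_sys32:
                sev = "high" if in_global else "medium"
                reason = f"random-looking system32 name under {key}"
            elif in_global:
                sev = "review"
                reason = f"non-default entry in process-wide load point {key}"
            else:
                continue
            findings.append(Finding(key, path, sev, reason))
    return findings


def flagged_names(findings: list[Finding], severity: str) -> set[str]:
    """File names (basename only) flagged at the given severity."""
    return {f.path.rsplit("\\", 1)[-1] for f in findings if f.severity == severity}


if __name__ == "__main__":
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: f.severity):
        print(f"{f.severity:7} {f.key:13} {f.path}  ({f.reason})")
```

Run against the full DDS log, the same pass also picks up rovopere.dll, sagopise.dll and hafurive.dll from the AppInit_DLLs line and fosepoyo.dll again under STS, which matches the set ComboFix later removed.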

Old 12-06-2008, 07:05 AM   #2 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,353
OS: N/A


Re: Vundomonde infection - located in system32

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

Post the log from ComboFix when you've accomplished that.
sUBs is offline  
Old 12-06-2008, 09:17 AM   #3 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 13
OS: xp service pack 3


Re: Vundomonde infection - located in system32

ComboFix 08-12-05.06 - Jonathan 2008-12-06 10:03:10.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.548 [GMT -6:00]
Running from: c:\documents and settings\Jonathan\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\atasepeb.ini
c:\windows\system32\basadofo.dll
c:\windows\system32\bepesata.dll
c:\windows\system32\dijuzihi.dll
c:\windows\system32\diwunawo.dll
c:\windows\system32\fayebuzu.dll
c:\windows\system32\fopihofu.dll
c:\windows\system32\hahonuhe.dll
c:\windows\system32\ikoniyot.ini
c:\windows\system32\kejowigi.dll
c:\windows\system32\obapuvaf.ini
c:\windows\system32\ofodasab.ini
c:\windows\system32\omerohav.ini
c:\windows\system32\ototafaw.ini
c:\windows\system32\petatusa.dll
c:\windows\system32\popiwoba.dll
c:\windows\system32\rutihuku.dll
c:\windows\system32\sapayuse.dll
c:\windows\system32\seyohehu.dll
c:\windows\system32\sovanavo.dll
c:\windows\system32\subobuhi.dll
c:\windows\system32\toyinoki.dll
c:\windows\system32\uzubeyaf.ini
c:\windows\system32\vahoremo.dll
c:\windows\system32\wafatoto.dll
c:\windows\system32\zesupoma.dll
c:\windows\system32\zilebobi.dll
E:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-11-06 to 2008-12-06 )))))))))))))))))))))))))))))))
.

2008-12-06 02:03 . 2008-12-06 02:12 250 --a------ c:\windows\gmer.ini
2008-12-05 23:59 . 2008-12-05 23:59 <DIR> d-------- c:\documents and settings\Administrator
2008-12-05 23:42 . 2008-12-06 01:12 <DIR> d-------- c:\program files\Spyware Doctor
2008-12-05 23:42 . 2008-12-06 01:12 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-12-04 01:36 . 2008-12-06 00:58 326 --a------ c:\windows\wininit.ini
2008-12-04 00:42 . 2008-12-06 01:33 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-04 00:42 . 2008-12-06 01:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-02 01:25 . 2008-12-02 01:25 <DIR> d-------- C:\VundoFix Backups
2008-11-30 19:29 . 2008-12-05 23:40 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-11-30 19:29 . 2008-12-05 23:40 <DIR> d-------- c:\documents and settings\Jonathan\Application Data\SUPERAntiSpyware.com
2008-11-30 19:29 . 2008-11-30 19:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-11-30 03:17 . 2008-12-05 23:17 <DIR> d-------- c:\program files\DOSBox-0.72
2008-11-30 03:09 . 2008-11-30 03:20 <DIR> d-------- C:\Dosbox
2008-11-30 03:08 . 2008-11-30 04:00 <DIR> d-------- c:\program files\SlySoft
2008-11-30 03:08 . 2008-11-30 03:08 24 --ahs---- c:\windows\SFEDBC627.tmp
2008-11-30 03:05 . 2008-11-30 20:09 <DIR> d-------- C:\MECH2
2008-11-30 02:08 . 2008-11-30 02:08 <DIR> d-------- c:\documents and settings\Jonathan\WINDOWS
2008-11-30 01:40 . 2008-11-30 01:40 <DIR> d-------- c:\program files\VDMSound
2008-11-30 01:30 . 2008-11-30 01:30 66,336 --ah----- C:\ABBOADFJ
2008-11-30 01:18 . 2008-11-30 01:18 <DIR> d--h----- c:\windows\PIF
2008-11-29 23:33 . 2008-11-29 23:33 66,336 --ah----- C:\BHCBBGBK
2008-11-21 23:43 . 2008-11-21 23:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\acccore
2008-11-12 01:06 . 2008-09-04 11:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 01:06 . 2008-10-24 05:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-06 16:07 --------- d-----w c:\program files\Steam
2008-12-06 05:59 --------- d-----w c:\program files\Azureus
2008-12-06 05:57 --------- d-----w c:\documents and settings\Jonathan\Application Data\Azureus
2008-11-22 05:44 --------- d-----w c:\program files\AIM6
2008-11-22 05:43 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-22 05:43 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2008-11-02 09:46 --------- d-----w c:\program files\Combined Community Codec Pack
2008-11-02 09:36 --------- d-----w c:\program files\DivX
2008-11-02 09:31 --------- d-----w c:\program files\ffdshow
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-09-05 08:47 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090520080906\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"Steam"="c:\program files\Steam\Steam.exe" [2008-10-08 1410296]
"PhotoShow Deluxe Media Manager"="c:\progra~1\Nero\data\Xtras\mssysmgr.exe" [2004-11-11 212992]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-02-22 339968]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-02-22 32768]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-08-29 185632]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SoundMan"="SOUNDMAN.EXE" [2004-12-01 c:\windows\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-02-22 32768]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
ATI CATALYST System Tray.lnk - c:\program files\ATI Technologies\ATI.ACE\CLI.exe [2005-02-22 32768]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2007-08-03 394856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Steam\\steamapps\\hunterje\\half-life\\hl.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Documents and Settings\\Jonathan\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\naPrdMgr.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2008-02-13 24652]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\D:\NTGLM7X.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ba50f9a7-4f77-11dc-bb6b-806d6172696f}]
\Shell\AutoRun\command - D:\Setup.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{ee9b4520-965a-4209-9d71-56da0a710be1} - c:\windows\system32\diwunawo.dll
HKLM-Run-dovenuwafi - c:\windows\system32\degipeme.dll
HKLM-Run-CPM7719aed2 - c:\windows\system32\hafurive.dll


.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FireFox -: Profile - c:\documents and settings\Jonathan\Application Data\Mozilla\Firefox\Profiles\1a50qg8x.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/
FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF -: plugin - c:\program files\Real\RhapsodyPlayerEngine\nprhapengine.dll
FF -: plugin - c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-06 10:07:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(680)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\McAfee\Common Framework\Mctray.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\mcshield.exe
c:\program files\AIM6\aolsoftware.exe
c:\program files\McAfee\VirusScan Enterprise\vstskmgr.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
.
**************************************************************************
.
Completion time: 2008-12-06 10:13:10 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-06 16:13:00

Pre-Run: 3,847,372,800 bytes free
Post-Run: 3,789,758,464 bytes free

176 --- E O F --- 2008-11-30 05:26:33
gotenkskun is offline  
Old 12-06-2008, 09:22 AM   #4 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,353
OS: N/A


Re: Vundomonde infection - located in system32

Quote:
2008-11-30 01:30 . 2008-11-30 01:30 66,336 --ah----- C:\ABBOADFJ
2008-11-29 23:33 . 2008-11-29 23:33 66,336 --ah----- C:\BHCBBGBK
Not sure what these 2 files are. If you have no idea as well, you can delete them.

Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

Vista users right click on the Internet Explorer shortcut, and choose Run As Administrator.

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
sUBs is offline  
Old 12-06-2008, 09:18 PM   #5 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 13
OS: xp service pack 3


Re: Vundomonde infection - located in system32

Sorry for the late response. I had to go to work. Here is the Kaspersky scan.


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, December 6, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, December 06, 2008 14:27:54
Records in database: 1440355
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 276726
Threat name: 2
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 05:18:15


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\basadofo.dll.vir Infected: Trojan.Win32.Monder.aamw 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\fayebuzu.dll.vir Infected: Trojan.Win32.Monder.aamw 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\zilebobi.dll.vir Infected: Trojan-Spy.Win32.Agent.fdp 1

The selected area was scanned.
gotenkskun is offline  
Old 12-06-2008, 09:30 PM   #6 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,353
OS: N/A


Re: Vundomonde infection - located in system32

Of the stuff Kaspersky found, C:\QooBox\ is ComboFix's quarantine folder. We'll take care of it when we uninstall ComboFix.


----------------------


Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:

  1. Uninstall ComboFix ... do not skip this step
    This process will perform some post cleanup measures.
    Do this by going to Start > Run & typing in ComboFix /u


  2. ANTIVIRUS SOFTWARE
    It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


  3. Microsoft Windows Update - http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  4. SPYWAREBLASTER
    SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.

    Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here → http://www.bleepingcomputer.com/forums/tutorial49.html

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.
  • http://www.trillian.cc → Trillian or http://www.miranda-im.com → Miranda-IM - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

  • http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein - http://computercops.biz/postlite7736-.html

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Kindly respond to this thread once more so we can mark this thread as resolved.
sUBs is offline  
Old 12-06-2008, 09:59 PM   #7 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 13
OS: xp service pack 3


Re: Vundomonde infection - located in system32

Thanks a bunch for this. You all are great.
gotenkskun is offline  
Copyright 2001 - 2009, Tech Support Forum