Results 1 to 5 of 5

Thread: Vundo and Rootkit Trojans on Dad's Work PC

  1. #1
    Junior Member
    Join Date
    Mar 2010
    Posts
    17

    Default Vundo and Rootkit Trojans on Dad's Work PC

    Hey everyone.

    My dad has a PC at his office and it was recently having problems. The most noticeable thing was that we couldn't access any internet browsers, like Firefox, IE, and even Google Chrome. It gave a little popup message saying "Error Writeprocessmemory" and that was it. I figured it must be malware and ran some diagnostic tools. My dad has BitDefender Internet Security installed and I ran that. BitDefender found several trojans categorized as "gen.rootkit.nixoa.1". I downloaded (on another computer) and ran MalwareBytes and it found one more called "vundo.h". The programs quarantined them and I deleted them myself, restarted, and ran the programs again. Nothing new showed up and I hoped that that might have been it.

    But the browsers still wouldn't open, giving the same error message. I rebooted in safe mode and the browsers worked fine, so I went into MSConfig and turned off stuff in the Startup menu until I could narrow down which process was causing the problem. It turned out to be "uw2000.exe". When I killed that process, browsers worked fine. But uw2000.exe is a program that my dad uses all the time. It's called Asian Suite and he uses that to write Chinese characters on the PC. He's been using it for years and it was never a problem. I uninstalled the program and reinstalled it from the original installation disc, but the same problem occured. Whenever Asian Suite was on, browsers couldn't open.

    Furthermore, BitDefender keeps popping up with these little notification windows that various programs are trying to connect to the internet. The program names are always random strings of letters, like "vdsklec" or something to that effect. I'm guessing there's still something hidden in the PC, but I don't know how to find it. BitDefender scans turn up nothing, neither does MalwareBytes, Super Anti-Spyware, nor the various rootkit scanning software I installed.

    My last resort would be to reformat the PC, but he has a lot of programs and drivers and files that he uses for work. I'd rather not have to back these up/reinstall if I can help it, and I also hear that some viruses (like vundo) are clever enough to hide themselves even from a reformat, so that's why I am asking this forum for help. I'm not at the PC right now since it's at his office, so I can't provide you with any logs from Hijack This or whatnot. But the first chance I'll get, I'll head over there and give you anything you need to know. For now, I hope someone can provide me with any kind of help I can get, or let me know what they need to help me. Thanks very much in advance, I really appreciate it because this malware is really ticking me off.

  2. #2
    Junior Member
    Join Date
    Mar 2010
    Posts
    17

    Default

    I'm at the office PC right now, but probably won't be here for too long. I noticed that BitDefender has a lot of stuff in its quarantine list, all from the folder "C:\WINDOWS\system32\drivers\".
    They have names like Modem.sys, pdcomp.sys, flpydisk.sys, etc.
    And they're all categorized as Gen:Rootkit.Nixoa.1
    As far as I know, these are all legitimate files, but could they all have been infected by malware? Let me know what to do with them.

    Also, here's the HJT log. Let me know if there's anything else I need to do. Thanks in advance!

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:48:25 PM, on 3/4/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
    C:\Program Files\BitDefender\BitDefender 2010\vsserv.exe
    C:\WINDOWS\system32\brsvc01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\brss01a.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
    C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
    C:\WINDOWS\system32\SysMonitor.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Acer\Empowering Technology\eLock\Monitor\LockMon.exe
    C:\WINDOWS\system32\WTablet\TabUserW.exe
    C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Acer\Empowering Technology\eLock\LockServ.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Tablet.exe
    C:\Program Files\BitDefender\BitDefender 2010\seccenter.exe
    C:\WINDOWS\system32\wbem\wmiapsrv.exe
    C:\Program Files\Adobe\PageMaker 7.0\Pm70.exe
    C:\Program Files\Corel\Corel Graphics 12\Programs\CorelDRW.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\BitDefender\BitDefender 2010\bdagent.exe
    C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
    C:\Program Files\Microsoft Security Essentials\msseces.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Edward Lee\Desktop\asdflkj.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?fr=fp-yie8
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?fr=fp-yie8
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://en.us.acer.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2010\IEToolbar.dll
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    O4 - HKLM\..\Run: [ntiMUI] c:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [LaunchApp] Alaunch
    O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
    O4 - HKLM\..\Run: [eLockMonitor] C:\Acer\Empowering Technology\eLock\Monitor\LaunchMonitor.exe
    O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe 1
    O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [Acer Empowering Technology Monitor] C:\WINDOWS\system32\SysMonitor.exe
    O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2010\bdagent.exe"
    O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2010\IEShow.exe"
    O4 - HKLM\..\Run: [uyvtbjri] C:\Documents and Settings\NetworkService\Local Settings\Application Data\emiwwv\vqjosftav.exe
    O4 - HKLM\..\Run: [wgytmejt] C:\Documents and Settings\NetworkService\Local Settings\Application Data\dmibqi\vgklsftav.exe
    O4 - HKLM\..\Run: [MSSE] "C:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
    O4 - HKLM\..\RunOnce: [Del C:\Documents and Settings\NetworkService\Local Settings\Application Data\dmibqi OnNextReboot] cmd.exe /c RD /S /Q "C:\Documents and Settings\NetworkService\Local Settings\Application Data\dmibqi"
    O4 - HKLM\..\RunOnce: [Del C:\Documents and Settings\NetworkService\Local Settings\Application Data\emiwwv OnNextReboot] cmd.exe /c RD /S /Q "C:\Documents and Settings\NetworkService\Local Settings\Application Data\emiwwv"
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [uyvtbjri] C:\Documents and Settings\NetworkService\Local Settings\Application Data\emiwwv\vqjosftav.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [wgytmejt] C:\Documents and Settings\NetworkService\Local Settings\Application Data\dmibqi\vgklsftav.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [uyvtbjri] C:\Documents and Settings\NetworkService\Local Settings\Application Data\emiwwv\vqjosftav.exe (User 'Default user')
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O23 - Service: Acer ODDSpeedControl - TODO: <????> - C:\Acer\Empowering Technology\eAcoustics\ODDSpeedCtl\speedcontrol.exe
    O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
    O23 - Service: Google Update Service (gupdate1c9d331612288e2) (gupdate1c9d331612288e2) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender S.R.L. - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
    O23 - Service: LockServ - Unknown owner - C:\Acer\Empowering Technology\eLock\LockServ.exe
    O23 - Service: SGCQP - Sysinternals - www.sysinternals.com - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\SGCQP.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
    O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2010\vsserv.exe

    --
    End of file - 12481 bytes

  3. #3
    Junior Member
    Join Date
    Mar 2010
    Posts
    17

    Default

    Oh, I forget to mention:
    My dad says BitDefender found something else called "Exploit.PDF-JS..get"
    However, he told BitDefender to delete it and I don't know where it is now. But he says it keeps popping up. Please give us some help!

  4. #4
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,460

    Default

    Hello pklee,

    "BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance)
    Posting additional comments or logs before a volunteer responds, can push you back instead of forward, because your thread ends up with a newer date. In addition helpers would think you are already being assisted because of the post count.
    Normally I'd suggest starting a new topic providing the HJT log with a link back to this thread however first we need to address this,
    Quote Originally Posted by pklee View Post
    My dad has a PC at his office
    Please see this post, Personal computers or.....

    Best regards,
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  5. #5
    Junior Member
    Join Date
    Mar 2010
    Posts
    17

    Default

    Quote Originally Posted by tashi View Post
    Hello pklee,

    "BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance)
    Normally I'd suggest starting a new topic providing the HJT log with a link back to this thread however first we need to address this,

    Please see this post, Personal computers or.....

    Best regards,
    Oh, sorry! When I say "office" I mean his own personal office. He has his own small business and this is the only computer there on the network. It's not a company computer and there is no IT department. Thanks for pointing that out and sorry again! If you still suggest a new topic with a fresh HJT log, I'd be happy to do so.

    http://forums.spybot.info/showthread.php?t=56001
    Last edited by tashi; 2010-03-11 at 21:36. Reason: Added link to new topic :-)

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •