
Trojan infection

Status
Not open for further replies.

LilBob

Technical User
Jul 25, 2008
201
US
Friend asked me to check his pc out. It was loaded with errors. I believe it's infected with Vundo. Many Windows updates missing. He was running Norton AV (long expired) & AVG free. Installed avast but it won't allow me to update it. Tried installing MBAM (even saved it as test2) but it acts like it doesn't finish. Cannot run it even in safe mode. Tried running spybot, no go. chkdsk /r won't run, get a message stating 'Type of file system is raw. Chkdsk is not available for raw drives'. Ran HJT & corrected all problems found or so I thought. Reran HJT & here's the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:25:52 PM, on 3/2/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\PreSonus\1394AudioDriver_FIREBox\FIREBOX Control.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HiJackThis2.02.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {323C8321-13FB-4C15-A487-4E08FA5EF4D1} - C:\WINDOWS\system32\jkkICvUm.dll
O2 - BHO: (no name) - {73259091-9574-4ED8-A40F-7F65AFC28634} - C:\WINDOWS\system32\wvUoPffg.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [FIREBOX] C:\Program Files\PreSonus\1394AudioDriver_FIREBox\FIREBOX Control.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [08dea99a] rundll32.exe "C:\WINDOWS\system32\ovannqdi.dll",b
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: wvUoPffg - C:\WINDOWS\SYSTEM32\wvUoPffg.dll
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 3095 bytes


Cannot fix the following items:
O2 - BHO: (no name) - {323C8321-13FB-4C15-A487-4E08FA5EF4D1} - C:\WINDOWS\system32\jkkICvUm.dll
O2 - BHO: (no name) - {73259091-9574-4ED8-A40F-7F65AFC28634} - C:\WINDOWS\system32\wvUoPffg.dll
O20 - Winlogon Notify: wvUoPffg - C:\WINDOWS\SYSTEM32\wvUoPffg.dll

Also have no idea what this item is for:
O4 - HKLM\..\Run: [08dea99a] rundll32.exe "C:\WINDOWS\system32\ovannqdi.dll",b. It's also listed in msconfig. Googling gives me no data.

wvUoPffg.dll suggests to me the trojan Vundo. Is there an AV/AM app that might help me eliminate this bug (one that'll allow me to update & run)? Would manually deleting these files from system32 & scanning the registry, deleting any values there (after backing up the registry of course), work?

Thanks for any help! Bob
 
If you show both hidden and system files and then look in the system32 folder and sort the order into date modified, some suspect files will be those with latest created or modified date, but be careful what you do with those as many will be genuine. The really suspect files will be the ones that were created or modified in 1601, yes 1601, they will also have the hidden properties set. These will be listed at the front of the files after all the folders.
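The check described in the post above, written out as a script. This is an added example and not something posted in the thread: it walks System32 with hidden and system files included, flags anything whose creation or last-write date falls before 1980 (a zeroed FILETIME renders as 1 January 1601) or that is hidden and was written within the last few days, and runs an Authenticode check on each flagged file. It assumes Windows PowerShell 2.0 or later and an elevated prompt; the `$Dir` and `$RecentDays` parameters are this example's own. It only reports and deletes nothing.

```powershell
# Added example, not from the thread. Lists files in System32 that match the tip above:
# a creation or last-write date before 1980 (a zeroed FILETIME shows as 1 Jan 1601), or the
# Hidden attribute set on a file written in the last $RecentDays days. Flagged files also get
# an Authenticode check so the signer is visible next to the timestamps. Report only.
# Assumptions: Windows PowerShell 2.0 or later, run elevated so every entry is readable.
param(
    [string]$Dir = "$env:SystemRoot\System32",
    [int]$RecentDays = 7
)

$cutoff = (Get-Date).AddDays(-$RecentDays)

# -Force makes Get-ChildItem return entries that carry the Hidden and System attributes.
$files = Get-ChildItem -Path $Dir -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer }

$report = foreach ($f in $files) {
    $hidden = ($f.Attributes -band [IO.FileAttributes]::Hidden) -ne 0
    $system = ($f.Attributes -band [IO.FileAttributes]::System) -ne 0

    $reasons = @()
    if ($f.CreationTime.Year -lt 1980 -or $f.LastWriteTime.Year -lt 1980) {
        $reasons += 'timestamp-before-1980'
    }
    if ($hidden -and ($f.CreationTime -gt $cutoff -or $f.LastWriteTime -gt $cutoff)) {
        $reasons += 'hidden-and-recent'
    }
    if ($reasons.Count -eq 0) { continue }

    # Embedded Authenticode signature, if any; NotSigned is common for catalog-signed OS files.
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    $signer = ''
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

    New-Object PSObject -Property @{
        Name      = $f.Name
        Created   = $f.CreationTime
        Modified  = $f.LastWriteTime
        Hidden    = $hidden
        System    = $system
        Signature = $sig.Status
        Signer    = $signer
        Why       = ($reasons -join ',')
    }
}

$report | Sort-Object Modified |
    Select-Object Name, Created, Modified, Hidden, System, Signature, Signer, Why |
    Format-Table -AutoSize -Wrap
```

Read the output the way the post suggests: a 1601 date plus the hidden attribute is the strong signal, and a recent hidden file is only a lead. On XP most operating-system files are signed through catalogs, which Get-AuthenticodeSignature does not consult, so a NotSigned status on its own does not make a file suspect.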
 
Turkbear,
I ran VundoFix & VirtumondoBegone in normal & safe modes; it found 0 infected files.

I was finally able to run MBAM in safe mode. It found 654 items infected with Vundo, Zlob, TDSS and more. Rerun of MBAM in normal mode found 10 more infected items; all were removed. CHKDSK now works & shows file system as NTFS. Updated Windows to SP3, installing all patches and verifying all is up to date & working properly. Had shut down sys restore & will turn that back on before returning the tower to him. He’s a chef at a local restaurant, so I get a free meal & bottle of wine from him for my efforts.

Still have rundll32.exe "C:\WINDOWS\system32\ovannqdi.dll",b listed in msconfig. Can't find anything about this by googling. I have it disabled but thinking of using MSConfig Cleanup to remove it. All running smoothly. Ironically, a client brought their tower in & it's experiencing the same symptoms. I can't even get ComboFix to work. Already warned her I might need to do a clean install.

Thanks linney for that tip about modified date. I have to admit, I thought it was a typo @ first.

Bob
 
Hi,
If you right-click ovannqdi.dll in that directory what does it show as Properties..Version?


To Paraphrase:"The Help you get is proportional to the Help you give.."
 
That's strange, "C:\WINDOWS\system32\ovannqdi.dll",b doesn't exist there. Did a search for ovannqdi, including hidden & system files, and that drew a blank. Running regedit, ovannqdi was found in a few areas,

HKEY_CURRENT\Software\Microsoft\Search Assistant\ACMru\5603
HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\MSConfig\startupreg\08dea99a
and in HKEY_USERS

I'm leaning toward backing up the registry & removing the keys, recheck msconfig & clean it out if it still exists.

Thanks again for the help. Bob
 
Hi,
Sounds like the thing to do..MsConfig is probably getting its info from the registry keys you found.


To Paraphrase:"The Help you get is proportional to the Help you give.."
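The last three exchanges (checking the DLL's Properties..Version, finding the entry under the Run key and under msconfig's startupreg store, and backing up before removing) come together in the script below. It is an added example, not code from the thread or from any of the tools mentioned: it enumerates the HKLM and HKCU Run values and the subkeys of HKLM\Software\Microsoft\Shared Tools\MSConfig\startupreg, pulls the referenced file out of each command line (including the rundll32 "dll",entry form), prints its version info when the file exists, and marks the entry ORPHANED when the file is gone. Keys are exported with reg.exe before anything is touched, and removal only happens with the `-Remove` switch. It assumes Windows PowerShell 2.0 or later run elevated, and that each startupreg subkey stores the original command line in a value named `command`; the parameter names and the `Get-TargetPath`, `Get-AutostartEntries` and `Backup-Key` helpers are this example's own.

```powershell
# Added example, not from the thread. Audits the Run keys and msconfig's store for unticked
# items, resolves the file each command line points at, shows its version, and flags entries
# whose target no longer exists. Every key is exported with reg.exe before a removal, and
# nothing is removed unless -Remove is given.
# Assumptions: Windows PowerShell 2.0 or later, elevated; startupreg subkeys keep the
# original command line in a value named "command".
param(
    [switch]$Remove,
    [string]$BackupDir = "$env:USERPROFILE\Desktop\regbackup"
)

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$msconfigStore = 'HKLM:\Software\Microsoft\Shared Tools\MSConfig\startupreg'

# First file a command line refers to: a quoted path or the first token. For rundll32 the
# interesting file is the DLL after it, written "C:\x.dll",entry or C:\x.dll,entry.
function Get-TargetPath([string]$cmd) {
    $cmd = $cmd.Trim()
    if ($cmd -match '^"([^"]+)"') { $first = $matches[1] } else { $first = ($cmd -split '\s+')[0] }
    if ($first -match '(?i)rundll32(\.exe)?$') {
        $rest = ($cmd -replace ('^"?' + [regex]::Escape($first) + '"?\s*'), '').Trim()
        if ($rest -match '^"([^"]+)"') { $first = $matches[1] } else { $first = ($rest -split ',')[0].Trim() }
    }
    return [Environment]::ExpandEnvironmentVariables($first)
}

function Get-AutostartEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $reg = Get-Item $key
        foreach ($name in $reg.GetValueNames()) {
            if ($name -eq '') { continue }
            New-Object PSObject -Property @{
                Source = 'Run'; Key = $key; Name = $name; Command = [string]$reg.GetValue($name)
            }
        }
    }
    if (Test-Path $msconfigStore) {
        foreach ($sub in Get-ChildItem $msconfigStore) {
            $cmd = $sub.GetValue('command')
            if (-not $cmd) { continue }
            New-Object PSObject -Property @{
                Source = 'msconfig-disabled'; Key = (Join-Path $msconfigStore $sub.PSChildName)
                Name = $sub.PSChildName; Command = [string]$cmd
            }
        }
    }
}

# Export a key with reg.exe (HKLM:\... becomes HKLM\... for the tool) into a timestamped .reg file.
function Backup-Key([string]$key) {
    if (-not (Test-Path $BackupDir)) { New-Item -ItemType Directory -Path $BackupDir | Out-Null }
    $regPath = $key -replace '^(HK[A-Z]+):\\', '$1\'
    $stamp = Get-Date -Format yyyyMMdd_HHmmss
    $file = Join-Path $BackupDir (($key -replace '[:\\]', '_') + "_$stamp.reg")
    & reg.exe export $regPath $file | Out-Null
    return $file
}

$report = foreach ($e in Get-AutostartEntries) {
    $target = Get-TargetPath $e.Command
    $rooted = [IO.Path]::IsPathRooted($target)
    $exists = $rooted -and (Test-Path -LiteralPath $target)
    $version = ''
    if ($exists) {
        # Same data as Properties..Version in Explorer (-Force so hidden files are readable).
        $vi = (Get-Item -LiteralPath $target -Force).VersionInfo
        $version = '{0} ({1})' -f $vi.FileVersion, $vi.CompanyName
    }
    $status = if (-not $rooted) { 'UNRESOLVED' } elseif ($exists) { 'ok' } else { 'ORPHANED' }
    if ($status -eq 'ORPHANED' -and $Remove) {
        $backup = Backup-Key $e.Key
        if ($e.Source -eq 'Run') { Remove-ItemProperty -Path $e.Key -Name $e.Name }
        else { Remove-Item -Path $e.Key -Recurse }
        $status = "REMOVED (backup: $backup)"
    }
    New-Object PSObject -Property @{
        Source = $e.Source; Name = $e.Name; Target = $target; Status = $status; Version = $version
    }
}

$report | Select-Object Source, Name, Status, Target, Version | Format-Table -AutoSize -Wrap
```

Run it once without `-Remove` and read the table: an entry like `[08dea99a] rundll32.exe "C:\WINDOWS\system32\ovannqdi.dll",b` whose DLL has already been cleaned away shows as ORPHANED under the msconfig-disabled source, which is what msconfig keeps listing. UNRESOLVED only means the command line had no absolute path (a bare executable name), so the script did not try to guess where it lives. Removing an orphaned entry just stops Windows from trying to load a file that is no longer there; the .reg export in `$BackupDir` is the undo.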
 
By far the easiest thing to do is put the hard drive into another computer that has an up to date Anti Virus package installed and scan it with this.

This way the files won't be in use, and it will clean the drive properly.

Thanks.

Gavin Moorhouse
