
Vundo Trojan efcdeec.dll


Original Message
Name: Legalto
Date: September 23, 2007 at 14:05:06 Pacific
Subject: Vundo Trojan efcdeec.dll
OS: XP Pro
CPU/Ram: 3.0ghz, 1.5G
Model/Manufacturer: custom
Comment:

Hey guys, I recently got the vundo trojan virus. I'm currently running McAfee and it keeps on popping up saying that I have the virus and the file path is given by: C:\WINDOWS\system32\efcdeec.dll
I'm having trouble getting rid of this one. I've already tried symantec's FixVundo. I've also tried VundoFix V6.5.9 to no avail. Guys, I'm at a total loss here. Can someone help me out?




Response Number 1
Name: jabuck
Date: September 23, 2007 at 14:27:25 Pacific
Subject: Vundo Trojan efcdeec.dll

Please download VundoFix.exe to your C:\.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Run Vundofix again.

Post the log located at C:\Vundofix.txt.

Please download ComboFix to the desktop from this link:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)

Please post the log it produces.

Please download and install the latest version of HijackThis v2.0.2:

Download the HijackThis Installer from this link: HijackThis

1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.



Response Number 2
Name: Kaithlyn
Date: September 24, 2007 at 07:25:49 Pacific
Subject: Vundo Trojan efcdeec.dll

In case you still need help, try simplified Vundo removal. But I think (and hope) that what jabuck suggested has worked.

tc;



Response Number 3
Name: Legalto
Date: September 24, 2007 at 16:15:17 Pacific
Subject: Vundo Trojan efcdeec.dll

Okay, before you responded I tried using VirtumundoBeGone which stopped the annoying pop ups from McAfee telling me that I have the virus. However, I'm still getting popups for the winfreeanti virus software. When I run VundoFix it's still detecting the efcdeec.dll file.

These are the files that it is detecting:
efcdeec.dll
nqtss.bak1
nqtss.bak2
nqtss.ini
nqtss.exe

I then proceeded to remove them. It asked me to restart, saying it was unable to remove them. On the reboot it comes back up and I click scan again and then remove. It then tells me that I need to reboot again to remove them, which in turn doesn't work (surprise surprise). Also, right after I click the remove button after reboot a message comes up saying that the computer will restart in 60 seconds.

For some reason now, McAfee just stopped working and I can no longer log into gtalk. I get a "could not authenticate to server" error.



Response Number 4
Name: jabuck
Date: September 24, 2007 at 18:57:09 Pacific
Subject: Vundo Trojan efcdeec.dll

And it will get worse.

Post the ComboFix log, then the HijackThis log requested in response #1, please.



Response Number 5
Name: Legalto
Date: September 25, 2007 at 16:42:06 Pacific
Subject: Vundo Trojan efcdeec.dll

Hey guys, I got a copy of spyware doctor and it seems to have fixed the problem. I've still done as you've asked since I realize it may not have removed the issue. Here is Hijackthis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:39:45 PM, on 9/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20627)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\Program Files\Mcafee\MWL\MWLGui.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe
C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Vidalia Bundle\Tor\tor.exe
C:\Program Files\Mcafee\MWL\MwlSvc.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [MWLExe] C:\Program Files\Mcafee\MWL\MWLGui.exe /Start
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Vidalia] "C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe"
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Global Startup: Privoxy.lnk = C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open Client to monitor &1 - C:\WINDOWS\web\AOpenClient.htm
O8 - Extra context menu item: Open Client to monitor &2 - C:\WINDOWS\web\AOpenClient.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binar...
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: McAfee Wireless Network Security Service (MWLSvc) - McAfee, Inc. - C:\Program Files\Mcafee\MWL\MwlSvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (file missing)

--
End of file - 9849 bytes

Here is the ComboFix log:

ComboFix 07-09-21.2 - "Austin" 2007-09-25 19:30:52.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.624 [GMT -7:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\check_LSA7.txt
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\aomabsnw.ini
C:\WINDOWS\system32\wnsbamoa.dll

.
((((((((((((((((((((((((( Files Created from 2007-08-26 to 2007-09-26 )))))))))))))))))))))))))))))))
.

2007-09-25 19:29 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-25 19:26 <DIR> d-------- C:\WINDOWS\system32\config\SYSTEM~1\APPLIC~1\PC Tools
2007-09-24 19:50 85,056 --a------ C:\WINDOWS\system32\xwjuavdn.dll
2007-09-24 19:40 2,009,855 ---hs---- C:\WINDOWS\system32\nqtss.ini2
2007-09-24 19:39 82,248 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-09-24 19:39 57,672 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-09-24 19:39 40,264 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-09-24 19:39 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-09-24 19:39 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-09-24 19:39 <DIR> d-------- C:\DOCUME~1\Austin\APPLIC~1\PC Tools
2007-09-24 19:17 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-09-24 19:17 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-09-24 18:25 85,056 --a------ C:\WINDOWS\system32\kbcwdowg.dll
2007-09-23 17:24 <DIR> d-------- C:\DOCUME~1\Austin\APPLIC~1\InstallShield
2007-09-23 16:41 <DIR> d-------- C:\VundoFix Backups
2007-09-23 10:23 <DIR> d-------- C:\Program Files\Vidalia Bundle
2007-09-23 10:23 <DIR> d-------- C:\DOCUME~1\Austin\APPLIC~1\Vidalia
2007-09-23 10:23 <DIR> d-------- C:\DOCUME~1\Austin\APPLIC~1\tor
2007-09-22 12:36 1,152 --a------ C:\WINDOWS\system32\windrv.sys
2007-09-22 12:19 <DIR> d-------- C:\DOCUME~1\Austin\APPLIC~1\Lavasoft
2007-09-22 12:15 <DIR> d-------- C:\Program Files\Lavasoft
2007-09-20 18:00 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-17 19:45 <DIR> d-------- C:\Program Files\Activision
2007-09-16 20:43 <DIR> d-------- C:\WINDOWS\system32\config\SYSTEM~1\APPLIC~1\Google
2007-09-13 21:07 43 --a------ C:\DOCUME~1\Austin\RUNME.bat
2007-09-13 21:07 2,560 --a------ C:\DOCUME~1\Austin\install.exe
2007-09-13 21:05 <DIR> d--hs---- C:\WINDOWS\ftpcache
2007-09-11 21:58 <DIR> d-------- C:\Program Files\ATITool
2007-09-11 17:05 <DIR> d-------- C:\ATI
2007-09-11 16:55 <DIR> d-------- C:\DOCUME~1\Austin\APPLIC~1\ATI
2007-09-11 16:46 <DIR> d-------- C:\Program Files\Common Files\ATI Technologies
2007-09-11 16:42 593,920 --a------ C:\WINDOWS\system32\ati2sgag.exe
2007-09-11 16:42 307,200 --a------ C:\WINDOWS\system32\atiiiexx.dll
2007-09-11 16:42 3,107,788 -ra------ C:\WINDOWS\system32\ativvaxx.dat
2007-09-11 16:42 156,671 --a------ C:\WINDOWS\system32\atiicdxx.dat
2007-09-11 16:42 <DIR> d-------- C:\Program Files\ATI Technologies
2007-09-11 16:35 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-09-11 08:52 86,016 --a------ C:\WINDOWS\system32\OpenAL32.dll
2007-09-11 08:52 262,144 --a------ C:\WINDOWS\system32\wrap_oal.dll
2007-09-11 08:50 <DIR> d-------- C:\Program Files\Futuremark
2007-09-11 00:35 5,632 --a------ C:\WINDOWS\system32\drivers\Entech64.sys
2007-09-11 00:35 3,972 --a------ C:\WINDOWS\system32\drivers\PciBus.sys
2007-09-11 00:35 21,664 --a------ C:\WINDOWS\system32\drivers\Entech.sys
2007-09-11 00:35 <DIR> d-------- C:\WINDOWS\system32\Futuremark
2007-09-10 22:46 5,248 --a------ C:\WINDOWS\system32\drivers\d347prt.sys
2007-09-10 22:46 155,136 --a------ C:\WINDOWS\system32\drivers\d347bus.sys
2007-09-10 22:46 <DIR> d-------- C:\Program Files\D-Tools
2007-09-10 22:10 2,944 --a------ C:\WINDOWS\system32\mbmiodrvr.sys
2007-09-10 22:10 <DIR> d-------- C:\Program Files\Motherboard Monitor 5
2007-09-06 08:36 86,016 --a------ C:\WINDOWS\unvise32.exe
2007-09-06 08:35 <DIR> d-------- C:\Program Files\The Rosetta Stone
2007-09-06 00:18 <DIR> d-------- C:\Program Files\PeerGuardian2
2007-09-03 22:07 24,816 --a------ C:\WINDOWS\system32\mdimon.dll
2007-09-03 22:06 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-09-03 22:05 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-09-03 22:05 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-09-03 22:04 <DIR> dr-h----- C:\MSOCache
2007-08-30 22:15 <DIR> d-------- C:\Program Files\iTunes
2007-08-30 22:15 <DIR> d-------- C:\Program Files\iPod
2007-08-30 22:15 <DIR> d-------- C:\DOCUME~1\Austin\APPLIC~1\Apple Computer
2007-08-30 22:14 <DIR> d-------- C:\Program Files\QuickTime
2007-08-30 22:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-08-30 22:13 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-08-30 22:13 <DIR> d-------- C:\Program Files\Apple Software Update
2007-08-30 22:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-08-30 22:09 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2007-08-26 01:12 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-08-26 01:12 <DIR> d-------- C:\DOCUME~1\Austin\APPLIC~1\Bioshock
2007-08-26 01:09 <DIR> d-------- C:\Program Files\2K Games
2007-08-25 23:58 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2007-08-25 23:58 <DIR> d-------- C:\DOCUME~1\Austin\APPLIC~1\SystemRequirementsLab

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-25 19:33 0 --a------ C:\WINDOWS\system32\drivers\lvuvc.hs
2007-09-25 1OCUME~1\ALLUSE~1\APPLIC~1\Google Updater
2007-09-25 0rogram Files\McAfee
2007-09-24 2rogram Files\Steam
2007-09-23 1rogram Files\InstallShield Installation Information
2007-09-23 1rogram Files\Outspark
2007-09-23 1rogram Files\NCSoft
2007-09-23 1rogram Files\Image-Line
2007-09-23 1rogram Files\VstPlugins
2007-09-16 2rogram Files\Google
2007-09-12 00:17 22328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-09-12 00:16 103736 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2007-09-11 1rogram Files\Common Files\InstallShield
2007-09-11 0OCUME~1\Austin\APPLIC~1\nView_Wallpaper
2007-08-21 19:33 46432 --a------ C:\WINDOWS\system32\drivers\ativvpxx.vp
2007-08-21 19:09 352256 --a------ C:\WINDOWS\system32\ATIDEMGX.dll
2007-08-21 19:07 268800 --a------ C:\WINDOWS\system32\ati2dvag.dll
2007-08-21 19:07 2417664 --a------ C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-08-21 18:59 26112 --a------ C:\WINDOWS\system32\Ati2mdxx.exe
2007-08-21 18:59 143360 --a------ C:\WINDOWS\system32\atipdlxx.dll
2007-08-21 18:58 43520 --a------ C:\WINDOWS\system32\ati2edxx.dll
2007-08-21 18:58 122880 --a------ C:\WINDOWS\system32\ati2evxx.dll
2007-08-21 18:57 487424 --a------ C:\WINDOWS\system32\ati2evxx.exe
2007-08-21 18:56 53248 --a------ C:\WINDOWS\system32\ATIDDC.DLL
2007-08-21 18:48 8306688 --a------ C:\WINDOWS\system32\atioglx2.dll
2007-08-21 18:47 3091392 --a------ C:\WINDOWS\system32\ati3duag.dll
2007-08-21 18:35 1586816 --a------ C:\WINDOWS\system32\ativvaxx.dll
2007-08-21 18:21 5435392 --a------ C:\WINDOWS\system32\atioglxx.dll
2007-08-21 18:19 266240 --a------ C:\WINDOWS\system32\atikvmag.dll
2007-08-21 18:17 17408 --a------ C:\WINDOWS\system32\atitvo32.dll
2007-08-21 18:15 172032 --a------ C:\WINDOWS\system32\atiok3x2.dll
2007-08-21 18:13 49152 --a------ C:\WINDOWS\system32\drivers\ati2erec.dll
2007-08-21 18:11 450560 --a------ C:\WINDOWS\system32\ati2cqag.dll
2007-08-21 0rogram Files\Diablo II
2007-08-21 09:35 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-08-21 09:34 21840 --a------ C:\WINDOWS\system32\SIntfNT.dll
2007-08-21 09:34 17212 --a------ C:\WINDOWS\system32\SIntf32.dll
2007-08-21 09:34 12067 --a------ C:\WINDOWS\system32\SIntf16.dll
2007-08-21 09:26 94208 --a------ C:\WINDOWS\DIIUnin.exe
2007-08-18 1rogram Files\MSN Messenger
2007-08-18 1OCUME~1\Austin\APPLIC~1\GetRightToGo
2007-08-18 0rogram Files\Common Files\LogiShrd
2007-08-18 0rogram Files\Logitech
2007-08-18 0OCUME~1\ALLUSE~1\APPLIC~1\Logitech
2007-08-18 0OCUME~1\ALLUSE~1\APPLIC~1\LogiShrd
2007-08-16 0rogram Files\MSXML 6.0
2007-08-16 0rogram Files\MSXML 4.0
2007-08-12 19:10 22328 --a------ C:\DOCUME~1\Austin\APPLIC~1\PnkBstrK.sys
2007-08-12 19:09 66872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2007-08-02 2rogram Files\Synergy
2007-08-02 2rogram Files\Common Files\DirectX
2007-08-02 2OCUME~1\ALLUSE~1\APPLIC~1\Outspark
2007-08-02 2rogram Files\Microsoft CAPICOM 2.1.0.2
2007-08-02 1rogram Files\Bethesda Softworks
2007-08-02 1OCUME~1\Austin\APPLIC~1\vlc
2007-08-02 1rogram Files\BitLord
2007-08-02 1rogram Files\ImgBurn
2007-08-02 1OCUME~1\Austin\APPLIC~1\WinRAR
2007-08-02 1OCUME~1\ALLUSE~1\APPLIC~1\McAfee
2007-08-02 1rogram Files\Common Files\McAfee
2007-08-02 1rogram Files\McAfee.com
2007-08-02 1OCUME~1\ALLUSE~1\APPLIC~1\nView_Profiles
2007-08-02 1OCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2007-08-02 1OCUME~1\Austin\APPLIC~1\Talkback
2007-08-02 1OCUME~1\ALLUSE~1\APPLIC~1\Google
2007-08-02 1rogram Files\PowerISO
2007-08-02 1rogram Files\Bonjour
2007-08-02 1rogram Files\Realtek Sound Manager
2007-08-02 1rogram Files\AvRack
2007-08-02 1rogram Files\Intel
2007-08-02 1rogram Files\VideoLAN
2007-08-02 1rogram Files\Common Files\Macrovision Shared
2007-08-02 1rogram Files\microsoft frontpage
2007-08-02 1rogram Files\Common Files\Symantec Shared
2007-08-02 1OCUME~1\Austin\APPLIC~1\ImgBurn
2007-08-02 1rogram Files\Windows Media Connect 2
2007-08-02 09:59 806 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-08-02 09:59 8014 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-08-02 0OCUME~1\Austin\APPLIC~1\Google
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-06-29 00:43 5690624 --a------ C:\WINDOWS\system32\nv4_disp.dll
2007-06-25 23:06 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 14:22]
"MskAgentexe"="C:\Program Files\McAfee\MSK\MskAgent.exe" [2007-01-17 16:30]
"MWLExe"="C:\Program Files\Mcafee\MWL\MWLGui.exe" [2007-03-12 11:40]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-05-17 10:52]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"HydraVisionDesktopManager"="C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe" [2003-09-15 21:00]
"SNM"="C:\Program Files\SpyNoMore\SNM.exe" []
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-08-14 17:02]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 16:56]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]
"Vidalia"="C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe" [2007-08-25 23:02]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"ShowDeskFix"=regsvr32 /s /n /i:u shell32

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Privoxy.lnk - C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe [2006-11-20 07:30:54]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
"C:\Program Files\D-Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
"C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PeerGuardian]
C:\Program Files\PeerGuardian2\pg2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlayNC Launcher]
C:\program files\ncsoft\launcher\NCLauncher.exe /Minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"C:\Program Files\Steam\Steam.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

R1 ATITool;ATITool Overclocking Utility;C:\WINDOWS\system32\DRIVERS\ATITool.sys
S3 AC2003;AC2003;C:\WINDOWS\system32\Drivers\AC2003.sys
S3 EraserUtilDrvI2;EraserUtilDrvI2;\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI2.sys
S3 WBHWDOCT;Winbond GPIO Driver1;C:\WINDOWS\system32\drivers\WBHWDOCT.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
AutoRun\command- G:\CD_Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
AutoRun\command- H:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-09-21 05:45:07 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-08-15 08:25:42 C:\WINDOWS\Tasks\McDefragTask.job"
- C:\WINDOWS\system32\defrag.exe
"2007-08-02 17:36:09 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-25 19:35:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-25 19:37:19 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-25 19:37
.
--- E O F ---


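The two logs above contain the things a responder actually looks for before deciding what to "fix": a BHO whose CLSID is still registered but whose DLL is gone (the O2 line ending in "(no file)"), services whose binary is missing or carries no publisher, and the Vundo file pattern in ComboFix's deletions, where the .ini name is the DLL name spelled backwards (aomabsnw.ini beside wnsbamoa.dll). The Python below is an added example, not code from this thread or from VundoFix, ComboFix or HijackThis. The sample lines are copied from the logs posted above; the "7 to 8 lowercase letters, no digits" name-shape check is an assumed heuristic and is deliberately shown catching a legitimate vendor file (atiiiexx.dll) so that nobody deletes on that signal alone.

```python
import re

# Constructed sample: lines copied from the HijackThis log posted above.
HJT_SAMPLE = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (file missing)
"""

# Constructed sample: entries from the ComboFix "Other Deletions" and
# "Files Created" sections posted above.
COMBOFIX_SAMPLE = r"""
C:\WINDOWS\system32\aomabsnw.ini
C:\WINDOWS\system32\wnsbamoa.dll
2007-09-24 19:50 85,056 --a------ C:\WINDOWS\system32\xwjuavdn.dll
2007-09-24 19:40 2,009,855 ---hs---- C:\WINDOWS\system32\nqtss.ini2
2007-09-24 18:25 85,056 --a------ C:\WINDOWS\system32\kbcwdowg.dll
2007-09-24 19:17 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-09-11 16:42 307,200 --a------ C:\WINDOWS\system32\atiiiexx.dll
"""

HJT_LINE = re.compile(r"^(R\d|O\d+) - (.*)$")


def flag_hjt(text):
    """Return (section, reason, entry) for HijackThis lines that need a decision."""
    findings = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if not m:
            continue
        sec, body = m.groups()
        if sec == "O2" and body.endswith("(no file)"):
            findings.append((sec, "BHO CLSID still registered but its DLL is gone; fix the orphan", body))
        elif sec == "O23" and body.endswith("(file missing)"):
            findings.append((sec, "service registered for a binary that no longer exists", body))
        elif sec == "O23" and " - Unknown owner - " in body:
            findings.append((sec, "service binary carries no publisher; verify before trusting", body))
    return findings


WIN_PATH = re.compile(r"([A-Za-z]:\\.+)$")


def extract_paths(text):
    """Pull the trailing Windows path out of each ComboFix file line."""
    paths = []
    for line in text.splitlines():
        m = WIN_PATH.search(line)
        if m:
            paths.append(m.group(1).strip())
    return paths


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


VUNDO_COMPANIONS = {"ini", "ini2", "bak1", "bak2"}


def vundo_reverse_pairs(paths):
    """Strong signal: a DLL whose reversed stem names an .ini/.bak file in the
    same listing (aomabsnw.ini beside wnsbamoa.dll in the log above)."""
    exts_by_stem = {}
    for p in paths:
        stem, _, ext = _basename(p).rpartition(".")
        exts_by_stem.setdefault(stem, set()).add(ext)
    pairs = []
    for stem in sorted(exts_by_stem):
        if "dll" not in exts_by_stem[stem]:
            continue
        companions = sorted(stem[::-1] + "." + e
                            for e in exts_by_stem.get(stem[::-1], ())
                            if e in VUNDO_COMPANIONS)
        if companions:
            pairs.append((stem + ".dll", companions))
    return pairs


RANDOM_DLL = re.compile(r"^[a-z]{7,8}\.dll$")


def suspicious_system32_dlls(paths):
    """Weak signal (assumed heuristic): 7-8 lowercase letters, no digits, under
    system32. It also catches vendor files such as atiiiexx.dll, so use it only
    to pick files for timestamp and hash review, never to delete on its own."""
    return sorted(_basename(p) for p in paths
                  if "\\system32\\" in p.lower() and RANDOM_DLL.match(_basename(p)))


if __name__ == "__main__":
    for sec, reason, body in flag_hjt(HJT_SAMPLE):
        print("%s  %s\n    %s" % (sec, reason, body))
    paths = extract_paths(COMBOFIX_SAMPLE)
    print("reverse-name pairs:", vundo_reverse_pairs(paths))
    print("name-shape review list:", suspicious_system32_dlls(paths))
```

The reverse-name pair is the check worth automating: it is specific to this family and it is what ties the .ini/.bak files to the DLL that VundoFix kept reporting. The name-shape list is only a starting point for looking at creation times, digital signatures and hashes, which is why it deliberately returns a legitimate ATI file on this machine.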



Response Number 6
Name: jabuck
Date: September 25, 2007 at 18:03:27 Pacific
Subject: Vundo Trojan efcdeec.dll

To finish cleaning up do the following:

Run Hijack This, close all windows except Hijack This, place a check to the left of the following items and press "fix checked":

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Download test.exe from this link http://swandog46.geekstogo.com/test.exe

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.

Copy all the text contained in the area between the X"s below to your Clipboard by highlighting it and pressing (Ctrl+C):
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Files to delete:
C:\WINDOWS\system32\xwjuavdn.dll
C:\WINDOWS\system32\nqtss.ini2
C:\WINDOWS\system32\kbcwdowg.dll

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
Paste the text copied to clipboard into this window by pressing (Ctrl+V).

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

After the restart, it creates a log file that should open with the results of Avenger’s actions.
This log file will be located at C:\avenger.txt
Please copy/paste the content of C:\avenger.txt into your reply.

Please download ATF-Cleaner to your desktop from this link
http://www.atribune.org/content/view/19/2/ We will need it later in safe mode

Empty the restore folder. Go to Start > Control Panel > System > System Restore tab > check the box beside "Turn off System Restore" > Apply (takes a minute) > OK. Go back and uncheck the box to turn System Restore back on > Apply > OK.

Next, please reboot your computer in Safe Mode by doing the following :

Restart your computer

After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;

Instead of Windows loading as normal, a menu with options should appear;

Select the first option, to run Windows in Safe Mode, then press "Enter".

Choose your usual account.

Run ATF-Cleaner from Safe Mode. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

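Every tool in this thread falls back on a reboot when a file will not go away in the running session (VundoFix reran itself at boot, Avenger reboots the machine to act), because a DLL that is mapped into a process that is still running cannot be unlinked while it is loaded. Windows has a built-in mechanism for exactly this: the session manager reads the REG_MULTI_SZ value PendingFileRenameOperations very early at boot, before winlogon or the shell are up, and for every source string whose paired destination is empty it deletes the source. That is what MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT writes. The Python below is an added example of queueing that value, not the code of VundoFix, Avenger or ComboFix and not a claim about how they do it. The sample paths are the three from jabuck's Avenger script; the only assumed name is the script's own. It writes nothing unless apply=True, and then only on Windows with an administrative token.

```python
import sys

# Registry location the session manager (smss.exe) consults at boot.
SESSION_MANAGER_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
VALUE_NAME = "PendingFileRenameOperations"

# Constructed sample: the files targeted by the Avenger script in this thread.
LOCKED_FILES = [
    r"C:\WINDOWS\system32\xwjuavdn.dll",
    r"C:\WINDOWS\system32\nqtss.ini2",
    r"C:\WINDOWS\system32\kbcwdowg.dll",
]


def to_nt_path(win_path):
    r"""The value stores NT object paths (prefix \??\), not Win32 drive paths."""
    if win_path.startswith("\\??\\"):
        return win_path
    if len(win_path) < 3 or win_path[1] != ":" or win_path[2] != "\\":
        raise ValueError("need an absolute drive path, got %r" % (win_path,))
    return "\\??\\" + win_path


def build_pending_ops(paths, existing=()):
    """Return the REG_MULTI_SZ content: every pair already queued, followed by
    (source, "") for each new path. An empty destination string means delete."""
    ops = list(existing)
    if len(ops) % 2:
        raise ValueError("existing value is malformed: strings must come in pairs")
    queued = set(ops[0::2])
    for p in paths:
        src = to_nt_path(p)
        if src in queued:          # already scheduled; do not queue it twice
            continue
        ops.extend([src, ""])
        queued.add(src)
    return ops


def schedule_delete_on_reboot(paths, apply=False):
    """Merge paths into the live value. With apply=False (default) nothing is
    written and the would-be value is returned; apply=True needs Windows and
    an elevated token. The merge matters: overwriting the value would discard
    deletions queued by Windows Update or other installers."""
    if not apply:
        return build_pending_ops(paths)
    if sys.platform != "win32":
        raise RuntimeError("PendingFileRenameOperations only exists on Windows")
    import winreg
    access = winreg.KEY_READ | winreg.KEY_SET_VALUE
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SESSION_MANAGER_KEY, 0, access) as key:
        try:
            existing, kind = winreg.QueryValueEx(key, VALUE_NAME)
            if kind != winreg.REG_MULTI_SZ:
                existing = ()
        except FileNotFoundError:
            existing = ()
        ops = build_pending_ops(paths, existing)
        # The whole MULTI_SZ is rewritten with the merged list.
        winreg.SetValueEx(key, VALUE_NAME, 0, winreg.REG_MULTI_SZ, ops)
    return ops


if __name__ == "__main__":
    for s in schedule_delete_on_reboot(LOCKED_FILES, apply="--apply" in sys.argv):
        print(repr(s))
```

Two caveats a practitioner would add to this. First, the value is consumed and cleared during the boot, so if the files are still there afterwards the loader that drops them survived the reboot, and the autostart entries (here the orphaned O2 BHO and anything else pointing into system32) have to be dealt with in the same pass. Second, anything running as SYSTEM, including the malware, can edit the same value before the reboot, so read it back immediately before restarting and again after.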


Response Number 7
Name: Legalto
Date: September 25, 2007 at 18:11:40 Pacific
Subject: Vundo Trojan efcdeec.dll

Alright thanks man.



Response Number 8
Name: jabuck
Date: September 25, 2007 at 18:43:29 Pacific
Subject: Vundo Trojan efcdeec.dll

Glad we could help.

