denzilla Posted December 2, 2008

I've got a PC that was infected with vundo and fakealert variants. I ran a full scan using the most recent version of SAS and today's defs, but its dlls and reg keys are being regenerated almost immediately after removal. HJT also has the same problem. I'm not currently at the PC, but I did zip up 3 dll files that regenerate as well as a HJT logfile. The dll files are named fodulivu.dll, ligutafo.dll, and kovihihi.dll. Here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:08:02 PM, on 12/1/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\ofps.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\windows\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\CCleaner\CCleaner.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O2 - BHO: (no name) - {0f4eaeab-2c34-40f3-b8f9-1ef4af5aa2f1} - C:\windows\system32\fodulivu.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [vasujavoye] Rundll32.exe "C:\windows\system32\ligutafo.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [vasujavoye] Rundll32.exe "C:\windows\system32\ligutafo.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [vasujavoye] Rundll32.exe "C:\windows\system32\ligutafo.dll",s (User 'NETWORK SERVICE')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 1267341423
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = UUU.int
O17 - HKLM\Software\..\Telephony: DomainName = UUU.int
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = UUU.int
O20 - AppInit_DLLs: C:\windows\system32\kovihihi.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: OmniForm Printer - Unknown owner - C:\WINDOWS\system32\ofps.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 5266 bytes

These are the keys I deleted:

O2 - BHO: (no name) - {0f4eaeab-2c34-40f3-b8f9-1ef4af5aa2f1} - C:\windows\system32\fodulivu.dll
O4 - HKLM\..\Run: [vasujavoye] Rundll32.exe "C:\windows\system32\ligutafo.dll",s
O4 - HKUS\S-1-5-19\..\Run: [vasujavoye] Rundll32.exe "C:\windows\system32\ligutafo.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [vasujavoye] Rundll32.exe "C:\windows\system32\ligutafo.dll",s (User 'NETWORK SERVICE')
O20 - AppInit_DLLs: C:\windows\system32\kovihihi.dll

These keys come back a few seconds after deletion. I'm reporting this in order to help the SAS community, but it would be nice to get some assistance with this as well if possible. I will be back at the PC tomorrow morning if there is more info that needs to be gathered.
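As an added example (not code from this thread or from SUPERAntiSpyware), a small Python parser that pulls DLL load points out of an HJT log like the one above: nameless O2 BHOs, O4 Run entries that start a DLL through rundll32 (including the LOCAL SERVICE / NETWORK SERVICE hives), and any O20 AppInit_DLLs value. The sample log is a constructed excerpt of the entries in the post, with a couple of vendor lines kept so the filter has something to skip.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis (HJT) log format, copied from the post above;
# the Adobe, Symantec and service lines are there to be skipped, not flagged.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {0f4eaeab-2c34-40f3-b8f9-1ef4af5aa2f1} - C:\windows\system32\fodulivu.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vasujavoye] Rundll32.exe "C:\windows\system32\ligutafo.dll",s
O4 - HKUS\S-1-5-19\..\Run: [vasujavoye] Rundll32.exe "C:\windows\system32\ligutafo.dll",s (User 'LOCAL SERVICE')
O20 - AppInit_DLLs: C:\windows\system32\kovihihi.dll
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# One regex per HJT entry type that can load a DLL into other processes.
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+\.dll)$", re.I)
RUN_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<path>.+\.dll)", re.I)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<path>[^",]+\.dll)', re.I)
SERVICE_SIDS = ("S-1-5-19", "S-1-5-20")  # LOCAL SERVICE / NETWORK SERVICE hives


def dll_persistence(log_text):
    """Map each DLL named in a load-point entry to the reasons it was flagged.

    Heuristics, not a verdict: a BHO with no name, a Run entry that loads a DLL
    via rundll32, and any AppInit_DLLs value (loaded into every process that
    loads user32.dll) are exactly the entries the post above had to delete.
    Paths are lower-cased so the same DLL seen in several hives merges.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        line = line.strip()
        if m := BHO_RE.match(line):
            if m["name"].strip().lower() == "(no name)":
                hits[m["path"].lower()].append("O2 BHO with no name")
        elif m := RUN_RE.match(line):
            if d := RUNDLL_RE.search(m["cmd"]):
                svc = any(sid in m["hive"] for sid in SERVICE_SIDS)
                where = "service-account hive" if svc else m["hive"]
                hits[d["path"].lower()].append(f"O4 Run via rundll32 ({where})")
        elif m := APPINIT_RE.match(line):
            hits[m["path"].lower()].append("O20 AppInit_DLLs")
    return dict(hits)


if __name__ == "__main__":
    for path, reasons in dll_persistence(SAMPLE_LOG).items():
        print(path, "->", "; ".join(reasons))
```

The output is a list of DLLs to submit as samples and to watch for re-creation after removal; a DLL hit from more than one load point, like ligutafo.dll here, is the first one to check.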
SUPERAntiSpy Posted December 2, 2008

Send the files to samples AT superantispyware.com and then submit a support request here: https://www.superantispyware.com/precreateticket.html
denzilla Posted December 4, 2008

I was under pressure to return my friend's PC so I was unable to keep it any longer. KAV and SAS together finally killed the infection. I sent what samples I could though. Sorry I can't do more.
beatricebythesea Posted December 4, 2008

I'm having the same problem! Every day I run SAS and it removes 14 threats (vundo variants and a fake trojan alert), but they regenerate quickly. I've tried all the "vundo removal tools" online and nothing seems to work permanently. There must be some hidden file that is regenerating. FYI, I've been scanning with the most recent updates each day. My daily routine is to run the manual update and then scan. Seriously, don't people who create malware have better things to do with their time?
beatricebythesea Posted December 4, 2008

"KAV and SAS together finally killed the infection."

What is KAV? How did you use KAV and SAS together? Thanks!!
EliteKiller Posted December 4, 2008

"KAV and SAS together finally killed the infection. What is KAV? How did you use KAV and SAS together? Thanks!!"

http://www.kaspersky.com/ SAS coexists with KAV and other antivirus software.
denzilla Posted December 4, 2008

Install Kaspersky AV 2009, update it, disconnect the PC from the net and run a full scan. Run SAS after KAV has done its thing to clean up the remaining mess. If you have the time, however, you may want to take the opportunity to work with the SAS team to help them get info on this infection, since I was unable to.