
Thread: sunbelt, block -> type code injection


  1. #1
    David H. Lipman Guest

    Re: sunbelt, block -> type code injection

    From: "look at us we're beautiful" <brryprrsh@yahoo.com>


    |
    | I should mention there are no other files I suspect of being bad...
    |
    | possibly one more beyond the wvuuutu.dll, but maybe not
    |
    | I did get rid of about 5, that SEC.TaskManager showed me.
    |
    | aaaand yet another intrusion blocked by sunbelt!
    | this blocking seems to be keeping the popups at bay
    |
    | sunbelt works off of some self serving loopback, all things done must
    | pass through this loop... far as I can tell...
    |
    | I believe I have deleted the *.exe that created wvuuutu.dll

    It is either a Vundo Trojan or a Conhook/Klone Trojan.
    By its name, I'll take a guess that it is a Vundo Trojan.

    If you are using any version of Sun Java that is prior to JRE Version 6.0,
    then you are strongly urged to remove any/all versions.
    There are numerous vulnerabilities in them and they are actively being exploited.

    It is highly suggested that you update to the latest version which is Sun Java JRE/JSE
    Version 6.0 update 1 (jre 6u1)

    Simple check, look under...
    C:\Program Files\Java

    The only folder under that folder should be the latest version.

    Such as...
    C:\Program Files\Java\jre1.6.0_01

    http://java.sun.com/javase/downloads/index.jsp
    http://www.java.com/en/download/manual.jsp

    FYI:
    http://sunsolve.sun.com/search/docum...=1-26-102557-1
    http://sunsolve.sun.com/search/docum...=1-26-102622-1
    http://sunsolve.sun.com/search/docum...=1-26-102648-1
    http://sunsolve.sun.com/search/docum...=1-26-102729-1
    http://sunsolve.sun.com/search/docum...=1-26-102732-1
    http://sunsolve.sun.com/search/docum...=1-26-102760-1




    Download Atribune's VUNDOFIX.EXE
    http://www.atribune.org/ccount/click.php?id=4

    Save VUNDOFIX.EXE to "C:\" ( C:\VUNDOFIX.EXE ) and execute it from there.



    * * * Please report back your results * * *


    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
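Added worked example of the "simple check" above (this is not part of Dave's post and not a Sun tool): a small Python script that takes the folder names under C:\Program Files\Java, parses the Sun naming scheme (jre1.6.0_01, jdk1.5.0_xx, and the older j2re1.4.2_xx style, so it covers more than the single jre1.6.0_01 case in the post) and reports every install that is older than the one you expect to be the only folder there. The sample directory listing in the script is constructed for illustration; check_java_folder() runs the same check against a real machine.

```python
import os
import re

# Sun-era install folder names: jre1.6.0_01, jdk1.5.0_12, j2re1.4.2_13, j2sdk1.4.2_13
# (the j2re/j2sdk prefixes were used for 1.4.x; the version part has the same shape).
_JAVA_DIR = re.compile(r"^(?:j2re|j2sdk|jre|jdk)(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")

# Constructed sample listing standing in for os.listdir(r"C:\Program Files\Java")
# on a box that was never cleaned up: two old runtimes sit beside the current one.
SAMPLE_LISTING = ["jre1.6.0_01", "jre1.5.0_06", "j2re1.4.2_03", "Java Web Start"]


def parse_java_dir(name):
    """Map an install folder name to a comparable (major, minor, micro, update) tuple.

    Returns None for anything that is not a Sun JRE/JDK folder, so stray files or
    unrelated subfolders are ignored instead of being reported as old Java."""
    m = _JAVA_DIR.match(name)
    if not m:
        return None
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def stale_java_dirs(names, latest="jre1.6.0_01"):
    """Return the install folders in `names` that are older than `latest`, sorted.

    Tuples compare element by element, so jre1.5.0_06 < jre1.6.0_01 and
    jre1.6.0_01 < jre1.6.0_02 without any string comparison tricks."""
    newest = parse_java_dir(latest)
    if newest is None:
        raise ValueError("latest must look like jre1.6.0_01, got %r" % (latest,))
    stale = []
    for n in names:
        v = parse_java_dir(n)
        if v is not None and v < newest:
            stale.append(n)
    return sorted(stale)


def check_java_folder(path=r"C:\Program Files\Java", latest="jre1.6.0_01"):
    """Run the check against a real Java folder.

    Returns [] when the folder does not exist (a machine with no Java at all),
    otherwise the list of old installs that should be uninstalled."""
    if not os.path.isdir(path):
        return []
    return stale_java_dirs(os.listdir(path), latest)


if __name__ == "__main__":
    for d in stale_java_dirs(SAMPLE_LISTING):
        print("old Java install still present in sample listing, uninstall it:", d)
    for d in check_java_folder():
        print("old Java install on this machine:", d)
```

A folder that shows up here means the old runtime was never uninstalled; remove it through Add/Remove Programs rather than deleting the folder, so its registry entries and browser plugin registration go with it. An old folder is the easy part to spot; the exploitable piece is the old plugin a browser still loads, which is why the post says only the latest version should be there.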



  2. #2
    look at us we're beautiful Guest

    Re: sunbelt, block -> type code injection

    On May 17, 10:02 pm, "David H. Lipman" <DLipman~nosp...@Verizon.Net>
    wrote:

    > * * * Please report back your results * * *
    >
    > --
    >

    aight then, be back in a few


  3. #3
    look at us we're beautiful Guest

    Re: sunbelt, block -> type code injection

    On May 17, 10:02 pm, "David H. Lipman" <DLipman~nosp...@Verizon.Net>
    wrote:

    > Save VUNDOFIX.EXE to "C:\" ( C:\VUNDOFIX.EXE ) and execute it from there.


    it's still scanning, so far it's found two, one is dll, the other is
    ini

    cool deal.. so this might get rid of what I stepped in eh...
    I hope so

    my java happened to be the latest greatest, thanks for the sun links,
    and the others.

    I've got a lot installed, I guess I should go make something to eat,
    and let this thing scan.



  4. #4
    look at us we're beautiful Guest

    Re: sunbelt, block -> type code injection

    On May 17, 10:02 pm, "David H. Lipman" <DLipman~nosp...@Verizon.Net>
    wrote:
    FIX.EXE http://www.atribune.org/ccount/click.php?id=4
    >
    > Save VUNDOFIX.EXE to "C:\" ( C:\VUNDOFIX.EXE ) and execute it from there.


    ok all done, vundofix just rebooted, I'm back..

    it found about 6 others, I'm still getting the sunbelt intrusion
    message...
    I see wvuuutu.dll is still running

    I am getting various intrusion alerts from sunbelt firewall

    I smell more spy stuff for sure. I've used this firewall before...
    these are not normal messages.

    now windows says.. "can't find the specified path" no matter what I
    try to run...

    interesting...

    lemme post this in case things get worse...


  5. #5
    look at us we're beautiful Guest

    Re: sunbelt, block -> type code injection

    On May 17, 10:02 pm, "David H. Lipman" <DLipman~nosp...@Verizon.Net>
    wrote:
    > From: "look at us we're beautiful" <brrypr...@yahoo.com>
    >
    > |
    > | I should mention there are no other files I suspect of being bad...
    > |
    > | possibly one more beyond the wvuuutu.dll, but maybe not
    > |
    > | I did get rid of about 5, that SEC.TaskManager showed me.
    > |
    > | aaaand yet another intrusion blocked by sunbelt!
    > | this blocking seems to be keeping the popups at bay
    > |
    > | sunbelt works off of some self serving loopback, all things done must
    > | pass through this loop... far as I can tell...
    > |
    > | I believe I have deleted the *.exe that created wvuuutu.dll
    >
    > It is either a Vundo Trojan or a Conhook/Klone Trojan.
    > By it name, I'll take a guess that it is a Vundo Trojan.



    ok, never mind, I had my firewall too tight.
    I killed the firewall, then could run other exes...

    BUT!!!! without warning, my taskbar went away..

    well.. Im going to tinker with it...

    lol, this is the first period of problems since this install

    when it rains it pours




  6. #6
    look at us we're beautiful Guest

    Re: sunbelt, block -> type code injection

    On May 17, 10:02 pm, "David H. Lipman" <DLipman~nosp...@Verizon.Net>
    wrote:
    > From: "look at us we're beautiful" <brrypr...@yahoo.com>
    >
    > |
    > | I should mention there are no other files I suspect of being bad...
    > |
    > | possibly one more beyond the wvuuutu.dll, but maybe not
    > |
    > | I did get rid of about 5, that SEC.TaskManager showed me.
    > |
    > | aaaand yet another intrusion blocked by sunbelt!
    > | this blocking seems to be keeping the popups at bay
    > |
    > | sunbelt works off of some self serving loopback, all things done must
    > | pass through this loop... far as I can tell...
    > |
    > | I believe I have deleted the *.exe that created wvuuutu.dll
    >
    > It is either a Vundo Trojan or a Conhook/Klone Trojan.
    > By it name, I'll take a guess that it is a Vundo Trojan.
    >
    > If you are using any version of Sun Java that is prior to JRE Version 6.0,
    > then you are strongly urged to remove any/all versions.
    > There are numerous vulnerabilities in them and they are actively being exploited.
    >
    > It is highly suggested that you update to the latest version which is Sun Java JRE/JSE
    > Version 6.0 update 1 (jre 6u1)
    >
    > Simple check, look under...
    > C:\Program Files\Java
    >
    > The only folder under that folder should be the latest version.
    >
    > Such as...
    > C:\Program Files\Java\jre1.6.0_01
    >
    > http://java.sun.com/javase/downloads...oad/manual.jsp
    >
    > FYI: http://sunsolve.sun.com/search/docum...=1-26-102760-1
    >
    > Download Atribune's VUNDOFIX.EXE http://www.atribune.org/ccount/click.php?id=4
    >
    > Save VUNDOFIX.EXE to "C:\" ( C:\VUNDOFIX.EXE ) and execute it from there.
    >
    > * * * Please report back your results * * *
    >
    > --
    > Dave
    > http://www.claymania.com/removal-trojan-adware.html
    > http://www.ik-cs.com/got-a-virus.htm


    wvuuutu.dll
    it got rid of everything but that, the vundo thingy did a good job, I ran it
    twice and it found a different set each time, but I'm led to believe it did not
    know which was the host file

    only site on the web that lists wvuuutu.dll is for product called
    Prevx1

    installing it now... we'll see



  7. #7
    David H. Lipman Guest

    Re: sunbelt, block -> type code injection

    From: "look at us we're beautiful" <brryprrsh@yahoo.com>


    | wvuuutu.dll
    | it got rid of everything but that, vundo thingy did good job, I ran it
    | twice it found different set each time, but led to believe it did not
    | know which was host file

    | only site on the web that lists wvuuutu.dll is for product called
    | Prevx1

    | installing it now... we'll see




    Download and execute HiJack This! (HJT)
    http://www.spywareinfo.com/~merijn/files/HijackThis.exe

    Create a HJT log file and post it in one of the below locations...

    { Please - Do NOT post the HJT Log here ! }

    Forums where you can get expert advice for HiJack This! (HJT) logs.

    NOTE: Registration is REQUIRED in any of the below before posting a log

    Suggested primary:
    http://www.thespykiller.co.uk/index.php?board=3.0

    Suggested secondary:
    http://www.bleepingcomputer.com/forums/forum22.html
    http://castlecops.com/forum67.html

    Suggested tertiary:
    http://www.dslreports.com/forum/cleanup
    http://www.cybertechhelp.com/forums/...splay.php?f=25
    http://www.atribune.org/forums/index.php?showforum=9
    http://www.geekstogo.com/forum/Malwa..._Here-f37.html
    http://gladiator-antivirus.com/forum...?showforum=170
    http://forum.networktechs.com/forumdisplay.php?f=130
    http://forums.maddoktor2.com/index.php?showforum=17
    http://www.spywarewarrior.com/viewforum.php?f=5
    http://forums.spywareinfo.com/index.php?showforum=18
    http://forums.techguy.org/f54-s.html
    http://forums.tomcoyote.org/index.php?showforum=27
    http://forums.subratam.org/index.php?showforum=7
    http://www.5starsupport.com/ipboard/...p?showforum=18
    http://www.malwarebytes.org/forums/i...hp?showforum=7
    http://makephpbb.com/phpbb/viewforum.php?f=2
    http://forums.techguy.org/54-security/
    http://forums.security-central.us/forumdisplay.php?f=13



    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm



  8. #8
    look at us we're beautiful Guest

    Re: sunbelt, block -> type code injection

    On May 18, 6:54 am, "David H. Lipman" <DLipman~nosp...@Verizon.Net>
    wrote:
    > From: "look at us we're beautiful" <brrypr...@yahoo.com>
    >
    > | wvuuutu.dll
    > | it got rid of everything but that, vundo thingy did good job, I ran it
    > | twice it found different set each time, but led to believe it did not
    > | know which was host file
    >
    > | only site on the web that lists wvuuutu.dll is for product called
    > | Prevx1
    >
    > | installing it now... we'll see
    >
    > Download and execute HiJack This! (HJT) http://www.spywareinfo.com/~merijn/files/HijackThis.exe


    yeah, I see what you mean about posting log at other site

    thing is, I feel I know the problem

    it's wvuuutu.dll

    granted, that file may not be the initiating problem.
    that file has a description of "monitors when programs startup"

    I also get, "taskman" or "defgrag" is trying to connect to internet...

    I know how to get rid of wvuuutu.dll, I could boot in dos I guess...
    only thing, this machine doesn't have a 3.5 floppy, I could doctor up
    a CD to boot me to dos, but I broke my burner.

    You didn't need to hear all that.

    at this point, I'm looking for a way to del that file, I feel it is my
    problem.

    the program you told me to run from the c:\ did good. it found about
    12-14 files and zapped them, although I suspect the ones it did find
    were just remnants and would have simply sat there with no
    coordinator, nothing to instruct them

    I appreciate your help.

    know any way to delete a file while windows is using it?
    I already know I can't move or rename this file.

    AND it is ONLY attached to winlogin.exe



  9. #9
    look at us we're beautiful Guest

    Re: sunbelt, block -> type code injection

    On May 18, 6:54 am, "David H. Lipman" <DLipman~nosp...@Verizon.Net>
    wrote:

    \---Quarantine
        +---C
        |   +---Program Files
        |   |   \---Common Files
        |   |           Yazzle1162OinAdmin.exe.vir
        |   |           Yazzle1162OinUninstaller.exe.vir
        |   |
        |   \---WINDOWS
        |       |   svchost.exe.vir
        |       |
        |       \---system32
        |               qcvctcct.dll.vir
        |               sstts.dll.vir
        |               sttss.bak1.vir
        |               sttss.ini.vir
        |               twmemhkx.ini.vir
        |               wvuuutu.dll.vir
        |               xkhmemwt.dll.vir

    check it out, I think your combofix got it
    I see wvuuutu in the quarantine list

    (not to mention all the others)

    Thanks again David

    This particular installation of XP was pretty substantial, I mean, I
    have vested a lot of work into it, and you have saved me many hours.

    Barry

    ps, I do see a donation button on the one tool thingy



