vdoubxd.dll - Trojan? Virus?


BJ Safdie
On my Win2K Server machine I found an entry in my registry
at:
HK_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
Run and RunOnce

which reads:

Key:
vdoubxd

Value:
rundll32 C:\WINNT\system32:vdoubxd.dll,Init 1

I "Googled" vdoubxd and came up with nothing.
Symantec Security Response came up with nothing.
The McAfee site had nothing.

If I delete the registry entries, they come back. There
is no vdoubxd.dll in my C:\WINNT\system32 directory.
Also, I am unfamiliar with the ...system32:vdoubxd.dll...
use of a colon. I also looked for the possibility of file
in WINNT named system32:vdoubxd.dll.

Anyone know what the heck this thing is and how (if it is
a bad thing) to get rid of it?

Any Help Appreciated,
BJ Safdie

Jerry Heidtke
BJ Safdie wrote:
> On my Win2K Server machine I found an entry in my registry
> at:
> HK_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
> Run and RunOnce
>
> which reads:
>
> Key:
> vdoubxd
>
> Value:
> rundll32 C:\WINNT\system32:vdoubxd.dll,Init 1
>
> I "Googled" vdoubxd and came up with nothing.
> Symantec Security Response came up with nothing.
> The McAfee site had nothing.
>
> If I delete the registry entries, they come back. There
> is no vdoubxd.dll in my C:\WINNT\system32 directory.
> Also, I am unfamiliar with the ...system32:vdoubxd.dll...
> use of a colon. I also looked for the possibility of file
> in WINNT named system32:vdoubxd.dll.
>
> Anyone know what the heck this thing is and how (if it is
> a bad thing) to get rid of it?
>
> Any Help Appreciated,
> BJ Safdie


Probably the Coreflood trojan. It's stored in an "Alternate Data Stream"
(ADS). See http://www.sophos.com/virusinfo/analyses/trojcoreflooc.html
for a description, download
http://www.sophos.com/support/cleaners/corfcgui.com to get rid of it.

Your system may have been further compromised. You should do a thorough
investigation. Rebuilding from scratch should be seriously considered.
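The colon in `C:\WINNT\system32:vdoubxd.dll` is the detail Jerry's reply turns on: the DLL is not a file in system32 but a named NTFS alternate data stream attached to the system32 directory itself, which is why a directory listing shows nothing and `rundll32` still finds it. As an added example that is not part of this thread, the PowerShell below (assuming PowerShell 3.0 or later on a current Windows host rather than the Win2K box discussed, run from an elevated prompt) scans the Run and RunOnce keys for commands that reference a stream and then lists the named streams on the file or directory each one points at. The function names, the regular expression and the `Get-HostStreams` helper are my own, not from the page.

```powershell
# Added example (not from the thread): flag autorun entries that point into an
# NTFS alternate data stream, and list the streams on the host object they name.
# Assumes PowerShell 3.0+ (Get-Item -Stream) and local administrator rights.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# A stream reference looks like <path>:<stream>. The only legitimate colon in an
# ordinary Windows path is the one after the drive letter, so a second colon
# immediately after a path segment (no whitespace in between) is the signal.
$adsPattern = '(?<path>[A-Za-z]:\\[^:\s"]+):(?<stream>[^\s,"]+)'

function Find-AdsAutorun {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath etc.)
            $value = [string]$p.Value
            if ($value -match $adsPattern) {
                [PSCustomObject]@{
                    Key     = $key
                    Name    = $p.Name
                    Command = $value
                    Host    = $Matches['path']     # file or directory carrying the stream
                    Stream  = $Matches['stream']
                }
            }
        }
    }
}

function Get-HostStreams {
    param([string]$Path)
    # Works for directories as well as files; ':$DATA' is the normal unnamed stream,
    # so anything else listed here is a named stream worth inspecting.
    Get-Item -LiteralPath $Path -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object FileName, Stream, Length
}

$hits = @(Find-AdsAutorun)
if ($hits.Count -eq 0) {
    'No Run/RunOnce entries reference an alternate data stream.'
}
foreach ($h in $hits) {
    $h | Format-List
    Get-HostStreams -Path $h.Host
}
```

On a host without PowerShell 3.0, Sysinternals `streams.exe` enumerates the same named streams. Either way, as the original post observes, deleting the Run value alone does not help while the stream and whatever re-creates the value are still present, which is why the reply treats the finding as a likely wider compromise rather than a one-line registry cleanup.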

BJ Safdie

Many Thanks.

>-----Original Message-----
>BJ Safdie wrote:
>> On my Win2K Server machine I found an entry in my registry
>> at:
>> HK_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
>> Run and RunOnce
>>
>> which reads:
>>
>> Key:
>> vdoubxd
>>
>> Value:
>> rundll32 C:\WINNT\system32:vdoubxd.dll,Init 1
>>
>> I "Googled" vdoubxd and came up with nothing.
>> Symantec Security Response came up with nothing.
>> The McAfee site had nothing.
>>
>> If I delete the registry entries, they come back. There
>> is no vdoubxd.dll in my C:\WINNT\system32 directory.
>> Also, I am unfamiliar with the ...system32:vdoubxd.dll...
>> use of a colon. I also looked for the possibility of file
>> in WINNT named system32:vdoubxd.dll.
>>
>> Anyone know what the heck this thing is and how (if it is
>> a bad thing) to get rid of it?
>>
>> Any Help Appreciated,
>> BJ Safdie
>
>
>Probably the Coreflood trojan. It's stored in an "Alternate Data Stream"
>(ADS). See http://www.sophos.com/virusinfo/analyses/trojcoreflooc.html
>for a description, download
>http://www.sophos.com/support/cleaners/corfcgui.com to get rid of it.
>
>Your system may have been further compromised. You should do a thorough
>investigation. Rebuilding from scratch should be seriously considered.