Post #1 - Jan 12 2009, 05:39 AM
BobsBigBoy (New Member; Group: Members; Posts: 6; Joined: 12-January 09; Member No.: 281,525)
Hello,
I was working on my XP installed Dell laptop a week ago - when all of a sudden I got hit with pop-ups and a security alert. Computer stopped working properly right after - and the next day I took it to my computer guy. He was not very knowledgeable and appears to have installed CyberDefender - he said he was able to clean it - but later when he connected it back to the internet the spyware instantly popped right back up. I took the machine off his hands, went home and turned off the wireless card via the switch and started reading up on Vundo before I found this great website. Using my Mac, I downloaded and installed via CD-Rom both SuperAntiSpy and MalwareBytes (in regular and safe mode) - which both got rid of most viruses - but when I restarted, both Vundo and Trace came right back every time I ran a scan, and their logs showed that I cleaned it up - so I am concerned that these bugs keep regenerating and I am afraid that they will grow worse if I reconnect my laptop to the internet. I am not very savvy but I read that turning off the restore point was essential to cleaning Vundo out so I turned that off during my latest cleaning - and it didn't seem to work. Also I have turned on the firewall as recommended in the posting guide. Would kindly appreciate any experienced thoughts on how to get these last two Vundo and Trace bugs out of my system. Thanks!
Posting requested DDS log below:

DDS (Ver_09-01-07.01) - NTFSx86
Run by Teymy.Bahmani at 2:05:05.56 on Mon 01/12/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1572 [GMT -8:00]

AV: CyberDefender Internet Security *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\WINDOWS\system32\StacSV.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\System32\igfxpers.exe
C:\WINDOWS\System32\igfxsrvc.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\teymy.bahmani\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.thomson.com/
uWindow Title = Microsoft Internet Explorer provided by The Thomson Corporation
uInternet Connection Wizard,ShellNext = hxxp://my.thomson.com/
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = webproxy.int.westgroup.com:80
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: NoExplorer - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [RMC] c:\program files\reuters\rmc\rmc.exe
uRun: [AdobeUpdater] "c:\program files\common files\adobe\updater5\AdobeUpdater.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [iPCCheck] "c:\program files\ipass\ipassconnect\downloader\ipccheck.exe" /startup
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [CyberDefender Early Detection Center] "c:\program files\cyberdefender\antispyware\ISSIntro.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: ckpNotify - ckpNotify.dll
Notify: igfxcui - igfxdev.dll
Notify: PCANotify - PCANotify.dll
AppInit_DLLs: nnhbxn.dll ykazlb.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 awlegacy;awlegacy;c:\windows\system32\drivers\AWLEGACY.sys [2007-3-30 17848]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-22 55024]
R3 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [2007-5-24 2234800]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-22 7408]
R3 VNASC;Check Point Virtual Network Adapter - SecureClient;c:\windows\system32\drivers\vnasc.sys [2007-5-24 110032]
R4 CP_OMDRV;Check Point Office Mode Module;c:\windows\system32\drivers\omdrv.sys [2007-5-24 36368]
R4 MDC80211;iPass Protocol (IEEE 802.1x) v2.3.1.9;c:\windows\system32\drivers\mdc80211.sys [2007-10-3 15793]
R4 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\tmxpflt.sys [2003-7-18 205328]
R4 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\tmpreflt.sys [2003-7-18 36368]
R4 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [2007-5-24 673456]
S3 awhost32;Symantec pcAnywhere Host Service;c:\program files\symantec\pcanywhere\awhost32.exe [2007-5-11 132728]
S3 CDAVFS;CDAVFS;c:\windows\system32\drivers\CDAVFS.sys [2009-1-5 67424]
S3 EL3C574;FE574B-3Com 10/100 LAN PCCard Device Driver;c:\windows\system32\drivers\el574nd4.sys --> c:\windows\system32\drivers\el574nd4.sys [?]
S4 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2007-3-30 18232]

=============== Created Last 30 ================

2009-01-07 05:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-01-07 04:59 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-01-07 04:59 <DIR> --d----- c:\docume~1\teymy~2.bah\applic~1\SUPERAntiSpyware.com
2009-01-07 04:20 <DIR> --d----- c:\docume~1\teymy~2.bah\applic~1\Malwarebytes
2009-01-07 00:33 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-07 00:33 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-07 00:33 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-07 00:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-06 23:53 <DIR> --d----- c:\program files\Yahoo!
2009-01-06 23:53 <DIR> --d----- c:\program files\CCleaner
2009-01-06 13:10 172,032 a------- c:\windows\system32\igfxres.dll
2009-01-06 11:05 <DIR> --d----- c:\windows\system32\CatRoot_bak
2009-01-06 10:52 101,376 ac------ c:\windows\system32\dllcache\srusbusd.dll
2009-01-06 10:51 1,158,818 ac------ c:\windows\system32\dllcache\korwbrkr.lex
2009-01-06 10:50 57,399 ac------ c:\windows\system32\dllcache\cplexe.exe
2009-01-06 10:49 68,608 ac------ c:\windows\system32\dllcache\iisext51.dll
2009-01-06 10:44 488 a---hr-- c:\windows\system32\logonui.exe.manifest
2009-01-06 10:44 749 a---hr-- c:\windows\WindowsShell.Manifest
2009-01-06 10:44 749 a---hr-- c:\windows\system32\wuaucpl.cpl.manifest
2009-01-06 10:44 749 a---hr-- c:\windows\system32\sapi.cpl.manifest
2009-01-06 10:44 749 a---hr-- c:\windows\system32\nwc.cpl.manifest
2009-01-06 10:44 749 a---hr-- c:\windows\system32\ncpa.cpl.manifest
2009-01-06 10:43 16,384 ac------ c:\windows\system32\dllcache\isignup.exe
2009-01-06 10:42 32,768 ac------ c:\windows\system32\dllcache\icwdl.dll
2009-01-06 10:30 10,559 a----r-- c:\windows\SET99.tmp
2009-01-06 10:30 22,339 a----r-- c:\windows\SET97.tmp
2009-01-06 10:30 13,753 a----r-- c:\windows\SET5B.tmp
2009-01-06 10:30 1,086,058 a----r-- c:\windows\SET4F.tmp
2009-01-06 10:30 1,042,903 a----r-- c:\windows\SET4C.tmp
2009-01-06 10:16 22,339 a----r-- c:\windows\SET95.tmp
2009-01-06 10:16 10,559 a----r-- c:\windows\SET96.tmp
2009-01-06 10:16 13,753 a----r-- c:\windows\SET5A.tmp
2009-01-06 10:16 1,086,058 a----r-- c:\windows\SET4E.tmp
2009-01-06 10:16 1,042,903 a----r-- c:\windows\SET4B.tmp
2009-01-06 09:57 24,661 ac------ c:\windows\system32\dllcache\spxcoins.dll
2009-01-06 09:57 13,312 ac------ c:\windows\system32\dllcache\irclass.dll
2009-01-06 09:57 24,661 a------- c:\windows\system32\spxcoins.dll
2009-01-06 09:57 13,312 a------- c:\windows\system32\irclass.dll
2009-01-06 09:09 137,728 a------- c:\windows\system32\ykazlb.dll
2009-01-06 09:09 137,728 a------- c:\windows\system32\ucmnlofj.dll
2009-01-06 08:19 24 a------- c:\windows\pccntmon.INI
2009-01-06 01:45 <DIR> --d----- c:\windows\dell
2009-01-05 23:17 <DIR> --dsh--- C:\found.000
2009-01-05 14:45 43 a------- c:\windows\av_affiliate.ini
2009-01-05 14:45 43 a------- c:\windows\as_affiliate.ini
2009-01-05 14:39 67,424 a------- c:\windows\system32\drivers\CDAVFS.sys
2009-01-05 14:39 <DIR> --d----- c:\program files\CyberDefender
2009-01-05 00:58 1,307,356 ---sh--- c:\windows\system32\mgnvqpnl.ini
2009-01-05 00:56 133,632 a------- c:\windows\system32\nnhbxn.dll
2009-01-05 00:56 133,632 a------- c:\windows\system32\ncumlphc.dll

==================== Find3M ====================

2009-01-08 17:47 87,263 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-01-06 10:41 22,720 a------- c:\windows\system32\emptyregdb.dat
2008-12-12 14:56 65,744 a---h--- c:\windows\system32\mlfcache.dat
2008-12-12 14:47 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-12 10:21 75,350 a------- c:\windows\system32\z98.bin
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-01-30 12:09 651,348 a------- c:\program files\cltracker.zip

============= FINISH: 2:05:52.98 ===============
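Added here as a worked example; it is not part of BobsBigBoy's post, not code from the DDS tool, and not the HijackThis Team's procedure. It is a small Python triage script that parses the two DDS sections a helper reads first for this kind of infection (the Pseudo HJT Report and Created Last 30) and applies three heuristics of my own to lines copied from the log above. The section banner format, the column layout of the Created Last 30 rows and the three rules are assumptions drawn from this one log, not a specification of the DDS output format.

```python
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the DDS log in the post
# above, cut down to the sections this triage needs.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: nnhbxn.dll ykazlb.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
=============== Created Last 30 ================
2009-01-07 04:59 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-01-06 13:10 172,032 a------- c:\windows\system32\igfxres.dll
2009-01-06 09:57 24,661 a------- c:\windows\system32\spxcoins.dll
2009-01-06 09:09 137,728 a------- c:\windows\system32\ykazlb.dll
2009-01-06 09:09 137,728 a------- c:\windows\system32\ucmnlofj.dll
2009-01-05 23:17 <DIR> --dsh--- C:\found.000
2009-01-05 00:58 1,307,356 ---sh--- c:\windows\system32\mgnvqpnl.ini
2009-01-05 00:56 133,632 a------- c:\windows\system32\nnhbxn.dll
2009-01-05 00:56 133,632 a------- c:\windows\system32\ncumlphc.dll
==================== Find3M ====================
2008-12-12 14:47 410,984 a------- c:\windows\system32\deploytk.dll
============= FINISH: 2:05:52.98 ===============
"""

# Assumed layouts, inferred from the log above rather than from DDS documentation.
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (<DIR>|[\d,]+) (\S{8}) (.+)$"
)


@dataclass(frozen=True)
class CreatedEntry:
    date: str
    time: str
    size: str   # "<DIR>" or the comma-grouped byte count DDS prints
    attrs: str  # the 8-character attribute column, e.g. "---sh---"
    path: str


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str


def split_sections(text):
    """Group the log's lines under the '=== Name ===' banner that precedes them."""
    sections, current = {}, "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
            sections.setdefault(current, [])
        else:
            sections.setdefault(current, []).append(line)
    return sections


def parse_created(lines):
    """Parse 'Created Last 30' rows; rows that do not fit the layout are skipped."""
    rows = []
    for line in lines:
        m = CREATED_RE.match(line)
        if m:
            rows.append(CreatedEntry(*m.groups()))
    return rows


def appinit_dlls(hjt_lines):
    """Return the lower-cased DLL names on the AppInit_DLLs line, if there is one."""
    for line in hjt_lines:
        if line.lower().startswith("appinit_dlls:"):
            return [name.lower() for name in line.split(":", 1)[1].split()]
    return []


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def dirname(path):
    return path.rsplit("\\", 1)[0].lower()


def triage(text):
    """Return Findings for 'Created Last 30' files that deserve a second look."""
    sections = split_sections(text)
    loaders = set(appinit_dlls(sections.get("Pseudo HJT Report", [])))
    created = parse_created(sections.get("Created Last 30", []))
    reasons = {}

    # Rule 1: a freshly created file that is also named in AppInit_DLLs. That
    # value is loaded into every process that maps user32.dll, which is one
    # reason such an entry tends to reappear after a scanner has "cleaned" it.
    for e in created:
        if basename(e.path) in loaders:
            reasons[e.path] = "listed in AppInit_DLLs"

    # Rule 2: a sibling dropped in the same directory, same minute and same size
    # as a Rule 1 hit. In the post's log each AppInit DLL has exactly such a twin.
    anchors = [e for e in created if e.path in reasons]
    for e in created:
        if e.path in reasons:
            continue
        for a in anchors:
            if (e.date, e.time, e.size, dirname(e.path)) == (a.date, a.time, a.size, dirname(a.path)):
                reasons[e.path] = f"same size and creation minute as {basename(a.path)}"
                break

    # Rule 3: a hidden+system file (not a directory) created under system32;
    # legitimate installers rarely drop one there.
    for e in created:
        if e.path in reasons:
            continue
        if "s" in e.attrs and "h" in e.attrs and "d" not in e.attrs and "\\system32\\" in e.path.lower():
            reasons[e.path] = "hidden+system file created in system32"

    return [Finding(p, r) for p, r in sorted(reasons.items())]


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"{f.path}  <- {f.reason}")
```

On the sample it flags nnhbxn.dll and ykazlb.dll (AppInit_DLLs), their same-minute twins ncumlphc.dll and ucmnlofj.dll, and the hidden+system mgnvqpnl.ini, while leaving igfxres.dll, spxcoins.dll and the found.000 directory alone. The output is a worklist for a helper to verify against the full log, not a verdict; a clean scan report from a tool that cannot see these loaders is exactly the situation the post describes.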
BobsBigBoy Infected with Malware.Trace and Trojan.Vundo Jan 12 2009, 05:39 AM
Thunder Hello BobsBigBoy,
Please read [b]this tutorial ca... Jan 22 2009, 05:25 PM
BobsBigBoy Thunder,
Thanks for your reply.
Before I run Com... Jan 22 2009, 06:53 PM
Thunder Hello BobsBigBoy,
Yes, please run ComboFix,
it wi... Jan 23 2009, 05:16 AM
BobsBigBoy will do . Jan 25 2009, 04:28 AM
Thunder Fine, BobsBigBoy,
I'll await your log.
Greet... Jan 25 2009, 06:39 AM
BobsBigBoy OK THUNDER - here is the ComboFix log.
One note -... Jan 28 2009, 12:18 AM
Thunder Hello BobsBigBoy,
Your log looks quite good now. ... Jan 28 2009, 08:49 AM
BobsBigBoy Dude - thanks so much for helping me.
I know I... Jan 28 2009, 11:40 AM
Thunder Glad we could help, BobsBigBoy :wink:
Please r... Jan 28 2009, 04:29 PM