Infected by Mal

Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Forum Rules

When posting your problem, do not run and post a ComboFix log. ComboFix is a tool that should only be run under the supervision of someone who has been trained in its use. Using it on your own can cause problems with your computer. Any posts containing CF Logs will be ignored.

To receive help, you should instead provide a detailed description of your problem, detailed word-for-word error messages that you are receiving, screenshots of strange behaviour, and your operating system. This information is much more useful to our helpers than a ComboFix log.

If you have not received help after three days, please post a link to your topic HERE.

Page 1 of 1

You cannot start a new topic
You cannot reply to this topic

Infected by Mal_Vundo-5

#1 GA_crazy_shamz

Member

Group: Members
Posts: 47
Joined: 26-January 08

Posted 27 October 2008 - 10:21 AM

hey,

Trend Micro keeps telling me that my computer is infected by Mal_Vundo-5.

I have a free antivirus on my computer (Avira AntiVir Personal) which I used a few weeks ago and it deleted 200-300 viruses. I scanned it today and here are the results:

Avira AntiVir Personal
Report file date: Monday, October 27, 2008 14:51

Scanning for 1707541 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Boot mode: Normally booted
Username: Aziz
Computer name: MUBSTU398

Version information:
BUILD.DAT : 8.2.0.334 16933 Bytes 16/10/2008 14:55:00
AVSCAN.EXE : 8.1.4.7 315649 Bytes 26/06/2008 07:57:53
AVSCAN.DLL : 8.1.4.0 40705 Bytes 26/05/2008 06:56:40
LUKE.DLL : 8.1.4.5 164097 Bytes 12/06/2008 11:44:19
LUKERES.DLL : 8.1.4.0 12033 Bytes 26/05/2008 06:58:52
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 18/07/2007 09:33:34
ANTIVIR1.VDF : 7.0.5.1 8182784 Bytes 24/06/2008 12:54:15
ANTIVIR2.VDF : 7.0.7.59 4366336 Bytes 19/10/2008 22:22:13
ANTIVIR3.VDF : 7.0.7.92 192000 Bytes 25/10/2008 15:34:20
Engineversion : 8.2.0.9
AEVDF.DLL : 8.1.0.6 102772 Bytes 16/10/2008 07:05:54
AESCRIPT.DLL : 8.1.1.9 319867 Bytes 17/10/2008 22:23:17
AESCN.DLL : 8.1.1.3 123252 Bytes 16/10/2008 07:05:42
AERDL.DLL : 8.1.1.2 438644 Bytes 16/10/2008 07:05:39
AEPACK.DLL : 8.1.2.4 369014 Bytes 16/10/2008 07:05:36
AEOFFICE.DLL : 8.1.0.29 196988 Bytes 24/10/2008 07:28:07
AEHEUR.DLL : 8.1.0.63 1479032 Bytes 24/10/2008 07:28:05
AEHELP.DLL : 8.1.1.2 115062 Bytes 16/10/2008 07:05:20
AEGEN.DLL : 8.1.0.42 319861 Bytes 25/10/2008 07:28:12
AEEMU.DLL : 8.1.0.9 393588 Bytes 16/10/2008 07:05:16
AECORE.DLL : 8.1.2.8 172406 Bytes 25/10/2008 07:27:58
AEBB.DLL : 8.1.0.3 53618 Bytes 16/10/2008 07:05:10
AVWINLL.DLL : 1.0.0.12 15105 Bytes 09/07/2008 07:40:05
AVPREF.DLL : 8.0.2.0 38657 Bytes 16/05/2008 08:28:01
AVREP.DLL : 8.0.0.2 98344 Bytes 16/10/2008 07:05:09
AVREG.DLL : 8.0.0.1 33537 Bytes 09/05/2008 10:26:40
AVARKT.DLL : 1.0.0.23 307457 Bytes 12/02/2008 07:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 12/06/2008 11:27:49
SQLITE3.DLL : 3.3.17.1 339968 Bytes 22/01/2008 16:28:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 12/06/2008 11:49:40
NETNT.DLL : 8.0.0.1 7937 Bytes 25/01/2008 11:05:10
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 12/06/2008 12:48:07
RCTEXT.DLL : 8.0.52.0 86273 Bytes 27/06/2008 12:34:37

Configuration settings for the scan:
Jobname..........................: Manual Selection
Configuration file...............: C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\PROFILES\folder.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:, D:, E:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Monday, October 27, 2008 14:51

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'msn_sl.exe' - '1' Module(s) have been scanned
Scan process 'WLLoginProxy.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'POWERPNT.EXE' - '1' Module(s) have been scanned
Scan process 'TosBtProc.exe' - '1' Module(s) have been scanned
Scan process 'TosOBEX.exe' - '1' Module(s) have been scanned
Scan process 'WISPTIS.EXE' - '1' Module(s) have been scanned
Scan process 'Dot1XCfg.exe' - '1' Module(s) have been scanned
Scan process 'TosBtHSP.exe' - '1' Module(s) have been scanned
Scan process 'TosBtHid.exe' - '1' Module(s) have been scanned
Scan process 'TosA2dp.exe' - '1' Module(s) have been scanned
Scan process 'qlock.exe' - '1' Module(s) have been scanned
Scan process 'GPopAccount.exe' - '1' Module(s) have been scanned
Scan process 'DLG.exe' - '1' Module(s) have been scanned
Scan process 'TosBtMng.exe' - '1' Module(s) have been scanned
Scan process 'acrotray.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'msnmsgr.exe' - '1' Module(s) have been scanned
Scan process 'netwaiting.exe' - '1' Module(s) have been scanned
Scan process 'cac.exe' - '1' Module(s) have been scanned
Scan process 'VCDDaemon.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'PccNTMon.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'iFrmewrk.exe' - '1' Module(s) have been scanned
Scan process 'ZCfgSvc.exe' - '1' Module(s) have been scanned
Scan process 'ApntEx.exe' - '1' Module(s) have been scanned
Scan process 'hidfind.exe' - '1' Module(s) have been scanned
Scan process 'issch.exe' - '1' Module(s) have been scanned
Scan process 'DLACTRLW.EXE' - '1' Module(s) have been scanned
Scan process 'quickset.exe' - '1' Module(s) have been scanned
Scan process 'WLTRAY.EXE' - '1' Module(s) have been scanned
Scan process 'DVDLauncher.exe' - '1' Module(s) have been scanned
Scan process 'stsystra.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'igfxpers.exe' - '1' Module(s) have been scanned
Scan process 'igfxsrvc.exe' - '1' Module(s) have been scanned
Scan process 'hkcmd.exe' - '1' Module(s) have been scanned
Scan process 'Apoint.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'usnsvc.exe' - '1' Module(s) have been scanned
Scan process 'CNTAoSMgr.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'TmPfw.exe' - '1' Module(s) have been scanned
Scan process 'PLCFEE.EXE' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'TmListen.exe' - '1' Module(s) have been scanned
Scan process 'BCMWLTRY.EXE' - '1' Module(s) have been scanned
Scan process 'WLTRYSVC.EXE' - '1' Module(s) have been scanned
Scan process 'RegSrvc.exe' - '1' Module(s) have been scanned
Scan process 'NTRtScan.exe' - '1' Module(s) have been scanned
Scan process 'NicConfigSvc.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'aawservice.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'WLKEEPER.exe' - '1' Module(s) have been scanned
Scan process 'S24EvMon.exe' - '1' Module(s) have been scanned
Scan process 'EvtEng.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
72 processes with 72 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '78' files ).

Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\Student\Local Settings\Temporary Internet Files\Content.IE5\NP0BPXI9\swflash[1].cab
[0] Archive type: CAB (Microsoft)
--> FP_AX_CAB_INSTALLER.exe
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\WINDOWS\system32\dpvwfz.dll
[WARNING] The file could not be opened!
C:\WINDOWS\system32\TmEncryptTemp.001
[0] Archive type: HIDDEN
--> FIL\\\?\C:\WINDOWS\system32\TmEncryptTemp.001
[DETECTION] Is the TR/Agent.agru Trojan
[NOTE] The file was deleted!
C:\WINDOWS\system32\TmEncryptTemp.002
[0] Archive type: HIDDEN
--> FIL\\\?\C:\WINDOWS\system32\TmEncryptTemp.002
[DETECTION] Is the TR/Agent.agru Trojan
[NOTE] The file was deleted!
C:\WINDOWS\system32\TmEncryptTemp.003
[0] Archive type: HIDDEN
--> FIL\\\?\C:\WINDOWS\system32\TmEncryptTemp.003
[DETECTION] Is the TR/Agent.agru Trojan
[NOTE] The file was deleted!
C:\WINDOWS\system32\TmEncryptTemp.004
[0] Archive type: HIDDEN
--> FIL\\\?\C:\WINDOWS\system32\TmEncryptTemp.004
[DETECTION] Is the TR/Agent.agru Trojan
[NOTE] The file was deleted!
C:\WINDOWS\system32\TmEncryptTemp.005
[0] Archive type: HIDDEN
--> FIL\\\?\C:\WINDOWS\system32\TmEncryptTemp.005
[DETECTION] Is the TR/Agent.agru Trojan
[NOTE] The file was deleted!
Begin scan in 'D:\' <VAVOLUME4REVISION>
Begin scan in 'E:\' <Bear>

End of the scan: Monday, October 27, 2008 15:36
Used time: 45:20 Minute(s)

The scan has been done completely.

6929 Scanning directories
216910 Files were scanned
5 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
5 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
3 Files cannot be scanned
216902 Files not concerned
3210 Archives were scanned
4 Warnings
5 Notes

Online Kaspersky scan froze on me at 74% but it showed 9 infections.

#2 Maniac

Member

Group: Members
Posts: 95
Joined: 29-May 08
Gender:Male
Location:Bulgaria

Posted 27 October 2008 - 10:25 AM

Hi!

Scan with MalwareBytes' Anti-Malware:

Quote

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

Make sure you are connected to the Internet.
Double-click on Download_mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
- Update Malwarebytes' Anti-Malware
- Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
- Make sure the "Perform Quick Scan" option is selected.
- Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
Make sure that everything is checked, and click Remove Selected.
When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Then, submit log file ESET SysInspector, to see what the situation.

Quote

Download ESET SysInspector
http://www.eset.com/download/sysinspector.php

- Start program through the SysInspector.exe
The program will collect information about the situation on your machine.
- When "inspector" is ready and log file - generated, select File> Save Log
- Confirm their wish

Choose to save the file somewhere and then upload on http://4storing.com/ (when you open the page, click on the Great Britain flag to open the page in English), then give me the link.

#3 GA_crazy_shamz

Member

Group: Members
Posts: 47
Joined: 26-January 08

Posted 27 October 2008 - 12:29 PM

Malwarebytes' Anti-Malware 1.30
Database version: 1328
Windows 5.1.2600 Service Pack 2

10/27/2008 7:47:27 PM
mbam-log-2008-10-27 (19-47-27).txt

Scan type: Quick Scan
Objects scanned: 68209
Time elapsed: 10 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 19
Registry Values Infected: 5
Registry Data Items Infected: 1
Folders Infected: 2
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\dpvwfz.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{357641e0-8c2c-488c-9df3-158213054863} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{357641e0-8c2c-488c-9df3-158213054863} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c7d95769-f00f-4b50-a2e8-7a71673582eb} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c7d95769-f00f-4b50-a2e8-7a71673582eb} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{357641e0-8c2c-488c-9df3-158213054863} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{13f20e4f-f379-41ea-8f80-ccaae787362a} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{13f20e4f-f379-41ea-8f80-ccaae787362a} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{13f20e4f-f379-41ea-8f80-ccaae787362a} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{13f20e4f-f379-41ea-8f80-ccaae787362a} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\scrfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("C:\Program Files\Internet Explorer\Iexplore.exe" %1) Good: ("%1" /S) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\AntiSpywareMaster (Rogue.AntiSpywareMaster) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\netrax01 (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\dpvwfz.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Documents and Settings\Student\Local Settings\Temporary Internet Files\Content.IE5\678EHWEV\3077ahntdksr[1].dll (Trojan.BHO.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hgGVOeFv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM6b889675.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM6b889675.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Student\Local Settings\Temporary Internet Files\ijjistarter2FxB.exe (Trojan.Agent) -> Quarantined and deleted successfully.

http://4storing.com/xvb1y/e8a8f73e0e183e83...55e2414cbc.html