Oct 27 2008, 10:21 AM, Post #1
Member. Group: Members, Posts: 38, Joined: 26-January 08, Member No.: 186,299
Trend Micro keeps telling me that my computer is infected by Mal_Vundo-5. I have a free antivirus on my computer (Avira AntiVir Personal) which I used a few weeks ago and it deleted 200-300 viruses. I scanned it today and here are the results:

Avira AntiVir Personal
Report file date: Monday, October 27, 2008 14:51
Scanning for 1707541 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Boot mode: Normally booted
Username: Aziz
Computer name: MUBSTU398

Version information:
BUILD.DAT : 8.2.0.334 16933 Bytes 16/10/2008 14:55:00
AVSCAN.EXE : 8.1.4.7 315649 Bytes 26/06/2008 07:57:53
AVSCAN.DLL : 8.1.4.0 40705 Bytes 26/05/2008 06:56:40
LUKE.DLL : 8.1.4.5 164097 Bytes 12/06/2008 11:44:19
LUKERES.DLL : 8.1.4.0 12033 Bytes 26/05/2008 06:58:52
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 18/07/2007 09:33:34
ANTIVIR1.VDF : 7.0.5.1 8182784 Bytes 24/06/2008 12:54:15
ANTIVIR2.VDF : 7.0.7.59 4366336 Bytes 19/10/2008 22:22:13
ANTIVIR3.VDF : 7.0.7.92 192000 Bytes 25/10/2008 15:34:20
Engineversion : 8.2.0.9
AEVDF.DLL : 8.1.0.6 102772 Bytes 16/10/2008 07:05:54
AESCRIPT.DLL : 8.1.1.9 319867 Bytes 17/10/2008 22:23:17
AESCN.DLL : 8.1.1.3 123252 Bytes 16/10/2008 07:05:42
AERDL.DLL : 8.1.1.2 438644 Bytes 16/10/2008 07:05:39
AEPACK.DLL : 8.1.2.4 369014 Bytes 16/10/2008 07:05:36
AEOFFICE.DLL : 8.1.0.29 196988 Bytes 24/10/2008 07:28:07
AEHEUR.DLL : 8.1.0.63 1479032 Bytes 24/10/2008 07:28:05
AEHELP.DLL : 8.1.1.2 115062 Bytes 16/10/2008 07:05:20
AEGEN.DLL : 8.1.0.42 319861 Bytes 25/10/2008 07:28:12
AEEMU.DLL : 8.1.0.9 393588 Bytes 16/10/2008 07:05:16
AECORE.DLL : 8.1.2.8 172406 Bytes 25/10/2008 07:27:58
AEBB.DLL : 8.1.0.3 53618 Bytes 16/10/2008 07:05:10
AVWINLL.DLL : 1.0.0.12 15105 Bytes 09/07/2008 07:40:05
AVPREF.DLL : 8.0.2.0 38657 Bytes 16/05/2008 08:28:01
AVREP.DLL : 8.0.0.2 98344 Bytes 16/10/2008 07:05:09
AVREG.DLL : 8.0.0.1 33537 Bytes 09/05/2008 10:26:40
AVARKT.DLL : 1.0.0.23 307457 Bytes 12/02/2008 07:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 12/06/2008 11:27:49
SQLITE3.DLL : 3.3.17.1 339968 Bytes 22/01/2008 16:28:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 12/06/2008 11:49:40
NETNT.DLL : 8.0.0.1 7937 Bytes 25/01/2008 11:05:10
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 12/06/2008 12:48:07
RCTEXT.DLL : 8.0.52.0 86273 Bytes 27/06/2008 12:34:37

Configuration settings for the scan:
Jobname..........................: Manual Selection
Configuration file...............: C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\PROFILES\folder.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:, D:, E:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Monday, October 27, 2008 14:51

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'msn_sl.exe' - '1' Module(s) have been scanned
Scan process 'WLLoginProxy.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'POWERPNT.EXE' - '1' Module(s) have been scanned
Scan process 'TosBtProc.exe' - '1' Module(s) have been scanned
Scan process 'TosOBEX.exe' - '1' Module(s) have been scanned
Scan process 'WISPTIS.EXE' - '1' Module(s) have been scanned
Scan process 'Dot1XCfg.exe' - '1' Module(s) have been scanned
Scan process 'TosBtHSP.exe' - '1' Module(s) have been scanned
Scan process 'TosBtHid.exe' - '1' Module(s) have been scanned
Scan process 'TosA2dp.exe' - '1' Module(s) have been scanned
Scan process 'qlock.exe' - '1' Module(s) have been scanned
Scan process 'GPopAccount.exe' - '1' Module(s) have been scanned
Scan process 'DLG.exe' - '1' Module(s) have been scanned
Scan process 'TosBtMng.exe' - '1' Module(s) have been scanned
Scan process 'acrotray.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'msnmsgr.exe' - '1' Module(s) have been scanned
Scan process 'netwaiting.exe' - '1' Module(s) have been scanned
Scan process 'cac.exe' - '1' Module(s) have been scanned
Scan process 'VCDDaemon.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'PccNTMon.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'iFrmewrk.exe' - '1' Module(s) have been scanned
Scan process 'ZCfgSvc.exe' - '1' Module(s) have been scanned
Scan process 'ApntEx.exe' - '1' Module(s) have been scanned
Scan process 'hidfind.exe' - '1' Module(s) have been scanned
Scan process 'issch.exe' - '1' Module(s) have been scanned
Scan process 'DLACTRLW.EXE' - '1' Module(s) have been scanned
Scan process 'quickset.exe' - '1' Module(s) have been scanned
Scan process 'WLTRAY.EXE' - '1' Module(s) have been scanned
Scan process 'DVDLauncher.exe' - '1' Module(s) have been scanned
Scan process 'stsystra.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'igfxpers.exe' - '1' Module(s) have been scanned
Scan process 'igfxsrvc.exe' - '1' Module(s) have been scanned
Scan process 'hkcmd.exe' - '1' Module(s) have been scanned
Scan process 'Apoint.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'usnsvc.exe' - '1' Module(s) have been scanned
Scan process 'CNTAoSMgr.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'TmPfw.exe' - '1' Module(s) have been scanned
Scan process 'PLCFEE.EXE' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'TmListen.exe' - '1' Module(s) have been scanned
Scan process 'BCMWLTRY.EXE' - '1' Module(s) have been scanned
Scan process 'WLTRYSVC.EXE' - '1' Module(s) have been scanned
Scan process 'RegSrvc.exe' - '1' Module(s) have been scanned
Scan process 'NTRtScan.exe' - '1' Module(s) have been scanned
Scan process 'NicConfigSvc.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'aawservice.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'WLKEEPER.exe' - '1' Module(s) have been scanned
Scan process 'S24EvMon.exe' - '1' Module(s) have been scanned
Scan process 'EvtEng.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
72 processes with 72 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '78' files ).

Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\Student\Local Settings\Temporary Internet Files\Content.IE5\NP0BPXI9\swflash[1].cab
[0] Archive type: CAB (Microsoft)
--> FP_AX_CAB_INSTALLER.exe
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\WINDOWS\system32\dpvwfz.dll
[WARNING] The file could not be opened!
C:\WINDOWS\system32\TmEncryptTemp.001
[0] Archive type: HIDDEN
--> FIL\\\?\C:\WINDOWS\system32\TmEncryptTemp.001
[DETECTION] Is the TR/Agent.agru Trojan
[NOTE] The file was deleted!
C:\WINDOWS\system32\TmEncryptTemp.002
[0] Archive type: HIDDEN
--> FIL\\\?\C:\WINDOWS\system32\TmEncryptTemp.002
[DETECTION] Is the TR/Agent.agru Trojan
[NOTE] The file was deleted!
C:\WINDOWS\system32\TmEncryptTemp.003
[0] Archive type: HIDDEN
--> FIL\\\?\C:\WINDOWS\system32\TmEncryptTemp.003
[DETECTION] Is the TR/Agent.agru Trojan
[NOTE] The file was deleted!
C:\WINDOWS\system32\TmEncryptTemp.004
[0] Archive type: HIDDEN
--> FIL\\\?\C:\WINDOWS\system32\TmEncryptTemp.004
[DETECTION] Is the TR/Agent.agru Trojan
[NOTE] The file was deleted!
C:\WINDOWS\system32\TmEncryptTemp.005
[0] Archive type: HIDDEN
--> FIL\\\?\C:\WINDOWS\system32\TmEncryptTemp.005
[DETECTION] Is the TR/Agent.agru Trojan
[NOTE] The file was deleted!
Begin scan in 'D:\' <VAVOLUME4REVISION>
Begin scan in 'E:\' <Bear>

End of the scan: Monday, October 27, 2008 15:36
Used time: 45:20 Minute(s)

The scan has been done completely.
6929 Scanning directories
216910 Files were scanned
5 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
5 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
3 Files cannot be scanned
216902 Files not concerned
3210 Archives were scanned
4 Warnings
5 Notes

Online Kaspersky scan froze on me at 74% but it showed 9 infections.

Oct 27 2008, 10:25 AM, Post #2
Member. Group: Members, Posts: 95, Joined: 29-May 08, From: Bulgaria, Member No.: 212,645
Hi!
Scan with MalwareBytes' Anti-Malware:
QUOTE
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

Then, submit an ESET SysInspector log file, to see what the situation is.
QUOTE
Download ESET SysInspector
http://www.eset.com/download/sysinspector.php
- Start the program through SysInspector.exe. The program will collect information about the situation on your machine.
- When the "inspector" is ready and the log file is generated, select File > Save Log.
- Confirm your wish.
- Choose to save the file somewhere and then upload it on http://4storing.com/ (when you open the page, click on the Great Britain flag to open the page in English), then give me the link.

Oct 27 2008, 12:29 PM, Post #3
Member. Group: Members, Posts: 38, Joined: 26-January 08, Member No.: 186,299
Malwarebytes' Anti-Malware 1.30
Database version: 1328
Windows 5.1.2600 Service Pack 2

10/27/2008 7:47:27 PM
mbam-log-2008-10-27 (19-47-27).txt

Scan type: Quick Scan
Objects scanned: 68209
Time elapsed: 10 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 19
Registry Values Infected: 5
Registry Data Items Infected: 1
Folders Infected: 2
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\dpvwfz.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{357641e0-8c2c-488c-9df3-158213054863} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{357641e0-8c2c-488c-9df3-158213054863} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c7d95769-f00f-4b50-a2e8-7a71673582eb} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c7d95769-f00f-4b50-a2e8-7a71673582eb} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{357641e0-8c2c-488c-9df3-158213054863} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{13f20e4f-f379-41ea-8f80-ccaae787362a} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{13f20e4f-f379-41ea-8f80-ccaae787362a} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{13f20e4f-f379-41ea-8f80-ccaae787362a} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{13f20e4f-f379-41ea-8f80-ccaae787362a} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\scrfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("C:\Program Files\Internet Explorer\Iexplore.exe" %1) Good: ("%1" /S) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\AntiSpywareMaster (Rogue.AntiSpywareMaster) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\netrax01 (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\dpvwfz.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Documents and Settings\Student\Local Settings\Temporary Internet Files\Content.IE5\678EHWEV\3077ahntdksr[1].dll (Trojan.BHO.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hgGVOeFv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM6b889675.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM6b889675.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Student\Local Settings\Temporary Internet Files\ijjistarter2FxB.exe (Trojan.Agent) -> Quarantined and deleted successfully.

http://4storing.com/xvb1y/e8a8f73e0e183e83...55e2414cbc.html

Oct 31 2008, 12:36 PM, Post #4
Member. Group: Members, Posts: 38, Joined: 26-January 08, Member No.: 186,299
So what is the verdict?
Is my laptop clean?