Trojan Vundo, Trojan32.conhook.d And Who Knows What Else.


12 replies to this topic

#1 mallie


Posted 01 October 2008 - 12:31 PM

Hi guys, I know you all are really busy, so I thank you in advance for helping me.

I am infected with 2 trojans that I know of, maybe more. Trojan Vundo, which Norton said it got and removed (not sure if it's gone), and Trojan32.Conhook.D, which Windows Defender said it got and removed twice. Once on September 30th and once today, October 1.

I am posting here first, because I am really not sure what to do next. I am not totally computer illiterate, but some things I may need help with. Here is my scenario; will make it as short as I can.

Sept 28 was surfing, hit a website, cannot tell you what it was, and my Norton IS went nuts. I had a feeling then I was in trouble. Then the pop-ups started.

I am running or ran WinXP Pro, SP2 (SP2 came on the comp), Adware 2008 V7.1.02, BitDefender online scanner, Windows Defender (current update), I have Norton 2008 Internet Security, I run Firefox as my main browser (I avoid IE as much as possible) and firewall is included with Norton, ran Fixvundo.exe from Symantec (which indicated the machine was not infected with?????).

From the Welcome Guide on the forum I tried to use the things listed to help with this. I have logs, some I am not sure where the heck some are located. My question first, before I do anything else, is will the McAfee Avert Stinger mess with my Norton and is Spybot necessary with the other programs I have already scanned with? They are the only 2 things I have not done yet other than DL Hijackthis, which I don't want to do until last.

Please be patient with me, I have a headache the size of Texas, my patience with this trojan is running low, and I am frustrated after 2 days of scanning, rebooting, downloading this program, that program. Getting to the point that I am not sure what the heck I even did anymore. I am afraid to update anything because I am not sure if it is legit or the trojans messing with me. Every time I think I got these things, they are back, and trying to work around these pop-ups isn't bloody easy.

Please advise on the McAfee and Spybot and what to do next.
thanks
mallie



#2 boopme


Posted 01 October 2008 - 01:06 PM

Welcome. Let's first see a log from MBAM.

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

#3 mallie


Posted 01 October 2008 - 01:16 PM

OK, I can do that. I also have the log from BitDefender; let me know if you would like that one also. Rebooting now.....

Edited by mallie, 01 October 2008 - 01:32 PM.


#4 boopme


Posted 01 October 2008 - 01:32 PM

Yes, post it here.

#5 mallie


Posted 01 October 2008 - 01:39 PM

OK boopme, here is the Malwarebytes log. I did reboot!

Malwarebytes' Anti-Malware 1.28
Database version: 1225
Windows 5.1.2600 Service Pack 2

10/1/2008 2:29:50 PM
mbam-log-2008-10-01 (14-29-50).txt

Scan type: Quick Scan
Objects scanned: 49496
Time elapsed: 4 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 6
Registry Keys Infected: 15
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 20

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\awttrrst.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\jfhxdxam.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\tvstop.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\fhgpvj.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\vtUmMEXP.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\qmcmdhwr.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{453f51e8-fef5-4c54-b136-944bf434360c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\vtummexp (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{453f51e8-fef5-4c54-b136-944bf434360c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8d4b9547-e8b3-4991-9f7d-7adaa0ed0d76} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{8d4b9547-e8b3-4991-9f7d-7adaa0ed0d76} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b643ab72-2796-4d80-bd3f-7fc7cf580fe7} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b643ab72-2796-4d80-bd3f-7fc7cf580fe7} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4483add3 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{453f51e8-fef5-4c54-b136-944bf434360c} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bm47b09e4f (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\awttrrst -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\awttrrst -> Delete on reboot.

Folders Infected:
C:\WINDOWS\system32\b02FdUe (Malware.Folder) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\vtUmMEXP.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\awttrrst.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\tsrrttwa.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tsrrttwa.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tvstop.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\hniyrhyr.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ryhryinh.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jfhxdxam.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\maxdxhfj.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fhgpvj.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\qmcmdhwr.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\vapeardi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\lam\Local Settings\Temporary Internet Files\Content.IE5\ATUNA1IJ\nd82m0[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\lam\Local Settings\Temporary Internet Files\Content.IE5\Z56HHSV9\upd105320[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dgqsnfqr.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM47b09e4f.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM47b09e4f.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\retadpu2000219.exe (Trojan.Agent) -> Quarantined and deleted successfully.

I got an error on reboot: Error Loading C: Windows\System32\dgqsnfqr.dll. The specified module could not be found.

Edited by mallie, 01 October 2008 - 01:46 PM.


#6 boopme


Posted 01 October 2008 - 01:55 PM

OK, we can fix that error shortly.
Please rerun the scanner and post a new log.

#7 mallie


Posted 01 October 2008 - 01:57 PM

Was already doing that before ya asked. I have been seeing scans in my sleep!!!! :thumbsup:

Malwarebytes' Anti-Malware 1.28
Database version: 1225
Windows 5.1.2600 Service Pack 2

10/1/2008 2:56:07 PM
mbam-log-2008-10-01 (14-56-07).txt

Scan type: Quick Scan
Objects scanned: 48955
Time elapsed: 4 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

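As an added example (not code from this thread, from Malwarebytes, or from the helpers here), a Python parser for the log format posted in replies #5 and #7: it separates the summary counts from the per-section entries, lists what MBAM could only mark "Delete on reboot", picks out the registry load points, and looks up the DLL named in the boot error from reply #5. The sample log is a constructed excerpt of the one in reply #5, and the regular expressions are assumptions about the layout shown in these two logs, not a documented format.

```python
import re
from collections import defaultdict

# Constructed excerpt of the MBAM log posted in reply #5 above (blank lines dropped).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.28
Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 1
Registry Values Infected: 1
Files Infected: 3
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\system32\awttrrst.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\fhgpvj.dll (Trojan.Vundo) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\vtummexp (Trojan.Vundo.H) -> Delete on reboot.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bm47b09e4f (Trojan.Agent) -> Delete on reboot.
Files Infected:
C:\WINDOWS\system32\awttrrst.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\tsrrttwa.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dgqsnfqr.dll (Trojan.Agent) -> Delete on reboot.
"""

COUNT_RE = re.compile(r"^(.+ Infected): (\d+)$")          # summary line: "Files Infected: 20"
SECTION_RE = re.compile(r"^(.+ Infected):$")               # section header: "Files Infected:"
ENTRY_RE = re.compile(r"^(.+?) \(([^()]+)\) -> (.+?)\.?$")  # "<item> (<family>) -> <action>."
# Load points seen in the log; one that survives after its DLL is gone yields the boot error in reply #5.
AUTOSTART = ("\\Winlogon\\Notify\\", "\\CurrentVersion\\Run\\", "\\Browser Helper Objects\\",
             "\\ShellExecuteHooks\\", "\\LSA\\Notification Packages", "\\LSA\\Authentication Packages")

def parse_mbam_log(text):
    """Return (counts, entries): summary counts and {section: [(item, family, action)]}."""
    counts, entries, section = {}, defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "(No malicious items detected)":
            continue
        if m := COUNT_RE.match(line):
            counts[m.group(1)] = int(m.group(2))
        elif m := SECTION_RE.match(line):
            section = m.group(1)
        elif section and (m := ENTRY_RE.match(line)):
            entries[section].append((m.group(1), m.group(2), m.group(3)))
    return counts, dict(entries)

def pending_reboot_items(entries):
    """Items MBAM could only schedule for removal; they persist until a normal reboot."""
    return sorted({i for sec in entries.values() for i, _, act in sec if act.startswith("Delete on reboot")})

def autostart_points(entries):
    """Registry entries that are load points for the detected DLLs."""
    return [i for sec, items in entries.items() if sec.startswith("Registry")
            for i, _, _ in items if any(marker in i for marker in AUTOSTART)]

def explain_boot_error(entries, dll_name):
    """Log entries naming the DLL from an 'Error Loading ... <dll>' message (reply #5)."""
    return [(sec, i, act) for sec, items in entries.items()
            for i, _, act in items if i.lower().endswith("\\" + dll_name.lower())]

def clean_scan(counts):
    """True when every summary count is zero, as in the follow-up log in reply #7."""
    return bool(counts) and all(v == 0 for v in counts.values())
```

Running `explain_boot_error(entries, "dgqsnfqr.dll")` on the full log from reply #5 returns the "Delete on reboot" file entry, which is why a load point can still name a DLL that no longer exists on the first boot after the scan.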
#8 quietman7


Posted 01 October 2008 - 02:00 PM

How is your computer running now? Any more reports/signs of infection?
Are you still getting the boot up error for "specified module could not be found"?

#9 mallie


Posted 01 October 2008 - 02:05 PM

I have not done any "surfing" yet to see if I get any pop-ups but I will do that and let you know before this thread gets "closed"......Let me do another reboot and see if it comes up again, brb with the info!

#10 mallie


Posted 01 October 2008 - 02:39 PM

Rebooted and did not get that Windows error this time? Weird. Did a little "surfing" and FF seems to not be acting so weird, and so far I did not get any pop-ups.

I will keep Malwarebytes on my machine and run that along with Adware 2008 and Windows Defender. I have scanned and downloaded so much stuff in the last 2 days, my head is spinning. Hopefully Malwarebytes was free and I can use it in the future. Funny how that and BitDefender seemed so far to catch this when Norton did not. Even Norton's "fix" to it didn't work. They also wanted $100 dollars to clean my machine. :flowers: Even BitDefender caught more than Norton. Might be my next purchase when this license is over. :thumbsup:

Thanks everyone for all the help. I hope this thing does NOT come back...........


#11 quietman7


Posted 01 October 2008 - 02:42 PM

You're welcome on behalf of the Bleeping Computer community.

If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

Tips to protect yourself against malware and reduce the potential for re-infection:
• "Simple and easy ways to keep your computer safe".
• "How did I get infected?, With steps so it does not happen again!".
• "Hardening Windows Security - Part 1 & Part 2".
• "IE Recommended Minimal Security Settings" - "How to Secure Your Web Browser".

• Avoid gaming sites, underground web pages, pirated software sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

#12 mallie


Posted 01 October 2008 - 03:05 PM

Done! Thank you again. I never would have done that part. :trumpet: Will keep my login name and come here periodically to see what is going on and read the info posted here. I should have come here 2 days ago instead of beating myself up (glad I didn't pay Norton :flowers: )......Hopefully I won't need help with any of these nasty cooties again. Had computers (several) for years and never had trouble till now.

I just wish that the people who do this to other people's computers would put all that energy into something productive, like finding a cure for cancer. The world would be better off!

Thanks again! I hope we got it!
:thumbsup:

#13 quietman7


Posted 02 October 2008 - 07:08 AM

You're welcome.
Safe surfing and have a malware free day.



