
removed Trojan:win32/Vundo.hj


#1 foraseeker


Posted 17 October 2008 - 02:20 PM

Hi all,
Newbie here.

I am posting this to help others that have the same problem.

MS says they have only had 550 cases of this, but I have personally seen it 5 times in the last 2 months, so I think it is much bigger.

I will post my ComboFix log at the bottom in case anyone wants to see it.

Not sure how these 2 unrelated laptops got it; the only thing in common was that PC Friendly was also installed. One OS was XP Home, the other Pro.

http://forums.microsoft.com/WindowsOneCare...88&SiteID=2

is the place that got me started, after running

MS Live security 8 times and failing on PC 2 with XP Home:
http://onecare.live.com/site/en-us/center/howsafe.htm

It did work on the first PC on XP Pro, but I had to run it 3 times to immobilize it, and then Windows Defender to finally clean it off.

Follow the instructions on the first link if the MS Live scan fails after a few tries.

It took over 20 hours to get this off.

The state of the first PC on XP Pro was a pop-up saying something about Windows Security 2008 having found an infection. It is bunk, but don't close it; run Task Manager and kill it. The more you reboot the PC, the more infected you get, so don't reboot. Always keep Task Manager up, because in time the Start key and all your desktop icons will go away.

If you're good at command lines you can get back in.
One way I got back in from Task Manager is to start a new task and then put in C:. The OS would complain and the trojan would close windows for me, but Task Manager still seems to stay up ;)


The state of the second PC was much worse: only 30 seconds after going into Windows I would lose my taskbar, Start button, all icons etc., just the desktop. When you get this, here is a trick: before you try to remove the trojan, remove all but one stick of memory. I ran on 256 MB; what this does is slow the trojan and your PC way down.

It will give you more time when you go into Windows to click the IE icon to get internet access to run the above 2 links.

Run each link as fast as you can and bookmark them, because the trojan will shut your windows down.
When that happens, start a new task and put in C: and you will get a window back; then get IE running and you can use the favorites to get back to the task at hand.

Once you think you have it removed, run the Live link above one last time to be sure. Virus scanners AVG 8, Avast, and Norton 2009 did pick it up but were unable to remove it; it just kept coming back.

Sorry for the jumping around, but I wanted to put something out there that can help others.

This thing is tricky and hard to remove. If there is no important data on the PC I would do a fresh install instead of spending hours trying to rid the system of the virus.

For now virus free,
Lance




ComboFix 08-10-15.06 - Miles 2008-10-16 3:44:20.1 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.334 [GMT -7:00]
Running from: C:\ComboFix.exe
Command switches used :: C:\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Miles\My Documents\My Documents.url
C:\resycled
C:\resycled\boot.com
C:\WINDOWS\system32\BISvCcfe.ini
C:\WINDOWS\system32\BISvCcfe.ini2
C:\WINDOWS\system32\components
C:\WINDOWS\system32\DcLlonpo.ini
C:\WINDOWS\system32\DcLlonpo.ini2
C:\WINDOWS\system32\efcDUmnK.dll
C:\WINDOWS\system32\HiiOYcfe.ini
C:\WINDOWS\system32\HiiOYcfe.ini2
C:\WINDOWS\system32\HQtENqss.ini
C:\WINDOWS\system32\HQtENqss.ini2
C:\WINDOWS\system32\jkkIYsPJ.dll
C:\WINDOWS\system32\opnolLcD.dll
C:\WINDOWS\system32\QBbbJkkj.ini
C:\WINDOWS\system32\QBbbJkkj.ini2
C:\WINDOWS\system32\sCJPAJjl.ini
C:\WINDOWS\system32\sCJPAJjl.ini2
C:\WINDOWS\system32\WxyGNXbc.ini
C:\WINDOWS\system32\WxyGNXbc.ini2
C:\WINDOWS\system32\XGNVCcdd.ini
C:\WINDOWS\system32\XGNVCcdd.ini2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2008-09-16 to 2008-10-16 )))))))))))))))))))))))))))))))
.

2008-10-16 03:36 . 2008-10-16 03:36 4,614,888 --a------ C:\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
2008-10-16 03:35 . 2008-10-16 03:35 2,990,669 -ra------ C:\ComboFix.exe
2008-10-16 03:14 . 2008-10-16 03:17 214 --a------ C:\WINDOWS\system32\tmp.reg
2008-10-16 02:31 . 2008-10-16 02:31 <DIR> d-------- C:\Program Files\CCleaner
2008-10-16 02:30 . 2008-10-16 02:30 2,934,168 --a------ C:\ccsetup212.exe
2008-10-16 02:01 . 2008-10-16 02:01 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2008-10-16 02:01 . 2008-10-16 02:05 50,689,960 --a------ C:\avg_free_stf_en_8_173a1373.exe
2008-10-15 16:45 . 2002-08-13 14:25 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-10-15 16:45 . 2002-08-13 14:48 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-10-15 16:45 . 2002-08-13 14:38 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2008-10-15 16:45 . 2008-10-16 02:01 <DIR> d-------- C:\Documents and Settings\Administrator
2008-10-15 10:39 . 2008-10-15 10:39 0 --a------ C:\VDM7.tmp
2008-10-15 02:27 . 2008-10-15 02:27 <DIR> d-------- C:\Program Files\Windows Defender
2008-10-14 19:45 . 2008-10-16 01:36 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-10-03 14:59 . 2004-08-04 00:56 1,888,992 --a--c--- C:\WINDOWS\system32\dllcache\ati3duag.dll
2008-10-03 14:59 . 2004-08-04 00:56 1,888,992 --a------ C:\WINDOWS\system32\ati3duag.dll
2008-10-03 14:59 . 2004-08-03 22:29 701,440 --a------ C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-10-03 14:59 . 2004-08-03 22:29 701,440 --a--c--- C:\WINDOWS\system32\dllcache\ati2mtag.sys
2008-10-03 14:58 . 2008-10-03 14:58 10 --a------ C:\WINDOWS\WININIT.INI
2008-10-03 12:39 . 2008-10-03 12:39 181 --a------ C:\43566574.bat
2008-10-03 12:38 . 2008-10-03 12:39 112 --a------ C:\tmp2.reg

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-15 17:49 --------- d-----w C:\Program Files\Common Files\Adobe
2008-10-15 17:41 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-10-15 17:38 --------- d-----w C:\Program Files\Common Files\aolshare
2008-10-15 17:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-10-15 17:37 --------- d-----w C:\Program Files\Lavasoft
2008-10-15 04:39 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-10-11 19:46 --------- d-----w C:\Program Files\America Online 7.0a
2008-10-03 22:53 --------- d-----w C:\Program Files\Common Files\SupportSoft
2008-09-17 17:14 --------- d-----w C:\Program Files\America Online 7.0
2008-08-28 10:04 333,056 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2007-08-10 00:16 10 ----a-w C:\Documents and Settings\Miles\d.bat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
--a------ 2002-03-29 14:40 122880 C:\Program Files\Apoint2K\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CeEKEY]
--a------ 2002-08-22 20:21 372736 C:\Program Files\Toshiba\E-KEY\CeEKey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]
--a------ 2002-05-30 17:23 163840 C:\Program Files\ltmoh\ltmoh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPNF]
--a------ 2002-07-25 14:08 45056 C:\Program Files\Toshiba\TouchPad\TPTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TSysSMon]
--a------ 2002-04-05 14:44 49152 c:\Toshiba\SysStability\TSysSMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-03 19:20 866584 C:\Program Files\Windows Defender\MSASCui.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\America Online 7.0a\\waol.exe"=

R2 Dynex DX-WGNBC WLService;Dynex DX-WGNBC Service;C:\Program Files\Dynex Wireless G Adapter\WLService.exe [2004-03-29 49152]
S3 ATWPKT;ATWPKT;C:\WINDOWS\system32\Drivers\ATWPKT.SYS [2002-03-20 19140]
S3 Lexar2K_JumpShotService;Lexar2K_JumpShotService;C:\WINDOWS\system32\DRIVERS\LEXAR2K.sys [ ]
S3 LEXARUSB;LexarUsb.sys JumpShot Driver;C:\WINDOWS\system32\drivers\lexarusb.sys [1999-11-28 18180]
S3 VVBETHERNET;Actiontec USB Ethernet Home DSL;C:\WINDOWS\system32\DRIVERS\vvbEth.sys [2001-11-09 34560]
S3 vvbususb;Virata USB VvBus driver;C:\WINDOWS\system32\drivers\vvbususb.sys [2001-11-12 50236]
S3 WPC11;Instant Wireless Network PC Card V3.0 Driver;C:\WINDOWS\system32\DRIVERS\LSWLNDS.sys [2002-05-16 54083]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{875aa098-9bfa-11dc-b20c-00038a000015}]
\Shell\AutoRun\command - E:\LapNetWizard.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{efb2a30e-6633-11da-b17d-00038a000015}]
\Shell\AutoRun\command - E:\LapNetWizard.exe
.
Contents of the 'Scheduled Tasks' folder

2008-10-16 C:\WINDOWS\Tasks\MP Scheduled Scan.job
- C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
- - - - ORPHANS REMOVED - - - -

BHO-{022793BA-B390-48B7-849D-BAF7021E4B46} - (no file)
BHO-{0A43AB64-3AB7-46C5-9FF5-5F718367B9E3} - C:\WINDOWS\system32\jkkIYsPJ.dll
BHO-{6EBD638E-2AAB-4E75-AD2E-9136B1B94871} - C:\WINDOWS\system32\opnolLcD.dll
BHO-{DE341077-7B2D-495F-A341-32BDAF76783B} - (no file)
ShellExecuteHooks-{0A43AB64-3AB7-46C5-9FF5-5F718367B9E3} - C:\WINDOWS\system32\jkkIYsPJ.dll
MSConfigStartUp-CeEPOWER - C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
MSConfigStartUp-ATIModeChange - Ati2mdxx.exe
MSConfigStartUp-AtiPTA - atiptaxx.exe


.
------- Supplementary Scan -------
.

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-16 03:55:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Dynex Wireless G Adapter\WLanCfgG.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-10-16 4:01:01 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-16 11:00:56

Pre-Run: 6,551,158,784 bytes free
Post-Run: 6,523,265,024 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

157 --- E O F --- 2008-10-15 10:17:18

Edited by foraseeker, 17 October 2008 - 02:30 PM.
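As an added example (not part of the original post, and not ComboFix's own code), the script below triages a few lines copied from the log above: it flags the eight-letter mixed-case file names under system32, matches .ini/.ini2 companions whose name is a flagged DLL name spelled backwards (DcLlonpo.ini versus opnolLcD.dll in this log), and lists which BHO/ShellExecuteHooks entries load each flagged DLL. The naming heuristic is an assumption drawn only from what this log shows, not a vendor signature.

```python
import re
from collections import defaultdict

# Constructed excerpt: a handful of lines copied from the ComboFix log posted
# above ("Other Deletions" and "ORPHANS REMOVED" sections), not the full log.
COMBOFIX_EXCERPT = r"""
C:\Documents and Settings\Miles\My Documents\My Documents.url
C:\resycled\boot.com
C:\WINDOWS\system32\DcLlonpo.ini
C:\WINDOWS\system32\DcLlonpo.ini2
C:\WINDOWS\system32\efcDUmnK.dll
C:\WINDOWS\system32\jkkIYsPJ.dll
C:\WINDOWS\system32\opnolLcD.dll
C:\WINDOWS\system32\QBbbJkkj.ini
C:\WINDOWS\system32\wscntfy.exe
BHO-{0A43AB64-3AB7-46C5-9FF5-5F718367B9E3} - C:\WINDOWS\system32\jkkIYsPJ.dll
ShellExecuteHooks-{0A43AB64-3AB7-46C5-9FF5-5F718367B9E3} - C:\WINDOWS\system32\jkkIYsPJ.dll
"""

# Assumed heuristic from this log: a system32 file whose stem is exactly eight
# letters, mixed case, no digits. Legitimate names such as wscntfy.exe or
# kernel32.dll do not match.
SYS32_FILE = re.compile(r"system32\\([A-Za-z]{8})\.(dll|ini2?)\b")
LOAD_POINT = re.compile(r"^(BHO|ShellExecuteHooks)-(\{[0-9A-F-]+\})\s+-\s+(.*)$", re.M)


def is_random_stem(stem: str) -> bool:
    """Letters only, and neither all-lowercase nor all-uppercase."""
    return stem.isalpha() and stem != stem.lower() and stem != stem.upper()


def triage(log_text: str) -> dict:
    """Return suspect DLL stems, reversed-name .ini companions, and load points."""
    stems = defaultdict(set)  # extension -> set of flagged stems
    for stem, ext in SYS32_FILE.findall(log_text):
        if is_random_stem(stem):
            stems[ext].add(stem)
    dlls = sorted(stems["dll"])
    # A .ini/.ini2 whose name reversed is a flagged DLL name is its companion
    ini_pairs = sorted((ini, ini[::-1]) for ini in stems["ini"] | stems["ini2"]
                       if ini[::-1] in stems["dll"])
    load_points = defaultdict(list)
    for kind, clsid, path in LOAD_POINT.findall(log_text):
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if stem in stems["dll"]:
            load_points[stem].append(f"{kind}-{clsid}")
    return {"suspect_dlls": dlls, "ini_pairs": ini_pairs, "load_points": dict(load_points)}
```

Running `triage(COMBOFIX_EXCERPT)` pairs DcLlonpo.ini with opnolLcD.dll and shows jkkIYsPJ.dll registered both as a BHO and as a ShellExecuteHook, which is why the log's "ORPHANS REMOVED" section matters as much as the file deletions.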


#2 miekiemoes


Posted 31 October 2008 - 08:33 AM

Hi,

Not sure if you still need help or not, because your post is a bit confusing. There are still some malware-related leftovers present here, but since this thread is almost 2 weeks old, it may be a good idea to post new/updated logs in your next reply.

#3 miekiemoes


Posted 07 November 2008 - 02:15 PM

Since there is no feedback anymore, I assume this issue is resolved ... so, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.