
Antivirus 09, Trojan.Vundo.H. Please help me remove


  • This topic is locked
11 replies to this topic

#1 Aja.J

Aja.J

  • Members
  • 5 posts
  • OFFLINE
  • Local time:02:07 PM

Posted 21 October 2008 - 06:06 PM

I believe my computer was infected by Windows Antivirus 09.
For several days I was unable to use the internet, open certain programs, or access my start menu. I had millions of pop-ups, and shortcuts to porn on my desktop.
Eventually I was able to download Malwarebytes Anti-Malware, run it, complete the scan and remove all selected items.
I have done 10-12 scans after the first, and it keeps finding "Trojan.Vundo.H" files, sometimes as many as 20.

The problem is still the same. I still get pop-ups, and I can't open many things on my PC, e.g. Device Manager, Add New Hardware; no volume or sound is recognized; if I plug something into one of my USB ports nothing happens; I can't open my firewall, etc.
Another thing is it has deleted all the previous restore points; every day I try to restore, the only restore point is the current day.
I really really need help... I'm a college student in my last year, and my computer has all my needed work on it... please help!!!!

I hope I gave enough information, and thanks in advance for any and all help.

My log is as follows:



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:36:34 PM, on 10/21/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5346.0005)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\snmp.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: 69.253.151.209 idenupdate.motorola.com
O2 - BHO: {76ab562c-7b10-232b-7e44-c7c4f144cdaa} - {aadc441f-4c7c-44e7-b232-01b7c265ba67} - C:\WINDOWS\system32\tvbori.dll
O2 - BHO: (no name) - {bac95c9a-2111-43b5-be6a-b0bdc3fb31e9} - C:\WINDOWS\system32\byXRlIyA.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...oad/tgctlcm.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Safecracker/Images/stg_drm.ocx
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/contr...vex/TmHcmsX.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188080515125
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_a...asyInstallX.CAB
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Safecracker/Images/armhelper.ocx
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/36/install/gtdownde.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: tvbori.dll
O21 - SSODL: XYzLMbHJGFI - {B496C9D8-1E3C-6372-2DD5-4330A3E167BE} - C:\WINDOWS\system32\fi.dll
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll

--
End of file - 6277 bytes
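The HijackThis log above contains the load points a practitioner would look at first: the DLL listed under AppInit_DLLs (O20) is injected into every process that loads user32.dll, the same DLL is also registered as a Browser Helper Object (O2), a ShellServiceObjectDelayLoad entry (O21) with a random-looking name points at another DLL in system32, IE policy restrictions are set (O6), and a non-loopback hosts entry (O1) is present. The script below is an added example, not part of the original post or of HijackThis, and shows how to triage such a log mechanically: it parses the `Oxx - ...` lines, indexes which load points each module is registered under, and flags the combinations above. The sample input is constructed by copying a handful of lines from the log in this thread; the SSODL allow-list and the "BHO in system32" rule are heuristics chosen for this example, not a published signature.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the HijackThis lines from the post above.
SAMPLE_LOG = r"""
O1 - Hosts: 69.253.151.209 idenupdate.motorola.com
O2 - BHO: {76ab562c-7b10-232b-7e44-c7c4f144cdaa} - {aadc441f-4c7c-44e7-b232-01b7c265ba67} - C:\WINDOWS\system32\tvbori.dll
O2 - BHO: (no name) - {bac95c9a-2111-43b5-be6a-b0bdc3fb31e9} - C:\WINDOWS\system32\byXRlIyA.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O20 - AppInit_DLLs: tvbori.dll
O21 - SSODL: XYzLMbHJGFI - {B496C9D8-1E3C-6372-2DD5-4330A3E167BE} - C:\WINDOWS\system32\fi.dll
"""

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
MODULE_RE = re.compile(r"([A-Za-z0-9_~.-]+\.(?:dll|ocx|exe))", re.IGNORECASE)

# Illustrative allow-list of SSODL names seen on a stock Windows XP install (assumption for this example).
KNOWN_SSODL = {"webcheck", "postbootreminder", "cdburn", "systray", "wpdshserviceobj"}
# hosts entries pointing here are blocks, not redirects.
LOCAL_ONLY = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hjt(text):
    """Split a HijackThis log into (section, body) pairs, e.g. ('O20', 'AppInit_DLLs: tvbori.dll')."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def module_name(body):
    """Lower-cased basename of the last module (dll/ocx/exe) mentioned in an entry, or None."""
    hits = MODULE_RE.findall(body)
    return hits[-1].lower() if hits else None


def triage(text):
    """Return a list of (section, reason, line) findings for the suspicious load points."""
    entries = parse_hjt(text)
    # Which load points each module basename appears under; one DLL in two places is a strong signal.
    seen = defaultdict(set)
    for sec, body in entries:
        name = module_name(body)
        if name:
            seen[name].add(sec)

    findings = []
    for sec, body in entries:
        name = module_name(body)
        line = f"{sec} - {body}"
        if sec == "O20" and body.lower().startswith("appinit_dlls:") and name:
            findings.append((sec, "AppInit_DLLs injects this DLL into every process that loads user32.dll", line))
            if "O2" in seen[name]:
                findings.append((sec, f"{name} is also registered as a BHO (two load points for one module)", line))
        elif sec == "O21":
            display = body.split(":", 1)[1].split(" - ")[0].strip().lower()
            if display not in KNOWN_SSODL:
                findings.append((sec, "ShellServiceObjectDelayLoad entry not in the stock XP list", line))
        elif sec == "O2":
            if "(file missing)" in body:
                findings.append((sec, "BHO registration points at a missing file (leftover from cleanup)", line))
            elif name and "\\system32\\" in body.lower():
                findings.append((sec, "BHO loaded from system32 rather than Program Files (heuristic)", line))
        elif sec == "O6" and "restrictions present" in body.lower():
            findings.append((sec, "IE policy restrictions set under HKCU (often used to block security sites and tools)", line))
        elif sec == "O1":
            m = re.match(r"Hosts:\s*(\S+)\s+(\S+)", body)
            if m and m.group(1) not in LOCAL_ONLY:
                findings.append((sec, f"hosts file redirects {m.group(2)} to {m.group(1)}", line))
    return findings


if __name__ == "__main__":
    for sec, reason, line in triage(SAMPLE_LOG):
        print(f"[{sec}] {reason}\n    {line}")
```

Run it on a saved log with `triage(open("hijackthis.log").read())`. The cross-reference in `seen` is the part worth keeping: a DLL named in AppInit_DLLs that is also a BHO is the pattern visible in this log, and a module that shows up under several load points is far more interesting than any single entry on its own. The hosts rule only reports non-loopback mappings for review; the Motorola entry here may be legitimate, so the script does not decide for you.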


#2 dark messenger

dark messenger

  • Members
  • 1,741 posts
  • OFFLINE
  • Gender:Male
  • Location:Auckland NZ
  • Local time:06:07 AM

Posted 22 October 2008 - 05:00 AM

Hello Aja.J, my name's dark messenger, but DM or Brett is fine.

I'm a student also, so I feel your pain :thumbsup:

Please let me have some time to look over your log and post back with some instructions on what to do next. Please do not make any changes to your system at all, that includes running MBAM, or any other program which can delete or move files.

DM :)

Edit: If you want e-mail notifications for my replies to this topic (if you haven't already), click the Options button next to your first post and select Track, and select the appropriate type.

Edited by dark messenger, 22 October 2008 - 05:27 AM.


#3 dark messenger

dark messenger

  • Members
  • 1,741 posts
  • OFFLINE
  • Gender:Male
  • Location:Auckland NZ
  • Local time:06:07 AM

Posted 22 October 2008 - 12:59 PM

Hi Aja.J, you do not currently have any antivirus programs installed. It is essential to have one of these up to date and running at all times.

Please download and install one of these free antivirus programs.

Antivir
Avast Free
Bit Defender

Once installed and updated, please reboot and follow the next set of instructions.

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

DM

#4 Aja.J

Aja.J
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:02:07 PM

Posted 23 October 2008 - 03:08 PM

Hi Brett,
Thanks for taking the time to help me with this nasty problem. Sorry for the long delay in response; my computer wasn't allowing me to access a lot of web pages, so I'm here on my sister's computer.

1st: I have antivirus programs by Trend Micro & Norton. Neither one has been working since the infection. When I try to start it/activate it, my comp shuts down, goes blank, I get an error message, etc.

2nd: I was able to download Avast after several attempts. When I restarted the comp only the background pic shows up. No task bar, nor shortcuts on the desktop. No NOTHING. No start button to get to anything. So I am unable to download ComboFix.

I don't know what to do from here..........

#5 dark messenger

dark messenger

  • Members
  • 1,741 posts
  • OFFLINE
  • Gender:Male
  • Location:Auckland NZ
  • Local time:06:07 AM

Posted 24 October 2008 - 03:48 AM

Hi,

Are you able to download ComboFix from a different computer, and install/run it on the infected machine?

#6 Aja.J

Aja.J
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:02:07 PM

Posted 24 October 2008 - 11:46 AM

I will try and download the program on my sister's computer, and burn it to a CD.
So all I need to do after that is put the CD in the computer before I turn it back on, and it will run itself?

#7 dark messenger

dark messenger

  • Members
  • 1,741 posts
  • OFFLINE
  • Gender:Male
  • Location:Auckland NZ
  • Local time:06:07 AM

Posted 25 October 2008 - 07:36 AM

Yes, put it onto a CD if you want; a USB memory stick/flash drive might be easier.

When you have the CD/flash drive inserted in your computer, just follow the instructions from earlier.

If, when you log in, you don't see the task bar or anything, try:

Ctrl+Alt+Del, then click File, then New Task (Run...) and type in explorer.exe. Doing this should bring back your task bar and everything else. :thumbsup:

DM

#8 Aja.J

Aja.J
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:02:07 PM

Posted 27 October 2008 - 08:21 PM

I got it downloaded onto a CD.

But now when I turn on my computer and I am prompted to enter my password... I type it in, press Enter & it says "loading personal settings", a few seconds go by and it says "saving personal settings" and the little password box goes empty. Now I can't even get past the password prompt screen.
This goes for my name as well as the guest account.

I don't know what to do

#9 dark messenger

dark messenger

  • Members
  • 1,741 posts
  • OFFLINE
  • Gender:Male
  • Location:Auckland NZ
  • Local time:06:07 AM

Posted 28 October 2008 - 11:15 AM

Hi Aja.J,

Can you please hunt for your Windows CD, we might need it.

Once you have found it, please turn on your computer and keep tapping the F8 key until a menu appears. There should be an option to use the Last Known Good Configuration. Select that one and hit Enter. The computer will continue to load up. Once at the login screen, try to log in. If you are successful, put in the CD with ComboFix and follow the previous instructions.

If not,

Insert your Windows XP CD, and restart your computer.

Continuously tap the F2 key until a menu opens up. Go to the boot menu and scroll down to the CD device. Press the + key (not the one on your number pad, though) until the CD/DVD drive is at the top of the list. Press F10 to Exit and Save Changes, and hit Enter on Yes to save the changes.

The computer will restart and boot from your Windows CD. Try logging in now.

DM

#10 Aja.J

Aja.J
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:02:07 PM

Posted 28 October 2008 - 12:02 PM

OK.
I tried to press Ctrl, Alt, Delete and no Task Manager popped up. Nothing popped up.

I tried what you said about putting the CD at the top of the list before you posted this, to no avail.

I previously tried Last Known Good Config, and the same thing happened: I was able to log in with my password, but all I got was the screen saver, no task bar, shortcuts, etc., and after two minutes it went back to the login screen, where I was unable to log on again.

Lastly, I have a Dell computer and Windows came installed on the computer, so I have no Windows CD that came with it.

I'm flustered... maybe you are too. :thumbsup:
But this computer has me beat.

#11 dark messenger

dark messenger

  • Members
  • 1,741 posts
  • OFFLINE
  • Gender:Male
  • Location:Auckland NZ
  • Local time:06:07 AM

Posted 28 October 2008 - 01:04 PM

Hi,

When did you try to do Ctrl+Alt+Del? Because it will only work if you were logged in. If you were able to log in, please try to run Regedit, like I asked in the last post.

If you were not able to log in, please follow the instructions above for changing the boot order, but put the hard drive at the top of the list, and I will do some research into how we can fix this problem. :thumbsup:

#12 Shaba

Shaba

    Koutsi


  • Members
  • 7,872 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:08:07 PM

Posted 06 November 2008 - 02:06 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Microsoft MVP Consumer Security