Need Help With Vundo Trojan Removal

17 replies to this topic

#1 gedlar


  • Members
  • 9 posts
  • Local time:05:14 AM

Posted 02 January 2009 - 01:57 PM

I use AVG virus scanner, and it detects VUNDO.CO and VUNDO.CM (and other variations of it) on the file svchost.exe, but it could not remove it. I used VundoFix, and it didn't find anything. I used VirtumundoBegone in safe mode, and it didn't find anything. I ran my AVG virus scanner again, and it still detects the trojan.

The only symptoms I see are that my computer is noticeably slower, and it tries to run a .dll file at startup (something along the lines of C:\windows\system32\(blah).dll ).

Here is the DDS.txt

DDS (Version 1.1.0) - NTFSx86
Run by Hark at 13:33:43.37 on Fri 01/02/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1024.548 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Documents and Settings\Hark\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.yahoo.com
uSearch Bar = hxxp://www.yahoo.com/search/ie.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?p=%s
uURLSearchHooks: H - No File
mWinlogon: System=csxjq.exe
BHO: Yahoo! Companion BHO: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\ycomp5_3_16_0.dll
BHO: {08BEC6AA-49FC-4379-3587-4B21E286C19E} - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {74adcf84-cbc4-6cc8-01d4-8211d480a0a8}: {8a0a084d-1128-4d10-8cc6-4cbc48fcda47} - c:\windows\system32\bypyaf.dll
BHO: {c7fe25bb-f635-4eb2-8145-16afefed346d} - c:\windows\system32\awtsSifc.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\ycomp5_3_16_0.dll
TB: {08BEC6AA-49FC-4379-3587-4B21E286C19E} - No File
TB: AIM Search: {40d41a8b-d79b-43d7-99a7-9ee0f344c385} - c:\program files\aim toolbar\updates\AIMBar.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [AIM] c:\program files\aim\aim.exe -cnetwait.odl
uRun: [UnSpyPC] "c:\program files\unspypc\UnSpyPC.exe"
uRun: [Windows installer]
uRun: [TRPT] srbho.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe"
uRun: [EA Core] c:\program files\electronic arts\eadm\Core.exe -silent
mRun: [SMSERIAL] sm56hlpr.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [PinnacleDriverCheck] c:\windows\system32\PSDrvCheck.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Smapp] c:\program files\analog devices\soundmax\SMTray.exe
mRun: [DiscWizardMonitor.exe] c:\program files\seagate\discwizard\DiscWizardMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\seagate\discwizard\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\seagate\schedule2\schedhlp.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [DAEMON Tools] "c:\program files\daemon tools\daemon.exe" -lang 1033
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [98c11038] rundll32.exe "c:\windows\system32\bbalnbnl.dll",b
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
dRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
StartupFolder: c:\docume~1\hark\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\documents and settings\hark\start menu\programs\startup\PowerReg Scheduler V3.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
uPolicies-explorer: NoBandCustomize = 1 (0x1)
uPolicies-explorer: ForceActiveDesktopOn = 1 (0x1)
uPolicies-system: Wallpaper = c:\windows\desktop.html
IE: &AIM Search - c:\program files\aim toolbar\AIMBar.dll/aimsearch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
TCP: {0E38416D-F24F-47EC-9DD6-D92250860A85} =,
TCP: {3444DC20-B00D-4552-8FF7-B8D8553E6B0C} =,
TCP: {420F844D-7F12-45B5-8DB5-7B2C6B843F9B} =,
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: WRNotifier - WRLogonNTF.dll
AppInit_DLLs: bypyaf.dll,avgrsstx.dll
SEH: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - No File
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll
LSA: Authentication Packages = msv1_0 relog_ap c:\windows\system32\awtsSifc

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hark\applic~1\mozilla\firefox\profiles\zizp6cho.default\
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\ign\download manager\npfpdlm.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-19 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-12-19 26824]
R2 asurscsi;asurscsi;c:\docume~1\hark\locals~1\temp\MSIC.tmp [2007-9-26 142336]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-12-19 231704]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\ViewpointService.exe" [2007-10-5 24652]
S1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys []
S2 mple7docserver;Maya 7 PLE Documentation Server;"f:\maya 7.0\docs\wrapper.exe" -s "f:\maya 7.0\docs\Wrapper.conf" []
S3 gsplittm;gsplittm;\??\c:\docume~1\hark\locals~1\temp\gsplittm.sys []
S3 pfusb;pfusb;c:\windows\system32\drivers\pfusb.sys [2005-5-19 12272]
S3 WMP11V27;Instant Wireless PCI Card V2.7 Driver;c:\windows\system32\drivers\WMP11V27.sys [2004-6-11 171776]

=============== Created Last 30 ================

==================== Find3M ====================

2007-09-27 04:09 604 a---h--- c:\program files\STLL Notifier
2006-01-19 23:40 2,140,801 a------- c:\docume~1\hark\applic~1\Install.dat
2004-06-28 01:39 22,944 ac------ c:\docume~1\hark\applic~1\GDIPFONTCACHEV1.DAT
2004-06-12 14:37 808 ac------ c:\program files\INSTALL.LOG
2002-12-11 19:27 73,728 a--sh--- c:\windows\registeredpackages\{dd90d410-1823-43eb-9a16-a2331bf08799}$backup$\system\wmplayer.exe

============= FINISH: 13:34:27.32 ===============

Attached Files

Edited by gedlar, 02 January 2009 - 02:03 PM.
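Added example (not part of the original post, and not code from the DDS tool or BleepingComputer): a small Python triage script that applies, to a constructed sample modelled on the Pseudo HJT section of the log above, the checks a helper makes by eye when reading such a report. It flags the non-empty Winlogon "System" value, the Run entry named with random hex, randomly named files loaded from system32 or referenced with no path at all, and an LSA authentication package given as a full path. The KNOWN_BENIGN allowlist and the sample lines are assumptions made for the example; a real triage verifies vendor files by signature or hash rather than by name.

```python
"""Flag Vundo-style persistence entries in a DDS / HijackThis-style report.

Added example for this thread (not a BleepingComputer or DDS tool). The rules are
the heuristics a helper applies by eye: a non-empty Winlogon "System" value, Run
keys named with random hex, randomly named files loaded from system32 (or with no
path at all), and extra LSA authentication packages given as a full path.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the Pseudo HJT section of the report above.
SAMPLE_REPORT = r"""
mWinlogon: System=csxjq.exe
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {74adcf84-cbc4-6cc8-01d4-8211d480a0a8}: {8a0a084d-1128-4d10-8cc6-4cbc48fcda47} - c:\windows\system32\bypyaf.dll
BHO: {c7fe25bb-f635-4eb2-8145-16afefed346d} - c:\windows\system32\awtsSifc.dll
uRun: [TRPT] srbho.exe
mRun: [98c11038] rundll32.exe "c:\windows\system32\bbalnbnl.dll",b
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
AppInit_DLLs: bypyaf.dll,avgrsstx.dll
LSA: Authentication Packages = msv1_0 relog_ap c:\windows\system32\awtsSifc
"""

SYSTEM32 = r"c:\windows\system32"
# 5-10 letters, no digits or underscores: the shape of the generated names in the log.
RANDOM_STEM = re.compile(r"^[a-z]{5,10}$")
# A drive-letter path (spaces allowed, ends at .dll/.exe or end of line) or a bare .dll/.exe name.
FILE_REF = re.compile(r'([a-z]:\\[^",]*?(?:\.(?:dll|exe)\b|$)|\b[a-z0-9_]+\.(?:dll|exe)\b)', re.I)
HEX_KEY = re.compile(r"^[0-9a-f]{8}$")
# Assumed benign for this sample because of the vendor prefix; verify by signature/hash in practice.
KNOWN_BENIGN = {"avgrsstx.dll"}


def _split_ref(ref: str) -> Tuple[str, str]:
    """Return (directory, filename), both lower-cased; directory is '' for a bare name."""
    directory, _, filename = ref.lower().rpartition("\\")
    return directory, filename


def _looks_random(filename: str) -> bool:
    stem = filename.split(".", 1)[0]
    return bool(RANDOM_STEM.match(stem)) and filename not in KNOWN_BENIGN


def triage_line(line: str) -> List[str]:
    """Return the reasons a single report line deserves a closer look (empty if none)."""
    reasons: List[str] = []
    head, _, body = line.partition(":")
    head, body = head.strip(), body.strip()

    # Winlogon "System" is blank on a clean XP box; Vundo points it at a dropped executable.
    if head == "mWinlogon" and body.lower().startswith("system=") and body[7:].strip():
        reasons.append(f"Winlogon System value is normally empty, here {body[7:].strip()}")

    # Run entries named like [98c11038] are generated, not chosen by a vendor.
    key = re.match(r"\[([^\]]*)\]", body)
    if head.endswith("Run") and key and HEX_KEY.match(key.group(1)):
        reasons.append(f"Run entry with random hex name: {key.group(1)}")

    # Randomly named files are only interesting when dropped into system32 or given bare.
    for ref in FILE_REF.findall(line):
        directory, filename = _split_ref(ref)
        if directory in ("", SYSTEM32) and _looks_random(filename):
            where = "no path" if directory == "" else "in system32"
            reasons.append(f"random-looking filename {filename} ({where})")

    # Extra LSA authentication packages given as a full path load into lsass at boot.
    if head == "LSA":
        for token in body.split():
            if "\\" in token:
                reasons.append(f"LSA authentication package loaded by path: {token}")
    return reasons


def triage_report(text: str) -> Dict[str, List[str]]:
    """Map every suspicious line of a report to its reasons."""
    findings: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line:
            reasons = triage_line(line)
            if reasons:
                findings[line] = reasons
    return findings


if __name__ == "__main__":
    for line, reasons in triage_report(SAMPLE_REPORT).items():
        print(line)
        for reason in reasons:
            print("   ->", reason)
```

Run as a script it prints seven flagged lines from the sample; the two AVG entries pass because they live under Program Files or carry the vendor prefix. The name-shape rule is deliberately narrow (letters only, five to ten long, system32 or no path), which is why the allowlist exists: a vendor hook such as avgrsstx.dll has the same shape, and only a signature or hash check settles it.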


#2 Rodav


  • Members
  • 388 posts
  • Local time:09:14 AM

Posted 07 January 2009 - 05:40 PM

Hello and welcome to Bleeping Computer. :thumbsup:

Step 1:
We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:


* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review along with a new DDS log.

#3 gedlar

  • Topic Starter

  • Members
  • 9 posts
  • Local time:05:14 AM

Posted 09 January 2009 - 06:54 PM

Thanks for the reply. I have attached the requested files.

Attached Files

#4 Rodav


  • Members
  • 388 posts
  • Local time:09:14 AM

Posted 10 January 2009 - 02:51 PM

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.


References for the risk of these programs can be found in these links:
See Clean/Infected P2P Programs here

Note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

My recommendation is you go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

If you wish to keep them, please do not use them until your computer is cleaned.

Step 1:
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]

Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe

[Image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Step 2:
Run Eset NOD32 Online AntiVirus
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Un-checked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post along with the combofix report.

Edited by Rodav, 10 January 2009 - 02:52 PM.

#5 gedlar

  • Topic Starter

  • Members
  • 9 posts
  • Local time:05:14 AM

Posted 11 January 2009 - 12:32 AM

Here are the requested files.

Attached Files

#6 Rodav


  • Members
  • 388 posts
  • Local time:09:14 AM

Posted 11 January 2009 - 11:00 AM

How's your computer running now?

#7 gedlar

  • Topic Starter

  • Members
  • 9 posts
  • Local time:05:14 AM

Posted 11 January 2009 - 11:50 AM

I've noticed that it doesn't run the .dll file anymore at startup and that my computer is running faster. However, I'm not sure if the Vundo trojan is truly gone because my antivirus would catch it at random days of the week.

#8 Rodav


  • Members
  • 388 posts
  • Local time:09:14 AM

Posted 11 January 2009 - 01:01 PM

Have you been getting any alerts from your antivirus since yesterday? We can double check.

Step 1:
Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Post that log back here along with a new DDS log.

#9 gedlar

  • Topic Starter

  • Members
  • 9 posts
  • Local time:05:14 AM

Posted 11 January 2009 - 02:02 PM

I left my computer idle as I went off to eat lunch. When I got back to my computer (about 1 hour later) it detected another vundo trojan (see attachment). For now, I sent it to the vault.

I did not run Malwarebytes' Anti-Malware yet. Should I still do it?

Attached Files

#10 Rodav


  • Members
  • 388 posts
  • Local time:09:14 AM

Posted 11 January 2009 - 02:26 PM

Ah, I see: the infection is in System Restore. As long as you do not use System Restore, those files are completely harmless; when we are finishing up we will clear them out. You can run Malwarebytes if you wish; it won't do any harm, but I don't feel it's necessary at this point. Let me know either way.

#11 gedlar

  • Topic Starter

  • Members
  • 9 posts
  • Local time:05:14 AM

Posted 11 January 2009 - 02:36 PM

If you feel that we don't need to run Malwarebytes, then we won't. So what should I do next?

#12 Rodav


  • Members
  • 388 posts
  • Local time:09:14 AM

Posted 11 January 2009 - 02:51 PM

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following text into the Run box and click OK:

ComboFix /u

You can also delete any logs created.


Your logs are now clean. :thumbsup:
If you still feel you are having any issues please let me know now, otherwise read through the following:

Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints, Malware Complaints. You need to be registered to post, as unfortunately we were hit with too much spam posting to allow guest posting to continue; just find your country room and register your complaint.

Below are some steps to follow in order to dramatically lower the chances of reinfection
You may have already implemented some of the steps below, however you can follow any steps that you have not already implemented
  • Make sure you install all the security updates for Windows, Internet explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch for it so that, after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC.
    Go here to check for & install updates to Microsoft applications
    Note: The update process uses activex, so you will need to use internet explorer for it, and allow the activex control that it wants to install
  • Keep your non-Microsoft applications updated as well
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check for other vulnerable programs running on your PC that are in need of an update, you can use the Secunia Software Inspector; I suggest that you run it at least once a month.
  • Make Internet Explorer more secure
    Click Start > Run
    Type Inetcpl.cpl & click OK
    Click on the Security tab
    Click Reset all zones to default level
    Make sure the Internet Zone is selected & Click Custom level
    In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and script ActiveX controls not marked as safe" to "Disable".
    Next Click OK, then Apply button and then OK to exit the Internet Properties page.
  • Install a Hosts File
    I recommend MVPS Hosts File
    Every version of Windows includes a hosts file. A hosts file is a bit like a phone book: it maps the human-friendly name of a website to its actual numeric address (i.e. the IP address). This feature can be used to block malicious websites.
    On some PCs, having a custom HOSTS file installed can cause a significant slowdown. Following these instructions should resolve the issue
    • Click Start > Run
    • Type services.msc & click OK
    • In the list, find the service called DNS Client & double click on it.
    • On the dropdown box, change the setting from automatic to manual.
    • Click OK & then close the Services window
    For a more detailed explanation of the HOSTS file, click here
  • Download and install the free version of WinPatrol. This program protects your computer in a variety of ways and will work well with your existing security software. Have a look at this tutorial to help you get started with the program. If you want to help the developer of the program and get more information about the programs that you see in WinPatrol, please check out WinPatrol Plus. It does not need a new download.
  • Install Malwarebytes & update and scan with it regularly
    Malwarebytes is a free-for-personal-use, on-demand scanner which is developed by active members of the malware removal community. It detects and removes many modern infections. The paid version offers real-time protection.
  • The last and most important thing I can tell you is UPDATE, UPDATE, UPDATE.
    If you don't update your security programs (Antivirus, Antispyware, even Windows) then you are at risk.
    Malware changes on a day to day basis. You should update every week at the very least.
Miekiemoes, an expert in malware removal, has a fantastic article on how to prevent malware; for further tips it's well worth a read. http://users.telenet.be/bluepatchy/miekiem...prevention.html

Please reply to this topic one more time so I know you have read through it or with any questions you may have.
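Added example (not part of the original post, and not MVPS or BleepingComputer code) for the hosts file step above: a Python audit of a constructed hosts file. A blocklist such as the MVPS file installs blackhole entries (0.0.0.0 or 127.0.0.1), so a blocked name never reaches the real server. The same mechanism cuts the other way: malware also edits the hosts file, sending antivirus and update sites to an address of its choosing, so the script lists any entry that is not a blackhole for review. The sample lines, the example domains and the 192.0.2.10 documentation address are assumptions made for the example.

```python
"""Audit a Windows hosts file: which names are blackholed, and which are redirected.

Added example for this thread, not MVPS or BleepingComputer code. Blackhole entries
are what a blocklist installs; any entry that sends a name to another address is a
redirect, which is how malware keeps a machine away from its vendor's sites.
"""
import ipaddress
from typing import Dict, List, Tuple

BLACKHOLE = {"0.0.0.0", "127.0.0.1", "::1"}

# Constructed sample: two blocklist-style blackhole lines, one malware-style redirect
# (192.0.2.10 is a documentation address, not a real server) and one malformed line.
SAMPLE_HOSTS = """\
# hosts file excerpt (constructed for this example)
127.0.0.1 localhost
0.0.0.0 ads.tracker.example                 # blackholed: no route to the ad server
0.0.0.0 www.bad-tracker.example
192.0.2.10 update.antivirus-vendor.example  # redirect: the vendor name resolves elsewhere
bogus line without an address
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs; comments, blanks and unparsable lines are skipped."""
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            address = ipaddress.ip_address(parts[0])
        except ValueError:                    # first token is not an IP: ignore the line
            continue
        for host in parts[1:]:                # one address may carry several names
            entries.append((str(address), host.lower()))
    return entries


def audit_hosts(text: str) -> Dict[str, List[str]]:
    """Split the file into blackholed names and 'host -> address' redirects to review."""
    report: Dict[str, List[str]] = {"blackholed": [], "redirected": []}
    for address, host in parse_hosts(text):
        if host == "localhost":               # the one loopback entry every file has
            continue
        if address in BLACKHOLE:
            report["blackholed"].append(host)
        else:
            report["redirected"].append(f"{host} -> {address}")
    return report


def is_blocked(text: str, host: str) -> bool:
    """True if the hosts file blackholes the given name."""
    return host.lower() in audit_hosts(text)["blackholed"]


if __name__ == "__main__":
    result = audit_hosts(SAMPLE_HOSTS)
    print("blackholed:", result["blackholed"])
    print("review these redirects:", result["redirected"])
```

On the sample the two tracker names come out as blackholed and the vendor name is reported as a redirect to 192.0.2.10. A genuine blocklist produces an empty "redirected" list, which makes this a quick way to notice a hosts file that malware has tampered with after the blocklist was installed.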

#13 gedlar

  • Topic Starter

  • Members
  • 9 posts
  • Local time:05:14 AM

Posted 11 January 2009 - 03:04 PM

I ran the ComboFix /u command and nothing happens. Is that what's supposed to happen? Am I not supposed to see a confirmation pop-up when it's done with what it's supposed to be doing?

I have read the post, and I hope I don't get the trojan again. Thank you for the help :thumbsup:

#14 Rodav


  • Members
  • 388 posts
  • Local time:09:14 AM

Posted 11 January 2009 - 03:13 PM

If combofix.exe has gone from your desktop then you know it has worked. :thumbsup:

#15 gedlar

  • Topic Starter

  • Members
  • 9 posts
  • Local time:05:14 AM

Posted 11 January 2009 - 06:24 PM

The ComboFix.exe is still on my desktop after running the ComboFix /u command. Did I do something wrong?
