
Can someone help - Trojan removal request


  • This topic is locked
2 replies to this topic

#1 JamesW70

  • Members
  • 7 posts

Posted 24 February 2009 - 02:21 AM

Can someone kindly help? I started getting pop-ups yesterday, and upon each boot up my McAfee AV says "vbrundo" (sorry I forgot name?) trojan removed.

Here's the dds.txt and zipped attach.txt (also have a hijackthis.log and startuplist.txt). Thanks a bunch in advance for your help.

James W


DDS (Ver_09-02-01.01) - NTFSx86
Run by James Wang at 23:03:28.17 on Mon 02/23/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.393 [GMT -8:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Gigabeat 3.0\TosGbWatcher.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\rundll32.exe
c:\jetsuite\jsdaemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\UnH Solutions\IEPrivacyKeeper.exe
C:\Program Files\DNA\btdna.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\America Online 9.0\waol.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe
C:\jetsuite\JETSTAT.EXE
C:\Program Files\PIXELA\ImageMixer 3 SE\CameraMonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\PROGRA~1\COMMON~1\AOL\121170~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\121170~1\EE\AOLServiceHost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\James Wang\Desktop\hijackthis\HijackThis.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\James Wang\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = https://navinet.navimedix.com/Main.asp
uInternet Connection Wizard,ShellNext = iexplore
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {08d204df-058b-4403-81b0-44dd6c487413} - c:\windows\system32\gejaneme.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: {ef077611-ee2a-ad5b-0804-147b9917313d}: {d3137199-b741-4080-b5da-a2ee116770fe} - c:\windows\system32\stukzr.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DW6]
uRun: [IE Privacy Keeper] "c:\program files\unh solutions\IEPrivacyKeeper.exe" -startup
uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe"
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [AOL Fast Start] "c:\program files\america online 9.0\AOL.EXE" -b
mRun: [SkyTel] SkyTel.EXE
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [M-Audio Taskbar Icon] c:\windows\system32\M-AudioTaskBarIcon.exe
mRun: [AOLDialer] c:\program files\common files\aol\acs\AOLDial.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [TosGbWatcher] "c:\program files\gigabeat 3.0\TosGbWatcher.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [jumehikite] Rundll32.exe "c:\windows\system32\sujibiwi.dll",s
mRun: [c0fb165a] rundll32.exe "c:\windows\system32\rojisabo.dll",b
mRun: [CPMc3c825c6] Rundll32.exe "c:\windows\system32\yanukoka.dll",a
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\amazon~1.lnk - c:\program files\amazon\amazon unbox video\ADVWindowsClientSystemTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dllcmd32.lnk - c:\jetsuite\DLLCMD32.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hplase~1.lnk - c:\jetsuite\JETSTAT.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\imagem~1.lnk - c:\program files\pixela\imagemixer 3 se\CameraMonitor.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\windows\system32\sisazibo.dll stukzr.dll c:\windows\system32\yanukoka.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\yanukoka.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\yanukoka.dll
LSA: Notification Packages = scecli c:\windows\system32\sisazibo.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jamesw~1\applic~1\mozilla\firefox\profiles\9jm3a0r2.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\documents and settings\james wang\application data\mozilla\firefox\profiles\9jm3a0r2.default\extensions\kodak-companion@mozilla.com\platform\winnt_x86-msvc\components\mozFotofox.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R0 Spssys;Toshiba SPS Service;c:\windows\system32\drivers\spssys.sys [2008-6-29 164256]
R1 js1284;js1284;c:\windows\system32\drivers\JS1284.SYS [2008-5-24 76848]
R1 jsmux;jsmux;c:\windows\system32\drivers\JSMUX.SYS [2008-5-24 64336]
R1 jsscan;jsscan;c:\windows\system32\drivers\JSSCAN.SYS [2008-5-24 69088]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-5-24 213640]
R2 jsfax;jsfax;c:\windows\system32\drivers\JSFAX.SYS [2008-5-24 64640]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-5-24 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-5-24 144704]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-5-26 24652]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-5-24 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-5-24 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-5-24 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-5-24 40552]
S2 0113471233206331mcinstcleanup;McAfee Application Installer Cleanup (0113471233206331);c:\windows\temp\011347~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\011347~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S2 jspclcap;jspclcap;c:\windows\system32\drivers\JSPCLCAP.SYS [2008-5-24 55200]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-5-24 34216]
S4 jsdbg;jsdbg;c:\windows\system32\drivers\JSDBG.SYS [2008-5-24 37168]

=============== Created Last 30 ================

2009-02-23 11:24 129,024 a--sh--- c:\windows\system32\stukzr.dll
2009-02-22 23:24 129,024 a--sh--- c:\windows\system32\pagbwa.dll
2009-02-22 21:14 754 a------- c:\windows\WORDPAD.INI
2009-02-22 20:25 <DIR> --d----- c:\program files\Paint.NET
2009-02-20 22:09 24 a------- C:\url_history.xml

==================== Find3M ====================

2009-02-23 11:24 129,024 a--sh--- c:\windows\system32\lijaduhi.dll
2009-02-23 11:24 84,992 a--sh--- c:\windows\system32\yanukoka.dll
2009-02-23 11:24 79,872 a--sh--- c:\windows\system32\rojisabo.dll
2009-02-22 23:24 84,992 a--sh--- c:\windows\system32\dapotado.dll
2009-02-22 23:24 129,024 a--sh--- c:\windows\system32\lotonene.dll
2009-02-22 23:24 79,872 -------- c:\windows\system32\wogirubi.dll
2009-01-09 12:03 213,640 a------- c:\windows\system32\drivers\mfehidk.sys
2009-01-09 12:03 79,304 a------- c:\windows\system32\drivers\mfeavfk.sys
2009-01-09 12:03 40,552 a------- c:\windows\system32\drivers\mfesmfk.sys
2009-01-09 12:03 35,272 a------- c:\windows\system32\drivers\mfebopk.sys
2009-01-09 12:03 34,216 a------- c:\windows\system32\drivers\mferkdk.sys
2008-12-20 15:15 826,368 a------- c:\windows\system32\wininet.dll
2008-12-20 14:24 1,252,615 a------- c:\windows\system32\a.exe
2008-10-02 12:00 24,504 a------- c:\docume~1\jamesw~1\applic~1\GDIPFONTCACHEV1.DAT
0000-00-00 00:00 47,616 a--sh--- c:\windows\system32\gejaneme.dll
0000-00-00 00:00 47,616 a--sh--- c:\windows\system32\sisazibo.dll
0000-00-00 00:00 47,616 a--sh--- c:\windows\system32\sujibiwi.dll
2008-09-05 16:30 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090520080906\index.dat

============= FINISH: 23:04:43.12 ===============

#2 JamesW70
  • Topic Starter

  • Members
  • 7 posts

Posted 26 February 2009 - 06:13 PM

Please delete topic - I did not receive any replies, but I no longer need assistance here.

#3 KoanYorel

    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA

Posted 27 February 2009 - 10:45 AM

Thanks for telling us.

This thread is closed.

For the edification of others here, this is a forum, not live chat.

Our HJT Team is working hundreds of logs daily. It takes time to work them and respond to newer ones.
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)
