Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Notebook wakes up from hibernation.

  • This topic is locked This topic is locked
11 replies to this topic

#1 kurosaba


  • Members
  • 11 posts
  • Local time:06:12 PM

Posted 02 March 2009 - 11:29 AM


I have an Asus f3sa notebook with Windows Vista Home as my OS. I've had my laptop for about 11 months now, and I usually have it plugged it rather than running on battery, on my desk, with wireless on, and usually on hibernate it when i'm not using it.

However, recently, Thursday, Feb. 26, 2009, I started to experience a weird problem. I have not rebooted my computer for about a week since then, but I hibernate every night when I go to sleep. When I hibernated my notebook, it did so as it would normally. I got ready for bed, then when I was falling asleep, I hear my computer turn on. This has happened once or twice before I'd say about more than 6 months ago, but this was for windows update which I have set to 3AM on Sundays.

My computer now ALWAYS wakes up from hibernation spontaneously minutes after hibernation.
I do not know what to do. Things that may or may not have affected my computer:
-on Wednesday/Thursday, there was a power outtage when my computer was on.
-I stupidly opened an ecard.exe file. I've gotten rid of it, but am not sure if it still affects my computer.

Steps I've taken to try and resolve the problem:
-Go into Device Manage and made sure my devices are disabled for Wake-on LAN and disable ability to wake the computer
-I went to BIOS Power Management but my BIOS only has options for LCD power management for energy saving, none about Wake-on LAN
-I am running on Wireless, I disabled my wireless card and hibernate, but to no avail.
-I tried shutting down completely, taking off the battery of the notebook and putting it back in, no success.
-Safe mode doesn't offer a hibernation mode.
-I did an ad-aware scan, but it only gave me cookies as threats.
-I tried SLEEP mode and it seemed to stay in sleep mode just fine.
-Ran Kaspersky Online Scanner and it only found MIRC.exe as a threat, which i do NOT think is a threat and i've had it for almost a year now.
-command prompt: powercfg -lastwake is no help at all. It yields wake history count - 1 wake source count - 0.

Things I have NOT tried:
-i don't know how to follow readings from HiJackThis. It might be telling me something important, but I don't know.
-I don't know if certain .dll's may be messing up the hibernation mode.

I don't know what else to try. This is driving me crazy. Please help me. Any/all help would be appreciated.

So this is the DDS:

DDS (Ver_09-02-01.01) - NTFSx86
Run by Kurosaba at 11:25:00.20 on Mon 03/02/2009
Internet Explorer: 7.0.6000.16809 BrowserJavaVersion: 1.6.0_11
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.2047.920 [GMT -5:00]

AV: Norton Internet Security *On-access scanning enabled* (Outdated)
FW: Norton Internet Security *enabled*

============== Running Processes ===============

C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\System32\svchost.exe -k Cognizance
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\ATK Hotkey\ASLDRSrv.exe
C:\Program Files\ATKGFNEX\GFNEXSrv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
D:\important stuff\ideazon\Zboard.exe
C:\Program Files\ATK Hotkey\Hcontrol.exe
C:\Program Files\ATKOSD2\ATKOSD2.exe
C:\Program Files\Wireless Console 2\wcourier.exe
C:\Program Files\ASUS\Splendid\ACMON.exe
C:\Program Files\P4G\BatteryLife.exe
C:\Program Files\ATK Hotkey\ATKOSD.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATK Hotkey\KBFiltr.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANOTIF.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Infineon\Security Platform Software\PSDrt.exe
C:\Program Files\Infineon\Security Platform Software\SpTna.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ASUS Security Center\ASUS Security Protect Manager\Bin\AsGHost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
mDefault_Page_URL = hxxp://www.asus.com
uInternet Settings,ProxyOverride = *.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {1e8a6170-7264-4d0f-beae-d42a53123c75} - c:\program files\common files\symantec shared\coshared\browser\1.5\NppBho.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: ASUS Security Protect Manager: {df21f1db-80c6-11d3-9483-b03d0ec10000} - c:\program files\asus security center\asus security protect manager\bin\ItIEAddIn.dll
TB: Show Norton Toolbar: {90222687-f593-4738-b738-fbee9c7b26df} - c:\program files\common files\symantec shared\coshared\browser\1.5\UIBHO.dll
uRun: [AIM] d:\aim\aim.exe -cnetwait.odl
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [MSServer] rundll32.exe c:\users\kurosaba\appdata\local\temp\fccddBQh.dll,#1
uRun: [cmds] rundll32.exe c:\users\kurosaba\appdata\local\temp\iifgEtuv.dll,c
mRun: [Zboard] d:\important stuff\ideazon\Zboard.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [WinampAgent] d:\music\winamp\winampa.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
mRun: [SMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe
mRun: [Skytel] Skytel.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
mRun: [IFXSPMGT] c:\windows\system32\ifxspmgt.exe /NotifyLogon
mRun: [IaNvSrv] c:\program files\intel\intel matrix storage manager\orom\ianvsrv\IaNvSrv.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [CognizanceTS] rundll32.exe c:\progra~1\asusse~1\asusse~1\bin\ASTSVCC.dll,RegisterModule
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [MSConfig] "c:\windows\system32\msconfig.exe" /auto
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adober~2.lnk - c:\program files\adobe\reader 8.0\reader\reader_sl.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: APSHook.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
LSA: Notification Packages = scecli ASWLNPkg

================= FIREFOX ===================

FF - ProfilePath - c:\users\kurosaba\appdata\roaming\mozilla\firefox\profiles\tq9xhk1p.default\
FF - prefs.js: browser.startup.homepage - www.google.com

============= SERVICES / DRIVERS ===============

R0 iaNvStor;Intel® Turbo Memory Controller;c:\windows\system32\drivers\iaNvStor.sys [2007-7-9 209408]
R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\idsdefs\20080523.001\IDSvix86.sys [2008-5-23 261680]
R1 ItSDisk;ItSDisk;c:\windows\system32\drivers\itsdisk.sys [2006-5-16 23232]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [2007-1-23 39080]
R2 ASBroker;Logon Session Broker;c:\windows\system32\svchost.exe -k Cognizance [2006-11-2 22016]
R2 ASChannel;Local Communication Channel;c:\windows\system32\svchost.exe -k Cognizance [2006-11-2 22016]
R2 StkSSrv;Syntek AVStream USB2.0 WebCam Service;c:\windows\system32\StkCSrv.exe [2007-4-18 24576]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\atl01v32.sys [2007-3-15 48128]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-3-10 109616]
R3 StkCMini;Syntek AVStream USB2.0 1.3M WebCam;c:\windows\system32\drivers\StkCMini.sys [2007-6-5 1260672]
R3 SYMNDISV;SYMNDISV;c:\windows\system32\drivers\symndisv.sys [2008-10-3 37936]
S3 Alpham1;Ideazon ZBoard USB Human Interface Device;c:\windows\system32\drivers\Alpham1.sys [2007-7-23 42624]
S3 Alpham2;Ideazon ZBoard MM USB Human Interface Device;c:\windows\system32\drivers\Alpham2.sys [2007-3-20 18432]

=============== Created Last 30 ================

2009-03-02 11:04 40 a------- c:\windows\à¿(
2009-02-27 09:55 <DIR> --d----- c:\programdata\Lavasoft
2009-02-27 09:55 <DIR> --d----- c:\program files\Lavasoft
2009-02-17 21:16 <DIR> --d----- C:\temp
2009-02-14 18:33 428,032 a------- c:\windows\system32\EncDec.dll
2009-02-14 18:33 1,244,672 a------- c:\windows\system32\mcmde.dll
2009-02-14 18:33 292,352 a------- c:\windows\system32\psisdecd.dll
2009-02-14 18:33 217,088 a------- c:\windows\system32\psisrndr.ax
2009-02-14 18:33 177,152 a------- c:\windows\system32\mpg2splt.ax
2009-02-14 18:33 80,896 a------- c:\windows\system32\MSNP.ax
2009-02-14 18:33 68,608 a------- c:\windows\system32\Mpeg2Data.ax
2009-02-14 18:33 57,856 a------- c:\windows\system32\MSDvbNP.ax
2009-02-13 15:13 <DIR> --d-h--- c:\programdata\{5553977E-AF8B-4870-AEB6-53B6C1BC822D}
2009-02-13 15:13 <DIR> --d-h--- c:\progra~2\{5553977E-AF8B-4870-AEB6-53B6C1BC822D}
2009-02-02 17:47 <DIR> --d----- C:\wic

==================== Find3M ====================

2009-02-27 09:31 45,056 a------- c:\windows\system32\acovcnt.exe
2009-01-14 23:16 826,368 a------- c:\windows\system32\wininet.dll
2009-01-14 23:16 56,320 a------- c:\windows\system32\iesetup.dll
2009-01-14 23:16 52,736 a------- c:\windows\apppatch\iebrshim.dll
2009-01-14 23:15 26,624 a------- c:\windows\system32\ieUnatt.exe
2009-01-14 12:56 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-15 03:14 174 a--sh--- c:\program files\desktop.ini
2008-11-12 17:04 22,328 a------- c:\users\kurosaba\appdata\roaming\PnkBstrK.sys
2008-09-21 14:01 86,016 a------- c:\windows\inf\infstrng.dat
2008-09-21 14:01 51,200 a------- c:\windows\inf\infpub.dat
2008-07-11 20:12 86,016 a------- c:\windows\inf\infstor.dat
2008-06-12 02:10 665,600 a------- c:\windows\inf\drvindex.dat
2008-05-11 10:58 56 a---h--- c:\programdata\ezsidmv.dat
2008-05-11 10:58 56 a---h--- c:\progra~2\ezsidmv.dat
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 11:26:20.79 ===============

Attached Files

Edited by kurosaba, 02 March 2009 - 11:33 AM.

BC AdBot (Login to Remove)


#2 kurosaba

  • Topic Starter

  • Members
  • 11 posts
  • Local time:06:12 PM

Posted 02 March 2009 - 05:04 PM

please let me know if you need more info. thanks.

#3 Hoov


  • Malware Response Team
  • 3,519 posts
  • Location:Mikado Michigan
  • Local time:06:12 PM

Posted 11 March 2009 - 02:25 PM

Howdy, my name is Hoov, and I will be helping you with your dilemma. Appologies for taking so long in getting to you and your problem.

Please make sure you watch this thread for responses. If you click the options tab at the top of your first post, you can select to track this thread.

Here is what I am asking you to do during the repair of your computer

*Tell me everything that you have done, if anything, to try and fix this problem.

*Please only use 1 forum to help clear up your problem. Posting on more than 1 and following instructions from more than 1 forum will cause those helping you to pull out thier hair.

*Follow my instructions - If you can't for some reason, or if you don't understand something, please tell me. If you deviate from my instructions, tell me, it may make a difference on where we go. Don't install anything, even other programs that have nothing to do with security or malware, it could cause things to change, and I would never know it.

*Have faith. I will do all I can to get your computer working, and if I can't - someone else here will know something else to try.

*Stick with me to the end. My aim is to fix your problems, and give you the tools and knowledge to keep this from happening again.

Now onto trying to fix your computer. I am looking over your log, and I will be back in a bit with some instructions.

If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

Also can you go into the scheduled tasks and make sure there is nothing set to wake he computer up? Let me know if there is. Also check the windows update schedule, it may have gotten changed.
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families

Posted Image

#4 kurosaba

  • Topic Starter

  • Members
  • 11 posts
  • Local time:06:12 PM

Posted 11 March 2009 - 04:19 PM

The results are pasted below. I listed all of my attempts at fixing the problem above.

At one point, I found some things in my msconfig startup that seemed weird, these were things like pnppnoph.dll or something under the name cmds. and another item under the name MsServer which was also a .dll located in windows/system32 folder. I deleted these at one point with HJT, and tried to hibernate, that was a success actually. however, at one point, it came back with a different name. Now I can't use HJT to deal with it because i've encountered a new problem.

I am not sure if this is related, but I cannot right click items on my desktop or else my computer will freeze. Right-clicking on the desktop itself takes about 4 seconds for a response. I can make new folders and such on the desktop. However, right clicking any icons on the desktop gives me a frozen computer and I have to restart alll the time. Another problem is when i try to modify anything in my folders/desktop. So far dragging any item into another folder on the desktop makes my computer freeze and trying to delete anything (by left clicking and right clicking to delete or by left clicking and pressing the delete key) in the windows/system32 folder makes my computer freeze.I do not know if these are related problems. I have NOT restarted after ordering mbam to remove all selected after the scan.

My computer is infected with VUNDO and some other Malware.Trace. About 48 items infected.

this the log.

Malwarebytes' Anti-Malware 1.34
Database version: 1837
Windows 6.0.6001 Service Pack 1

3/11/2009 5:12:13 PM
mbam-log-2009-03-11 (17-12-13).txt

Scan type: Quick Scan
Objects scanned: 67346
Time elapsed: 8 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 3
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 37

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Users\Kurosaba\AppData\Local\Temp\opNhFwxW.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Bind (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\cs41275 (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msserver (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmds (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Kurosaba\AppData\Local\Temp\opNhFwxW.dll (Trojan.Vundo) -> Delete on reboot.
C:\Users\Kurosaba\AppData\Local\Temp\iifgEtuv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Kurosaba\AppData\Local\Temp\tmp0001a0b1 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Kurosaba\AppData\Local\Temp\tmp0001adcb (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Kurosaba\AppData\Local\Temp\tmp0001bba0 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Kurosaba\AppData\Local\Temp\tmp0001bd07 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Kurosaba\AppData\Local\Temp\tmp0001bf29 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Kurosaba\AppData\Local\Temp\tmp0001c032 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Kurosaba\AppData\Local\Temp\tmp0001c83d (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Kurosaba\AppData\Local\Temp\tmp0001cca1 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Kurosaba\AppData\Local\Temp\tmp0001cea3 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Kurosaba\AppData\Local\Temp\tmp0001cf5f (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Kurosaba\AppData\Local\Temp\tmp0001d0e5 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Kurosaba\AppData\Local\Temp\tmp0001d171 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Kurosaba\AppData\Local\Temp\tmp0001d400 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Kurosaba\AppData\Local\Temp\tmp0001d815 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Kurosaba\AppData\Local\Temp\tmp0001da18 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Kurosaba\AppData\Local\Temp\tmp0001dd53 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Kurosaba\AppData\Local\Temp\tmp0001ec51 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Kurosaba\AppData\Local\Temp\tmp0001eea2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Kurosaba\AppData\Local\Temp\tmp0001fa16 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Kurosaba\AppData\Local\Temp\tmp0001fe5a (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Kurosaba\AppData\Local\Temp\tmp0002031b (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Kurosaba\AppData\Local\Temp\tmp00023f7f (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Kurosaba\AppData\Local\Temp\tmp0002932a (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Kurosaba\AppData\Local\Temp\tmp0002f797 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Kurosaba\AppData\Local\Temp\tmp0002fe7a (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Kurosaba\AppData\Local\Temp\tmp00031e58 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Kurosaba\AppData\Local\Temp\tmp0007958a (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Kurosaba\AppData\Local\Temp\opnkiHBQ.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Kurosaba\AppData\Local\Temp\tmp00019ecd (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Kurosaba\AppData\Local\Temp\tmp00018d7f (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Kurosaba\AppData\Local\Temp\tmp000192bd (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Kurosaba\AppData\Local\Temp\tmp00019e70 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Kurosaba\AppData\Local\Temp\tmp001d7a7c (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Kurosaba\AppData\Local\Temp\tmp01d68761 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Kurosaba\AppData\Local\Temp\pmnoPhhe.dll (Malware.Trace) -> Delete on reboot.

#5 Hoov


  • Malware Response Team
  • 3,519 posts
  • Location:Mikado Michigan
  • Local time:06:12 PM

Posted 11 March 2009 - 04:39 PM

Those other problems may be related. We will be able to tell better after we get it cleaned up. As for the problem, go ahead and reboot, and then run a full scan with Malwarebytes' Anti-Malware . That will take a couple hours. Lets make sure we get this off. After it runs, test out the computer and see what is still problematic, and what is fixed.
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families

Posted Image

#6 kurosaba

  • Topic Starter

  • Members
  • 11 posts
  • Local time:06:12 PM

Posted 11 March 2009 - 04:47 PM

after my reboot. my computer goes into hibernation properly now, but now my right clicks on the desktop just freeze my computer :thumbup2:.

Edit: that was after the quick scan. I will do a full scan now and let you know soon.

Edited by kurosaba, 11 March 2009 - 04:49 PM.

#7 kurosaba

  • Topic Starter

  • Members
  • 11 posts
  • Local time:06:12 PM

Posted 11 March 2009 - 05:37 PM

whenever i do a full scan. it gets stuck at msvcp1.dll which is nero inCD or something. it gets stuck there. all my windows turn white, i can't click on anything. i have to reboot. I tried both in normal mode and in safe mode.

#8 Hoov


  • Malware Response Team
  • 3,519 posts
  • Location:Mikado Michigan
  • Local time:06:12 PM

Posted 11 March 2009 - 07:37 PM

Reboot to safe mode and then run the full scan. InCD won't be running.
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families

Posted Image

#9 kurosaba

  • Topic Starter

  • Members
  • 11 posts
  • Local time:06:12 PM

Posted 11 March 2009 - 09:51 PM

Ok. I did a scan on two and a half of my harddrives.
I found three things.
i removed them.
Now I can right click on my desktop without freezing. However, I did notice something. When the computer first started up after log on, my outdated norton protection center keeps popping up saying that someone tried to attack me, but it was blocked, it was a port scan.
Should i be worried about this?

Malwarebytes' Anti-Malware 1.34
Database version: 1837
Windows 6.0.6001 Service Pack 1

3/11/2009 10:25:28 PM
mbam-log-2009-03-11 (22-25-28).txt

Scan type: Full Scan (C:\|D:\|H:\|I:\|J:\|K:\|)
Objects scanned: 300484
Time elapsed: 55 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Kurosaba\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L618YCDC\qw[6] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Kurosaba\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QT8GVI1L\qw[3] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Kurosaba\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSPIXYG7\qw[1] (Trojan.Vundo) -> Quarantined and deleted successfully.

Other than that, it looks like everything is going well! Thanks a lot for your help. It was worth all the wait.

P.S. I run kaspersky online virus scan and it detected nothing on the vundo or malware.trace.
I guess I will use Malwarebytes for malware, but would you recommend a good free virus scanner? If not, that's ok.

Your help is more than enough. I am really grateful!

#10 Hoov


  • Malware Response Team
  • 3,519 posts
  • Location:Mikado Michigan
  • Local time:06:12 PM

Posted 11 March 2009 - 10:05 PM

AVG is the version I recommend. Its what I use (except I use the paid for version). As for what Norton was telling you, do you have a home LAN? Or a wireless connection that is not secured? Without seeing the logs, I would just be making bad guesses. What are you going to use for a firewall?

As for your problem, play with your computer for a day or two. Make sure you reboot a couple times in there. I would like to give the infection a chance to come back. If after a couple days you still have no problems we can do some cleanup and call it done, unless you have more problems now, or questitons.
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families

Posted Image

#11 kurosaba

  • Topic Starter

  • Members
  • 11 posts
  • Local time:06:12 PM

Posted 11 March 2009 - 10:32 PM

Thanks a lot, Hoov.

I am on a wireless connection in my college dorm. It is through the college's Wirelss Router/Network.

For a firewall, well, for now, I am using Window's Firewall, and I guess sometimes my Norton would detect things going on with my network traffic.
I will definitely play around with the computer and see if the infection comes back. I will update you in a couple of days.

Thanks again, Hoov.

#12 Hoov


  • Malware Response Team
  • 3,519 posts
  • Location:Mikado Michigan
  • Local time:06:12 PM

Posted 11 March 2009 - 10:41 PM

You are welcome.
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families

Posted Image

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users