

Infected with Trojan.Vundo.H and Trojan.BHO


  • This topic is locked
6 replies to this topic

#1 dazeofwar

  • Members
  • 19 posts

Posted 25 March 2009 - 10:49 AM

For more information on what's been done, please read this topic: http://www.bleepingcomputer.com/forums/t/213044/web-is-very-slow-and-i-have-popups-now/ ~ OB

These two infections (Trojan.Vundo.H and Trojan.BHO) reappear each time I remove them with Mbam. I also get an Error Loading message when my system reaches the desktop on startup. The error I receive is as follows:

"Error loading C:\WINDOWS\system32\lejafigu.dll. The specified module could not be found."

Please find my DDS.txt info below. I have also included the Attach.txt file to this topic.

--------------------------------------------------------------------------
DDS (Ver_09-03-16.01) - NTFSx86
Run by JJF at 10:38:57.70 on Wed 03/25/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1558 [GMT -5:00]

AV: avast! antivirus 4.8.1335 [VPS 090324-0] *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\JJF\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\JJF\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=1033
uInternet Settings,ProxyOverride = *.local
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {27602fa8-d2a5-4841-a49b-ebed6a63d9d4} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: {900ea03a-71f7-4934-b746-d37f8610fd7b} - No File
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Steam]
uRun: [Google Update] "c:\documents and settings\jjf\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [NVMixerTray] "c:\program files\nvidia corporation\nvmixer\NVMixerTray.exe"
mRun: [EPSON Stylus CX4800 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB001" /M "Stylus CX4800"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LVCOMSX] "c:\program files\common files\logishrd\lcommgr\LVComSX.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam10\QuickCam10.exe" /hide
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: []
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [RoxioDragToDisc] "c:\program files\roxio\easy media creator 7\drag to disc\DrgToDsc.exe"
mRun: [Auto EPSON Stylus CX4800 Series on JJF2] c:\windows\system32\spool\drivers\w32x86\3\e_fatiada.exe /p39 "auto epson stylus cx4800 series on jjf2" /o15 "\\jjf2\EPSONSty" /M "Stylus CX4800"
mRun: [Auto EPSON Stylus CX4800 Series on JJF2 (Copy 1)] c:\windows\system32\spool\drivers\w32x86\3\e_fatiada.exe /p48 "auto epson stylus cx4800 series on jjf2 (copy 1)" /o16 "\\jjf2\JJF2Print" /M "Stylus CX4800"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [sagafutesa] Rundll32.exe "c:\windows\system32\lejafigu.dll",s
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~2.lnk - c:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {41564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
AppInit_DLLs: gjizwy.dll ,
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - No File
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jjf\applic~1\mozilla\firefox\profiles\mwkq3ohp.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - plugin: c:\documents and settings\jjf\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\jjf\local settings\application data\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-1-27 64160]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-3-21 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-2-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-2-17 55024]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-3-21 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-3-21 138680]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2008-10-28 156968]
R3 SaiH8000;SaiH8000;c:\windows\system32\drivers\SaiH8000.sys [2004-7-30 136832]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-2-17 7408]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 951632]
S3 adxapie;adxapie;\??\c:\docume~1\jjf\locals~1\temp\adxapie.sys --> c:\docume~1\jjf\locals~1\temp\adxapie.sys [?]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-3-21 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-3-21 352920]

=============== Created Last 30 ================

2009-03-24 10:51 --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-03-24 10:51 --d----- c:\program files\SUPERAntiSpyware
2009-03-24 10:51 --d----- c:\docume~1\jjf\applic~1\SUPERAntiSpyware.com
2009-03-24 10:38 6,068,768 a------- c:\temp\SUPERAntiSpyware.exe
2009-03-24 10:38 50,688 a------- c:\temp\ATF-Cleaner.exe
2009-03-22 17:45 189,072 a------- c:\windows\system32\PnkBstrB.xtr
2009-03-22 14:32 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-03-22 13:34 --d----- c:\windows\system32\XPSViewer
2009-03-22 13:34 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-03-22 13:34 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-03-22 13:34 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-03-22 13:34 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-03-22 13:34 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-03-22 13:34 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-03-22 13:34 117,760 -------- c:\windows\system32\prntvpt.dll
2009-03-22 13:34 --d----- C:\8f4bf16150f0531e88d8962429eb024a
2009-03-22 13:33 --d----- c:\windows\SxsCaPendDel
2009-03-22 12:24 --d----- c:\windows\pss
2009-03-22 12:23 --d----- c:\temp\VirtumondeBeGone
2009-03-22 12:12 --d----- C:\VundoFix Backups
2009-03-22 12:11 --d----- c:\temp\VundoFix
2009-03-22 10:56 --d----- c:\docume~1\jjf\applic~1\Malwarebytes
2009-03-22 10:56 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-22 10:56 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-22 10:56 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-22 10:56 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-22 09:56 --d----- c:\temp\MalwareBytes
2009-03-21 16:00 --d----- c:\temp\DDS
2009-03-21 15:55 --d----- C:\HJT
2009-03-21 15:30 --d----- c:\program files\Trend Micro
2009-03-21 15:27 --d----- c:\temp\Trend Micro
2009-03-13 22:59 --d----- c:\temp\LG
2009-03-12 18:57 61,440 a------- c:\windows\system32\ISUSPM.cpl
2009-03-11 14:28 --d----- c:\program files\Seagate
2009-03-11 14:28 --d----- c:\docume~1\alluse~1\applic~1\Seagate
2009-03-02 13:57 --d----- c:\temp\Glary Utilities

==================== Find3M ====================

2009-03-22 17:45 189,072 a------- c:\windows\system32\PnkBstrB.exe
2009-03-22 17:44 138,920 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-03-22 17:44 75,064 a------- c:\windows\system32\PnkBstrA.exe
2009-03-09 10:40 15,688 a------- c:\windows\system32\lsdelete.exe
2009-03-09 10:37 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-02-17 10:37 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-09 06:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-01-07 12:28 453,152 a------- c:\windows\system32\NVUNINST.EXE
2009-01-03 22:09 7,538 a------- c:\windows\system32\ealregsnapshot1.reg
2007-11-20 13:47 22,328 a------- c:\docume~1\jjf\applic~1\PnkBstrK.sys
2008-09-12 09:31 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091220080913\index.dat
2008-10-02 13:31 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008100220081003\index.dat

============= FINISH: 10:39:25.50 ===============
------------------------

Please let me know how I should proceed at this point or if there are any questions. Thanks in advance! :thumbup2:


Edited by Orange Blossom, 26 March 2009 - 08:40 PM.



#2 dazeofwar

  • Topic Starter


Posted 26 March 2009 - 09:33 AM

Any assistance is greatly appreciated. Please!

#3 dazeofwar

  • Topic Starter


Posted 26 March 2009 - 02:23 PM

This is the 2nd topic I have posted in this area with no response whatsoever. Can someone please help me? I see other topics created AFTER mine that are receiving attention. Why am I being passed over??? :thumbup2:

See the answer to that question here: http://www.bleepingcomputer.com/forums/ind...t&p=1194638 ~ OB

Edited by Orange Blossom, 26 March 2009 - 08:41 PM.


#4 dazeofwar

  • Topic Starter


Posted 30 March 2009 - 12:27 PM

I understand that all of the moderators are very busy. I apologize for any inconvenience.

Can someone please assist me? Please respond to this and I will post new logs (Hijack or DDS). Thanks in advance.

#5 dazeofwar

  • Topic Starter


Posted 30 March 2009 - 05:08 PM

Anybody?

#6 dazeofwar

  • Topic Starter


Posted 01 April 2009 - 02:43 PM

The two entries no longer come up on my scans. Please close this topic whenever you get to it. Thanks.

#7 KoanYorel


    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA

Posted 04 April 2009 - 04:50 PM

OK. Thanks for informing us.
Good luck.

This thread is closed.
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)
