
TR/Spy.Vundo.AF, TR/dldr.agent.13321.3 => on laptop of my sister

  • This topic is locked
2 replies to this topic

#1 kris_e


  • Members
  • 1 posts
  • Local time:04:02 PM

Posted 29 March 2009 - 05:21 AM


Antivir keeps reporting that it found 2 trojan horses every time I reboot my laptop. Deleting it with Antivir does not help. I would be pleased if anyone can/wants to help me.
Possibly more malware/virus/trojan horses on this laptop.
Please help.

DDS (Ver_09-03-16.01) - FAT32x86
Run by Evers Kris at 12:18:21,62 on zo 29-03-2009
Internet Explorer: 6.0.2800.1106
Microsoft Windows XP Home Edition 5.1.2600.1.1252.31.1043.18.446.145 [GMT 2:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\{262916F0-031B-1043-1021-03082803001f}\Update.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Java\jre1.5.0_11\bin\jucheck.exe
C:\Program Files\AntiVir PersonalEdition Classic\avcenter.exe
C:\Documents and Settings\Evers Kris\Local Settings\Temporary Internet Files\Content.IE5\GG77UFY1\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = www.google.be/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://global.acer.com
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://global.acer.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: {3e71dc86-4a5c-4c71-a185-ebe9ac2eb607} - c:\windows\system32\rqrsqnm.dll
BHO: {6677e742-ee15-471c-aa82-f1bf6402be1b} - c:\windows\system32\khfgh.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_11\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: ST: {9394ede7-c8b5-483e-8773-474bf36af6e4} - c:\program files\msn apps\st\01.03.0000.1005\en-xu\stmain.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: MSNToolBandBHO: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\msn toolbar\01.02.5000.1021\nl\msntb.dll
BHO: {d651aff4-9590-424d-bd1e-8e33e090dfb3} - c:\windows\system32\uqwppqoo.dll
TB: MSN: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\msn toolbar\01.02.5000.1021\nl\msntb.dll
EB: Mediabalk: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
uRun: [AntispywareBot] c:\program files\antispywarebot\AntispywareBot.exe -boot
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [LaunchApp] Alaunch
mRun: [VTTimer] VTTimer.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [LManager] c:\progra~1\launch~1\QtZpAcer.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [{262916F0-031C-1043-1021-03082803001f}] "c:\program files\common files\{262916f0-031c-1043-1021-03082803001f}\Update.exe" mc-110-12-0001411
mRun: [{262916F0-031B-1043-1021-03082803001f}] "c:\program files\common files\{262916f0-031b-1043-1021-03082803001f}\Update.exe" mc-110-12-0001411
mRun: [DllRunning] rundll32.exe "c:\windows\system32\pmxbfxle.dll",setvm
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.5.0_11\bin\jusched.exe"
mRun: [avgnt] "c:\program files\antivir personaledition classic\avgnt.exe" /min
mRun: [WindowsService] rundll32.exe "c:\windows\system32\vpiymono.dll",realset
mRun: [SpyHunter Security Suite] c:\program files\enigma software group\spyhunter\SpyHunter3.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
uExplorerRun: [{262916F0-031C-1043-1021-03082803001f}] "c:\program files\common files\{262916f0-031c-1043-1021-03082803001f}\Update.exe" mc-110-12-0001411
dExplorerRun: [{262916F0-031C-1043-1021-03082803001f}] "c:\program files\common files\{262916f0-031c-1043-1021-03082803001f}\Update.exe" mc-110-12-0001411
StartupFolder: c:\docume~1\alluse~1\menust~1\progra~1\opstar~1\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xporteren naar Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\MSMSGS.EXE
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_11\bin\ssv.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586-jc.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: khfgh - c:\windows\system32\khfgh.dll
Notify: rqrsqnm - rqrsqnm.dll
SEH: {3e71dc86-4a5c-4c71-a185-ebe9ac2eb607} - c:\windows\system32\rqrsqnm.dll

============= SERVICES / DRIVERS ===============

R0 avgntmgr;avgntmgr;c:\windows\system32\drivers\avgntmgr.sys [2007-3-4 21312]
R1 avgntdd;avgntdd;c:\windows\system32\drivers\avgntdd.sys [2007-3-4 40768]
R2 AntiVirScheduler;AntiVir PersonalEdition Classic Scheduler;c:\program files\antivir personaledition classic\sched.exe [2007-3-4 63016]
R2 AntiVirService;AntiVir PersonalEdition Classic Guard;c:\program files\antivir personaledition classic\avguard.exe [2007-3-4 210984]
R2 Client IP-IPX;Client IP-IPX;"c:\windows\system32\svchosts.exe" -e mc-110-12-0001411 [2006-12-19 36864]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-3-28 130424]
S3 rtl8180;Realtek RTL8180 Wireless LAN (Mini-)PCI NIC NT Driver;c:\windows\system32\drivers\RTL8180.sys [2003-9-2 173184]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-3-28 348752]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-3-28 1095560]

=============== Created Last 30 ================

2009-03-29 12:02 <DIR> --d----- c:\program files\Trend Micro
2009-03-29 11:32 <DIR> --d----- c:\program files\Enigma Software Group
2009-03-28 17:31 740 ---sh--- c:\windows\system32\hgfhk.ini2
2009-03-28 16:32 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-03-28 16:31 130,424 a------- c:\windows\system32\drivers\PCTCore.sys
2009-03-28 16:31 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-03-28 16:31 <DIR> --d----- c:\program files\common files\PC Tools
2009-03-28 16:31 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-03-28 16:31 <DIR> --d----- c:\program files\Spyware Doctor
2009-03-28 16:31 <DIR> --d----- c:\docume~1\eversk~1\applic~1\PC Tools
2009-03-28 16:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-03-27 18:48 <DIR> --d----- c:\docume~1\eversk~1\applic~1\AntispywareBot
2009-03-27 18:47 <DIR> --d----- c:\program files\AntispywareBot
2009-03-03 18:39 <DIR> --d----- c:\windows\system32\PreInstall
2009-03-03 18:39 22,752 a------- c:\windows\system32\spupdsvc.exe
2009-03-03 18:15 <DIR> --d-h--- c:\windows\$hf_mig$

==================== Find3M ====================

2009-03-29 11:19 8,894 ---sh--- c:\windows\system32\hgfhk.bak1
2009-03-29 11:19 8,894 ---sh--- c:\windows\system32\hgfhk.bak2
2009-03-28 16:18 65,536 a------- c:\windows\DUMP6547.tmp
2008-04-11 10:03 38,776 a------- c:\docume~1\eversk~1\applic~1\GDIPFONTCACHEV1.DAT
2007-03-01 17:46 106,496 a------- c:\documents and settings\evers kris\sel.exe
2007-03-01 09:31 106,496 a------- c:\documents and settings\evers kris\ses.exe
2007-03-01 08:16 106,496 a------- c:\documents and settings\evers kris\elite.exe
2007-02-28 19:52 71,576 a------- c:\documents and settings\evers kris\sety.exe
2007-02-19 15:06 143,360 a------- c:\documents and settings\evers kris\flame.exe

============= FINISH: 12:19:13,55 ===============



#2 SifuMike


    malware expert

  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:02:02 PM

Posted 31 March 2009 - 09:45 PM

Hello kris_e,

Download Security Check by screen317 from here or here and save it to your Desktop.
Unzip SecurityCheck.zip and a folder named Security Check should appear.
Open the Security Check folder and double-click Security Check.bat
Follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Full Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Copy and Paste the entire Malwarebytes' Anti-Malware report in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

If you encounter this message: "c:\program files\malwarebytes' Anti-Malware\mbamext.dll Unable to register the dll/ocx: RegSvr32 failed with exit code 0x5" Click on ignore mbamext.dll

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 SifuMike


    malware expert

  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:02:02 PM

Posted 11 April 2009 - 09:51 PM

Due to inactivity, this thread will now be closed.
