
Cannot remove some Trojan.Vundo.H files


  • This topic is locked
6 replies to this topic

#1 SR68

  • Members
  • 3 posts

Posted 25 April 2009 - 11:27 AM

Hello,

About two days ago, my computer was infected with the Vundo.H Trojan. Through deleting some files and running MalwareBytes I now have access to websites etc. (which I did not after the trojan attack) and have prevented the popups. However, I have not been able to get rid of 3 registry entries and one dll related to the virus. Malwarebytes says removal on restart, but it does not remove it. I also installed Spywarefighter, which does not detect it. I cannot delete it in safe mode restart. Please help me get rid of these. I have included the log file from the Malwarebytes run below.

Thank you for your help.

Regards,

Shree



Malwarebytes' Anti-Malware 1.36
Database version: 2034
Windows 5.1.2600 Service Pack 3

4/24/2009 10:48:10 PM
mbam-log-2009-04-24 (22-48-10).txt

Scan type: Quick Scan
Objects scanned: 4230
Time elapsed: 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b19c1738-300a-4d46-8889-bc4ddc0f5479} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gciwaozd (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{b19c1738-300a-4d46-8889-bc4ddc0f5479} (Trojan.Vundo.H) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\xgyipwv.dll (Trojan.Vundo.H) -> Delete on reboot.



#2 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 25 April 2009 - 01:43 PM

Hi SR68,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

Please give me a little time to go through your log. I will also let you know that I am a trainee, so each stage of the fix will need to be checked by an expert coach before I post, and there may be a slight delay. Don't worry, I won't abandon you.
  • Please subscribe to this topic, if you haven't already,
  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 2 days I will bump the topic and if you do not reply by the following day then I will close the topic.

Thanks.

Firstly, as good as MBAM is, I need to see a full scan log. Please download DDS as below.


Download DDS and save it to your desktop from here or here or here.

Disable any script blocker and then double click dds.scr to run the tool.

When done, DDS will open two logs:
  • DDS.txt
  • Attach.txt
Save both reports to your desktop first and then copy & paste them into your next reply.

Thanks.
m0le is a proud member of UNITE

#3 SR68
  • Topic Starter

  • Members
  • 3 posts

Posted 25 April 2009 - 03:43 PM

Hi M0le,

Thank you for responding to my post. Below is the DDS.txt data and I shall attach the attach.txt file to this reply.

Shree

DDS (Ver_09-03-16.01) - NTFSx86
Run by Kimberly Mercer at 15:32:33.35 on Sat 04/25/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.480.135 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark 8300 Series\lxcjmon.exe
C:\Program Files\Lexmark 8300 Series\ezprint.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Fighters\spywarefighter\SpywarefighterUser.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\CMS Peripherals\BounceBack Express\BBLauncher.exe
svchost.exe
C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Fighters\configservice.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Fighters\licenseservice.exe
C:\Program Files\Fighters\updateservice.exe
C:\Program Files\Fighters\ScannerService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\lxcjcoms.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\System32\MDM.EXE
c:\program files\fighters\spywarefighter\SPYWAREfighterTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\Documents and Settings\Kimberly Mercer\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.hotmail.com/
uWindow Title = Microsoft Internet Explorer provided by Compaq
uSearch Bar = hxxp://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=searchfavweb&c=3c01&lc=0409
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mDefault_Page_URL = hxxp://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
mSearch Page =
mStart Page = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: : {b19c1738-300a-4d46-8889-bc4ddc0f5479} - c:\windows\system32\xgyipwv.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [LXCJCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCJtime.dll,_RunDLLEntry@16
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.6.0_05\bin\jusched.exe
mRun: [srmclean] c:\cpqs\scom\srmclean.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [PrinTray] c:\windows\system32\spool\drivers\w32x86\3\printray.exe
mRun: [lxcjmon.exe] "c:\program files\lexmark 8300 series\lxcjmon.exe"
mRun: [EzPrint] "c:\program files\lexmark 8300 series\ezprint.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [spywarefighterguard] c:\program files\fighters\spywarefighter\SpywarefighterUser.exe
mRunOnce: [Compaq_RBA] c:\program files\compaq\compaq advisor\bin\compaq-rba.exe -z
StartupFolder: c:\docume~1\kimber~1\startm~1\programs\startup\bounce~1.lnk - c:\program files\cms peripherals\bounceback express\BBLauncher.exe
StartupFolder: c:\docume~1\kimber~1\startm~1\programs\startup\SHORTC~1.LNK -
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\palm\HOTSYNC.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} - hxxp://www.ipix.com/viewers/ipixx.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
DPF: {611CF77F-F7F5-4EA1-B979-667671326B4C} - hxxp://etrade.bridge.com/etgmt_prd/java/gmtb_etrade_i.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229913115609
DPF: {6F07CA40-1983-11D6-B8FA-00C04F5E375A} - hxxp://etrade.bridge.com/etgmt_backup/java/gmt_etrade_i.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37868.2744907407
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {C0288443-26C2-11D6-B8FA-00C04F5E375A} - hxxp://etrade.bridge.com/etgmt_backup/java/gmt_bridge_i.cab
DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E93A06EF-ABD8-4FA5-96BF-968614B08531} - hxxp://etrade.bridge.com/etgmt_prd/java/gmtb_bridge_i.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5594/mcfscan.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: gciwaozd - xgyipwv.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 dlgjniqw;dlgjniqw;c:\windows\system32\drivers\dlgjniqw.sys [2001-10-22 23424]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-3-25 214024]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-4-24 203280]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-4-24 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-4-24 144704]
R2 portD;ABS PortIO Service;c:\windows\system32\drivers\portd2k.sys [2007-1-6 7296]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-4-24 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-4-24 79880]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-4-24 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-4-24 40552]
R3 SMC1211;SMC EZ Card 10/100 PCI (SMC1211 Series) NT 5.0 Driver;c:\windows\system32\drivers\SMC1211.sys [2001-7-11 23153]
R3 Vfscan;Vfscan;c:\windows\system32\drivers\vffilter.sys [2008-11-18 15496]
S1 EACMOS;EACMOS;c:\windows\system32\drivers\eacmos.sys --> c:\windows\system32\drivers\EACMOS.SYS [?]
S2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;c:\windows\system32\drivers\usbscan.sys [2003-8-25 15104]
S3 Gcr432;Gcr432;c:\windows\system32\drivers\Gcr432.sys [2001-9-6 89371]
S3 LxrSG20d;LxrSG20d;c:\windows\system32\drivers\LxrSG20d.sys [2005-2-15 68672]
S3 LxrSG20s;Lexar SG20;LxrSG20s.exe --> LxrSG20s.exe [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-4-24 34216]
S3 PortDRv;PST Port I/O Driver;c:\windows\system32\drivers\PortDRv.sys [2005-2-24 7168]
S3 SRBoxDRv;PST Serial Response Box Driver;c:\windows\system32\drivers\SRBoxDRv.sys [2005-2-24 14848]
S3 Wdm1;USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc.sys [2004-2-25 15576]

=============== Created Last 30 ================

2009-04-25 09:38 <DIR> --d----- C:\VundoFix Backups
2009-04-24 19:09 <DIR> --d----- c:\program files\Fighters
2009-04-24 19:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Fighters
2009-04-24 18:38 4,505 a------- c:\windows\system32\Config.MPF
2009-04-24 17:53 40,552 a------- c:\windows\system32\drivers\mfesmfk.sys
2009-04-24 17:53 79,880 a------- c:\windows\system32\drivers\mfeavfk.sys
2009-04-24 17:53 35,272 a------- c:\windows\system32\drivers\mfebopk.sys
2009-04-24 17:53 120,136 a------- c:\windows\system32\drivers\Mpfp.sys
2009-04-24 17:51 <DIR> --d----- c:\program files\common files\McAfee
2009-04-24 17:51 <DIR> --d----- c:\program files\McAfee.com
2009-04-24 17:50 <DIR> --d----- c:\program files\McAfee
2009-04-24 17:45 34,216 a------- c:\windows\system32\drivers\mferkdk.sys
2009-04-23 20:41 <DIR> --d----- c:\docume~1\kimber~1\applic~1\Malwarebytes
2009-04-23 20:41 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-23 20:41 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-23 20:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-23 20:41 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-23 17:25 <DIR> --d----- c:\docume~1\kimber~1\applic~1\nyjqachf
2009-04-23 17:05 0 a------- c:\windows\system32\nfr.gpref
2009-04-23 10:33 0 a------- c:\windows\system32\nfr.assembly
2009-04-23 10:33 150 a------- C:\pch.bat
2009-04-23 10:33 <DIR> --d----- c:\windows\system32\179223
2009-04-23 09:00 54,156 a---h--- c:\windows\QTFont.qfn
2009-04-23 09:00 1,409 a------- c:\windows\QTFont.for
2009-04-15 03:47 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-04-15 03:47 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-04-15 03:47 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-04-15 03:47 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 03:47 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 03:47 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-04-15 03:47 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 03:47 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-04-15 03:47 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-04-15 03:46 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-15 03:46 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-04-15 03:46 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe

==================== Find3M ====================

2009-04-25 11:10 7,477 a------- c:\windows\compaq.reg
2009-03-25 11:06 214,024 a------- c:\windows\system32\drivers\mfehidk.sys
2009-03-06 09:22 284,160 -------- c:\windows\system32\pdh.dll
2009-02-20 03:10 666,112 a------- c:\windows\system32\wininet.dll
2009-02-20 03:10 81,920 a------- c:\windows\system32\ieencode.dll
2009-02-09 07:10 729,088 -------- c:\windows\system32\lsasrv.dll
2009-02-09 07:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 07:10 714,752 -------- c:\windows\system32\ntdll.dll
2009-02-09 07:10 617,472 -------- c:\windows\system32\advapi32.dll
2009-02-09 06:13 1,846,784 -------- c:\windows\system32\win32k.sys
2009-02-07 19:02 2,066,048 -------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 06:11 110,592 -------- c:\windows\system32\services.exe
2009-02-06 06:08 2,189,056 -------- c:\windows\system32\ntoskrnl.exe
2009-02-06 05:39 35,328 -------- c:\windows\system32\sc.exe
2009-02-03 14:59 56,832 a------- c:\windows\system32\secur32.dll

============= FINISH: 15:34:50.68 ===============


#4 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 29 April 2009 - 06:26 PM

Hi SR68,

Thanks for the log and apologies for the slight wait.

There are a few malware issues with your PC.

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


If you want to continue then follow these instructions...

SpywareFighter is not a recommended program. There are better programs available which I will let you know about after we have cleaned your computer.

Click "start" on the taskbar and then click on the "Control Panel" icon.
Please double-click (or right-click, if you are using Vista) the "Add or Remove Programs" icon.
A list of programs installed will be "populated" this may take a bit of time.
If they exist, uninstall the following by clicking on the following entries and selecting "remove":

SpywareFighter

Additional instructions can be found here if needed.

Next...

We need to scan for Rootkits with GMER
  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Close any and all open programs, as this process may crash your computer.
  • Double click the GMER icon on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see a warning window. If you do, click No.
  • Click on the Scan button and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Save and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.


Finally, I would like to take a deeper look at your PC.

Download and Run OTViewit
  • Please download OTViewIt by OldTimer.
  • Save it to your desktop.
  • Double click on the OTViewIt icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
  • OTViewIt.txt <-- Will be opened
  • Extra.txt <-- Will be minimized
To recap
  • Confirm that you have removed SpywareFighter
  • Post the Gmer log
  • Post the two OTViewIt logs
Thanks.
m0le is a proud member of UNITE

#5 SR68
  • Topic Starter

  • Members
  • 3 posts

Posted 29 April 2009 - 08:07 PM

Hi M0le,

I really appreciate all your help and work with this. I am tempted to do the steps you have suggested to see where it takes us, but I do not want to take any more of your time. We have decided to take the safe route and reformat the hard drive. One quick question: do you think such a backdoor trojan can, or more importantly would, access information in files (e.g. from MS Outlook), or is it primarily just those that are entered in the browser? We have changed the passwords on some of our accounts but are not sure the extent to which we should do it. Thanks a million to you and your supervisors.

SR68

#6 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 30 April 2009 - 04:31 AM

Hi SR68,

Okay, that's your choice to reformat and, although it's the last resort, as you have been breached once by backdoor/trojans it is also the safest course of action. As I said, the cleaning of the PC does not guarantee that it will stay clean.

Backdoor trojans have almost no limit of capability so you should change all passwords that you have used on this computer.

Read this for more on this nasty malware here

Thanks for using Bleeping Computer, we appreciate your thanks.

Cheers,

m0le
m0le is a proud member of UNITE

#7 kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 05 May 2009 - 06:09 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.



