Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Help I am infected with the Vundo trojan and quite possibly others

  • This topic is locked This topic is locked
5 replies to this topic

#1 Captain Crak

Captain Crak

  • Members
  • 2 posts
  • Local time:09:07 AM

Posted 25 April 2009 - 08:14 PM


A few days ago I was infected with the Vundo Trojan. I am not quite sure how I got it but it definitely is there. Yesterday my mom recieved an email from Time Warner saying that a computer from our IP adress sent out spam emails. None of us did it so obviously it was a virus. I have run 1 full scan and 2 quick scans with Malwarebytes, but it seems to be to no avail. The scans always turn up with "Trojan.Vundo" files. The computer is currently disconnected from the internet and I am posting this from my desktop downstairs. Please help!


-The first symptom I received was many ads for bogus antispyware programs popping up in Internet Explorer even though I was using Firefox. Malwarebytes seems to have gotten rid of these popups so this isn't really a problem anymore.

-My Symantec antivirus firewall and Windows firewall were both disabled along with Symantec virus protection and Windows virus protection. I have only been able to enable the Windows firewall after using Malwarebytes.

-Every time I turn on my computer an application error message comes up that states:

The instruction at "0x00656b8f" referenced memory at "0x0000000c". The memory could not be "read".
Click on OK to terminate the program
Click on CANCEL to debug the program

It usually takes a couple clicks on the OK button before it goes away.

-After my desktop loads another message comes up saying:

Generic Host Process for Win32 Services encountered a problem and needed to close.

And then it gives me the option to send an error report.

DDS Log:

DDS (Ver_09-03-16.01) - NTFSx86
Run by M Anatra-Cordone at 20:42:15.94 on Sat 04/25/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.959.408 [GMT -4:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
FW: Norton Internet Worm Protection *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
c:\Program Files\Zune\ZuneNss.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Sony\VAIO Update 3\VAIOUpdt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\M Anatra-Cordone\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Documents and Settings\M Anatra-Cordone\Application Data\pidle\pidle.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\acrobat_sl.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://yahoo.com/
uWindow Title = Windows Internet Explorer provided by Yahoo!
mDefault_Page_URL = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = hxxp://ciscdb.sel.sony.com/perl/modelpage.pl?mdl=PCGK37
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: : {885d0c5e-8c1d-4b38-8600-9b367074bd79} - c:\windows\system32\pnhvzrm.dll
BHO: {b2ba40a2-74f0-42bd-f434-12345a2c8953} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Viewpoint Toolbar: {f8ad5aa5-d966-4667-9daf-2561d68b2012} - c:\program files\common files\viewpoint\toolbar runtime\3.9.0\IEViewBar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: DF Bar: {67fcef90-073e-11de-8c30-0800200c9a66} - %SystemRoot%\system32\shdocvw.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6]
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Google Update] "c:\documents and settings\m anatra-cordone\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [FreeRAM XP] "c:\program files\yourware solutions\freeram xp pro\FreeRAM XP Pro.exe" -win
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [prunnet] "c:\windows\system32\prunnet.exe"
uRun: [<NO NAME>] c:\docume~1\manatr~1\locals~1\temp\yfjqzf1x.exe
uRun: [pidle] "c:\documents and settings\m anatra-cordone\application data\pidle\pidle.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
uRun: [SfKg6wIPuSpdc] c:\documents and settings\m anatra-cordone\application data\microsoft\windows\hdrgj.exe
mRun: [CreateCD_Reminder] c:\windows\sonysys\vaio recovery\reminder.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SonyPowerCfg] c:\program files\sony\vaio power management\SPMgr.exe
mRun: [HKSERV.EXE] c:\program files\sony\hotkey utility\HKserv.exe
mRun: [VAIO Recovery] c:\windows\sonysys\vaio recovery\PartSeal.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [PinnacleDriverCheck] c:\windows\system32\PSDrvCheck.exe
mRun: [StatusClient 2.6] c:\program files\hewlett-packard\toolbox\statusclient\StatusClient.exe /auto
mRun: [TomcatStartup 2.5] c:\program files\hewlett-packard\toolbox\hpbpsttp.exe
mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\adobe acrobat 7.0\distillr\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [Media Codec Update Service] c:\program files\essentials codec pack\update.exe -silent
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [Adobe Version Cue CS2] c:\program files\adobe\adobe version cue cs2\controlpanel\VersionCueCS2Tray.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [VAIO Update 3] "c:\program files\sony\vaio update 3\VAIOUpdt.exe" /Stationary
mRun: [ccApp] -
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [prunnet] "c:\windows\system32\prunnet.exe"
dRun: [Norton SystemWorks] "c:\program files\norton systemworks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
dRun: [reader_s] c:\documents and settings\m anatra-cordone\reader_s.exe
dRun: [<NO NAME>] c:\windows\temp\vnuoq7m.exe
dRun: [svc] c:\program files\thunmail\testabd.exe
dRun: [Windows Resurections] c:\windows\temp\vnuoq7m.exe
dRun: [Diagnostic Manager] c:\windows\temp\615920544.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~2.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: Convert link target to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: gqmaounw - pnhvzrm.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\manatr~1\applic~1\mozilla\firefox\profiles\kd51s5xv.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\mozilla firefox\components\dfff.dll
FF - component: c:\program files\mozilla firefox\components\WWShow.dll
FF - plugin: c:\documents and settings\m anatra-cordone\local settings\application data\google\update\\npGoogleOneClick7.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: XUL Cache: {9C58F758-8F10-4EBA-9960-7A17FDC8EA44} - c:\documents and settings\m anatra-cordone\local settings\application data\{9C58F758-8F10-4EBA-9960-7A17FDC8EA44}

============= SERVICES / DRIVERS ===============

R0 kgiwzyjb;kgiwzyjb;c:\windows\system32\drivers\kgiwzyjb.sys [2004-8-13 23424]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\program files\VCdRom.sys [2001-12-19 8576]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-7-19 169632]
R2 dhcpsrv;Dhcp server;c:\windows\dhcp\svchost.exe [2009-4-24 256512]
R2 ggkojfgg;Microsoft ACPI Control Method Battery Monitor;c:\windows\system32\svchost.exe -k netsvcs [2004-8-13 14336]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-2-24 45132]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-2-27 101936]
S2 msncache;msncache;c:\windows\system32\svchost.exe -k NetworkService [2004-8-13 14336]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090417.007\naveng.sys [2009-4-17 89104]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090417.007\navex15.sys [2009-4-17 876144]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-9-27 116464]
S3 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-9-27 1813232]
S4 ccEvtMgr;Symantec Event Manager;- --> - [?]
S4 SAVRT;SAVRT;- --> - [?]

============== File Associations ===============

regfile=*** no open command defined ***

=============== Created Last 30 ================

2009-04-24 18:11 <DIR> --d----- c:\windows\dhcp
2009-04-24 18:10 <DIR> --dshr-- c:\program files\ThunMail
2009-04-23 23:31 <DIR> --d----- c:\program files\CCleaner
2009-04-23 23:14 155 a------- c:\windows\system32\SelfDel.bat
2009-04-23 23:13 108,032 a------- c:\windows\system32\ftp_non_crp.exe
2009-04-23 19:21 <DIR> --d----- c:\docume~1\manatr~1\applic~1\Malwarebytes
2009-04-23 19:19 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-23 19:19 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-23 19:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-23 19:19 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-23 18:18 <DIR> --d----- c:\docume~1\manatr~1\applic~1\dsblzfij
2009-04-23 16:57 <DIR> --d----- c:\docume~1\manatr~1\applic~1\Twain
2009-04-23 16:42 65,536 a------- c:\windows\system32\ak1.exe
2009-04-23 16:39 51,120 a----r-- c:\windows\system32\drivers\hpzid412.sys.bak
2009-04-23 16:39 21,744 a----r-- c:\windows\system32\drivers\hpzius12.sys.bak
2009-04-23 16:39 16,496 a----r-- c:\windows\system32\drivers\hpzipr12.sys.bak
2009-04-21 23:38 31,232 a------- C:\jjomgvxe.exe
2009-04-21 23:38 578,560 a------- c:\windows\system32\iqbmlg
2009-04-21 23:38 <DIR> --d----- c:\docume~1\manatr~1\applic~1\pidle
2009-04-21 23:34 182,656 ac------ c:\windows\system32\dllcache\ndis.sys
2009-04-21 23:34 0 a------- c:\windows\mqcd.dbt
2009-04-21 23:34 86,268 a------- c:\windows\system32\drivers\a07c9af7.sys
2009-04-21 23:33 28,672 a------- c:\windows\system32\inqby.sr
2009-04-21 23:33 32,768 a------- c:\windows\system32\ferryl.cbv
2009-04-21 23:33 32,768 a------- c:\windows\system32\fairy.an
2009-04-21 23:33 28,672 a------- c:\windows\system32\dolman.zt
2009-04-21 23:33 79,360 a------- c:\windows\system32\ashl.nq
2009-04-21 23:33 43,520 a------- C:\mxntwq.exe
2009-04-21 23:33 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-04-21 23:33 262,144 a------- c:\windows\system32\nvrsk.dll
2009-04-21 23:33 2 a------- C:\1358766931
2009-04-21 23:32 290,304 a------- C:\yxly.exe
2009-04-21 23:32 15,000 a------- c:\windows\system32\hf873uwndf.dll
2009-04-21 23:32 69,632 a------- C:\kgayofb.exe
2009-04-18 14:03 91,136 ac------ c:\windows\system32\dllcache\kswdmcap.ax
2009-04-18 14:03 53,760 ac------ c:\windows\system32\dllcache\vfwwdm32.dll
2009-04-18 14:03 43,008 ac------ c:\windows\system32\dllcache\ksxbar.ax
2009-04-18 14:03 91,136 a------- c:\windows\system32\kswdmcap.ax
2009-04-18 14:03 53,760 a------- c:\windows\system32\vfwwdm32.dll
2009-04-18 14:03 43,008 a------- c:\windows\system32\ksxbar.ax
2009-04-18 14:03 61,952 ac------ c:\windows\system32\dllcache\kstvtune.ax
2009-04-18 14:03 61,952 a------- c:\windows\system32\kstvtune.ax
2009-04-18 14:03 20,992 ac------ c:\windows\system32\dllcache\dshowext.ax
2009-04-18 14:03 20,992 a------- c:\windows\system32\dshowext.ax
2009-04-15 17:00 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-04-15 17:00 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-04-15 17:00 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-04-15 17:00 248,320 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 17:00 131,072 -c------ c:\windows\system32\dllcache\services.exe
2009-04-15 17:00 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 17:00 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-04-15 17:00 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-04-15 17:00 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 16:56 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-04-15 16:56 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-15 16:56 236,032 -c------ c:\windows\system32\dllcache\wordpad.exe

==================== Find3M ====================

2009-04-23 17:38 74,752 a--sh--- c:\windows\system32\dagubawe.exe
2009-04-21 23:38 71,680 a--sh--- c:\windows\system32\woporuzo.exe
2009-04-21 23:38 80,896 a--sh--- c:\windows\system32\mipotera.dll
2009-04-21 23:38 74,752 a--sh--- c:\windows\system32\sekumeto.exe
2009-04-21 23:34 182,656 a------- c:\windows\system32\drivers\ndis.sys
2009-04-21 23:33 578,560 a------- c:\windows\system32\user32.DLL
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 20:18 826,368 a------- c:\windows\system32\wininet.dll
2009-02-20 14:09 78,336 a------- c:\windows\system32\ieencode.dll
2009-02-09 08:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 08:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 08:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 08:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-07 19:02 2,066,048 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 07:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 07:08 2,189,056 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 06:39 55,808 a------- c:\windows\system32\sc.exe
2009-02-03 15:59 56,832 a------- c:\windows\system32\secur32.dll
2008-03-26 03:10 12,843 a------- c:\program files\readme_1.txt
2008-03-09 03:46 353 ac------ c:\program files\INSTALL.LOG
2008-01-09 01:15 32 ac---r-- c:\documents and settings\all users\hash.dat
2006-03-21 10:43 0 ac------ c:\docume~1\manatr~1\applic~1\wklnhst.dat
2003-12-18 11:33 20,102 ac------ c:\program files\Readme.txt
2003-09-03 07:46 10,960 ac------ c:\program files\EULA.txt
2001-12-19 12:45 8,576 a------- c:\program files\VCdRom.sys
2006-05-03 05:06 163,328 ---shr-- c:\windows\system32\flvDX.dll
2007-02-21 06:47 31,232 ---shr-- c:\windows\system32\msfDX.dll
2007-12-17 08:43 27,648 ---sh--- c:\windows\system32\Smab0.dll

============= FINISH: 20:44:48.16 ===============

Thank you for your help and I will be patient for a reply :thumbup2:

Attached Files

Edited by Captain Crak, 25 April 2009 - 08:19 PM.

BC AdBot (Login to Remove)


#2 extremeboy


  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:09:07 AM

Posted 26 April 2009 - 01:42 PM


Unfortunately you have the file infector Virut infection. The only way to proceed is to Format the whole computer and start over.

Posted ImageVirut File Infector Warning

Your system is infected with a polymorphic file infector called Virut and also has IRC bot functionality. Virut is capable of infecting all the machine's executable files (.exe) and screensaver files (.scr) and also web pages (.html and .htm). However, the problem is that the virus has a number of bugs in its code, and as a result, it may misinfect a proportion of executable files and therefore, the files are corrupted beyond repair. In addition, when it infects, sometimes it will destroy the file it tries to latch onto.

For these reasons, you really can't truly fix Virut. You will need to reinstall and format the operating system on this machine. As of now, security experts suggest that a clean Reformat is the only way to clean the infection and it is the only way to return the machine to its normal working state.

Backup all your documents and important items (personal data, work documents, pictures etc..) only. DO NOT backup any executable files (softwares) and screensavers (*.scr) or any web pages (*.html or *.htm). It attempts to infect any accessed .exe or .scr or .html/.htm files by appending itself to the executable.

Also, try to avoid backing up compressed files (zip/cab/rar) files that have .exe or .scr files inside them. Virut can penetrate and infect .exe files inside compressed files too.

More information on Virut can be found over here and here

With Regards,
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 Captain Crak

Captain Crak
  • Topic Starter

  • Members
  • 2 posts
  • Local time:09:07 AM

Posted 26 April 2009 - 03:52 PM

Thank you for looking at my data.

Formatting seems like an okay thing to do to me because I don't really have anything important on the computer but I'm not quite sure how to do it :/.

Oh, okay I see the link in your response I will go read that link now thank you :thumbup2:.

#4 extremeboy


  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:09:07 AM

Posted 26 April 2009 - 04:11 PM


Oh, okay I see the link in your response I will go read that link now thank you

You're welcome.

Yes, the link is in the Format word: http://spyware-free.us/tutorials/reformat/

If you have any questions/problems on formatting you can start another topic over here.

Good luck!

With Regards,
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#5 extremeboy


  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:09:07 AM

Posted 29 April 2009 - 02:21 PM


Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 from the day I replied, the topic will need to be closed.

Thanks for understanding. :thumbup2:

With Regards,
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#6 extremeboy


  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:09:07 AM

Posted 01 May 2009 - 02:16 PM


Due to Lack of feedback, this topic is now Closed.

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic in the Hijackthis-Malware Removal forum.

With Regards,
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users