Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojan.Vundo.H


  • This topic is locked This topic is locked
2 replies to this topic

#1 Mukwrm

Mukwrm

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:02:40 PM

Posted 25 May 2009 - 03:34 PM

Picked up a nasty virus yesterday. Took over whole system. Was unable to open any programs or execute any command. Ran Malwarebytes in safe mode which took out a big chunk of the problem and my system is usable again, but still have 4 files malwarebytes cannot remove. It puts them in the "remove on rebbot" folder but will not get rid of them. There is also a 5th file named Malware.Trace which remains, I dont know if that is related to the same issue. Location is My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\agprotect

As a rather annoying side note, this has also changed my internet settings somehow. My computer is online, but most programs will not connect. For example: Firefox and Itunes will not connect online, but Pokerstars will. So I will be bouncing back and forth burning cd's between two computers for any info and programs. Please take that in to account when giving instructions

Thanks in advance for any help. It's nice to see there are talented people out there using it for good, instead of destroying other peoples stuff.


DDS (Ver_09-05-14.01) - NTFSx86
Run by Matt at 13:04:47.40 on Mon 05/25/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.742 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\DOCUME~1\Matt\LOCALS~1\Temp\jq9ktace.exe
C:\DOCUME~1\Matt\LOCALS~1\Temp\jq9ktace.exe
C:\DOCUME~1\Matt\LOCALS~1\Temp\jq9ktace.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
D:\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.cox.net/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
mSearchAssistant = hxxp://www.google.com/ie
BHO: : {27a21f42-b6f1-47ea-8dc2-067fa7975770} - c:\windows\system32\skjtvrx.dll
BHO: {C6C7B2A1-00F3-42BD-F434-00AABA2C8953} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [<NO NAME>] c:\docume~1\matt\locals~1\temp\jq9ktace.exe
uRun: [nzdflkioezncfiunfindiuchiuenfcdc] c:\docume~1\matt\locals~1\temp\jq9ktace.exe
uRun: [A00F1D8EA6.exe] c:\docume~1\matt\locals~1\temp\_A00F1D8EA6.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [Diagnostic Manager] c:\windows\temp\1220784550.exe
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - c:\program files\bodog poker\BPGame.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.19.0\gears.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} - hxxp://gsn.worldwinner.com/games/v47/shared/FunGamesLoader.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {556DDE35-E955-11D0-A707-000000521957} - hxxp://www.xblock.com/download/xclean_micro.exe
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Notify: eebslokt - skjtvrx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\matt\applic~1\mozilla\firefox\profiles\6j4tvoiu.default\
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 1
FF - component: c:\program files\google\google gears\firefox\components\gears.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll

============= SERVICES / DRIVERS ===============

R0 babdtsbu;babdtsbu;c:\windows\system32\drivers\babdtsbu.sys [2004-8-4 23424]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-10 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 953168]
S2 gupdate1c9c6ee3cd291de;Google Update Service (gupdate1c9c6ee3cd291de);c:\program files\google\update\GoogleUpdate.exe [2009-4-26 133104]

=============== Created Last 30 ================

2009-05-25 12:14 <DIR> --d----- C:\VundoFix Backups
2009-05-24 15:42 61,440 a------- c:\windows\system32\drivers\mofc.sys
2009-05-24 15:24 <DIR> --d----- c:\docume~1\matt\applic~1\qjxvzumx
2009-05-24 14:12 <DIR> --d----- c:\docume~1\matt\applic~1\Malwarebytes
2009-05-24 14:12 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-24 14:12 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-24 14:12 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-24 14:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-24 11:24 107,852 a------- c:\windows\system32\drivers\50639ee0.sys
2009-05-24 11:24 190,976 a------- C:\jotvxhh.exe
2009-05-24 10:44 70 a------- C:\xcrashdump.dat
2009-05-24 10:14 39,424 a------- C:\hcpjmkup.exe
2009-05-24 10:13 107,852 a------- c:\windows\system32\drivers\d02bed12.sys
2009-05-24 10:13 182,656 ac------ c:\windows\system32\dllcache\ndis.sys
2009-05-24 10:13 2 a------- C:\-57915603
2009-05-24 10:13 39,424 a------- C:\kortcale.exe
2009-05-24 10:12 16,896 a------- c:\windows\system32\SYSDLL.exe
2009-05-24 10:12 <DIR> --d----- c:\windows\system32\121973
2009-05-15 01:30 <DIR> --d----- c:\windows\system32\scripting
2009-05-15 01:30 <DIR> --d----- c:\windows\system32\en
2009-05-15 01:30 <DIR> --d----- c:\windows\system32\bits
2009-05-15 01:30 <DIR> --d----- c:\windows\l2schemas
2009-05-15 01:28 <DIR> --d----- c:\windows\ServicePackFiles
2009-05-14 22:02 <DIR> --d----- c:\program files\World of Warcraft
2009-05-12 22:10 256 a------- c:\windows\_delis32.ini
2009-05-12 21:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Blizzard
2009-05-11 01:13 <DIR> --d----- c:\program files\common files\Blizzard Entertainment

==================== Find3M ====================

2009-05-24 10:13 182,656 a------- c:\windows\system32\drivers\ndis.sys
2009-05-15 01:32 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-04-21 22:28 15,688 a------- c:\windows\system32\lsdelete.exe
2009-04-21 22:27 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-03-06 07:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-05 23:59 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2009-03-02 17:18 826,368 a------- c:\windows\system32\wininet.dll

============= FINISH: 13:05:26.37 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:02:40 PM

Posted 03 June 2009 - 05:43 PM

Hello Mukwrm,

Since it has been a few days,
  • download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Select Files and Folders created in last 3 months
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).
    info.txt can also be found at c:\RSIT\info.txt
Also post the last Malwarebytes report so I can see what it found.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:02:40 PM

Posted 16 June 2009 - 09:49 PM

This thread will now be closed due to lack of feedback.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users