
Trojan Vundo.H

  • This topic is locked
2 replies to this topic

#1 asteocles


  • Members
  • 2 posts
  • Local time:01:22 PM

Posted 06 July 2010 - 12:03 PM

The initial symptoms on this machine were the usual pop-ups etc. The pop-ups etc. have disappeared, but when I run a Malwarebytes scan, it still picks up 6 or 7 files it cannot delete. I've tried some other programs and some things I found on other forum posts here, but nothing seems to remove these files. It also won't let me manually delete them. I assume it's bad to have them on the machine even if there are no noticeable problems. We use some secure login sites for when we travel, and the only lingering thing that isn't working since I got this infection is my access through those portals. Could be a coincidence, but every time I log into an HTTPS site the page loads and then goes to the "Cannot display this webpage" screen. Can't say for sure it's related, but my accounts work fine on other machines. Any help would be appreciated. I followed the general Prep guide steps, so I'm pasting the log info below. Thanks.

DDS (Ver_10-03-17.01) - NTFSx86 MINIMAL
Run by master at 10:27:36.96 on Tue 07/06/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1710 [GMT -4:00]

AV: eTrust ITM *On-access scanning enabled* (Updated) {33EA71EA-56CF-40B5-A06B-BD3A27397C33}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
D:\virus and malware tools\dds.scr

============== Pseudo HJT Report ===============

BHO: {748dba97-5060-4a1b-ab4b-c0a7a482caa0} - c:\windows\system32\bjtdlei.dll
BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [SgeEcView] "c:\program files\utimaco\safeguard easy\Ecview.exe"
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Realtime Monitor] "c:\program files\ca\etrustitm\realmon.exe" -s
mRun: [IntelZeroConfig] c:\program files\intel\wireless\bin\ZCfgSvc.exe
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [EOUApp] c:\program files\intel\wireless\bin\EOUWiz.exe
mRun: [EdWizard] "c:\program files\utimaco\safeguard easy\EdWizard.exe" as
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [CstlFaxTray] c:\program files\castelle\faxpress plus\\FaxTray.exe
mRun: [Client Access Service] "e:\program files\ibm\client access\cwbsvstr.exe"
mRun: [Client Access Help Update] "e:\program files\ibm\client access\cwbinhlp.exe"
mRun: [Client Access Express Welcome] "e:\program files\ibm\client access\cwbwlwiz.exe"
mRun: [Client Access Check Version] "e:\program files\ibm\client access\cwbckver.exe" LOGIN
mRun: [BelNotify] c:\windows\system32\rundll32.exe c:\progra~1\belarc\advisor\system\NPBelv32.dll,RunDll32_BelNotify
dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - e:\progra~1\micros~1\office11\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1128953766853
DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://juniper.net/dana-cached/setup/JuniperSetupSP1.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://home.pmslic.com/dana-cached/sc/JuniperSetupClient.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxsrvc.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
Notify: NotLog - SGLogEx.dll
Notify: SGLogNotification - SGLogNotification.dll
Notify: ydmplwqy - bjtdlei.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 AES-256;AES-256;c:\windows\system32\drivers\AES256.sys [2007-9-5 19712]
R0 SgeFlt;SgeFlt;c:\windows\system32\drivers\SGEFLT.sys [2007-9-5 62720]
R0 wnhrorba;wnhrorba;c:\windows\system32\drivers\wnhrorba.sys [2004-8-4 23424]
S0 Partizan;Partizan;c:\windows\system32\drivers\partizan.sys --> c:\windows\system32\drivers\Partizan.sys [?]
S2 JuniperAccessService;Juniper Unified Network Service;c:\program files\common files\juniper networks\juns\dsAccessService.exe [2009-11-12 132392]
S2 MsDtsServer;SQL Server Integration Services;c:\program files\microsoft sql server\90\dts\binn\MsDtsSrvr.exe [2006-4-14 203552]
S2 ReportServer;SQL Server Reporting Services (MSSQLSERVER);e:\program files\microsoft sql server\mssql.4\reporting services\reportserver\bin\ReportingServicesService.exe [2006-4-14 14624]
S3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2004-5-3 80384]
S3 MSSQL$DHOUSEKNECHT;MSSQL$DHOUSEKNECHT;e:\progra~1\micros~3\mssql$~1\binn\sqlservr.exe -sdhouseknecht --> e:\progra~1\micros~3\mssql$~1\binn\sqlservr.exe -sDHOUSEKNECHT [?]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [2010-5-24 29584]
S3 SASENUM;SASENUM;\??\c:\docume~1\dah932\locals~1\temp\sas_selfextract\sasenum.sys --> c:\docume~1\dah932\locals~1\temp\sas_selfextract\SASENUM.SYS [?]
S3 SQLAgent$DHOUSEKNECHT;SQLAgent$DHOUSEKNECHT;e:\progra~1\micros~3\mssql$~1\binn\sqlagent.exe -i dhouseknecht --> e:\progra~1\micros~3\mssql$~1\binn\sqlagent.exe -i DHOUSEKNECHT [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-4 14336]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2005-9-23 2799808]

=============== Created Last 30 ================

2010-07-06 14:26:30 0 ----a-w- c:\documents and settings\master\defogger_reenable
2010-07-02 18:57:17 0 d-----w- c:\program files\SUPERAntiSpyware
2010-07-02 18:33:08 0 d-----w- c:\program files\CCleaner
2010-07-02 15:44:09 0 d-----w- c:\docume~1\master\applic~1\SUPERAntiSpyware.com
2010-07-02 15:00:34 54016 ----a-w- c:\windows\system32\drivers\ctml.sys
2010-07-01 17:08:50 0 d-----w- c:\docume~1\master\applic~1\Malwarebytes
2010-07-01 14:12:08 285696 -c----w- c:\windows\system32\dllcache\atmfd.dll
2010-07-01 14:11:53 65536 -c----w- c:\windows\system32\dllcache\asycfilt.dll

==================== Find3M ====================

2010-05-25 13:07:25 29584 ----a-w- c:\windows\system32\drivers\regguard.sys
2010-05-12 17:08:38 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-04 17:20:39 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20:34 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20:32 17408 ----a-w- c:\windows\system32\corpol.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-22 19:39:33 2048 ----a-w- c:\windows\system32\SGSAL.DAT
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll

============= FINISH: 10:30:26.93 ===============



#2 asteocles

  • Topic Starter

  • Members
  • 2 posts
  • Local time:01:22 PM

Posted 08 July 2010 - 09:56 AM

It looks like I got it cleared with Combofix and CCleaner. Through some trial and error I got it sorted and was able to remove the files, and my other issue with secure logins was unrelated; it was an issue with something else. So this has been resolved.

#3 Budapest


    Bleepin' Cynic

  • Moderator
  • 23,579 posts
  • Gender:Male
  • Local time:03:22 AM

Posted 08 July 2010 - 06:03 PM

As this issue appears to be resolved I am closing the topic. Please send me (or any other Moderator) a Personal Message (PM) if you would like the topic re-opened.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw
