  #1  
Old 05-27-2008
fay
Silver Member
Join Date: Apr 2006
Location: Simi Valley, CA
Posts: 126
PC Experience: Some Experience
Question vundo trojan

Hey
My son's computer has a recurring trojan: vundo@dll, and it says it's in windows/system32. It comes up like maybe every hour or so, I'm not really sure, but I did the prework.
The AVG wouldn't let me save a log file. I ran it in safe mode and the save report was grayed out, but all it found was tracking cookies. Before I came here, I wanted to see if I could fix it myself, so I searched on the internet for how to rid a PC of the vundo trojan and downloaded VundoFix, but it didn't find anything. And the trojan is still on the PC.


Thanks
Fay
Attached Files
File Type: txt hijackthis052608.txt (7.8 KB, 2 views)
File Type: log SUPERAntiSpyware Scan Log - 05-26-2008 - 19-06-49.log (14.6 KB, 1 views)


  #2  
Old 05-27-2008
madmatt2006
PC Dinosaur
Join Date: Dec 2006
Location: Shepparton
Posts: 2,591
PC Experience: Elite PC Guru
Default Re: vundo trojan

Hi Fay, one of our security staff should be online soon to have a look for you.


  #3  
Old 05-28-2008
Pancake
Senior Security Analyst
Join Date: Jun 2006
Location: Victoria, Australia
Posts: 2,977
PC Experience: Elite PC Guru
Default Re: vundo trojan

Ok. We need to download ComboFix.exe. This will give a better view of the files running and also hidden on your computer.
Please visit this webpage for download links, and instructions for running ComboFix.
When the tool is finished, it will produce a report for you. Please copy and paste the "C:\ComboFix.txt" along with a new 'HijackThis' log so that we can continue to do any further cleaning that your system may require.
Caution: Never run and remove files with ComboFix unless supervised by a qualified security analyst who is experienced in the use of ComboFix. Misuse can cause serious computer problems.
NOTE: ComboFix prevents autorun of all CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know.
=======================================
Please download SDFix from here and save it to your desktop
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Please copy and paste that log in your next reply.


__________________
My real name is Eddy
  #4  
Old 05-28-2008
fay
Silver Member
Join Date: Apr 2006
Location: Simi Valley, CA
Posts: 126
PC Experience: Some Experience
Default Re: vundo trojan

Here are the log files: I tried to just copy and paste but my stupid mouse (usb) just wouldn't let me. I hope I did the SDFix right.


ComboFix 08-05-27.4 - Parent 2008-05-28 10:33:21.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.336 [GMT -7:00]
Running from: C:\Documents and Settings\Parent\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Parent\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\Helper
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\AutoRun.inf
C:\WINDOWS\system32\bqahxwxq.ini
C:\WINDOWS\system32\GgQYbccf.ini
C:\WINDOWS\system32\GgQYbccf.ini2
C:\WINDOWS\system32\hckavqre.ini
C:\WINDOWS\system32\jswqxdsh.ini
C:\WINDOWS\system32\kkbicnnp.ini
C:\WINDOWS\system32\ltlrwdkv.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\sBaKUtwa.ini
C:\WINDOWS\system32\sBaKUtwa.ini2
C:\WINDOWS\system32\scxiqjrj.ini
C:\WINDOWS\system32\WyFgfMoq.ini
C:\WINDOWS\system32\WyFgfMoq.ini2
C:\WINDOWS\system32\xmkvhbky.ini
C:\WINDOWS\system32\yrilcfwp.ini
.
((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-28 )))))))))))))))))))))))))))))))
.
2008-05-28 00:37 . 2008-05-28 01:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-05-27 17:27 . 2008-05-27 17:27 <DIR> d-------- C:\Program Files\SceneCaster
2008-05-27 08:56 . 2008-05-27 08:56 <DIR> d-------- C:\Program Files\WackyB_Yahoo_Sounds_Toggle
2008-05-26 13:39 . 2008-05-26 13:39 <DIR> d-------- C:\Documents and Settings\Parent\Application Data\Grisoft
2008-05-26 13:39 . 2008-05-26 13:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-05-26 13:39 . 2007-05-30 05:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-05-26 13:36 . 2008-05-26 13:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-26 13:35 . 2008-05-26 13:35 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-26 13:35 . 2008-05-26 13:35 <DIR> d-------- C:\Documents and Settings\Parent\Application Data\SUPERAntiSpyware.com
2008-05-26 13:34 . 2008-05-26 13:34 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-25 19:49 . 2008-05-25 20:10 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-05-25 19:42 . 2008-05-25 19:46 <DIR> d-------- C:\Program Files\EvilLyrics
2008-05-24 11:38 . 2008-05-24 11:38 <DIR> d-------- C:\VundoFix Backups
2008-05-24 06:13 . 2008-05-24 06:12 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-05-24 06:12 . 2008-05-24 06:28 <DIR> d-------- C:\Documents and Settings\Parent\.housecall6.6
2008-05-24 06:05 . 2008-05-24 06:05 <DIR> d-------- C:\Program Files\Panda Security
2008-05-23 15:21 . 2008-05-23 15:21 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-20 17:01 . 2008-05-20 17:02 <DIR> d-------- C:\Program Files\CCleaner
2008-05-18 14:53 . 2001-08-17 22:36 99,328 --a------ C:\WINDOWS\system32\srusd.dll
2008-05-18 14:53 . 2001-08-17 22:36 99,328 --a--c--- C:\WINDOWS\system32\dllcache\srusd.dll
2008-05-18 14:53 . 2001-08-17 22:36 71,680 --a------ C:\WINDOWS\system32\fnfilter.dll
2008-05-18 14:53 . 2001-08-17 22:36 71,680 --a--c--- C:\WINDOWS\system32\dllcache\fnfilter.dll
2008-05-18 14:53 . 2001-08-17 13:53 6,784 --a------ C:\WINDOWS\system32\drivers\serscan.sys
2008-05-18 14:53 . 2001-08-17 13:53 6,784 --a--c--- C:\WINDOWS\system32\dllcache\serscan.sys
2008-05-14 15:35 . 2008-05-14 15:35 <DIR> d-------- C:\FFOTWServlet_files
2008-05-14 15:35 . 2008-05-14 15:35 12,143 --a------ C:\FFOTWServlet.htm
2008-05-12 14:08 . 2008-05-12 14:08 <DIR> d-------- C:\Program Files\Common Files\SWF Studio
2008-05-12 14:06 . 2008-05-12 14:06 <DIR> d-------- C:\Program Files\NCBuy
2008-05-12 14:06 . 2008-05-12 14:06 993,360 --a------ C:\WINDOWS\Don't Touch My Computer 2.scr
2008-05-12 14:06 . 2008-05-12 14:06 45,056 --a------ C:\WINDOWS\NCUNINST.EXe
2008-05-12 14:06 . 2008-05-12 14:06 40,960 --a------ C:\WINDOWS\NCLAUNCH.EXe
2008-05-12 13:37 . 2008-05-12 13:37 1 --a------ C:\WINDOWS\system32\kr_done1de
2008-05-12 13:36 . 2008-05-12 13:36 160,256 --a------ C:\WINDOWS\system32\blackster.scr
2008-05-08 20:52 . 2008-05-08 20:52 <DIR> d-------- C:\Program Files\Veoh Networks
2008-05-08 01:08 . 2008-05-08 01:08 <DIR> d-------- C:\angel fay.cfm_files
2008-05-08 01:08 . 2008-05-08 01:08 26,383 --a------ C:\angel fay.cfm.htm
2008-05-07 19:40 . 2008-05-07 19:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-05-06 22:50 . 2008-05-11 17:35 <DIR> d-------- C:\Documents and Settings\Parent\Application Data\U3
2008-05-04 15:13 . 2008-05-04 15:13 <DIR> d-------- C:\Program Files\Common Files\xing shared
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-28 17:38 --------- d-----w C:\Program Files\Google
2008-05-28 11:14 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-05-28 05:48 --------- d-----w C:\Documents and Settings\Parent\Application Data\SiteAdvisor
2008-05-12 20:55 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-09 03:54 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-08 02:40 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-08 02:02 --------- d-----w C:\Documents and Settings\Parent\Application Data\LimeWire
2008-05-04 22:13 --------- d-----w C:\Program Files\Common Files\Real
2008-02-23 23:08 5,980 -c--a-w C:\Program Files\install.log
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3AEC0D5C-D63C-4915-A3F8-E5810B30FDDC}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5BEF1553-0EDC-4265-9890-803546878730}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{617CE31F-8AB3-49BD-945F-9891B6B59AFA}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7E43DF63-3FC4-4F7E-BBE2-FC4B5BBE10C1}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{942A2AD9-70A6-4555-B2E2-5265C501AC3C}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FC278C66-AF96-4DD5-903B-60A5FEF847EE}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2002-12-31 05:00 15360]
"NCLaunch"="C:\WINDOWS\NCLAUNCH.EXe" [2008-05-12 14:06 40960]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-04-17 16:27 9117696]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-25 00:37 68856]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-13 12:43 1510640]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-07-01 12:58 118784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 22:34 49152]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 06:03 221184]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-05-04 15:11 185896]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25 6731312]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-04-17 16:27 9117696]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 22:26:24 210520]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\5c7ef66e]
C:\WINDOWS\system32\pwfcliry.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-06-16 06:03 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfee Managed Services Tray]
C:\Program Files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MVS Splash]
C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 12:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\STYLEXP]
--a------ 2006-05-24 11:31 1372160 C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-05-04 15:11 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe"=
"C:\\Program Files\\Shareaza\\Shareaza.exe"=
"C:\\Program Files\\Java\\jre1.6.0_05\\bin\\javaw.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 16:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-15 16:16]
S3 NtApm;NT Apm/Legacy Interface Driver;C:\WINDOWS\system32\DRIVERS\NtApm.sys [2001-08-17 14:47]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ad997530-dcbc-11dc-bb53-000d60a85c26}]
\Shell\AutoRun\command - setupSNK.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b1f93a1f-f3df-11db-93fc-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c47b830b-19e5-11dc-856c-806d6172696f}]
\Shell\AutoRun\command - D:\ltree\autorun\autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dc2793ee-1a48-11dd-bb95-000d60a85c26}]
\Shell\AutoRun\command - D:\LaunchU3.exe -a
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-28 10:40:29
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-05-28 10:47:02 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-28 17:46:49
Pre-Run: 15,735,713,792 bytes free
Post-Run: 15,693,459,456 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
193 --- E O F --- 2008-05-21 03:40:50


===================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:36:17 PM, on 5/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3AEC0D5C-D63C-4915-A3F8-E5810B30FDDC} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {5BEF1553-0EDC-4265-9890-803546878730} - (no file)
O2 - BHO: (no name) - {617CE31F-8AB3-49BD-945F-9891B6B59AFA} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E43DF63-3FC4-4F7E-BBE2-FC4B5BBE10C1} - (no file)
O2 - BHO: (no name) - {942A2AD9-70A6-4555-B2E2-5265C501AC3C} - (no file)
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O2 - BHO: (no name) - {FC278C66-AF96-4DD5-903B-60A5FEF847EE} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.k12.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1179532768078
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
--
End of file - 8001 bytes
Attached Files
File Type: txt ComboFix.txt (12.9 KB, 1 views)
File Type: txt Report.txt (251 Bytes, 0 views)
File Type: txt hijackthis052808.txt (7.8 KB, 1 views)



Last edited by Pancake; 05-28-2008 at 11:41 PM. Reason: Copied and pasted for better viewing....
  #5  
Old 05-28-2008
Pancake
Senior Security Analyst
Join Date: Jun 2006
Location: Victoria, Australia
Posts: 2,977
PC Experience: Elite PC Guru
Default Re: vundo trojan

This should finish the cleanup....

Have "Hijack This" fix all the following items in the list below by placing a check in the appropriate boxes. Confirm that you have only the listed ones checked, then press <Fix checked> and close HJT.

O2 - BHO: (no name) - {3AEC0D5C-D63C-4915-A3F8-E5810B30FDDC} - (no file)
O2 - BHO: (no name) - {5BEF1553-0EDC-4265-9890-803546878730} - (no file)
O2 - BHO: (no name) - {617CE31F-8AB3-49BD-945F-9891B6B59AFA} - (no file)
O2 - BHO: (no name) - {7E43DF63-3FC4-4F7E-BBE2-FC4B5BBE10C1} - (no file)
O2 - BHO: (no name) - {942A2AD9-70A6-4555-B2E2-5265C501AC3C} - (no file)
O2 - BHO: (no name) - {FC278C66-AF96-4DD5-903B-60A5FEF847EE} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)

=============================
Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.
It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Open *notepad* and copy/paste the text in the quotebox below into it:
Killall::
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3AEC0D5C-D63C-4915-A3F8-E5810B30FDDC}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5BEF1553-0EDC-4265-9890-803546878730}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{617CE31F-8AB3-49BD-945F-9891B6B59AFA}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7E43DF63-3FC4-4F7E-BBE2-FC4B5BBE10C1}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{942A2AD9-70A6-4555-B2E2-5265C501AC3C}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FC278C66-AF96-4DD5-903B-60A5FEF847EE}]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\5c7ef66e]
Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.


Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt
Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply please.

*Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall. Altering this script in any way could damage your computer*


__________________
My real name is Eddy
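The fix list in the reply above is built by hand from the HijackThis log: every O2/O3 line that ends in "(no file)" is an orphaned COM registration (a BHO or toolbar whose DLL is already gone), and each orphaned BHO's CLSID is then carried into the CFScript Registry:: block so ComboFix deletes the key. As an added example, not code from this thread or from HijackThis/ComboFix, the Python below parses the O2/O3/O4 lines of a constructed sample log in HJT v2 format, lists the orphans, and emits a CFScript of the same shape. The sample lines, the function names and the regular expressions are assumptions of mine; the CLSIDs marked "(no file)" are the ones the thread's log shows.

```python
import re
from typing import Dict, List

# Constructed sample input in HijackThis v2.0 log format. The three "(no file)"
# CLSIDs are taken from the thread's HJT log; the other lines are modelled on
# legitimate entries from the same log.
SAMPLE_HJT_LOG = """\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {3AEC0D5C-D63C-4915-A3F8-E5810B30FDDC} - (no file)
O2 - BHO: (no name) - {5BEF1553-0EDC-4265-9890-803546878730} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\\PROGRA~1\\Yahoo!\\Companion\\Installs\\cpn\\yt.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKCU\\..\\Run: [NCLaunch] C:\\WINDOWS\\NCLAUNCH.EXe
O4 - HKLM\\..\\Run: [HotKeysCmds] C:\\WINDOWS\\system32\\hkcmd.exe
"""

# "O2 - BHO: <name> - {CLSID} - <path>"  and  "O3 - Toolbar: <name> - {CLSID} - <path>"
COM_ENTRY = re.compile(
    r"^(?P<section>O[23]) - (?P<kind>BHO|Toolbar): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$"
)
# "O4 - HKLM\..\Run: [<value name>] <command>"   (Global Startup .lnk lines are skipped)
RUN_ENTRY = re.compile(
    r"^(?P<section>O4) - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<path>.*)$"
)


def parse_hjt(text: str) -> List[Dict[str, str]]:
    """Parse the O2/O3/O4 lines of a HijackThis log into dicts; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = COM_ENTRY.match(line.strip()) or RUN_ENTRY.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def orphaned_entries(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Registrations whose DLL no longer exists: HJT prints '(no file)' as the path.

    They are leftovers of a removed infection rather than live code, but each one
    still makes Internet Explorer try to load a missing COM object, which is why
    the thread has HJT and ComboFix remove them."""
    return [e for e in entries if e["path"] == "(no file)"]


def run_entries(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """The O4 autostart (Run key) lines, for review next to ComboFix's Reg Loading Points."""
    return [e for e in entries if e["section"] == "O4"]


def build_cfscript(entries: List[Dict[str, str]]) -> str:
    """Emit a CFScript in the shape the thread used: Killall::, Registry::, then one
    [-key] deletion per orphaned BHO CLSID. Only O2 (BHO) orphans are scripted;
    the '~' shorthand for the Browser Helper Objects key is ComboFix's own notation,
    as seen in the thread's log."""
    lines = ["Killall::", "Registry::"]
    for e in orphaned_entries(entries):
        if e["section"] == "O2":
            lines.append(f"[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{e['clsid']}]")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_HJT_LOG)
    for e in orphaned_entries(parsed):
        print(f"orphan {e['section']} {e['kind']}: {e['clsid']}")
    for e in run_entries(parsed):
        print(f"autostart {e['key']} [{e['name']}] -> {e['path']}")
    print(build_cfscript(parsed))
```

The script trusts HJT's "(no file)" verdict rather than checking the disk itself, so it is a log-triage aid, not a replacement for running the tools on the machine. Orphaned O3 toolbar entries are reported but not scripted, because in the thread those are handled by HJT's Fix checked, not by CFScript.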
  #6  
Old 05-29-2008
fay
Silver Member
Join Date: Apr 2006
Location: Simi Valley, CA
Posts: 126
PC Experience: Some Experience
Post Re: vundo trojan

combo fix again and new hijackthis log

I see the logs copied and pasted before... huh... that's weird cos I sent attachments.
How did that happen?
Attached Files
File Type: txt hijackthis052808b.txt (7.3 KB, 1 views)
File Type: txt ComboFix.txt (13.7 KB, 1 views)


