Old 04-21-2008   #1
Bronze Member
 
Join Date: Apr 2008
Posts: 44
PC Experience: Hardware more than software
Default AgentA and Vundo

I have these two viruses and I have used my antivirus to delete them, but it doesn't seem to help. Any help would be greatly appreciated.

TR/Vundo.Gen [trojan]'
TR/Agent.afi.52

Thanks Robbie

Last edited by Robbie93; 04-21-2008 at 08:32 PM. Reason: new info

Old 04-21-2008   #2
D__
Elite Member
 
Join Date: Oct 2007
Location: Isle Of Wight
Posts: 1,109
PC Experience: Some Experience
Default Re: AgentA and Vundo

Hi Robbie, I suggest you follow the "Prework" instructions in my signature and post back with the relevant logs; this will enable our security team to help you.

D
__________________

Dave



PREWORK - RULES
Old 04-21-2008   #3
Bronze Member
 
Join Date: Apr 2008
Posts: 44
PC Experience: Hardware more than software
Default Re: AgentA and Vundo

What about sections 1 and 2? It says only up to OS XP; I'm using Vista.

Robbie
Old 04-21-2008   #4
D__
Elite Member
 
Join Date: Oct 2007
Location: Isle Of Wight
Posts: 1,109
PC Experience: Some Experience
Default Re: AgentA and Vundo

For Vista

1.

1. Click Start
2. Click Control Panel
3. Click Folder Options
4. Click the View tab
5. Click Show hidden files and folders
6. If you want to see system files as well, unclick Hide protected operating system files (Recommended)
7. Click OK

2.
To disable the System Restore feature:
  1. Click on the Start button.
  2. Hover over the Computer option, right click on it and then click Properties.
  3. On the left hand side, click Advanced Settings.
  4. If asked to permit the action, click on Allow.
  5. Click on the System Protection tab.
  6. Uncheck any checkboxes listed for your hard drives.
  7. Press OK.
Last edited by D__; 04-21-2008 at 08:45 PM.
Old 04-21-2008   #5
Bronze Member
 
Join Date: Apr 2008
Posts: 44
PC Experience: Hardware more than software
Default Re: AgentA and Vundo

Thanks dude, will get back to you ASAP. Most appreciated.

Robbie
Old 04-21-2008   #6
D__
Elite Member
 
Join Date: Oct 2007
Location: Isle Of Wight
Posts: 1,109
PC Experience: Some Experience
Default Re: AgentA and Vundo

You are very welcome
Old 04-22-2008   #7
Bronze Member
 
Join Date: Apr 2008
Posts: 44
PC Experience: Hardware more than software
Default Re: AgentA and Vundo

All Logs as requested.

--------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 14:59:30 22/04/2008
+ Scan result:

C:\Users\Andrew\AppData\Roaming\Microsoft\Windows\Cookies\Low\andrew@adtech[1].txt -> TrackingCookie.Adtech : No action taken.
C:\Users\Andrew\AppData\Roaming\Microsoft\Windows\Cookies\Low\andrew@atdmt[2].txt -> TrackingCookie.Atdmt : No action taken.
C:\Users\Andrew\AppData\Roaming\Microsoft\Windows\Cookies\Low\andrew@doubleclick[1].txt -> TrackingCookie.Doubleclick : No action taken.
C:\Users\Andrew\AppData\Roaming\Microsoft\Windows\Cookies\Low\andrew@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : No action taken.
C:\Users\Andrew\AppData\Roaming\Microsoft\Windows\Cookies\Low\andrew@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : No action taken.

::Report end



SUPERAntiSpyware Scan Log
SUPERAntiSpyware.com - AntiAdware, AntiSpyware, AntiMalware!
Generated 04/22/2008 at 03:22 PM
Application Version : 4.0.1154
Core Rules Database Version : 3392
Trace Rules Database Version: 1384
Scan type : Complete Scan
Total Scan Time : 00:20:11
Memory items scanned : 255
Memory threats detected : 0
Registry items scanned : 4627
Registry threats detected : 0
File items scanned : 24548
File threats detected : 1
Adware.Tracking Cookie
C:\Users\Andrew\AppData\Roaming\Microsoft\Windows\Cookies\Low\andrew@ads.devotii[1].txt


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:09:33, on 22/04/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Razer\DeathAdder\razerhid.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\Razer\DeathAdder\razertra.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Razer\DeathAdder\razerofa.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9f.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DeathAdder] C:\Program Files\Razer\DeathAdder\razerhid.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Andrew\AppData\Local\Temp\tuvTkJyY.dll,#1
O4 - HKCU\..\Run: [MRC] "C:\Program Files\PC Tune-Up\PCTuneUp.exe" /MBRSTART
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Andrew\AppData\Local\Temp\opnmKDUo.dll,c
O4 - HKCU\..\Run: [BM77f2397b] Rundll32.exe "C:\Users\Andrew\AppData\Local\Temp\ohhemiaj.dll", s
O4 - HKCU\..\Run: [74c10ae7] rundll32.exe "C:\Users\Andrew\AppData\Local\Temp\fqljivii.dll", b
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O13 - Gopher Prefix:
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/Driver...sysreqlab2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...nt/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
--
End of file - 4856 bytes

At the moment the TR\Vundo.gen trojan horse appears at random intervals, and when it does it is threefold.

Yours Robbie