Google redirect - Trojan.Vundo .log/.txt attached

Inactive
By BeachJoshua
May 18, 2010
Topic Status:
Not open for further replies.
  1. I can't get rid of the Trojan.Vundo, which I believe is what's redirecting my Google searches; the log files are attached.

    Thanks!

    Attached Files:

  2. Broni

    Broni Malware Annihilator Posts: 46,339   +252

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!


    Download HijackThis:
    http://free.antivirus.com/hijackthis/
    by clicking on Installer under Version 2.0.4
    Install, and run it.
    Post the HijackThis log.
    Do NOT attempt to fix anything!

    NOTE. If you're using Vista, or 7, right click on HijackThis, and click Run as Administrator
  3. BeachJoshua

    BeachJoshua Newcomer, in training Topic Starter Posts: 49

    Okay, I've changed over to my laptop and the ComboFix window is just sitting there not doing anything, and it says "combofix is preparing to run".

    What do I do?
  4. Broni


    Stop Combofix.
    Delete your Combofix file. Download a fresh one, but rename combofix.exe to broni.com BEFORE saving it to the desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.pif
    * Rkill.exe


    * Double-click on the Rkill desktop icon to run the tool.
    * If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    * A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    * If not, delete the file, then download and use the one provided in Link 2.
    * If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    * Do not reboot until instructed.
    * If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, try to immediately run broni.com.
  5. BeachJoshua


    Still doing the same thing, but I'm in safe mode; might that have anything to do with it? And I have to be in safe mode, or my comp INSTANTLY locks up.
  6. Broni


    Download the MBR Rootkit Detector: http://www2.gmer.net/mbr/mbr.exe to your desktop.

    * Double-click mbr.exe and follow prompts (Vista users: right click on mbr.exe and click "Run As Administrator").
    * A black DOS window will quickly appear then disappear.
    * When mbr.exe is finished it will create a log on your desktop.
    * Copy and paste contents of that log (mbr.log) file to your next reply.
  7. BeachJoshua


    Okay done.

    Attached Files: mbr.log (195 bytes)
  8. Broni


    Try to run rKill and broni.com from safe mode.
  9. BeachJoshua


    Okay Broni, I've tried that 5 times now; it's not working...
  10. Broni


    Download OTL to your Desktop.

    * Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    * Under the Custom Scan box paste this in:


    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    CREATERESTOREPOINT


    * Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    * When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    * Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
  11. BeachJoshua


    Now this one's even better: it immediately says "OTL has stopped working windows is checking for a solution to the problem."
  12. Broni


    Let's see if we can look at your computer booting from an external source.

    You will need a USB flash drive to move information from the bad computer to a working computer.

    You need to download two programs.

    First

    ISO Burner: this will allow you to burn the REATOGO-X-PE ISO to a CD and make it bootable. Just install the program; from there on it's fairly automatic (Instructions).

    Second

    • Download OTLPE.iso and burn to a CD using ISO Burner. NOTE: This file is 270.3 MB in size so it may take some time to download.
    • When downloaded double click and this will then open ISOBurner to burn the file to CD
    • Reboot your system (Non working computer) using the boot CD you just created.
      • Note. If you do not know how to set your computer to boot from CD follow the steps HERE
    • Your system should now display a REATOGO-X-PE desktop.
    • Double-click on the OTLPE icon.
    • When asked Do you wish to load the remote registry, select Yes
    • When asked Do you wish to load remote user profile(s) for scanning, select Yes
    • Ensure the box Automatically Load All Remaining Users is checked and press OK
    • OTL should now start. Change the following settings
      • Change Drivers to All
      • Change Registry to All
      • Under Custom Scan box paste this in:

        netsvcs
        %SYSTEMDRIVE%\*.exe
        /md5start
        eventlog.dll
        scecli.dll
        netlogon.dll
        cngaudit.dll
        sceclt.dll
        ntelogon.dll
        logevent.dll
        iaStor.sys
        nvstor.sys
        atapi.sys
        IdeChnDr.sys
        viasraid.sys
        AGP440.sys
        vaxscsi.sys
        nvatabus.sys
        viamraid.sys
        nvata.sys
        nvgts.sys
        iastorv.sys
        ViPrt.sys
        eNetHook.dll
        ahcix86.sys
        KR10N.sys
        nvstor32.sys
        ahcix86s.sys
        nvrd32.sys
        symmpi.sys
        adp3132.sys
        mv61xx.sys
        userinit.exe
        explorer.exe
        /md5stop
        %systemroot%\*. /mp /s
        %systemroot%\system32\*.dll /lockedfiles
        %systemroot%\Tasks\*.job /lockedfiles
        %systemroot%\system32\drivers\*.sys /lockedfiles
        %systemroot%\System32\config\*.sav
    • Press Run Scan to start the scan.
    • When finished, the file will be saved in drive C:\OTL.txt
    • Copy this file to your USB drive.
    • Please post the contents of the C:\OTL.txt file in your reply.
  13. BeachJoshua


    Okay done.
    Feels good to make progress.

    Attached Files: OTL.Txt (197.9 KB)
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Broni, please be advised that this member has another open thread on what appears to be the same machine. It was started 6 days ago; my last reply was 4 days ago. The system belongs to his mother and he had a difficult time following my directions.

    http://www.techspot.com/vb/topic147052.html

    Specs on original thread:
    DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
    Run by Administrator at 18:52:06.18 on Wed 05/12/2010
    Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_20
    Microsoft® Windows Vista™ Business 6.0.6001.1.1252.1.1033.18.1919.1118 [GMT -4:00]

    Specs on this thread:
    DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
    Run by Administrator at 19:41:31.33 on Tue 05/18/2010
    Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_16
    Microsoft® Windows Vista™ Business 6.0.6001.1.1252.1.1033.18.1919.1221 [GMT -4:00]

    Some of the previous scans he did could well be affecting his system. He left the thread.
  15. Broni


    Do this on the computer you are posting from:
    Copy the text in the codebox below:


    Code:
    :OTL
    SRV - [2010/05/06 17:39:16 | 000,011,776 | ---- | M] () [Auto] -- C:\Windows\System32\mousenh32.exe -- (winbackupdumper-id1906Xv2Ej1zt)
    SRV - [2010/05/06 17:39:16 | 000,009,728 | ---- | M] () [Auto] -- C:\Windows\System32\wirepots.exe -- (acrosysbackup_ex06Xv2Ej1zt)
    O3 - HKU\Administrator_ON_C\..\Toolbar\WebBrowser: (no name) - {2787EA8E-8D87-48AF-88AD-B30246C917AB} - No CLSID value found.
    O4 - HKLM..\Run: [Acronis Toolbar Helper]  File not found
    O4 - HKLM..\Run: [vtuvstsys] C:\Windows\System32\bywuut.dll ()
    O4 - HKU\.DEFAULT..\Run: [opmnnnsys] C:\Windows\System32\bywuut.dll ()
    O4 - HKU\Administrator_ON_C..\Run: [ddbbyasys] C:\Windows\System32\bywuut.dll ()
    O4 - HKU\Administrator_ON_C..\Run: [Desktop Cleanup Wizard]  File not found
    O4 - HKU\Administrator_ON_C..\Run: [P2kAutostart]  File not found
    O4 - HKU\Administrator_ON_C..\Run: [winjwws92] C:\Users\Administrator\AppData\Roaming\winjwws92\winjwws93.exe File not found
    O4 - HKLM..\RunOnce: []  File not found
    O18 - Protocol\Handler\ipp - No CLSID value found
    O18 - Protocol\Handler\msdaipp - No CLSID value found
    O30 - LSA: Authentication Packages - (bywuut.dll) - C:\Windows\System32\bywuut.dll ()
    [2010/05/05 16:39:03 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\winjwws92
    [2010/05/17 08:50:30 | 000,089,600 | -H-- | M] () -- C:\Windows\System32\opmlif.dll
    [2010/05/06 17:39:16 | 000,037,888 | ---- | M] () -- C:\Windows\System32\wirepots.dll
    [2010/05/06 17:39:16 | 000,037,888 | ---- | M] () -- C:\Windows\System32\syspol32.dll
    [2010/05/06 17:39:16 | 000,037,888 | ---- | M] () -- C:\Windows\System32\b_syspol32.dll
    [2010/05/06 08:44:23 | 000,096,256 | -H-- | M] () -- C:\Windows\System32\rqppqq.dll
    [2010/04/05 20:32:22 | 000,000,080 | RHS- | C] () -- C:\Windows\System32\9129AF82DC.dll
    [2009/11/02 21:06:03 | 000,000,128 | ---- | C] () -- C:\Windows\System32\_WDYSZYG.sys
    
    
    :Services
    winbackupdumper-id1906Xv2Ej1zt
    acrosysbackup_ex06Xv2Ej1zt
    
    
    :Reg
    
    :Files
    C:\Windows\System32\mousenh32.exe
    C:\Windows\System32\wirepots.exe
    C:\Windows\System32\bywuut.dll
    C:\Users\Administrator\AppData\Roaming\winjwws92\winjwws93.exe
    
    
    :Commands
    [purity]
    [emptytemp]
    
    Open Notepad and paste it.
    Save the document as Fix.txt onto a USB flash drive.


    On the infected computer the following...

    Run OTLPE

    • Insert USB stick and find the file Fix.txt. Drag the file Fix.txt and drop it under the Custom Scans/Fixes box at the bottom.
      • (The content of Fix.txt should appear in the box)
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post the log produced (you'll need to transfer it with USB stick)
    • Attempt to reboot normally into windows.

    See if you can run broni.com now.
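Added example, not part of the thread and not code from the OTL project: a Python triage pass over report lines in the OTL format used in the fix script above, flagging the kinds of entries the script removes (a non-default LSA authentication package, auto-start services and Run entries with an empty publisher field, hidden unpublished files in System32). The sample report and every file, service and directory name in it are constructed for this example; the only real value is msv1_0, the stock LSA package.

```python
import re

# A stock Windows install registers exactly one LSA authentication package.
DEFAULT_LSA_PACKAGES = {"msv1_0"}

# Line shapes taken from the OTL report format used in the fix script above.
SRV_RE = re.compile(r"^SRV - \[[^\]]*\] \((?P<pub>[^)]*)\) \[\w+\] -- (?P<path>.+?) -- \((?P<svc>[^)]+)\)$")
O4_RE = re.compile(r"^O4 - (?P<hive>\S+)\\Run: \[(?P<name>[^\]]*)\]\s+(?P<target>.+?)(?: \((?P<pub>[^)]*)\))?$")
O30_RE = re.compile(r"^O30 - LSA: Authentication Packages - \((?P<pkg>[^)]+)\)")
FILE_RE = re.compile(r"^\[[^|]+\| [^|]+\| (?P<attrs>[-A-Z]{4}) \| [CM]\] (?:\((?P<pub>[^)]*)\) )?-- (?P<path>.+)$")

def in_system32(path: str) -> bool:
    return "\\system32\\" in path.lower()

def triage_otl(report: str) -> list:
    """Return (severity, reason, line) for each OTL line a defender should review by hand."""
    findings = []
    for raw in report.splitlines():
        line = raw.strip()
        if m := O30_RE.match(line):            # persistence via LSA authentication package
            if m["pkg"].lower() not in DEFAULT_LSA_PACKAGES:
                findings.append(("high", f"non-default LSA authentication package {m['pkg']}", line))
        elif m := SRV_RE.match(line):          # auto-start service; "()" means no publisher recorded
            if m["pub"] == "" and in_system32(m["path"]):
                findings.append(("high", f"auto-start service {m['svc']} with no publisher in System32", line))
        elif m := O4_RE.match(line):           # Run-key entries
            if m["target"] == "File not found":
                findings.append(("low", f"orphaned Run entry [{m['name']}]", line))
            elif m["target"].lower().endswith(".dll") and not m["pub"]:
                findings.append(("high", f"Run entry [{m['name']}] resolves to an unpublished DLL", line))
        elif m := FILE_RE.match(line):         # created/modified files; H in the attribute column = hidden
            if "H" in m["attrs"] and not m["pub"] and in_system32(m["path"]):
                findings.append(("medium", "hidden file with no publisher in System32", line))
    return findings

# Constructed sample in OTL format; every file, service and directory name here is made up.
SAMPLE_REPORT = r"""
SRV - [2010/05/06 17:39:16 | 000,011,776 | ---- | M] () [Auto] -- C:\Windows\System32\example_svc.exe -- (examplebackup-id0000)
SRV - [2009/04/11 02:28:19 | 000,315,392 | ---- | M] (Microsoft Corporation) [Auto] -- C:\Windows\System32\svchost.exe -- (Schedule)
O4 - HKLM..\Run: [examplesys] C:\Windows\System32\example.dll ()
O4 - HKU\Administrator_ON_C..\Run: [Desktop Cleanup Wizard]  File not found
O30 - LSA: Authentication Packages - (example.dll) - C:\Windows\System32\example.dll ()
O30 - LSA: Authentication Packages - (msv1_0) - C:\Windows\System32\msv1_0.dll (Microsoft Corporation)
[2010/05/17 08:50:30 | 000,089,600 | -H-- | M] () -- C:\Windows\System32\example2.dll
[2010/05/05 16:39:03 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\example_dir
"""

if __name__ == "__main__":
    for severity, reason, line in triage_otl(SAMPLE_REPORT):
        print(f"{severity:6} {reason}\n       {line}")
```

The Microsoft-published service and the stock msv1_0 package produce no finding, which is the point: the heuristics key on the empty publisher field and the non-default package, not on file names.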
  16. Broni


    Crap...I hate things like that. Do you want me to finish this thread, or do you want to continue in yours?
  17. BeachJoshua


    I started a new one because I restored and redid the 8 step

    After running the fix and rebooting, reboot on disk, or in safe mode, or normally?
  18. Broni


    Reboot normally.
  19. Broni


    Then, it'd be nice of you to post back in your old thread and let Bobbye know.
    We're nice to you, aren't we? :)
  20. BeachJoshua


    Indeed, you are very nice; you could have closed both my threads, and most likely banned me by now, and had me deal with the problems myself, in which case I would reinstall Windows and go through all sorts of stuff.

    I apologize for not posting on the first thread.

    And I went to Start > Shutdown > -dropdownbox- Restart > OK.

    I can move my mouse, but I can't click anything and the screen's opacity has gone lighter. Should I hit the reset button on the front of the case, and remove the disk when possible?
  21. Broni


    Yes, you can remove the disk at any time.
    Instead of restart, try to shut down your computer, wait a minute and then start it again.
  22. BeachJoshua


    Okay, and when I boot, how exactly do I go about getting the file you need?
  23. Broni


    When the scan was done (while still booted from the CD), it should have produced a log:
  24. BeachJoshua


    It did not show a log; I looked for one. The computer is now booted.

    Window named RunDLL popped up and says "Error loading bywuut.dll The specified module could not be found."
  25. BeachJoshua


    Will combofix reboot my computer? It said something about CD emulations running and said it needs to disable them. I hit okay, and it shut down.