Google redirect - Trojan.Vundo .log/.txt attached

Inactive
By BeachJoshua
May 18, 2010
Topic Status:
Not open for further replies.
  1. BeachJoshua

    BeachJoshua Newcomer, in training Topic Starter Posts: 49

    It's not working...
  2. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    See, if you can run OTL (my post #10).
  3. BeachJoshua

    BeachJoshua Newcomer, in training Topic Starter Posts: 49

    I've got it running fine off of a flash drive, is that fine?
  4. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    I'd rather like to see, if you can copy it to your desktop and run it from there.
  5. BeachJoshua

    BeachJoshua Newcomer, in training Topic Starter Posts: 49

    Maybe I should start just moving files from this laptop on the drive to the desktop then run them...

    Because it's running fine...
  6. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    I'm not sure what you're saying....
  7. BeachJoshua

    BeachJoshua Newcomer, in training Topic Starter Posts: 49

    Use the good computer to download programs, put them on a flash drive, move them from the flash drive to the desktop of the bad computer, then run the program...

    it's done! uploading file in a min..
  8. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    I see.......
  9. BeachJoshua

    BeachJoshua Newcomer, in training Topic Starter Posts: 49

    Those what you need?

    Attached Files:

  10. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    Yep, let me take a look...
  11. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      SRV - File not found [Auto | Stopped] --  -- (winbackupdumper-id1906Xv2Ej1zt)
      SRV - File not found [Auto | Stopped] --  -- (acrosysbackup_ex06Xv2Ej1zt)
      O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2787EA8E-8D87-48AF-88AD-B30246C917AB} - No CLSID value found.
      O4 - HKLM..\Run: [Acronis Toolbar Helper]  File not found
      O4 - HKLM..\Run: [vtuvstsys]  File not found
      O4 - HKCU..\Run: [ddbbyasys]  File not found
      O4 - HKCU..\Run: [Desktop Cleanup Wizard]  File not found
      O4 - HKCU..\Run: [P2kAutostart]  File not found
      O4 - HKCU..\Run: [winjwws92] C:\Users\Administrator\AppData\Roaming\winjwws92\winjwws93.exe File not found
      O4 - HKLM..\RunOnce: []  File not found
      O4 - HKCU..\RunOnce: [Shockwave Updater] C:\Windows\System32\Adobe\SHOCKW~1\SWHELP~2.EXE -Update -1103471 -Mozilla\5.0 ( File not found
      O30 - LSA: Authentication Packages - (bywuut.dll) -  File not found
      O33 - MountPoints2\{56614c7d-5f00-11df-88cb-806e6f6e6963}\Shell\AutoRun\command - "" = E:\hbcd\wintools\autorun.exe -- File not found
      O33 - MountPoints2\{56614c7d-5f00-11df-88cb-806e6f6e6963}\Shell\Option1\Command - "" = E:\hbcd\wintools\autorun.exe -- File not found
      [2010/05/06 17:39:16 | 000,037,888 | ---- | M] () -- C:\Windows\System32\b_syspol32.dll
      [2010/05/05 16:39:03 | 000,000,002 | ---- | M] () -- C:\Users\Administrator\tenmy.ini
      [2010/05/05 16:38:58 | 000,372,061 | ---- | M] () -- C:\Users\Administrator\winjwws93.exe
      [2010/05/05 16:38:56 | 000,145,920 | ---- | M] () -- C:\Users\Administrator\pod932.exe
      @Alternate Data Stream - 121 bytes -> C:\ProgramData\TEMP:DFC5A2B2
      
      :Services
      winbackupdumper-id1906Xv2Ej1zt
      acrosysbackup_ex06Xv2Ej1zt
      
      
      :Reg
      
      :Files
      
      :Commands
      [purity]
      [emptytemp]
      [resethosts]
      [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.
    • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
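    Added example, not part of Broni's post and not OTL's own code: a small Python script that parses OTL report lines in the format used in the fix above, keeps only the entries OTL marked "File not found" (orphaned autostarts whose binary is already gone), groups them by the persistence mechanism each OTL code stands for (SRV = service, O4 = Run/RunOnce value, O30 = LSA Authentication Packages, O33 = MountPoints2 AutoRun), and assembles the same :OTL / :Services / :Commands layout as the fix script. The sample log embeds the orphaned lines from this thread plus a few constructed healthy lines (Dnscache, SynTPEnh, msv1_0) so the filter has something to leave alone; the per-code descriptions are my wording, not OTL's.

```python
import re
from dataclasses import dataclass

# Constructed sample in OTL's report format. The "File not found" lines are the
# ones from the fix above; the lines with a resolved path are made-up healthy
# entries that must NOT end up in the fix script.
SAMPLE_OTL_LOG = r"""
SRV - (Dnscache) -- C:\Windows\System32\dnsrslvr.dll (Microsoft Corporation)
SRV - File not found [Auto | Stopped] --  -- (winbackupdumper-id1906Xv2Ej1zt)
SRV - File not found [Auto | Stopped] --  -- (acrosysbackup_ex06Xv2Ej1zt)
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [vtuvstsys]  File not found
O4 - HKCU..\Run: [winjwws92] C:\Users\Administrator\AppData\Roaming\winjwws92\winjwws93.exe File not found
O30 - LSA: Authentication Packages - (msv1_0) - C:\Windows\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (bywuut.dll) -  File not found
O33 - MountPoints2\{56614c7d-5f00-11df-88cb-806e6f6e6963}\Shell\AutoRun\command - "" = E:\hbcd\wintools\autorun.exe -- File not found
"""

# What each OTL line code refers to (codes are OTL's; descriptions are mine).
PERSISTENCE = {
    "SRV": "Windows service",
    "O4": "Run/RunOnce autostart value",
    "O30": "LSA authentication package (DLL loaded by lsass.exe at logon)",
    "O33": "MountPoints2 AutoRun command for a removable drive",
}


@dataclass
class OtlEntry:
    code: str      # SRV, O4, O30, O33, ...
    name: str      # service name, Run value name, package DLL, or mount point
    line: str      # the original line; OTL accepts it verbatim under :OTL
    missing: bool  # True when OTL could not find the referenced file


_LINE = re.compile(r"^(SRV|O\d+) - (.*)$")


def _entry_name(code, body):
    """Pull the identifying name out of the part after 'CODE - '."""
    if code == "SRV":
        # healthy: "(Name) -- path (vendor)"; orphan: "... --  -- (Name)" at the end
        if "File not found" in body:
            m = re.search(r"\(([^()]+)\)\s*$", body)
        else:
            m = re.match(r"\(([^()]+)\)", body)
    elif code == "O4":
        m = re.search(r"\[([^\]]*)\]", body)          # [ValueName]
    elif code == "O30":
        m = re.search(r"\(([^()]+)\)", body)          # (package.dll)
    else:
        m = re.match(r"(\S+)", body)                  # e.g. the MountPoints2 key path
    return m.group(1) if m else body


def parse_otl_log(text):
    """Parse SRV/Onn lines; headers, timestamps and file listings are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = _LINE.match(line)
        if not m:
            continue
        code, body = m.groups()
        entries.append(OtlEntry(code, _entry_name(code, body), line, "File not found" in body))
    return entries


def orphaned_entries(entries):
    """Persistence entries whose target binary no longer exists on disk."""
    return [e for e in entries if e.missing]


def summarize(entries):
    """Count orphaned entries per OTL code, e.g. {'SRV': 2, 'O4': 2, ...}."""
    counts = {}
    for e in orphaned_entries(entries):
        counts[e.code] = counts.get(e.code, 0) + 1
    return counts


def build_otl_fix(entries):
    """Assemble an OTL fix script in the layout used in the thread: orphaned
    lines under :OTL, orphaned service names under :Services, then commands."""
    orphans = orphaned_entries(entries)
    services = [e.name for e in orphans if e.code == "SRV"]
    parts = [":OTL", *[e.line for e in orphans], "",
             ":Services", *services, "",
             ":Commands", "[emptytemp]", "[Reboot]"]
    return "\n".join(parts)


if __name__ == "__main__":
    entries = parse_otl_log(SAMPLE_OTL_LOG)
    for e in orphaned_entries(entries):
        print(f"{e.code:4} {PERSISTENCE.get(e.code, 'other'):60} -> {e.name}")
    print(summarize(entries))
    print(build_otl_fix(entries))
```

    The point of the filter is the one the fix above relies on: an autostart whose file is gone cannot run, but the reference still tells you where the infection hooked in (a Run value, a service, and here an LSA Authentication Packages entry, which would load the named DLL into lsass.exe at every logon), so those locations are the ones to re-check after cleanup.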
  12. BeachJoshua

    BeachJoshua Newcomer, in training Topic Starter Posts: 49

    boot in normal mode?
  13. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    If you can, yes.
  14. BeachJoshua

    BeachJoshua Newcomer, in training Topic Starter Posts: 49

    It ran fine in normal mode, here are the logs.

    Attached Files:

  15. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    It looks much better :)

    Now, delete broni.com, download a fresh copy of Combofix, rename it again to broni.com and see, if it'll run.
  16. BeachJoshua

    BeachJoshua Newcomer, in training Topic Starter Posts: 49

    Can I shutdown and do this tomorrow?
  17. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    By all means ...
    I don't consider you my prisoner....LOL
  18. BeachJoshua

    BeachJoshua Newcomer, in training Topic Starter Posts: 49

    I can't run broni.com in normal or safemode still...
  19. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    What does exactly happen?
  20. BeachJoshua

    BeachJoshua Newcomer, in training Topic Starter Posts: 49

    Starts... I click yes... it prepares to run, the bars cross, disappear... then it sits... for up to 30 minutes I've let it sit
  21. BeachJoshua

    BeachJoshua Newcomer, in training Topic Starter Posts: 49

    Do you want me to use hypercam and video it? and upload it to youtube?
  22. BeachJoshua

    BeachJoshua Newcomer, in training Topic Starter Posts: 49

    Just ran Malwarebytes in normal mode, it's showing the Vundo in 2 registry entries as opposed to the normal three, do you want the log from this?

    EDIT: and should I remove it?
  23. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    Hold on...
  24. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    Run those fixes through MBAM. Post the log.

    Download RootRepeal.zip (Mirror1, Mirror2) and unzip it to your Desktop.
    • Double click RootRepeal.exe to start the program
    • Click on the Report tab at the bottom of the program window
    • Click the Scan button
    • In the Select Scan dialog, check:

      • Drivers
      • Files
      • Processes
      • SSDT
      • Stealth Objects
      • Hidden Services
    • Click the OK button
    • In the next dialog, select all drives showing
    • Click OK to start the scan
      Note: The scan can take some time. DO NOT run any other programs while the scan is running
    • When the scan is complete, the Save Report button will become available
    • Click this and save the report to your Desktop as RootRepeal.txt
    • Go to File, then Exit to close the program
    Open RootRepeal.txt file with Notepad, copy, and paste all content into your next reply.

    If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.

    ==================================================================

    Download TDSSKiller and save it to your Desktop.
    Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
    Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

    If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
    When it is done, a log file should be created on your C: drive called TDSSKiller.txt. Please copy and paste the contents of that file here.
  25. BeachJoshua

    BeachJoshua Newcomer, in training Topic Starter Posts: 49

    I'm reinstalling Windows.

    I have my drive backed up on an external as an image, so if I mess things up, I might be back.