TechSpot

Stuck with Win 32 Heur and Trojan Horse Vundo

By rookiegeek
Jun 27, 2009
  1. Hi,
    My system's stuck with Win32 Heur, Win32 Cryptor and Trojan Horse Vundo. Even after repeated heal and quarantine attempts by AVG 8.5, the problem still persists.
    I have followed the "8-step Viruses/Spyware/Malware Preliminary Removal Instructions" mentioned in one of the forums. I have attached the 3 logs from Malware, SuperAntiSpyware and HijackThis. Please help me. I can see where this virus can take me. Although the consequences for now are limited to affecting the functioning of my IE, I wouldn't want to get to the hastier side of the matter. Please let me know what can be done to handle this!

    Waiting for help...
    RookieGeek! :)
     
  2. ChrisDown

    ChrisDown TS Rookie Posts: 125

    Hi, these are all still issues.

    Code:
    C:\WINDOWS\psvmon9.exe
    O2 - BHO: (no name) - {01DDF077-EC34-4C1C-9EE4-90B86F87694a} - C:\WINDOWS\system32\hnaaxxxc.dll
    O2 - BHO: (no name) - {6D282D2E-787B-42F1-A1B8-CDF9D06D1DA3} - c:\windows\system32\mplrgbh.dll
    O4 - HKLM\..\Run: [psvmon9] C:\WINDOWS\psvmon9.exe
    O20 - AppInit_DLLs: c:\progra~1\ThunMail\testabd.dll
    O20 - Winlogon Notify: zgwlcglg - C:\WINDOWS\SYSTEM32\mplrgbh.dll
    Would you please open up HJT, tick those entries, and click fix, making sure that all programs are closed?

    After that, download ComboFix. Download ComboFix from here, and save it to the Desktop. Now open notepad and paste the following into a document.

    Code:
    Killall::
    
    Snapshot::
    
    Folder::
    c:\progra~1\ThunMail
    
    File::
    C:\WINDOWS\psvmon9.exe
    C:\WINDOWS\system32\hnaaxxxc.dll
    c:\windows\system32\mplrgbh.dll
    Save this file onto your desktop too, as cfscript.txt. Then, drag it onto the cat icon, as shown below.

    [Image: cfscript.txt being dragged onto the ComboFix icon]

    Do not click on the ComboFix window whilst it runs, as it may stall. Once ComboFix is done, please upload the log.

    Thanks. :)
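As an added example (not code from the thread, HijackThis or ComboFix), the following Python collects the file paths from HijackThis lines of the kinds listed above, labels the load mechanism each item type represents, and assembles them into the Killall/Snapshot/Folder/File layout of the CFScript used in this thread (the same layout is reused later for the cookies file), deduplicating paths that differ only in case. The sample lines are the ones quoted above; the item-type descriptions are the usual meanings of those HJT sections, stated here as an assumption.

```python
import re

# Constructed sample: the HijackThis lines flagged above (no "Onn -" prefix = running process).
SAMPLE_HJT = r"""
C:\WINDOWS\psvmon9.exe
O2 - BHO: (no name) - {01DDF077-EC34-4C1C-9EE4-90B86F87694a} - C:\WINDOWS\system32\hnaaxxxc.dll
O2 - BHO: (no name) - {6D282D2E-787B-42F1-A1B8-CDF9D06D1DA3} - c:\windows\system32\mplrgbh.dll
O4 - HKLM\..\Run: [psvmon9] C:\WINDOWS\psvmon9.exe
O20 - AppInit_DLLs: c:\progra~1\ThunMail\testabd.dll
O20 - Winlogon Notify: zgwlcglg - C:\WINDOWS\SYSTEM32\mplrgbh.dll
"""

# How each HJT item type gets its code loaded (why these entries matter); assumed meanings.
SECTION_MEANING = {
    "process": "running process",
    "O2": "Browser Helper Object loaded into Internet Explorer",
    "O4": "registry Run key, started at every logon",
    "O20": "AppInit_DLLs / Winlogon Notify, loaded into other processes at startup",
}

# A drive-letter path ending in a loadable image; '~' allows 8.3 short names.
PATH_RE = re.compile(r'[A-Za-z]:\\[^\s\[\]"]+?\.(?:exe|dll|sys)\b', re.IGNORECASE)

def parse_hjt(text):
    """Return (section, path, meaning) for every file path found in the log."""
    found = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = re.match(r"(O\d+) - ", line)
        section = m.group(1) if m else "process"
        meaning = SECTION_MEANING.get(section, "other HJT item")
        for path in PATH_RE.findall(line):
            found.append((section, path, meaning))
    return found

def cfscript(entries, folders=()):
    """Assemble a CFScript in the thread's layout, deduplicating case variants."""
    files, seen = [], set()
    for _section, path, _meaning in entries:
        if path.lower() not in seen:
            seen.add(path.lower())
            files.append(path)
    parts = ["Killall::", "", "Snapshot::", ""]
    if folders:
        parts += ["Folder::", *folders, ""]
    parts += ["File::", *files]
    return "\n".join(parts) + "\n"
```

Calling `cfscript(parse_hjt(SAMPLE_HJT), folders=[r"c:\progra~1\ThunMail"])` reproduces the script posted above, with the AppInit DLL added to the File:: list because its path was found on an O20 line.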
     
  3. rookiegeek

    rookiegeek TS Rookie Topic Starter

    Combofix log attached

    As per the instructions, the log's ready...
    If this info could help: before doing the ComboFix, I ran VundoFix; it caught hold of a system file, but was unable to delete the same...

    Will wait for what is to be done next.
    RookieGeek :)
     
  4. ChrisDown

    ChrisDown TS Rookie Posts: 125

    Hi, which file did VundoFix catch a hold of?

    Also, would you please produce a fresh HJT scan? I forgot to mention, sorry. :)
     
  5. rookiegeek

    rookiegeek TS Rookie Topic Starter

    HijackThis logs attached! Vundo says nothing to fix! :D

    Hi there!
    VundoFix says nothing to fix! No threat detected...
    and HijackThis logs attached... but I don't know why AVG's still popping up errors...
    I was not able to have a complete run, but I will have one now, and attach the errors...
    Hopefully I'll get rid of them as well!

    What's next now?
    RookieGeek :)
     
  6. ChrisDown

    ChrisDown TS Rookie Posts: 125

    That HJT log looks clean; that doesn't mean you're necessarily clean, though.
     
  7. rookiegeek

    rookiegeek TS Rookie Topic Starter

    AVG catches errors... :(

    What do I do about this now.... :(
    Please find below a JPEG file with the errors.
     
  8. ChrisDown

    ChrisDown TS Rookie Posts: 125

    They're just tracking cookies (which whilst they should be removed, are not particularly serious). Are they the only issues remaining?
     
  9. rookiegeek

    rookiegeek TS Rookie Topic Starter

    Bad news!

    Now what does this mean? :(
    JPEG of the AVG error report attached.
     
  10. ChrisDown

    ChrisDown TS Rookie Posts: 125

    Qoobox\Quarantine is ComboFix's quarantine, IIRC.

    Start > Run > Type 'combofix /u' without the quotes. :)
     
  11. rookiegeek

    rookiegeek TS Rookie Topic Starter

    hmm... :)
    As you can see, I am a little new to this; thanks for being so patient.
    So now I have to run ComboFix too, to get things correct, is it?
     
     
  12. ChrisDown

    ChrisDown TS Rookie Posts: 125

    No, /u uninstalls ComboFix and removes the quarantine (where the trojans were). Basically, the trojans were sent to a quarantine on your hard drive by ComboFix, but your antivirus didn't know this and still thought that they were threats. combofix /u removes it. :)
     
  13. rookiegeek

    rookiegeek TS Rookie Topic Starter

    Okay... ComboFix is uninstalled! :D
    Enlightened a little late... and about the tracking cookies, what can I do to get rid of them as well?
     
  14. ChrisDown

    ChrisDown TS Rookie Posts: 125

    Did AVG not remove them? If not, you can go to CCleaner and tick 'Cookies', then 'Run Cleaner'. You should have this from your 8 steps.
     
  15. rookiegeek

    rookiegeek TS Rookie Topic Starter

    Logically, if it does remove them, why is it that I see them every time I run a scan? :confused:
    Again, if there's something that's related to my weak brains, please, more enlightenment needed! :eek:
     
  16. ChrisDown

    ChrisDown TS Rookie Posts: 125

    You don't have weak brains, don't worry. We all have to start somewhere, and you don't seem that bad! :)

    If they are still there, I can get ComboFix to remove them for you. Would you like that?
     
  17. rookiegeek

    rookiegeek TS Rookie Topic Starter

    Thanks for the optimism! :D I do realise where I come from though... long way to go... :blackeye:
    Yes, of course! No red mark for me in my error report... hate it when I see that red ! mark.
     
  18. ChrisDown

    ChrisDown TS Rookie Posts: 125

    Okay, create a file called cfscript.txt again, with this in it.

    Code:
    Killall::
    
    Snapshot::
    
    Folder::
    
    File::
    C:\Documents and Settings\ABCD\Application Data\Mozilla\Firefox\Profiles\eurzlmy3.default\cookies.sqlite
    This should remove it. Make sure Firefox is closed first! After this is all done, you should do 'combofix /u' again. :)
     
  19. rookiegeek

    rookiegeek TS Rookie Topic Starter

    Thanks a ton for the patience! Cannot appreciate it enough! Thanks again....
     
  20. ChrisDown

    ChrisDown TS Rookie Posts: 125

    It's no problem. Any other issues, don't hesitate to ask. :)
     