TechSpot

Trojan Virus - Please Help (Log Attached)

By anon16
Jul 14, 2008
  1. Hi - I was an ***** and downloaded something I shouldn't have from a P2P program (I will never make that mistake again, I promise), but even though I scanned the file with AVG before hand, it didn't catch the virus until after it had spread to my computer. AVG and Dr Web Cure It both say it is "Trojan 32" (??) and I have run both programs continually (in addition to CC Cleaner and Ad-Aware) and they aren't much help in getting rid of it (the virus warning keeps popping up). Now when I open my Internet Explorer browser, it won't navigate anywhere and instead all of these annoying pop ups come on my screen. I have been able to use Yahoo browser, and ran Hijack This. Here is my report. TIA for any help you can provide. It is greatly greatly appreciated.
     
  2. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,069

    You need to attach the log as a txt file not a doc for MS word
     
  3. anon16

    anon16 TS Rookie Topic Starter Posts: 23

    Sorry - here it is and thank you!
     
  4. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,069

  5. anon16

    anon16 TS Rookie Topic Starter Posts: 23

    OK, I removed Norton (I think - I thought I had removed it before but hopefully this worked). AVG is popping up threat warnings every minute and so is Explorer. I was xing them out, but then I got a blue screen and my computer shut down, so I guess that wasn't the right thing to do???? Argh . . .
     
  6. anon16

    anon16 TS Rookie Topic Starter Posts: 23

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:43:40 PM, on 7/14/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
    C:\Program Files\Yahoo!\browser\ybrowser.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Dell\MediaDirect\PCMService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
    C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Documents and Settings\Meredith\winlogon.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE
    C:\Program Files\NetWaiting\netWaiting.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\dumprep.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\PicoZip\PicoZipTray.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\WINDOWS\system32\dwwin.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Hijackthis\HijackThis.exe
     
  7. anon16

    anon16 TS Rookie Topic Starter Posts: 23

    testtesttesttest
     
  8. anon16

    anon16 TS Rookie Topic Starter Posts: 23

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0070105
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: {c3c3c455-f906-127a-e524-73adbdd45990} - {09954ddb-da37-425e-a721-609f554c3c3c} - C:\WINDOWS\system32\xfzplr.dll
    O2 - BHO: (no name) - {107E3EF5-750A-42D6-B7F8-C91819C2025D} - C:\WINDOWS\system32\opnlKCSm.dll (file missing)
    O2 - BHO: (no name) - {3DFF2548-C0EB-421A-A8B8-FFF5A9D8E05A} - C:\WINDOWS\system32\urqoOeFW.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\common\YIeTagBm.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O2 - BHO: (no name) - {B4977567-6B39-4AFA-9CD2-47A20209F5FE} - C:\WINDOWS\system32\byXpQjGW.dll
    O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
    O2 - BHO: (no name) - {ED71602F-B2F6-470F-943F-0DA300E034D8} - C:\WINDOWS\system32\mlJdBSLC.dll (file missing)
    O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
    O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
    O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [Windows Logon Applicationedc] C:\Documents and Settings\Meredith\winlogon.exe
    O4 - HKLM\..\Run: [686b6d61] rundll32.exe "C:\WINDOWS\system32\lwucxdpn.dll",b
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
    O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [PicoZip] C:\Program Files\PicoZip\PicoZipTray.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://mypoints.worldwinner.com/games/v47/shared/FunGamesLoader.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {5CB1506E-1DEA-4E63-89A7-E40E52AEA1FD} (OnagerCtrl Class) - http://usfulfillment.puretracks.com/onager.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1179439834875
    O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O20 - Winlogon Notify: byXpQjGW - C:\WINDOWS\SYSTEM32\byXpQjGW.dll
    O20 - Winlogon Notify: mlJdBSLC - mlJdBSLC.dll (file missing)
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: DM1Service - OLYMPUS Corporation - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
    O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    --
    End of file - 11636 bytes
     
  9. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,069

    Please download Malwarebytes' Anti-Malware from Here or Here

    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish,so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the entire report in your next reply.
    Extra Note:
    If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.
    -------------------------------------------------------------------------------------------------------------------------

    ComboFix

    • Download ComboFix to your desktop.
    • Double click combofix.exe & follow the prompts.
    • A window will open with a warning.
    • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.

    Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool so please do NOT do anything without instruction

    Combofix will automatically save the log file to C:\combofix.txt
     
  10. anon16

    anon16 TS Rookie Topic Starter Posts: 23

    Malwarebytes' Anti-Malware 1.20
    Database version: 949
    Windows 5.1.2600 Service Pack 2

    6:39:55 PM 7/14/2008
    mbam-log-7-14-2008 (18-39-55).txt

    Scan type: Quick Scan
    Objects scanned: 46239
    Time elapsed: 21 minute(s), 47 second(s)

    Memory Processes Infected: 1
    Memory Modules Infected: 1
    Registry Keys Infected: 11
    Registry Values Infected: 3
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 18

    Memory Processes Infected:
    C:\Documents and Settings\Meredith\winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Unloaded process successfully.

    Memory Modules Infected:
    C:\WINDOWS\system32\byXpQjGW.dll (Trojan.Vundo) -> Unloaded module successfully.

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3dff2548-c0eb-421a-a8b8-fff5a9d8e05a} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{3dff2548-c0eb-421a-a8b8-fff5a9d8e05a} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{b4977567-6b39-4afa-9cd2-47a20209f5fe} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b4977567-6b39-4afa-9cd2-47a20209f5fe} (Trojan.Vundo) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\byxpqjgw (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\686b6d61 (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows logon applicationedc (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{b4977567-6b39-4afa-9cd2-47a20209f5fe} (Trojan.Vundo) -> Delete on reboot.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\urqooefw -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\urqooefw -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\system32\urqoOeFW.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\WFeOoqru.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\WFeOoqru.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\lwucxdpn.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\npdxcuwl.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT (Rogue.SpywareDestructor) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Meredith\winlogon.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\nnNDVonl.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\pmnLdEvs.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\byXpQjGW.dll (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\system32\efcBrQKB.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\xxyvvuTj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\xxyxYrOI.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\BM6b585efd.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\BM6b585efd.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Meredith\Local Settings\Application Data\GDIPFONTCACHEV1.DAT (Rogue.SpywareDestructor) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Default User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT (Rogue.SpywareDestructor)
     
  11. anon16

    anon16 TS Rookie Topic Starter Posts: 23

    Combo Fix is attached.
     
  12. anon16

    anon16 TS Rookie Topic Starter Posts: 23

    Hijack This log is attached.

    Thank you so much for your fast replies. I really really appreciate all of your help.
     
  13. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,069

    looking better

    Download & Install SDFix
    • Download SDFix & save it to your Desktop.
    • Double click SDFix.exe & it will extract the file to %systemdrive%
      (Drive that contains the Windows Directory, Typically C:\SDFix)

    Boot into Safe Mode
    • Restart your computer & start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, & then press Enter.

    Run SDFix
    • Open the extracted SDFix folder & double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on the screen & also save into the SDFix folder as Report.txt
    • Attach Report.txt back here
    ------------------------------------------------------------------------------------------------------------------------------------------------------------

    Please download VundoFix.exe
    to your desktop

    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click Yes
    • Once you click yes, your desktop will go blank as it starts removing the Vundo.
    • When completed, it will prompt that it will reboot your computer, click Ok
    • Please attach the C:\vundofix.txt & a new HijackThis log.

    Note: it is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." When VundoFix appears at reboot.
     
  14. anon16

    anon16 TS Rookie Topic Starter Posts: 23

    SD Fix report
     
  15. anon16

    anon16 TS Rookie Topic Starter Posts: 23

    This is what VundoFix gave me. While it was running, AVG was sending me "threat/virus detected" messages again saying that it had detected the Trojan virus (???).

    VundoFix V7.0.6

    Scan started at 7:46:36 PM 7/14/2008

    Listing files found while scanning....

    No infected files were found.
     
  16. anon16

    anon16 TS Rookie Topic Starter Posts: 23

    Newest Hijack This log. Thank you!!!!
     
  17. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,069

    oh I forgot can you disable avg and any other protection you have while we fix your computer
     
  18. anon16

    anon16 TS Rookie Topic Starter Posts: 23

    Sorry - I did have AVG turned off until my computer restarted doing that first scan and I forgot to turn it off again. I just reran Vundo Fix and it again showed no infected files.

    I wasn't sure if I should re-run my Hijack log so I did to be safe and it is attached.

    Thanks!
     
  19. anon16

    anon16 TS Rookie Topic Starter Posts: 23

    Is there something else I should be doing??

    Thanks.
     
  20. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,069

    Yes but I can not reply as my modem blew up so I am waiting for my new one to get here. Right now I am typing from my phone. For now open MBAM and go to the quaranty and delete everything there then reboot and perform a virus scan in safe mode and post back with the results
     
  21. anon16

    anon16 TS Rookie Topic Starter Posts: 23

    Sorry about your modem - thanks for e-mailing me back.

    Malwarebytes' Anti-Malware 1.20
    Database version: 949
    Windows 5.1.2600 Service Pack 2

    9:31:04 PM 7/15/2008
    mbam-log-7-15-2008 (21-31-04).txt

    Scan type: Quick Scan
    Objects scanned: 44517
    Time elapsed: 20 minute(s), 15 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  22. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,069

    scan with AVG and post back the details
     
  23. anon16

    anon16 TS Rookie Topic Starter Posts: 23

    I am not on my home computer, but my sister sent me the results of the scan. This is what she wrote, "4 files were "healed." 4 "threats," 4 "deleted." 3 of them started like this C:\Qoobox\Quarantine\C\Windows\system32 ... and one started like this C:\WINDOWS\system32\Olixds18\olixds102328." Is that what you need? Otherwise, I can write back when I get home from work tonight.

    Thanks again!
     
  24. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,069

    can you post a fresh hijackthis log
     
  25. anon16

    anon16 TS Rookie Topic Starter Posts: 23

    My log is attached. Thanks again. I reaaly appreciate it.
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...