Vundo Trojan Infection

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

peterpancomplex

Thread Starter
Joined
Sep 16, 2008
Messages
1
Hello, I've tried a lot to get rid of this and it's not working. By this I mean I've tried to use VundoFix - but it can't find the infected file(s) (I happen to know from my virus scanner, which also can't remove it, which file is the main one infected; I'll bold it in the HJT log).

Naturally I tried manual deletion, with deleting tools, which didn't work either.

Here is my HJT log, followed by another log from a Vundo removal tool called VirtumundoBeGone, I think.

HJT:

Logfile of HijackThis v1.99.1
Scan saved at 12:13:34, on 16/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Eraser\eraser.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.timecomputers.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: {954f1a17-02cd-665a-8484-929a2bfcae19} - {91eacfb2-a929-4848-a566-dc2071a1f459} - C:\WINDOWS\system32\xgtrdn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: (no name) - {C5E84927-CFF0-4CA3-A068-02E7C01C1E7C} - C:\WINDOWS\system32\rqRJbyvu.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [3c600f30] rundll32.exe "C:\WINDOWS\system32\rhyasset.dll",b
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [SUPASTATUS] C:\Program Files\Internet Explorer\Connection Wizard\Status.exe
O4 - HKLM\..\Run: [BM3f533cac] Rundll32.exe "C:\WINDOWS\system32\txaujjtv.dll",s
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [mount.exe] C:\Program Files\[email protected]\FileUtilities.3\mount.exe /z
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.timecomputers.com
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs: xgtrdn.dll
O20 - Winlogon Notify: rqRJbyvu - C:\WINDOWS\SYSTEM32\rqRJbyvu.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

-----------

VBG Log:


[09/16/2008, 12:19:05] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Neal\Desktop\VirtumundoBeGone.exe" )
[09/16/2008, 12:19:13] - Detected System Information:
[09/16/2008, 12:19:13] - Windows Version: 5.1.2600, Service Pack 2
[09/16/2008, 12:19:13] - Current Username: Neal (Admin)
[09/16/2008, 12:19:13] - Windows is in NORMAL mode.
[09/16/2008, 12:19:13] - Searching for Browser Helper Objects:
[09/16/2008, 12:19:13] - BHO 1: {3049C3E9-B461-4BC5-8870-4C09146192CA} (RealPlayer Download and Record Plugin for Internet Explorer)
[09/16/2008, 12:19:13] - BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[09/16/2008, 12:19:13] - BHO 3: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} (scriptproxy)
[09/16/2008, 12:19:13] - BHO 4: {91eacfb2-a929-4848-a566-dc2071a1f459} ()
[09/16/2008, 12:19:13] - WARNING: BHO has no default name. Checking for Winlogon reference.
[09/16/2008, 12:19:13] - Checking for HKLM\...\Winlogon\Notify\xgtrdn
[09/16/2008, 12:19:13] - Key not found: HKLM\...\Winlogon\Notify\xgtrdn, continuing.
[09/16/2008, 12:19:13] - BHO 5: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} (McAfee SiteAdvisor BHO)
[09/16/2008, 12:19:13] - BHO 6: {C5E84927-CFF0-4CA3-A068-02E7C01C1E7C} ()
[09/16/2008, 12:19:13] - WARNING: BHO has no default name. Checking for Winlogon reference.
[09/16/2008, 12:19:13] - Checking for HKLM\...\Winlogon\Notify\rqRJbyvu
[09/16/2008, 12:19:13] - Found: HKLM\...\Winlogon\Notify\rqRJbyvu - This is probably Virtumundo.
[09/16/2008, 12:19:13] - Assigning {C5E84927-CFF0-4CA3-A068-02E7C01C1E7C} MSEvents Object
[09/16/2008, 12:19:13] - BHO list has been changed! Starting over...
[09/16/2008, 12:19:13] - BHO 1: {3049C3E9-B461-4BC5-8870-4C09146192CA} (RealPlayer Download and Record Plugin for Internet Explorer)
[09/16/2008, 12:19:13] - BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[09/16/2008, 12:19:13] - BHO 3: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} (scriptproxy)
[09/16/2008, 12:19:13] - BHO 4: {91eacfb2-a929-4848-a566-dc2071a1f459} ()
[09/16/2008, 12:19:13] - WARNING: BHO has no default name. Checking for Winlogon reference.
[09/16/2008, 12:19:13] - Checking for HKLM\...\Winlogon\Notify\xgtrdn
[09/16/2008, 12:19:13] - Key not found: HKLM\...\Winlogon\Notify\xgtrdn, continuing.
[09/16/2008, 12:19:13] - BHO 5: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} (McAfee SiteAdvisor BHO)
[09/16/2008, 12:19:13] - BHO 6: {C5E84927-CFF0-4CA3-A068-02E7C01C1E7C} (MSEvents Object)
[09/16/2008, 12:19:13] - ALERT: Found MSEvents Object!
[09/16/2008, 12:19:13] - Finished Searching Browser Helper Objects
[09/16/2008, 12:19:13] - *** Detected MSEvents Object
[09/16/2008, 12:19:13] - Trying to remove MSEvents Object...
[09/16/2008, 12:19:14] - Terminating Process: IEXPLORE.EXE
[09/16/2008, 12:19:14] - Terminating Process: RUNDLL32.EXE
[09/16/2008, 12:19:14] - Disabling Automatic Shell Restart
[09/16/2008, 12:19:14] - Terminating Process: EXPLORER.EXE
[09/16/2008, 12:19:14] - Suspending the NT Session Manager System Service
[09/16/2008, 12:19:14] - Terminating Windows NT Logon/Logoff Manager
[09/16/2008, 12:19:14] - Re-enabling Automatic Shell Restart
[09/16/2008, 12:19:14] - File to disable: C:\WINDOWS\system32\rqRJbyvu.dll
[09/16/2008, 12:19:14] - Renaming C:\WINDOWS\system32\rqRJbyvu.dll -> C:\WINDOWS\system32\rqRJbyvu.dll.vir
[09/16/2008, 12:19:14] - ! File rename was unsucessful.
[09/16/2008, 12:19:15] - Attempting to Deny Access to C:\WINDOWS\system32\rqRJbyvu.dll
[09/16/2008, 12:19:15] - *** IMPORTANT: Delete/Rename/Move on reboot (like Killbox) MAY NOT work.
[09/16/2008, 12:19:15] - processed file: C:\WINDOWS\system32\rqRJbyvu.dll


[09/16/2008, 12:19:15] - *** IMPORTANT: The file is disabled and will need to be deleted by the user.
[09/16/2008, 12:19:15] - Removing HKLM\...\Browser Helper Objects\{C5E84927-CFF0-4CA3-A068-02E7C01C1E7C}
[09/16/2008, 12:19:15] - Removing HKCR\CLSID\{C5E84927-CFF0-4CA3-A068-02E7C01C1E7C}
[09/16/2008, 12:19:15] - Adding Kill Bit for ActiveX for GUID: {C5E84927-CFF0-4CA3-A068-02E7C01C1E7C}
[09/16/2008, 12:19:16] - Deleting ATLEvents/MSEvents Registry entries
[09/16/2008, 12:19:16] - Removing HKLM\...\Winlogon\Notify\rqRJbyvu
[09/16/2008, 12:19:16] - Searching for Browser Helper Objects:
[09/16/2008, 12:19:16] - BHO 1: {3049C3E9-B461-4BC5-8870-4C09146192CA} (RealPlayer Download and Record Plugin for Internet Explorer)
[09/16/2008, 12:19:16] - BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[09/16/2008, 12:19:16] - BHO 3: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} (scriptproxy)
[09/16/2008, 12:19:16] - BHO 4: {91eacfb2-a929-4848-a566-dc2071a1f459} ()
[09/16/2008, 12:19:16] - WARNING: BHO has no default name. Checking for Winlogon reference.
[09/16/2008, 12:19:16] - Checking for HKLM\...\Winlogon\Notify\xgtrdn
[09/16/2008, 12:19:16] - Key not found: HKLM\...\Winlogon\Notify\xgtrdn, continuing.
[09/16/2008, 12:19:16] - BHO 5: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} (McAfee SiteAdvisor BHO)
[09/16/2008, 12:19:16] - Finished Searching Browser Helper Objects
[09/16/2008, 12:19:16] - Finishing up...
[09/16/2008, 12:19:16] - A restart is needed.
[09/16/2008, 12:19:29] - Attempting to Restart via STOP error (Blue Screen!)
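The VirtumundoBeGone log above shows the tool's heuristic: enumerate the BHOs, treat one with no default name as suspect, and confirm by checking whether the same module is also registered under Winlogon\Notify. As an added example (not code from the original post or from either tool), the Python below applies that same cross-referencing idea to HijackThis O2/O20 lines, extended to AppInit_DLLs as well; the sample entries are copied from the HJT log above.

```python
import re

# Constructed sample: a few entries copied from the HijackThis log in the post above.
SAMPLE_HJT_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: {954f1a17-02cd-665a-8484-929a2bfcae19} - {91eacfb2-a929-4848-a566-dc2071a1f459} - C:\WINDOWS\system32\xgtrdn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: (no name) - {C5E84927-CFF0-4CA3-A068-02E7C01C1E7C} - C:\WINDOWS\system32\rqRJbyvu.dll
O20 - AppInit_DLLs: xgtrdn.dll
O20 - Winlogon Notify: rqRJbyvu - C:\WINDOWS\SYSTEM32\rqRJbyvu.dll
"""

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>" + GUID + r") - (?P<path>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")

def basename(path):
    # HJT prints Windows paths; keep the part after the last backslash, case-folded
    return path.strip().rsplit("\\", 1)[-1].lower()

def suspicious_bhos(log_text):
    """Return {dll_basename: [reasons]} for BHOs that trip the VBG-style heuristic."""
    notify, appinit, bhos = set(), set(), []
    for line in log_text.splitlines():
        line = line.strip()
        if m := NOTIFY_RE.match(line):
            notify.add(basename(m["path"]))
        elif m := APPINIT_RE.match(line):
            appinit.update(d.strip().lower() for d in m["dlls"].split(","))
        elif m := BHO_RE.match(line):
            bhos.append(m)
    findings = {}
    for m in bhos:
        dll = basename(m["path"])
        name = m["name"].strip()
        reasons = []
        if name in ("", "(no name)") or re.fullmatch(GUID, name):
            reasons.append("BHO has no readable name")
        if dll in notify:
            reasons.append("same DLL registered as a Winlogon Notify package")
        if dll in appinit:
            reasons.append("same DLL listed in AppInit_DLLs")
        # Flag only when an unnamed BHO is also reloaded by a second mechanism,
        # which is what makes the pairing characteristic of Vundo on this machine.
        if len(reasons) >= 2:
            findings[dll] = reasons
    return findings

if __name__ == "__main__":
    for dll, why in suspicious_bhos(SAMPLE_HJT_LOG).items():
        print(dll, "->", "; ".join(why))
```

Running it on the sample flags rqRJbyvu.dll and xgtrdn.dll and leaves the named vendor BHOs alone.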
 

cybertech

Retired Moderator
Joined
Apr 16, 2002
Messages
72,115
Hi, Welcome to TSG!!


Please update your version of HJT.
Click here to download HJTInstall.exe
  • Save HJTInstall.exe to your desktop.
  • Doubleclick on the HJTInstall.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis.
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.


Visit this webpage for instructions for downloading and running ComboFix.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
 