zipp - Posted December 6, 2011 (ID:501601)

I downloaded Malwarebytes and it found something it calls "Trojan.Vundo". The first time I ran the scan it said it needed to restart the computer, so I allowed it. The log says it was removed on reboot, but an additional scan came up with the same warning (Trojan.Vundo). I researched what Vundo does, but I don't experience many of the symptoms, only a few of them and only rarely. I also have AVG, but it didn't pick up any virus at all when I ran it. Any help would be appreciated. Thanks.

DDS - Notepad

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.6001.18000
Run by Debra Moore at 20:50:37 on 2011-12-05
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.1014.118 [GMT -6:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\ATK Hotkey\ASLDRSrv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\ATK Hotkey\Hcontrol.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\ATK Hotkey\ATKOSD.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
mStart Page = hxxp://www.yahoo.com/
mDefault_Page_URL = hxxp://www.yahoo.com/
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7018.1622\swg.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [skytel] Skytel.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [iAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [NDSTray.exe] NDSTray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [igfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
StartupFolder: c:\users\debram~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/WebfettiInitialSetup1.0.1.1.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
TCP: DhcpNameServer = 192.168.10.1
TCP: Interfaces\{25210A3A-B07C-4A75-9FA4-11D35E1813D8} : DhcpNameServer = 209.55.5.10 209.55.5.11
TCP: Interfaces\{68C9AEF7-F7E4-41A8-A3AD-187B98B441AD} : DhcpNameServer = 192.168.10.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Notify: igfxcui - igfxdev.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-2-22 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-3-16 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-1-7 248656]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-3-1 34896]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-4-4 297168]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-5-27 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-2-10 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-2-10 28624]
.
=============== Created Last 30 ================
.
2011-12-05 22:26:50 -------- d-----w- c:\users\debra moore\appdata\roaming\Malwarebytes
2011-12-05 22:26:30 -------- d-----w- c:\programdata\Malwarebytes
2011-12-05 22:26:24 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-05 22:26:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
.
==================== Find3M ====================
.
2011-11-05 04:57:15 472808 ----a-w- c:\windows\system32\deployJava1.dll
.
============= FINISH: 20:52:34.86 ===============

Attach - Notepad

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT.
.
DDS (Ver_2011-08-26.01)
.
Microsoft® Windows Vista™ Home Basic
Boot Device: \Device\HarddiskVolume2
Install Date: 10/26/2007 9:00:04 AM
System Uptime: 12/5/2011 4:52:11 PM (4 hours ago)
.
Motherboard: TOSHIBA | | Satellite L45
Processor: Intel® Pentium® Dual CPU T2310 @ 1.46GHz | Socket 478 | 1467/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 73 GiB total, 33.272 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP501: 11/22/2011 12:04:16 AM - Scheduled Checkpoint
RP502: 11/23/2011 12:00:06 AM - Scheduled Checkpoint
RP503: 11/23/2011 11:53:14 PM - Scheduled Checkpoint
RP504: 11/24/2011 9:06:28 PM - Scheduled Checkpoint
RP505: 11/26/2011 12:00:05 AM - Scheduled Checkpoint
RP506: 11/27/2011 12:00:09 AM - Scheduled Checkpoint
RP507: 11/28/2011 5:41:49 AM - Scheduled Checkpoint
RP508: 11/29/2011 12:14:24 AM - Scheduled Checkpoint
RP509: 11/30/2011 8:31:57 AM - Scheduled Checkpoint
RP510: 12/1/2011 12:00:09 AM - Scheduled Checkpoint
RP511: 12/2/2011 4:38:20 AM - Scheduled Checkpoint
RP512: 12/3/2011 12:00:10 AM - Scheduled Checkpoint
RP513: 12/4/2011 12:00:10 AM - Scheduled Checkpoint
RP514: 12/5/2011 6:43:21 PM - Scheduled Checkpoint
.
==== Installed Programs ======================
.
Accessibility
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player ActiveX
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Adobe Shockwave Player
Apple Mobile Device Support
Apple Software Update
ATK Hotkey
AVG 2011
Command & Conquer 3
Compatibility Pack for the 2007 Office system
DVD MovieFactory for TOSHIBA
Google Toolbar for Internet Explorer
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Intel® Graphics Media Accelerator Driver
Intel® Matrix Storage Manager
Java Auto Updater
Java 6 Update 29
Java SE Runtime Environment 6
LimeWire 4.18.6
Malwarebytes' Anti-Malware version 1.51.2.1300
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Works
Microsoft XML Parser
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Norton Security Scan
QuickBooks Financial Center
QuickTime
Realtek 8139 and 8139C+ Ethernet Network Card Driver for Windows Vista
Realtek High Definition Audio Driver
RICOH R5C83x/84x Media Driver Vista x86 Ver.3.33.03
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Windows Media Encoder (KB2447961)
Security Update for Windows Media Encoder (KB954156)
Security Update for Windows Media Encoder (KB979332)
Solitaire 2 Special Edition
Synaptics Pointing Device Driver
TOSHIBA Assist
TOSHIBA ConfigFree
TOSHIBA Disc Creator
TOSHIBA DVD PLAYER
TOSHIBA Extended Tiles for Windows Mobility Center
TOSHIBA Games
Toshiba Registration
TOSHIBA SD Memory Utilities
TOSHIBA Software Modem
TOSHIBA Software Upgrades
TOSHIBA Speech System Applications
TOSHIBA Speech System SR Engine(U.S.) Version1.0
TOSHIBA Speech System TTS Engine(U.S.) Version1.0
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Office 2007 (KB934528)
Update for Office System 2007 Setup (KB929722)
Windows Media Encoder 9 Series
.
==== Event Viewer Messages From Past Week ========
.
12/4/2011 3:10:54 PM, Error: EventLog [6008] - The previous system shutdown at 3:10:01 PM on 12/4/2011 was unexpected.
11/29/2011 3:52:02 PM, Error: Microsoft-Windows-DistributedCOM [10016] - The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {9BA05972-F6A8-11CF-A442-00A0C90A8F39} to the user DebraMoore-PC\sun SID (S-1-5-21-1879663015-1510288063-2667479256-1001) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
11/29/2011 3:52:02 PM, Error: Microsoft-Windows-DistributedCOM [10016] - The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {682159D9-C321-47CA-B3F1-30E36B2EC8B9} to the user DebraMoore-PC\sun SID (S-1-5-21-1879663015-1510288063-2667479256-1001) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
.
==== End Of File ===========================
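The "Pseudo HJT Report" section of the DDS log above is where a helper would look first for a Vundo-style infection, because that family usually persists as a Browser Helper Object (BHO) DLL loaded into Internet Explorer. Three things in that section are worth checking mechanically: BHO and toolbar CLSIDs whose DLL is "No File" (a registration left behind after the DLL was deleted, which is consistent with MBAM reporting a removal on reboot and then flagging the registry entry again), autorun entries that name a bare executable with no directory (Windows resolves those by searching the PATH, which is also a classic way to get an unexpected binary launched), and Downloaded Program Files (DPF) ActiveX packages pulled from hosts other than the expected vendor hosts. The script below is an added example written for this thread; it is not part of DDS, Malwarebytes or the original post. The sample lines are copied from the log above, and the allowlist of DPF hosts is an assumption for illustration, not a list any vendor publishes.

```python
"""Triage the "Pseudo HJT Report" section of a DDS log.

Added example for this thread, not code from DDS, Malwarebytes or the poster.
SAMPLE_LOG lines are copied from the DDS log in the thread; TRUSTED_DPF_HOSTS
is an illustrative assumption (the two hosts the Java and Flash DPF entries
in that log came from), not a published allowlist.
"""
import re
from dataclasses import dataclass

# DDS writes "hxxp" instead of "http" so the log cannot be clicked by accident.
SAMPLE_LOG = r"""
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7018.1622\swg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - No File
mRun: [skytel] Skytel.exe
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/WebfettiInitialSetup1.0.1.1.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
"""

CLSID = r"\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}"
# "BHO: <optional name>: {clsid} - <dll or 'No File'>"; the name is optional
# and may itself contain a colon, so the CLSID anchors the match.
BHO_RE = re.compile(rf"^(?P<kind>BHO|TB): (?:(?P<name>.*?): )?(?P<clsid>{CLSID}) - (?P<target>.*)$")
# "uRun/mRun/dRun/mRunOnce: [value name] <command line>"
RUN_RE = re.compile(r"^(?P<kind>[umd]Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<target>.*)$")
# "DPF: {clsid} - <cab URL>"
DPF_RE = re.compile(rf"^(?P<kind>DPF): (?P<clsid>{CLSID}) - (?P<target>\S+)$")
URL_HOST_RE = re.compile(r"^(?:hxxps?|https?)://([^/]+)", re.IGNORECASE)

TRUSTED_DPF_HOSTS = {"java.sun.com", "fpdownload.macromedia.com"}  # assumption


@dataclass
class Entry:
    kind: str
    name: str
    clsid: str
    target: str
    line: str


@dataclass
class Finding:
    rule: str
    detail: str
    line: str


def parse_hjt(lines):
    """Return the BHO/TB, Run and DPF entries found in the given log lines."""
    entries = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        for rx in (BHO_RE, RUN_RE, DPF_RE):
            m = rx.match(line)
            if m:
                d = m.groupdict()
                entries.append(Entry(d["kind"], d.get("name") or "", d.get("clsid") or "", d["target"], line))
                break
    return entries


def executable_of(command):
    """First token of an autorun command line, honouring a quoted path.
    An unquoted path containing spaces is cut at the first space, which is
    still enough to tell a bare file name from a path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def triage(entries):
    """Apply the three checks and return one Finding per hit."""
    findings = []
    for e in entries:
        if e.kind in ("BHO", "TB") and e.target.strip().lower() == "no file":
            findings.append(Finding("orphaned-clsid", f"{e.kind} {e.clsid} is registered but its DLL is gone", e.line))
        elif "Run" in e.kind:
            exe = executable_of(e.target)
            if "\\" not in exe and "/" not in exe:
                findings.append(Finding("bare-filename", f"{e.kind} [{e.name}] launches '{exe}' via PATH search", e.line))
        elif e.kind == "DPF":
            m = URL_HOST_RE.match(e.target)
            host = m.group(1).lower() if m else ""
            if host not in TRUSTED_DPF_HOSTS:
                findings.append(Finding("unlisted-dpf-host", f"ActiveX package from {host or 'unparsable URL'}", e.line))
    return findings


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG.splitlines())):
        print(f"[{f.rule}] {f.detail}\n    {f.line}")
```

On the sample lines this reports the two "No File" registrations, the `Skytel.exe` autorun that has no directory, and the one DPF package whose host is not on the allowlist. None of those is proof of infection on its own: an orphaned CLSID is usually harmless debris, and OEM tools are often registered by bare name, which is exactly why a helper asks for the full log rather than acting on a single line.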
screen317 (Staff) - Posted December 12, 2011 (ID:504310)

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

When the tool is finished, it will produce a report for you. Please post the contents of C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.
zipp (Author) - Posted December 13, 2011 (ID:504735)

I ran MBAM and got a log. When I tried to run the ComboFix program the first time, it deleted itself. The second time I tried, it got an error saying I couldn't extract certain files. Here's the MBAM scan; I'm trying to do the ComboFix one more time. If I get any other results I will post them; otherwise, please assume that I still could not get ComboFix to run on the computer.

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8323

Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

12/13/2011 3:14:42 PM
mbam-log-2011-12-13 (15-14-42).txt

Scan type: Quick scan
Objects scanned: 122371
Time elapsed: 5 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
zipp (Author) - Posted December 13, 2011 (ID:504739)

The error it's giving me for ComboFix is "C:\32788R22FWJFW\Boot.Bat". I get options to ignore, retry, and abort; however, it won't accept any option but abort.
screen317 (Staff) - Posted December 19, 2011 (ID:506339)

Hi,

Delete your copy of ComboFix. Grab a fresh copy and save it to your Desktop, but do not run it yet. Before you download it, rename it to sega.com

Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).

Click Start --> Run, and enter this command exactly as shown:

"%userprofile%\desktop\sega.com" /killall /nombr

See if it will run successfully now. Stop it after half an hour of no activity.
screen317 (Staff) - Posted January 19, 2012 (ID:518314)

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!