Jump to content

Vundo.H registry values and Trojan. Agent registry keys reappear

Recommended Posts

I've posted recently on MajorGeeks.com about this issue, I am still being instructed for a cleaning process on their forum, but I saw a few posts in this forum with the almost same problem I had, so I decided to post here as well. Malwarebytes is also the only software detecting these Vundo.H registry values and Trojan.Agent keys.

When I originally posted on Mcafee forums, I was eventually instructed to boot from Windows CD and delete the ddrawexk.dll, which was a trojan on my system. Removal of that file enabled me to access the Internet again and solved all symptoms of the malware. For further instructions, they suggested that I post on other forums such as majorgeeks.com and yours.

I followed the instructions at MajorGeeks.com and installed the latest version of Java 6 with update 11. I also recently uninstalled Adobe Acrobat 7.0 after reading your suggestion to some other people on this forum.

Currently, after Malwarebytes detects the 2 Vundo.H registry values and 4 Trojan.Agent keys, it asks whether I want to reboot to delete those files. When I click yes, it does not auto-restart. After I restart the PC manually and repeat the scan, nothing seems to have been deleted.

I've seen very similar problems being solved on this forum and hope you can suggest a cure for me as well :-) Thank you in advance... Here are the logs you have asked for...





Link to post
Share on other sites

You might want it in copy/paste form rather than as attachment.

Malwarebytes' Anti-Malware 1.33

Database version: 1682

Windows 5.1.2600 Service Pack 3

23.01.2009 06:34:21

mbam-log-2009-01-23 (06-34-21).txt

Scan type: Quick Scan

Objects scanned: 56368

Time elapsed: 6 minute(s), 43 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 4

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7c46d868-1c58-4d48-aa3f-95b4121fc6df} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{7c46d868-1c58-4d48-aa3f-95b4121fc6df} (Trojan.Vundo.H) -> Delete on reboot.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)





Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 06:44:03, on 23.01.2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:









C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe





C:\Program Files\Java\jre6\bin\jqs.exe





C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\Program Files\McAfee\MSK\MskSrver.exe







C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\FileOpen\plug_ins\FileOpenAPI.exe

C:\Program Files\OpenOffice.org 3\program\soffice.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\OpenOffice.org 3\program\soffice.bin



C:\Program Files\internet explorer\iexplore.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://*.mcafee.com

O16 - DPF: {164B406B-0FD6-4E7F-BA7E-64D227D4CA37} (dnlplayer Class) - http://www.digitalwebbooks.com/reader/dbplugin.cab

O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/contr...vex/TmHcmsX.CAB

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1197904215609

O16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - http://plugin.fileopen.com/current/FileOpen.CAB

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...445/mcfscan.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{3A34398C-5CE3-4F0D-91BC-F75E3F94DA1C}: NameServer =

O17 - HKLM\System\CCS\Services\Tcpip\..\{55FCF9E3-FF1E-4E49-AFA0-07EF3270530E}: NameServer =

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: BCL easyPDF SDK 5 Loader (bepldr) - Unknown owner - C:\Program Files\Common Files\BCL Technologies\NitroPDF5\bepldr.exe

O23 - Service: CopySafe Helper Service (CSHelper) - Unknown owner - C:\WINDOWS\system32\CSHelper.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe


End of file - 8033 bytes

Link to post
Share on other sites

  • Root Admin
I've posted recently on MajorGeeks.com about this issue, I am still being instructed for a cleaning process on their forum, but I saw a few posts in this forum with the almost same problem I had, so I decided to post here as well.

Unfortunately that is NOT a good idea. This creates extra work for us and them both as we work against each other and read multiple logs from the same user, thus taking time away from others.

I will close your post here and you should continue to follow the advice given over there. They will take care of you no problem.

Thank you.

Link to post
Share on other sites

I thought double service would speed things up, but hey anyway, I was so angry with this trojan that after many hours of online reading, I discovered Brat PE online and deleted the infected keys. Now, the Malwarebytes scan is clean, and the trojan registry values no longer reappear. I would love to learn more about why these keys were reappearing, but hey if you are busy, let me not keep you... Your software is great and was the only one to detect these keys.

Link to post
Share on other sites

  • Root Admin

It's not that we're busy and don't wish to help you. It's just that it's better for everyone involved if only one site at a time helps you.

You probably wouldn't like it if a different Barber came in and cut an inch off the left side, then another Barber stepped in and didn't know about the 1 inch cut on the left side and he cut of 2 inches and curled it. The point being that the left hand doesn't know what the right hand is doing so to speak and thus the results may not be good.


Link to post
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.