Jump to content
Sign in to follow this  
thesisko

Please Help with Trojan.Vundo.H!!

Recommended Posts

Hello, I've picked up the Trojan.Vundo.H and malwarebytes can't get rid of it. I have updated to the latest version and the program detects the threats located in the registry and states the threats have been successfully quarantined and deleted. Then when I run the scan again as soon as it deleted the items, they are right back where they were before. I would greatly appreciate any help in removing this pesky threat. Here is the mb log file regarding the threats found in the registry

Malwarebytes' Anti-Malware 1.36

Database version: 2046

Windows 5.1.2600 Service Pack 3

4/26/2009 7:32:20 PM

mbam-log-2009-04-26 (19-32-20).txt

Scan type: Full Scan (C:\|E:\|)

Objects scanned: 5658

Time elapsed: 10 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{459a2a79-8c10-4c88-b74d-b45ff6ea1900} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{459a2a79-8c10-4c88-b74d-b45ff6ea1900} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lijisepiru (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Share this post


Link to post
Share on other sites

Hi,

It looks like only keys are detected all the time here, so I have the feeling that a 3rd party scanners places them back again.

This could be either Spybot S&D Teatimer, or Adwatch or any other similar scan.

Anyway, to find out,

* Download Trend Micro Hijack This

Share this post


Link to post
Share on other sites

Here is the hijackthis log file but now I'm experiencing a different problem. I ran combofix and that seemed to work, now the latest version of malwarebytes comes up with a clean scan. Now the problem is my browser is directing me to pages I didn't select. For example, when i do a search from yahoo.com and go to the results page, when i click next or click to go to a different page in the results, a new tab opens up and i get directed to 7search.com or yahoo advance search or some health website. Plus when i click on one of the results, sometimes i'll be directed to that page and sometimes i'll get directed to another site like i described before. i have run a scan with symantec antivirus, malwarebytes and avg, they all come back clean. the only thing was when i first ran avg it detected a lot of tracking cookies but now they're gone according to avg and i'm still getting directed to weird websites. what's going on?

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:31:27 AM, on 4/30/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16827)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Microsoft IntelliType Pro\itype.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe

C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PSIService.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\AVG\AVG8\avgam.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\uTorrent\uTorrent.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_1.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--

End of file - 7080 bytes

Share this post


Link to post
Share on other sites

Ok, every time i run avg it finds tracking cookies in C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\w2ths33s.default\cookies.sqlite. i have avg remove that file plus all the tracking cookies found in that file but every time i start firefox up again the file reappears and avg finds more tracking cookies there. i'm totally at a loss at this point, please help!

Share this post


Link to post
Share on other sites

Hi,

For the redirects, I assume you only have it in Firefox? Because that's really important. If you only have it in Firefox, then do next:

1. Please download GooredFix and save it to your Desktop.

  • Select "2. Fix Goored" by typing 2 and pressing Enter.
  • Make sure all instances of Firefox are closed at this point.
  • Type y at the prompt and press Enter again.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).

Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

Ok, every time i run avg it finds tracking cookies in C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\w2ths33s.default\cookies.sqlite. i have avg remove that file plus all the tracking cookies found in that file but every time i start firefox up again the file reappears and avg finds more tracking cookies there. i'm totally at a loss at this point, please help!
Please don't worry about tracking cookies. You'll always get them and they will always return. This just depends what sites you visit.

Everyone has them. They are even present on the MSN startpage, Yahoo startpage...

You may also want to read next:

http://www.mvps.org/winhelp2002/cookies.htm

If you want to manage your cookies you can use next programs:

For Internet explorer: CookieWall

For Firefox: CookieSafe

Keep in mind that you're not supposed to block every cookie, because some cookies are required.

Most people don't use an additional cookie manager, because it may be annoying in some cases to manually filter all cookies in the beginning, so they clean their cookies once in a while via the "clean cookies" option in their browser settings.

Share this post


Link to post
Share on other sites

GooredFix v1.92 by jpshortstuff

Log created at 02:41 on 01/05/2009 running Option #2 (User)

Firefox version 3.0.10 (en-US)

=====Goored Deletions=====

C:\Program Files\Mozilla Firefox\extensions\{6EBB196D-7FEF-4A33-B20F-45252F6D5A1F}

->Backing up folder... Done.

->Emptying folder... Done.

->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]

"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]

"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]

"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]

"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

Share this post


Link to post
Share on other sites

Malwarebytes comes back clean. The only thing AVG finds is the atdmt tracking cookie. Should i worry about that?

Malwarebytes' Anti-Malware 1.36

Database version: 2065

Windows 5.1.2600 Service Pack 3

5/1/2009 4:31:30 PM

mbam-log-2009-05-01 (16-31-30).txt

Scan type: Full Scan (C:\|E:\|)

Objects scanned: 171944

Time elapsed: 29 minute(s), 54 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Share this post


Link to post
Share on other sites

Hi,

The only thing AVG finds is the atdmt tracking cookie. Should i worry about that?
Not at all. I am still wondering why scanners still flag tracking cookies.. Please don't worry about tracking cookies. You'll always get them and they will always return. This just depends what sites you visit.

Everyone has them. They are even present on the MSN startpage, Yahoo startpage...

You may also want to read next:

http://www.spywareinfo.com/articles/cookies/

http://www.mvps.org/winhelp2002/cookies.htm

If you want to manage your cookies you can use next programs:

For Internet explorer: CookieWall

For Firefox: CookieSafe

Keep in mind that you're not supposed to block every cookie, because some cookies are required.

Most people don't use an additional cookie manager, because it may be annoying in some cases to manually filter all cookies in the beginning, so they clean their cookies once in a while via the "clean cookies" option in their browser settings.

Share this post


Link to post
Share on other sites

Glad I could help. :angry:

Please read my Prevention page with lots of info and tips how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

Share this post


Link to post
Share on other sites

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.
Sign in to follow this  

  • Recently Browsing   0 members

    No registered users viewing this page.

×

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.