Help vundo.h


Guest bugmenot

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:13:34 AM, on 11/3/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Creative\Shared Files\CTAudSvc.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Steam\Steam.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {D545BDBA-727B-4661-8ED1-5600073CDC27} - c:\windows\system32\ascuijq.dll (file missing)

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O20 - Winlogon Notify: zfvlnnlm - ascuijq.dll (file missing)

O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--

End of file - 1473 bytes

Malwarebytes' Anti-Malware 1.30

Database version: 1340

Windows 5.1.2600 Service Pack 2

11/3/2008 4:16:57 AM

mbam-log-2008-11-03 (04-16-54).txt

Scan type: Quick Scan

Objects scanned: 38196

Time elapsed: 1 minute(s), 17 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d545bdba-727b-4661-8ed1-5600073cdc27} (Trojan.Vundo.H) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zfvlnnlm (Trojan.Vundo.H) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{d545bdba-727b-4661-8ed1-5600073cdc27} (Trojan.Vundo.H) -> No action taken.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\windows\system32\ascuijq.dll (Trojan.Vundo.H) -> No action taken.

Guest bugmenot

;*******************************************************************************

ANALYSIS: 2008-11-03 04:17:46

PROTECTIONS: 0

MALWARE: 3

SUSPECTS: 7

;*******************************************************************************

PROTECTIONS

Description Version Active Updated

;===============================================================================

;===============================================================================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;===============================================================================

00029434 spyware/virtumonde Spyware No 1 Yes No c:\windows\system32\appsetup.exe

03477235 Application/SmithFraudFix.A HackTools No 0 Yes No C:\System Volume Information\_restore{CD1EB73B-00F4-4460-825B-0D743BF6942B}\RP4\A0001138.exe

03839851 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{CD1EB73B-00F4-4460-825B-0D743BF6942B}\RP4\A0001060.sys

03839851 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{CD1EB73B-00F4-4460-825B-0D743BF6942B}\RP4\A0001133.sys

03839851 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{CD1EB73B-00F4-4460-825B-0D743BF6942B}\RP4\A0001134.sys

03839851 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{CD1EB73B-00F4-4460-825B-0D743BF6942B}\RP4\A0001135.sys

03839851 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{CD1EB73B-00F4-4460-825B-0D743BF6942B}\RP4\A0000060.sys

03839851 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{CD1EB73B-00F4-4460-825B-0D743BF6942B}\RP2\A0000013.sys

03839851 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{CD1EB73B-00F4-4460-825B-0D743BF6942B}\RP5\A0002188.sys

03839851 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{CD1EB73B-00F4-4460-825B-0D743BF6942B}\RP7\A0004283.sys

03839851 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{CD1EB73B-00F4-4460-825B-0D743BF6942B}\RP9\A0004947.sys

03839851 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\WINDOWS\system32\drivers\zpajw.sys

;===============================================================================

SUSPECTS

Sent Location

;===============================================================================

No C:\Documents and Settings\Administrator\Desktop\New Folder\ComboFix.exe

No C:\Documents and Settings\Administrator\Desktop\New Folder\ComboFix.exe[32788R22FWJFW\psexec.cfexe]

No C:\Documents and Settings\Administrator\My Documents\mouse\mouse_programs.zip[usbmrs11.exe][umrs.exe]

No C:\Documents and Settings\Administrator\My Documents\mouse\usbmrs11.exe[umrs.exe]

No C:\Documents and Settings\Administrator\My Documents\oldcomputer stuff\mouse_programs.zip[usbmrs11.exe][umrs.exe]

No C:\Documents and Settings\Administrator\Desktop\New Folder\ComboFix.exe[32788R22FWJFW\psexec.cfexe]

No C:\Documents and Settings\Administrator\Desktop\New Folder\ComboFix.exe[32788R22FWJFW\psexec.cfexe]

;===============================================================================

VULNERABILITIES

Id Severity Description

;===============================================================================

184380 MEDIUM MS08-002

184379 MEDIUM MS08-001

182048 HIGH MS07-069

182046 HIGH MS07-067

182043 HIGH MS07-064

179553 HIGH MS07-061

176382 HIGH MS07-057

176383 HIGH MS07-058

170911 HIGH MS07-050

170907 HIGH MS07-046

170906 HIGH MS07-045

170904 HIGH MS07-043

164915 HIGH MS07-035

164913 HIGH MS07-033

164911 HIGH MS07-031

160623 HIGH MS07-027

157262 HIGH MS07-022

157261 HIGH MS07-021

157260 HIGH MS07-020

157259 HIGH MS07-019

156477 HIGH MS07-017

150253 HIGH MS07-016

150249 HIGH MS07-013

150248 HIGH MS07-012

150247 HIGH MS07-011

150243 HIGH MS07-008

150242 HIGH MS07-007

150241 MEDIUM MS07-006

141034 HIGH MS06-076

141033 MEDIUM MS06-075

141030 HIGH MS06-072

137571 HIGH MS06-070

137568 HIGH MS06-067

133387 MEDIUM MS06-065

133386 MEDIUM MS06-064

133385 MEDIUM MS06-063

133379 HIGH MS06-057

131654 HIGH MS06-055

129977 MEDIUM MS06-053

129976 MEDIUM MS06-052

126093 HIGH MS06-051

126092 MEDIUM MS06-050

126087 HIGH MS06-046

126086 MEDIUM MS06-045

126083 HIGH MS06-042

126082 HIGH MS06-041

126081 HIGH MS06-040

123421 HIGH MS06-036

123420 HIGH MS06-035

120825 MEDIUM MS06-032

120823 MEDIUM MS06-030

120818 HIGH MS06-025

120815 HIGH MS06-022

120814 HIGH MS06-021

117384 MEDIUM MS06-018

114666 HIGH MS06-015

114664 HIGH MS06-013

108744 MEDIUM MS06-008

108743 MEDIUM MS06-007

108742 MEDIUM MS06-006

104567 HIGH MS06-002

104237 HIGH MS06-001

96574 HIGH MS05-053

93395 HIGH MS05-051

93394 HIGH MS05-050

93454 MEDIUM MS05-049

;===============================================================================

Why does the sticky have an online scanner that you have to pay to remove? And the things it picks up look fishy; I've used so many scanners in the past few days that didn't pick up all that.

Anyway can someone help me remove this?


Hello, you don't have to pay to remove. Delete ComboFix from your desktop. You're not taking action with MBAM. When you scan with it you need to check the boxes next to what it found and remove them.

Update MBAM, scan again, and this time take action. Post that log and then the full HJT log.


Guest bugmenot

Thanks for the reply

Malwarebytes' Anti-Malware 1.30

Database version: 1358

Windows 5.1.2600 Service Pack 2

11/3/2008 11:00:28 AM

mbam-log-2008-11-03 (11-00-28).txt

Scan type: Full Scan (A:\|C:\|D:\|)

Objects scanned: 50483

Time elapsed: 2 minute(s), 56 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 5

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d545bdba-727b-4661-8ed1-5600073cdc27} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zfvlnnlm (Trojan.Vundo.H) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{d545bdba-727b-4661-8ed1-5600073cdc27} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\kyfrsxnz (Rootkit.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kyfrsxnz (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\windows\system32\ascuijq.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\peli.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:06:40 AM, on 11/3/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Creative\Shared Files\CTAudSvc.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\msiexec.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wpabaln.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {D545BDBA-727B-4661-8ED1-5600073CDC27} - c:\windows\system32\ascuijq.dll (file missing)

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O20 - Winlogon Notify: zfvlnnlm - ascuijq.dll (file missing)

O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--

End of file - 1496 bytes


Are you taking out part of the HJT log?

Run HJT again in scan only and put a check next to these lines, then click fix.

O2 - BHO: (no name) - {D545BDBA-727B-4661-8ED1-5600073CDC27} - c:\windows\system32\ascuijq.dll (file missing)

O20 - Winlogon Notify: zfvlnnlm - ascuijq.dll (file missing)

Reboot.

Update MBAM, run a quick scan, and post that log and a new HJT log. The full HJT log.


Guest bugmenot

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 6:57:30 PM, on 11/4/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Creative\Shared Files\CTAudSvc.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Steam\Steam.exe

C:\Program Files\Ventrilo\Ventrilo.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: (no name) - {D545BDBA-727B-4661-8ED1-5600073CDC27} - c:\windows\system32\ascuijq.dll (file missing)

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O20 - Winlogon Notify: zfvlnnlm - ascuijq.dll (file missing)

O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--

End of file - 1720 bytes


Guest bugmenot

Malwarebytes' Anti-Malware 1.30

Database version: 1366

Windows 5.1.2600 Service Pack 2

11/4/2008 7:06:14 PM

mbam-log-2008-11-04 (19-06-14).txt

Scan type: Full Scan (A:\|C:\|D:\|)

Objects scanned: 51364

Time elapsed: 3 minute(s), 33 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d545bdba-727b-4661-8ed1-5600073cdc27} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zfvlnnlm (Trojan.Vundo.H) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{d545bdba-727b-4661-8ed1-5600073cdc27} (Trojan.Vundo.H) -> Delete on reboot.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\windows\system32\ascuijq.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{CD1EB73B-00F4-4460-825B-0D743BF6942B}\RP9\A0005032.sys (Rootkit.Agent) -> Quarantined and deleted successfully.


Look, for whatever reasons, you're not doing as asked, you're not posting a full log and you're not doing as MBAM says. You have a rootkit, which means all information on the machine has been compromised: banking, credit cards etc., passwords. You need to change them all now. Notify the banks etc. The only sure way to remove a rootkit is to reformat. Since you won't work with me, I suggest you do that. We have a clear forum policy that states you will cooperate and will not alter logs. You are not cooperating and you are altering the HJT log. I'm done.


Guest bugmenot

This is new to me. I'm running HijackThis, I click save log. I open the hijackthis.log, copy all the text and post it here.

I tweak XP using Black Viper's guide, which disables a lot of XP services; I disable a lot of start-ups too. I'm guessing this is why my log seems incomplete to you. I'm just wondering if you would know of any way to delete this; it just keeps coming back when I restart my PC.


OK, that might explain the missing stuff, and it might also explain why it doesn't show in your logs.

Please find this file C:\WINDOWS\system32\nvsvc32.exe

and attach it in a zipped folder here in a new topic you start; link back to your thread in the HJT forum please.

But how are you doing a full scan in 3 minutes?

Scan type: Full Scan (A:\|C:\|D:\|)

Objects scanned: 51364

Time elapsed: 3 minute(s), 33 second(s)

You don't need to do a full scan, you do need to reboot for the delete when MBAM says so.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d545bdba-727b-4661-8ed1-5600073cdc27} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zfvlnnlm (Trojan.Vundo.H) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{d545bdba-727b-4661-8ed1-5600073cdc27} (Trojan.Vundo.H) -> Delete on reboot.

All those are delete on reboot. You have a rootkit, my advice about reformat is sincere, and the only way to be sure of removal.

2 weeks later...

Since this topic has had no reply for over 5 days it will be closed to prevent others from posting into it. Should you decide to resume with your assistance, PM any staff member and we will be happy to reopen the topic.

Note: the fixes in this topic are for this system only. Applying them to your system can cause severe damage and result in utter system failure. If you need help start your own topic and someone will be happy to assist you.
