Vundo.H & Rootkit Agent H. removal help needed!



I've been trying for a week to get rid of this; I thought it was gone on two occasions. The other two "agent" entries (C:\windows\system32\kwave.sys and C:\windows\system32\drivers\mrxdavv.sys) I've been trying to get rid of for a couple of months. Here are the most recent MBAM & HJT logs. PLEASE help. Thanks!

Malwarebytes' Anti-Malware 1.31

Database version: 1523

Windows 5.1.2600 Service Pack 2

12/19/2008 8:15:07 PM

mbam-log-2008-12-19 (20-05-28).txt

Scan type: Quick Scan

Objects scanned: 48402

Time elapsed: 1 minute(s), 1 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9b48c7ad-37b5-45d5-95c3-86245d2f32d4} (Trojan.Vundo.H) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{9b48c7ad-37b5-45d5-95c3-86245d2f32d4} (Trojan.Vundo.H) -> No action taken.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vetemikolu (Trojan.Vundo.H) -> No action taken.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\drivers\mrxdavv.sys (Rootkit.Agent.H) -> No action taken.

C:\WINDOWS\system32\kwave.sys (Trojan.Agent) -> No action taken.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:15:24 PM, on 12/19/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Ahead\InCD\InCDsrv.exe

C:\Program Files\AlienGUIse\wbload.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\Program Files\a-squared\a2service.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Windows NT\Accessories\WORDPAD.EXE

C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {9b48c7ad-37b5-45d5-95c3-86245d2f32d4} - C:\WINDOWS\system32\mebokewe.dll (file missing)

O2 - BHO: (no name) - {AC34A03C-9F6B-4710-BA1B-A1B62F4FEA89} - C:\WINDOWS\system32\geBrsqrP.dll (file missing)

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [sMSERIAL] sm56hlpr.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [vetemikolu] Rundll32.exe "C:\WINDOWS\system32\zigomobo.dll",s

O4 - HKUS\S-1-5-19\..\Run: [vetemikolu] Rundll32.exe "C:\WINDOWS\system32\zigomobo.dll",s (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [vetemikolu] Rundll32.exe "C:\WINDOWS\system32\zigomobo.dll",s (User 'NETWORK SERVICE')

O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab

O16 - DPF: {E1E73B44-2D20-47A9-9CA2-B534CEBBF856} (F-Secure Health Check 1.0) - http://support.f-secure.com/enu/home/onlin.../fshc/fscax.cab

O20 - AppInit_DLLs: c:\windows\system32\jivazona.dll C:\WINDOWS\system32\fizelugo.dll C:\WINDOWS\system32\mapenelo.dll ,C:\WINDOWS\system32\hezigotu.dll

O20 - Winlogon Notify: acpiz - acpiz.dll (file missing)

O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared\a2service.exe

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Ad-Aware\aawservice.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe

--

End of file - 3331 bytes

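The HijackThis log above shows the persistence layout this infection uses: two orphaned BHO CLSIDs whose DLLs are already gone, one Run value (`vetemikolu`) that launches a system32 DLL through Rundll32.exe and is replicated into the LOCAL SERVICE and NETWORK SERVICE hives, four DLLs chained into AppInit_DLLs, and a Winlogon Notify package whose DLL is missing. The script below is an added triage example, not part of the original post and not a Malwarebytes or HijackThis tool: it parses the O2/O4/O20 line formats exactly as they appear in the HJT v2.0.2 log above, scores each entry, and lists the file names a cleanup would have to target. The `SAMPLE_HJT_LOG` is constructed from lines copied out of the post (plus two benign O4 entries from the same log), and the "generated name" check is an assumed heuristic (lowercase consonant-vowel pairs, as in `zigomobo` and `jivazona`) that matches this log's naming pattern; it is a triage aid, not a verdict, and it does not recognise the mixed-case `geBrsqrP.dll`, which is flagged only because its file is missing.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample: the suspicious O2/O4/O20 lines copied from the HijackThis
# log in the post above, plus two benign O4 entries from the same log so the
# heuristics have legitimate entries to leave alone.
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {9b48c7ad-37b5-45d5-95c3-86245d2f32d4} - C:\WINDOWS\system32\mebokewe.dll (file missing)
O2 - BHO: (no name) - {AC34A03C-9F6B-4710-BA1B-A1B62F4FEA89} - C:\WINDOWS\system32\geBrsqrP.dll (file missing)
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [vetemikolu] Rundll32.exe "C:\WINDOWS\system32\zigomobo.dll",s
O4 - HKUS\S-1-5-19\..\Run: [vetemikolu] Rundll32.exe "C:\WINDOWS\system32\zigomobo.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [vetemikolu] Rundll32.exe "C:\WINDOWS\system32\zigomobo.dll",s (User 'NETWORK SERVICE')
O20 - AppInit_DLLs: c:\windows\system32\jivazona.dll C:\WINDOWS\system32\fizelugo.dll C:\WINDOWS\system32\mapenelo.dll ,C:\WINDOWS\system32\hezigotu.dll
O20 - Winlogon Notify: acpiz - acpiz.dll (file missing)
"""

# Assumed heuristic: the generated names in this log are lowercase
# consonant-vowel pairs, 6 to 12 letters (zigomobo, jivazona, vetemikolu).
GENERATED_NAME = re.compile(r"^(?:[bcdfghjklmnpqrstvwxyz][aeiou]){3,6}$")

# Line formats as printed by HijackThis v2.0.2 in the post above.
O2_BHO = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
                    r"(?P<path>.+?)(?P<missing> \(file missing\))?$")
O4_RUN = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.+)$")
O20_APPINIT = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")
O20_NOTIFY = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - "
                        r"(?P<dll>.+?)(?P<missing> \(file missing\))?$")


def looks_generated(name: str) -> bool:
    """True if a file name or Run value name matches the generated-name heuristic."""
    stem = ntpath.basename(name).rsplit(".", 1)[0]
    return GENERATED_NAME.match(stem) is not None


def _finding(lineno, section, severity, artifact, reason):
    return {"line": lineno, "section": section, "severity": severity,
            "artifact": artifact, "reason": reason}


def scan_hjt(log_text: str) -> list:
    """Triage a HijackThis log for the persistence patterns seen in this post."""
    findings = []
    run_hives = defaultdict(set)   # Run value name -> hives it appears under
    run_line = {}                  # Run value name -> first line number seen
    for lineno, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if (m := O2_BHO.match(line)):
            reasons = []
            if m["name"] == "(no name)":
                reasons.append("BHO has no name")
            if m["missing"]:
                reasons.append("registered DLL is missing on disk (orphaned CLSID)")
            if looks_generated(m["path"]):
                reasons.append("generated-looking DLL name")
            if reasons:
                sev = "high" if looks_generated(m["path"]) else "medium"
                findings.append(_finding(lineno, "O2", sev, m["path"], "; ".join(reasons)))
        elif (m := O4_RUN.match(line)):
            run_hives[m["value"]].add(m["hive"])
            run_line.setdefault(m["value"], lineno)
            cmd = m["cmd"]
            if cmd.lower().startswith("rundll32"):
                # Rundll32 is a signed host; the payload is the DLL it is handed.
                quoted = re.search(r'"([^"]+)"', cmd)
                parts = cmd.split()
                dll = quoted.group(1) if quoted else (parts[1].split(",")[0] if len(parts) > 1 else "")
                sev = "high" if looks_generated(dll) or looks_generated(m["value"]) else "medium"
                findings.append(_finding(lineno, "O4", sev, dll,
                                         "Run value launches a DLL through Rundll32.exe"))
        elif (m := O20_APPINIT.match(line)):
            # AppInit_DLLs are loaded into every process that loads user32.dll,
            # so any entry here deserves a look; the list is space/comma separated.
            for dll in filter(None, re.split(r"[\s,]+", m["dlls"])):
                reason = "AppInit_DLLs entry: loaded into every process that loads user32.dll"
                if looks_generated(dll):
                    reason += "; generated-looking DLL name"
                findings.append(_finding(lineno, "O20", "high", dll, reason))
        elif (m := O20_NOTIFY.match(line)):
            if m["missing"] or looks_generated(m["dll"]):
                reason = "Winlogon Notify package" + (" whose DLL is missing" if m["missing"] else "")
                findings.append(_finding(lineno, "O20", "medium", m["dll"], reason))
    # A Run value present under the LOCAL SERVICE / NETWORK SERVICE hives
    # (S-1-5-19 / S-1-5-20) as well as HKLM is not how installers behave.
    for value, hives in run_hives.items():
        if any(h.startswith(("HKUS\\S-1-5-19", "HKUS\\S-1-5-20")) for h in hives):
            findings.append(_finding(run_line[value], "O4", "medium", value,
                                     "Run value replicated into service-account hives: "
                                     + ", ".join(sorted(hives))))
    return findings


def artifacts(findings) -> set:
    """Lower-cased base names of every DLL the findings point at (cleanup target list)."""
    return {ntpath.basename(f["artifact"]).lower()
            for f in findings if f["artifact"].lower().endswith(".dll")}


if __name__ == "__main__":
    results = scan_hjt(SAMPLE_HJT_LOG)
    for f in results:
        print(f"line {f['line']:>2} {f['section']:<3} {f['severity']:<6} {f['artifact']}  <- {f['reason']}")
    print("\nfiles to account for:", ", ".join(sorted(artifacts(results))))
```

Run against the sample it reports eleven findings, eight of them high, and names eight DLLs; note that the O2 entries are flagged even though their files are missing, because the CLSID registrations themselves are what MBAM lists under "Registry Keys Infected" and still need removing.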