
 prolecat
join:2008-06-17 Fort Myers, FL
[Vundo] Suspected Vundo -- **Please Help**
So I was downloading a file, and when I ran the file, the files suddenly disappeared. Now I notice that my Windows Update (Windows Vista) is disabled, and it gives me error 1058 when I try to enable it.
Even when I go into Admin Tools -> Services to enable it, it automatically reverts back to disabled.
I have a high level of computer knowledge, but this problem is still evading me. Someone please help.
I have since installed AVG Free and scanned, and Ad-Aware SE Pro and scanned. Also HijackThis and CleanUp.
I also scanned with Malwarebytes' Anti-Malware:

Malwarebytes' Anti-Malware 1.17
Database version: 846

2:26:50 AM 6/17/2008
mbam-log-6-17-2008 (02-26-50).txt

Scan type: Quick Scan
Objects scanned: 36102
Time elapsed: 6 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 4
Registry Keys Infected: 8
Registry Values Infected: 2
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 15

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Windows\System32\eacfebtq.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\Windows\System32\lJATKASl.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\Windows\System32\wmgwjhuq.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\Windows\System32\yhxtansi.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{29265f14-9abb-4c5c-8082-c636e3231e58} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{29265f14-9abb-4c5c-8082-c636e3231e58} (Trojan.Vundo) -> Quarantined and deleted successfully.
\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\battle.net (Trojan.FakeAlert) -> Quarantined and deleted successfully.
\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\diablo (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bceb28a5 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSServer (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\ljatkasl -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\eacfebtq.dll (Trojan.Vundo) -> Delete on reboot.
C:\Windows\System32\qtbefcae.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\lJATKASl.dll (Trojan.Vundo) -> Delete on reboot.
C:\Windows\System32\lSAKTAJl.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\lSAKTAJl.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\rumcsogq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\qgoscmur.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\wmgwjhuq.dll (Trojan.Vundo) -> Delete on reboot.
C:\Windows\System32\quhjwgmw.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\yhxtansi.dll (Trojan.Vundo) -> Delete on reboot.
C:\Windows\System32\isnatxhy.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\bnetunin.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\diabunin.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\System32\rQhiJATj.dll (Trojan.Agent) -> Delete on reboot.
C:\Windows\System32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
Most Current HJT Scan
==========================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:57:45 PM, on 6/17/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\Taskmgr.exe
C:\PROGRA~1\MICROS~1\Office12\OUTLOOK.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\wuauclt.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User '?')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User '?')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User '?')
O4 - HKUS\S-1-5-21-480934505-3471112961-221409590-1000\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User '?')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - »fpdownload2.macromedia.com/get/s···lash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

-- End of file - 5343 bytes

LoPhatPhuud Premium,VIP,MVM
join:2002-01-06 Albuquerque, NM
Your HJT log is clean and I suspect your update service has been disabled.
See this link: »support.microsoft.com/kb/896224
That applies to XP, but the idea is the same. For Vista the service is named Windows Update.
-- When angry count four; when very angry, swear.
Microsoft MVP Consumer Security
Gladiator Security Forum

prolecat
join:2008-06-17 Fort Myers, FL
reply to prolecat
My update service is enabled.

LoPhatPhuud Premium,VIP,MVM
join:2002-01-06 Albuquerque, NM
reply to prolecat
First: Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
Second: Reconfigure Windows Vista to show hidden files.
To enable the viewing of hidden files follow these steps:
1. Close all programs so that you are at your desktop.
2. Open the Control Panel menu and click Folder Options.
3. After the new window appears select the View tab.
4. Put a checkmark in the checkbox labeled Display the contents of system folders.
5. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
6. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
7. Remove the checkmark from the checkbox labeled Hide protected operating system files.
8. Press the Apply button and then the OK button and exit My Computer.
Now your computer is configured to show all hidden files.
Third: 1. Download to your Desktop FixPolicies.exe, a self-extracting ZIP archive from here:
2. Double-click FixPolicies.exe.
3. Click the "Install" button on the bottom toolbar of the box that will open.
4. The program will create a new folder called FixPolicies. Double-click to open the new folder, and then double-click the file within: Fix_Policies.cmd.
5. A black box will briefly appear and then close.
Fourth: Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: »www.bleepingcomputer.com/combofi···combofix
Link 1 Link 2 Link 3
**Note: It is important that it is saved directly to your desktop** --------------------------------------------------------------------
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
--------------------------------------------------------------------
Double click on combofix.exe & follow the prompts. When finished, it will produce a report for you.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Important: Have no other programs running. Your Task Bar should be clear of any program entries, including your browser. A window will open with a warning. Accept any disclaimers to start the fix. When the scan completes, Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes. A caution - Do not run ComboFix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
Fifth: Run HijackThis again, and save the log file.
Submit to the Forum: The contents of C:\Combofix.txt; The new HijackThis log.
prol
@comcast.net
reply to prolecat
I decided to just back up and reformat. I really appreciate your website's help, however.
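The locations the Malwarebytes log above flags (an extra LSA Authentication Package, a random-looking HKLM Run value, a BHO CLSID, Start Menu values forced to 0) and the Windows Update service the original poster could not keep enabled can be audited on a live host with a read-only script like the one below. This is an added example, not code from the thread or from any of the tools named in it; it assumes PowerShell 3 or later in an elevated prompt, that the Windows Update service's internal name is wuauserv, and the two triage heuristics (a BHO DLL outside Program Files, and 8-hex-character Run value names or 8-letter system32 DLLs) are my own assumptions, not anything the thread states.

```powershell
# Added example, not from the thread: read-only audit of the persistence points the
# MBAM log listed. Assumes PowerShell 3+ (Get-CimInstance) and an elevated prompt.
$findings = @()

# 1. LSA Authentication Packages: the log showed 'c:\windows\system32\ljatkasl' appended
#    here. Only msv1_0 is present on a default install; anything else deserves a look.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'Authentication Packages'
foreach ($pkg in $lsa.'Authentication Packages') {
    if ($pkg -ne 'msv1_0') { $findings += "LSA Authentication Packages: unexpected entry '$pkg'" }
}

# 2. Windows Update service (wuauserv): the poster saw it revert to Disabled (error 1058).
$wu = Get-CimInstance Win32_Service -Filter "Name='wuauserv'"
if ($wu -and $wu.StartMode -eq 'Disabled') { $findings += "wuauserv is Disabled (state: $($wu.State))" }

# 3. Browser Helper Objects: resolve each CLSID to its DLL; flag DLLs outside Program Files
#    (heuristic: the Vundo BHO in the log pointed at a random-named DLL in System32).
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoKey) {
    foreach ($k in Get-ChildItem $bhoKey) {
        $clsid = $k.PSChildName
        $srv = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InProcServer32"
        $dll = if (Test-Path $srv) { (Get-ItemProperty $srv).'(default)' } else { '<no InProcServer32>' }
        if ($dll -notmatch '^[A-Za-z]:\\Program Files') { $findings += "BHO $clsid -> $dll" }
    }
}

# 4. Run keys: the log had an HKLM Run value named bceb28a5 (8 hex chars) loading an
#    8-letter DLL; both patterns are heuristics, review hits by hand.
foreach ($hive in 'HKLM', 'HKCU') {
    $run = Get-ItemProperty "$($hive):\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
    if (-not $run) { continue }
    foreach ($p in $run.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' }) {
        if ($p.Name -match '^[0-9a-f]{8}$' -or $p.Value -match 'system32\\[a-z]{8}\.dll') {
            $findings += "$hive Run: $($p.Name) = $($p.Value)"
        }
    }
}

# 5. Start Menu values the log reported as Hijack.StartMenu (good value is 1, bad is 0).
$adv = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -ErrorAction SilentlyContinue
foreach ($v in 'Start_ShowRun', 'Start_ShowHelp') {
    if ($adv -and $adv.$v -eq 0) { $findings += "Explorer\Advanced\$v = 0 (hidden)" }
}

if ($findings) { $findings | ForEach-Object { Write-Output "SUSPECT: $_" } } else { Write-Output 'No findings.' }
```

A hit from checks 3 or 4 is a prompt to inspect the file, not proof of infection; a hit from check 1 is much stronger, since nothing legitimate on a home machine normally adds an authentication package.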