BullGuard Antivirus Forum
Problems with TROJAN.VUNDO
Korey (New Member, joined Dec 2005, 6 posts) posted 12-20-2005 6:36 (GMT +1):
Trojan.Vundo has been found on my computer!  I've run the tool from Symantec's website without success.  Can anybody help me get rid of this?

JSntgvr (Senior Member, joined Nov 2005, 605 posts) posted 12-20-2005 8:01 (GMT +1):
Download HijackThis:

Save the file in its own folder such as C:\Hijackthis. Run HijackThis and save the log. Copy and paste its contents in a reply.

Korey (New Member, joined Dec 2005, 6 posts) posted 12-20-2005 8:07 (GMT +1):
Here is my HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 1:06:59 PM, on 12/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\SPYWAR~1\swdoctor.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: MSEvents Object - {B313D637-F405-4052-AC37-E2119AB3C8F8} - C:\WINDOWS\system32\ssqrs.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Insight\BBClient\Programs\RegCon.exe" /admincheck
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] C:\PROGRA~1\SPYWAR~1\swdoctor.exe /Q
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\sslaunch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://download.shockwave.com/pub/otoy/OTOYAX.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://liveca04.rightnowtech.com/7020-b369h/rnl/java/RntX.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: ssqrs - C:\WINDOWS\system32\ssqrs.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

JSntgvr (Senior Member, joined Nov 2005, 605 posts) posted 12-20-2005 8:31 (GMT +1):
Please print these instructions out for use in Safe Mode.

Microsoft AntiSpyware must be disabled before any fix, as it will interfere:

Open Microsoft AntiSpyware.
Click on Tools, Settings. In the left pane, click on Real-time Protection.
Under Startup Options uncheck Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
Under Real-time spyware threat protection uncheck Enable real-time spyware threat protection (recommended).
After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
Right-click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.
Run Msconfig. Select the Startup tab and deselect gcasServ. Click OK and restart the computer when prompted.

That will disable MS AntiSpyware and you can proceed with the fix. After the fix, this should be reversed.

Please download VundoFix.exe to your desktop:

Double-click VundoFix.exe to extract the files.
This will create a VundoFix folder on your desktop.
After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.

Once in Safe Mode, open the VundoFix folder and double-click on KillVundo.bat.

You will first be presented with a warning. It should look like this:

VundoFix V2.15 by Atri
By using VundoFix you agree that you are doing so at your own risk
Press enter to continue....

At this point press Enter one time.

Next you will see:
Please Type in the filepath as instructed by the forum staff
and then press enter:

At this point please type the following file path (make sure to enter it exactly as below!):

C:\WINDOWS\system32\ssqrs.dll

Press Enter to continue with the fix.

Next you will see:
Please type in the second filepath as instructed by the forum
staff then press enter:

At this point please type the following file path (make sure to enter it exactly as below!):

C:\WINDOWS\system32\srqss.*

Press Enter to continue with the fix.

The fix will run, then HijackThis will open; if it does not open automatically, please open it manually.

In HijackThis, please place a check next to the following items and click FIX CHECKED:

O2 - BHO: MSEvents Object - {B313D637-F405-4052-AC37-E2119AB3C8F8} - C:\WINDOWS\system32\ssqrs.dll
O20 - Winlogon Notify: ssqrs - C:\WINDOWS\system32\ssqrs.dll

After you have fixed these items, close HijackThis.

Press Enter to exit the program, then manually reboot your computer.

The fix will tell you to shut down using the power button. Hold in your power button until the computer shuts down. Wait about 15 seconds and then restart the computer into regular Windows.

Chkdsk will run. This is normal. It will take a few minutes and is checking your file system because of the bad shutdown we caused.

Once your machine reboots, please continue with the instructions below.

Download the trial version of Ewido Security Suite:

· Install Ewido.
· During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
· Launch Ewido.
· It will prompt you to update; click the OK button and it will go to the main screen.
· On the left side of the main screen click Update.
· Click on Start and let it update.
· DO NOT run a scan yet.

Restart your computer into Safe Mode.

Perform the following steps in Safe Mode:

Run Ewido:
Click on Scanner.
Click Complete System Scan and the scan will begin.
During the scan it will prompt you to clean files; click OK.
When the scan is finished, look at the bottom of the screen and click the Save report button.
Save the report to your desktop.

Reboot.

Perform an ActiveScan:

Save the report to the desktop.

Post a new HijackThis log and the results of the Ewido and ActiveScan reports, as well as the vundofix.txt file from the VundoFix folder.
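The two HijackThis entries and the two VundoFix file paths in the post above follow a pattern that is worth automating when triaging a log: the same DLL under system32 is registered both as an Internet Explorer Browser Helper Object (an O2 line) and as a Winlogon Notify package (an O20 line, which is loaded into winlogon.exe at boot and is the reason the fix has to kill winlogon.exe before the file can be deleted), and the second path to enter is the same file name with its stem reversed (ssqrs.dll and srqss.*). The Python below is an added example and is not code from the thread, from HijackThis or from VundoFix. The lines in SAMPLE_LOG are constructed to mirror the thread's log format, and both the "same DLL in O2 and O20" rule and the reversed-stem generalisation are heuristics assumed here for illustration, not a published Vundo signature.

```python
"""Triage a HijackThis log for a Vundo-style BHO / Winlogon Notify pair.

Added example, not part of the original forum thread, HijackThis or VundoFix.
The log lines below are constructed to mirror the thread's log format.
"""
import ntpath
import re
from typing import Dict, List

# Constructed sample lines in HijackThis v1.99 format (not a real machine).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: MSEvents Object - {B313D637-F405-4052-AC37-E2119AB3C8F8} - C:\WINDOWS\system32\ssqrs.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: ssqrs - C:\WINDOWS\system32\ssqrs.dll
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

# O2 (Browser Helper Object) and O20 (Winlogon Notify) lines. The CLSID part
# is present only on O2 lines; the "(file missing)" suffix appears when the
# registry still points at a DLL that is no longer on disk.
_ENTRY_RE = re.compile(
    r"^(?P<section>O2|O20) - (?:BHO|Winlogon Notify): (?P<name>.+?) - "
    r"(?:\{[0-9A-Fa-f-]+\} - )?(?P<path>.+?)(?P<missing> \(file missing\))?$"
)


def parse_hjt(text: str) -> List[Dict[str, object]]:
    """Return the O2 and O20 entries of a HijackThis log as dicts."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = _ENTRY_RE.match(line)
        if not m:
            continue  # other sections (R0, O4, O23, ...) are not needed here
        entries.append({
            "section": m.group("section"),
            "name": m.group("name"),
            "path": m.group("path"),
            "missing": m.group("missing") is not None,
            "line": line,
        })
    return entries


def reversed_twin(dll_path: str) -> str:
    """Path pattern for the backup copy kept under the reversed file name.

    Generalises the thread's ssqrs.dll / srqss.* pair (assumed naming rule):
    reverse the file stem, keep the directory, match any extension.
    """
    directory, filename = ntpath.split(dll_path)
    stem, _ext = ntpath.splitext(filename)
    return ntpath.join(directory, stem[::-1] + ".*")


def find_vundo_candidates(entries: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Flag DLLs registered both as an IE BHO (O2) and as a Winlogon Notify
    package (O20). Heuristic: a browser extension has no business being loaded
    into winlogon.exe, and that pairing is exactly what the thread's log shows.
    """
    by_dll: Dict[str, Dict[str, object]] = {}
    for e in entries:
        key = str(e["path"]).lower()  # SYSTEM32 vs system32 is the same file
        info = by_dll.setdefault(key, {"path": e["path"], "sections": set(), "lines": []})
        info["sections"].add(e["section"])
        info["lines"].append(e["line"])
    hits = []
    for info in by_dll.values():
        if {"O2", "O20"} <= info["sections"]:
            hits.append({
                "dll": info["path"],
                "hjt_fix_lines": list(info["lines"]),
                "vundofix_paths": [info["path"], reversed_twin(str(info["path"]))],
            })
    return hits


if __name__ == "__main__":
    for hit in find_vundo_candidates(parse_hjt(SAMPLE_LOG)):
        print("Suspect DLL:", hit["dll"])
        print("  VundoFix file paths to enter:")
        for p in hit["vundofix_paths"]:
            print("   ", p)
        print("  HijackThis lines to check and Fix:")
        for l in hit["hjt_fix_lines"]:
            print("   ", l)
```

Run against a real log, the script prints the VundoFix paths and the HijackThis lines to tick; the legitimate Intel (igfxcui) and Norton entries are not flagged because each appears in only one of the two sections. A "(file missing)" flag on a hit means the file is already gone and only the registry pointers remain, which is the state of the follow-up log later in this thread.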

Korey (New Member, joined Dec 2005, 6 posts) posted 12-21-2005 12:21 (GMT +1):
It worked! Vundo is gone! Thank you very much, I really appreciate your help. Here is my new HJT log and the vundofix.txt along with the Ewido log. I don't have the ActiveScan because right after I downloaded that software I restarted my computer and had no GUI. My mouse pointer was there but no keyboard response, no desktop items and no taskbar. So I deleted the Panda software.
 
Logfile of HijackThis v1.99.1
Scan saved at 5:18:50 PM, on 12/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\SPYWAR~1\swdoctor.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
C:\Program Files\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: MSEvents Object - {B313D637-F405-4052-AC37-E2119AB3C8F8} - C:\WINDOWS\system32\ssqrs.dll (file missing)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Insight\BBClient\Programs\RegCon.exe" /admincheck
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] C:\PROGRA~1\SPYWAR~1\swdoctor.exe /Q
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\sslaunch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://download.shockwave.com/pub/otoy/OTOYAX.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://liveca04.rightnowtech.com/7020-b369h/rnl/java/RntX.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: ssqrs - C:\WINDOWS\system32\ssqrs.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
---------------------------------------------------------
 ewido anti-malware - Scan report
---------------------------------------------------------
 + Created on:   3:57:36 PM, 12/20/2005
 + Report-Checksum:  59F853EA
 + Scan result:
 HKLM\SOFTWARE\Classes\Interface\{2B0ECEAC-F597-4858-A542-D966B49055B9} -> Spyware.180Solutions : Cleaned with backup
 HKLM\SOFTWARE\Classes\Interface\{DDEA2E1D-8555-45E5-AF09-EC9AA4EA27AD} -> Spyware.180Solutions : Cleaned with backup
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\AMeOpt -> Spyware.InternetOptimizer : Cleaned with backup
 HKLM\SOFTWARE\Policies\Avenue Media -> Spyware.InternetOptimizer : Cleaned with backup
 HKU\S-1-5-21-2566170971-4135274661-1292413834-1009\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt -> Spyware.InternetOptimizer : Cleaned with backup
 HKU\S-1-5-21-2566170971-4135274661-1292413834-1009\Software\Policies\Avenue Media -> Spyware.InternetOptimizer : Cleaned with backup
 C:\Program Files\Microsoft AntiSpyware\Quarantine\BCC41978-9845-403D-AA61-B0CCBB\C449A034-CBC8-4CEA-B032-A9A056 -> Spyware.180Solutions : Cleaned with backup

::Report End
VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------
 
Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------
 
killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt
 
--------------------------------------------------------------------------------------
 
Filepaths entered
--------------------------------------------------------------------------------------
 
The filepath entered was C:\WINDOWS\system32\ssqrs.dll
 
The second filepath entered was C:\WINDOWS\system32\srqss.*
 
--------------------------------------------------------------------------------------
 
Log from Process
--------------------------------------------------------------------------------------
 
Killing PID 132 'smss.exe'
Killing PID 768 'explorer.exe'

Killing PID 220 'winlogon.exe'
--------------------------------------------------------------------------------------
 
C:\WINDOWS\system32\ssqrs.dll Deleted sucessfully.
C:\WINDOWS\system32\srqss.* Deleted sucessfully.
 
Fixing Registry
--------------------------------------------------------------------------------------

JSntgvr (Senior Member, joined Nov 2005, 605 posts) posted 12-21-2005 3:06 (GMT +1):
Fix the following lines in HijackThis:
 
O2 - BHO: MSEvents Object - {B313D637-F405-4052-AC37-E2119AB3C8F8} - C:\WINDOWS\system32\ssqrs.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O20 - Winlogon Notify: ssqrs - C:\WINDOWS\system32\ssqrs.dll (file missing)
 
Here are other options:

Kaspersky OnLine Scan:

TrendMicro:

BitDefender:

Please post the results of the scan(s) in your next reply.

Whenever a computer is infected with Vundo, a VirusScan is suggested.

Allison (New Member, joined Dec 2005, 3 posts) posted 12-21-2005 6:43 (GMT +1):
Hello,
I had trojan.vundo about a month or so ago and I got rid of it simply by downloading the free 14-day trial of SpySweeper from www.webroot.com, I believe. So it's worth a shot!
-Allison

Korey (New Member, joined Dec 2005, 6 posts) posted 12-21-2005 7:25 (GMT +1):
Logfile of HijackThis v1.99.1
Scan saved at 10:08:46 PM, on 12/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Insight\BBClient\Programs\RegCon.exe" /admincheck
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] C:\PROGRA~1\SPYWAR~1\swdoctor.exe /Q
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\sslaunch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://download.shockwave.com/pub/otoy/OTOYAX.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://liveca04.rightnowtech.com/7020-b369h/rnl/java/RntX.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
-------------------------------------------------------------------------------

KASPERSKY ON-LINE SCANNER REPORT
Tuesday, December 20, 2005 23:23:39
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 21/12/2005
Kaspersky Anti-Virus database records: 156386
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics:
Total number of scanned objects: 70964
Number of viruses found: 4
Number of infected objects: 16
Number of suspicious objects: 0
Duration of the scan process: 3865 sec

Infected Object Name - Virus Name
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\03114DFB.exe Infected: Trojan-Dropper.Win32.Agent.rs
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\039D2A67.exe Infected: Email-Worm.Win32.VB.an
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\03A47E5F.exe Infected: Email-Worm.Win32.VB.an
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\03A7285C.exe Infected: Email-Worm.Win32.VB.an
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\03AA5258.exe Infected: Email-Worm.Win32.VB.an
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\0C7E2732.tmp Infected: Email-Worm.Win32.VB.an
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\12062BD6.dll Infected: Trojan-Downloader.Win32.ConHook.n
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\3A5E5643.exe Infected: Trojan-Dropper.Win32.Agent.rs
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\54285E23.exe Infected: Trojan-Dropper.Win32.Agent.rs
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\6F3702E3.exe Infected: Trojan-Dropper.Win32.Agent.rs
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\77CC7BA8.exe Infected: Trojan-Downloader.Win32.Dyfuca.ei
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\7ACF5E5F.exe Infected: Email-Worm.Win32.VB.an
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\7B3E71E4.exe Infected: Email-Worm.Win32.VB.an
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\7BBA2D5C.exe Infected: Email-Worm.Win32.VB.an
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\7BCB7F4A.exe Infected: Email-Worm.Win32.VB.an
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\7DA11D44.exe Infected: Email-Worm.Win32.VB.an

Scan process completed.
 

JSntgvr
Senior Member


Date Joined Nov 2005
Total Posts : 605
 
Posted 12-21-2005 1:24 (GMT +1)
Fix the following lines with Hijackthis:
 
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
All malware is being quarantined by Norton. You can flush that out through Norton.
 
Best wishes!
 

Korey
New Member


Date Joined Dec 2005
Total Posts : 6
 
Posted 12-24-2005 6:04 (GMT +1)
Thank you for your help. No more problems!
 

Geeby Hater
New Member


Date Joined Dec 2005
Total Posts : 3
 
Posted 12-24-2005 10:25 (GMT +1)
Re: WINFIXER - VIRTUMONDE - VUNDO - GEEBY.DLL
Successful Trojan Removal Program
I have spent MANY hours freaked trying to get rid of this devil. Have tried many methods found on the web to remove it, including Symantec and McAfee. Was getting ready to reformat my hard disk and start over when I found a small (94.7KB), privately written program on the McAfee Help forum that did the job in a quick, simple snap:
Removal Tool (VirtumundoBeGone.exe) at: http://forums.mcafeehelp.com/viewtopic.php?t=57049
Read the information - 45 seconds;
Downloaded VirtumundoBeGone.exe - 10 seconds;
Ran VirtumundoBeGone.exe - 2 minutes;
Computer rebooted - 2 minutes;
Read VGB.TXT report on my desktop - 30 seconds;
Deleted all remaining remnants of this freak - 60 seconds.
Now plan to party ALL NIGHT.
It worked, it was simple.
THANK YOU!!!!!
Can't guarantee that it will work for you, but it did work for me and was real easy to run.


Additional information:


EWIDO <http://www.ewido.net/en> has been good at spotting GEEBY.DLL. EWIDO removed it from 14 locations on my computer plus fixing a number of other problems that my other more well known, expensive programs did not remove. However, it could not get GEEBY.DLL in Windows\system32 that was called by winlogon.exe. It recognizes it there, and attempts to remove it, but with no luck. EWIDO is free to try, and free to use permanently except that the real time protection is disabled after two weeks. Still, not a bad manual scanner and remover to have as a backup if you don't want to pay for it.

_______________________
For those of you interested, I ran the program twice. The first time it found Virtumundo and removed it. The removal process involved rebooting the computer. The second time it did not find Virtumundo and there was no computer reboot:


At the bottom I have copied the thread that led me to this program. If it doesn't work for you, maybe some of the other leads will.



Here are the removal reports that Virtumundobegone.exe put on my desktop. I am not enough of a computer person to know how much of this will be universal and how much unique:


[12/23/2005, 23:12:46] - VirtumundoBeGone v1.5 ( "c:\My Downloads\0-LoadFromHere\VirtumundoBeGone.exe" )
[12/23/2005, 23:13:08] - Detected System Information:
[12/23/2005, 23:13:08] -  Windows Version: 5.1.2600, Service Pack 2
[12/23/2005, 23:13:08] -  Current Username: XXXXX XXXXXXX (Admin)
[12/23/2005, 23:13:08] -  Windows is in NORMAL mode.
[12/23/2005, 23:13:08] - Searching for Browser Helper Objects:
[12/23/2005, 23:13:08] -  BHO 1: {02478D38-C3F9-4efb-9B51-7695ECA05670} (Yahoo! Companion BHO)
[12/23/2005, 23:13:08] -  BHO 2: {06647158-359E-4D10-A8DE-E6145DA90BE9} (Trend Micro Antifraud Toolbar)
[12/23/2005, 23:13:08] -  BHO 3: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[12/23/2005, 23:13:08] -  BHO 4: {53707962-6F74-2D53-2644-206D7942484F} ()
[12/23/2005, 23:13:08] - WARNING: BHO has no default name. Checking for Winlogon reference.
[12/23/2005, 23:13:08] -  Checking for HKLM\...\Winlogon\Notify\SDHelper
[12/23/2005, 23:13:08] -  Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[12/23/2005, 23:13:08] -  BHO 5: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} (PCTools Site Guard)
[12/23/2005, 23:13:08] -  BHO 6: {7c1ce531-09e9-4fc5-9803-1c2956615786} (IeCaptureBho Object)
[12/23/2005, 23:13:09] -  BHO 7: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[12/23/2005, 23:13:09] -  BHO 8: {B56A7D7D-6927-48C8-A975-17DF180C71AC} (PCTools Browser Monitor)
[12/23/2005, 23:13:09] -  BHO 9: {FC148228-87E1-4D00-AC06-58DCAA52A4D1} (MSEvents Object)
[12/23/2005, 23:13:09] - ALERT: Found MSEvents Object!
[12/23/2005, 23:13:09] - Finished Searching Browser Helper Objects
[12/23/2005, 23:13:09] - *** Detected MSEvents Object
[12/23/2005, 23:13:09] - Trying to remove MSEvents Object...
[12/23/2005, 23:13:10] -    Terminating Process: IEXPLORE.EXE
[12/23/2005, 23:13:10] -    Terminating Process: RUNDLL32.EXE
[12/23/2005, 23:13:10] -    Disabling Automatic Shell Restart
[12/23/2005, 23:13:10] -    Terminating Process: EXPLORER.EXE
[12/23/2005, 23:13:10] -    Suspending the NT Session Manager System Service
[12/23/2005, 23:13:11] -    Terminating Windows NT Logon/Logoff Manager
[12/23/2005, 23:13:12] -    Re-enabling Automatic Shell Restart
[12/23/2005, 23:13:12] -   File to disable: C:\WINDOWS\system32\geeby.dll
[12/23/2005, 23:13:12] -  Renaming C:\WINDOWS\system32\geeby.dll -> C:\WINDOWS\system32\geeby.dll.vir
[12/23/2005, 23:13:12] -  File successfully renamed!
[12/23/2005, 23:13:12] -   Removing HKLM\...\Browser Helper Objects\{FC148228-87E1-4D00-AC06-58DCAA52A4D1}
[12/23/2005, 23:13:12] -   Removing HKCR\CLSID\{FC148228-87E1-4D00-AC06-58DCAA52A4D1}
[12/23/2005, 23:13:12] -   Adding Kill Bit for ActiveX for GUID: {FC148228-87E1-4D00-AC06-58DCAA52A4D1}
[12/23/2005, 23:13:12] -   Deleting ATLEvents/MSEvents Registry entries
[12/23/2005, 23:13:12] -   Removing HKLM\...\Winlogon\Notify\geeby
[12/23/2005, 23:13:12] - Searching for Browser Helper Objects:
[12/23/2005, 23:13:12] -  BHO 1: {02478D38-C3F9-4efb-9B51-7695ECA05670} (Yahoo! Companion BHO)
[12/23/2005, 23:13:12] -  BHO 2: {06647158-359E-4D10-A8DE-E6145DA90BE9} (Trend Micro Antifraud Toolbar)
[12/23/2005, 23:13:12] -  BHO 3: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[12/23/2005, 23:13:12] -  BHO 4: {53707962-6F74-2D53-2644-206D7942484F} ()
[12/23/2005, 23:13:12] - WARNING: BHO has no default name. Checking for Winlogon reference.
[12/23/2005, 23:13:12] -  Checking for HKLM\...\Winlogon\Notify\SDHelper
[12/23/2005, 23:13:12] -  Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[12/23/2005, 23:13:12] -  BHO 5: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} (PCTools Site Guard)
[12/23/2005, 23:13:12] -  BHO 6: {7c1ce531-09e9-4fc5-9803-1c2956615786} (IeCaptureBho Object)
[12/23/2005, 23:13:13] -  BHO 7: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[12/23/2005, 23:13:13] -  BHO 8: {B56A7D7D-6927-48C8-A975-17DF180C71AC} (PCTools Browser Monitor)
[12/23/2005, 23:13:13] - Finished Searching Browser Helper Objects
[12/23/2005, 23:13:13] - Finishing up...
[12/23/2005, 23:13:13] - A restart is needed.
[12/23/2005, 23:13:25] - Attempting to Restart via STOP error (Blue Screen!)
--------------------------
Here is the second report when Virtumundo had already been removed. (No reboot because it had been cleaned):

[12/23/2005, 23:27:16] - VirtumundoBeGone v1.5 ( "c:\My Downloads\0-LoadFromHere\VirtumundoBeGone.exe" )
[12/23/2005, 23:27:20] - Detected System Information:
[12/23/2005, 23:27:20] -  Windows Version: 5.1.2600, Service Pack 2
[12/23/2005, 23:27:20] -  Current Username: XXXXXX XXXXXXXX (Admin)
[12/23/2005, 23:27:20] -  Windows is in NORMAL mode.
[12/23/2005, 23:27:20] - Searching for Browser Helper Objects:
[12/23/2005, 23:27:20] -  BHO 1: {02478D38-C3F9-4efb-9B51-7695ECA05670} (Yahoo! Companion BHO)
[12/23/2005, 23:27:20] -  BHO 2: {06647158-359E-4D10-A8DE-E6145DA90BE9} (Trend Micro Antifraud Toolbar)
[12/23/2005, 23:27:20] -  BHO 3: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[12/23/2005, 23:27:20] -  BHO 4: {53707962-6F74-2D53-2644-206D7942484F} ()
[12/23/2005, 23:27:21] - WARNING: BHO has no default name. Checking for Winlogon reference.
[12/23/2005, 23:27:21] -  Checking for HKLM\...\Winlogon\Notify\SDHelper
[12/23/2005, 23:27:21] -  Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[12/23/2005, 23:27:21] -  BHO 5: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} (PCTools Site Guard)
[12/23/2005, 23:27:21] -  BHO 6: {7c1ce531-09e9-4fc5-9803-1c2956615786} (IeCaptureBho Object)
[12/23/2005, 23:27:21] -  BHO 7: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[12/23/2005, 23:27:21] -  BHO 8: {B56A7D7D-6927-48C8-A975-17DF180C71AC} (PCTools Browser Monitor)
[12/23/2005, 23:27:21] - Finished Searching Browser Helper Objects
[12/23/2005, 23:27:21] - Finishing up...
[12/23/2005, 23:27:21] - Nothing found! Exiting...

-------------------------------------------------------


The following thread led me to the above program. If it doesn't work hopefully something else here will work:


Hi Barryco - Five approaches to removing Winfixer (Vundo). Not all will work on all variants. It's suggested that you try them in this order.
2 - McAfee has a combined automated/manual removal procedure here:
http://vil.nai.com/vil/content/v_127690.htm

3 - It's been reported that the Removal Tool here is worthwhile:
http://forums.mcafeehelp.com/viewtopic.php?t=57049

4 - Then, courtesy of MVP Suzi Turner and Mosaic1:
"Atribune, a guy in the forums, has a Vundo fix tool as well:
Instructions for use by user as posted in the SpywareWarrior forum:
'Please download VundoFix.exe to your desktop. Here's a link:
Double-click VundoFix.exe to extract the files
This will create a VundoFix folder on your desktop.
After the files are extracted, please restart your computer into Safe Mode.
Once in safe mode open the VundoFix folder and double-click on KillVundo.bat
A command window will open and it should look like this:
VundoFix V2.1 by Atri
By pressing enter you agree that you are using this at your own risk
At this point press enter one time.
Next you will see:
Type in the filepath as instructed by the forum staff
Then Press Enter, to continue with the fix.

At this point please type the following file path (make sure to enter it exactly as below!):
C:\WINDOWS\system32\geeby.dll
Press Enter.
Next you will see:
Please type in the second filepath as instructed by the forum staff
At this point please type the following file path (make sure to enter it exactly as below!):
C:\WINDOWS\system32\ybeeg.*
Press Enter to continue.
The fix will run then HijackThis will open.
In HijackThis, please place a check next to the following items and click FIX CHECKED:

O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\geeby.dll
O20 - Winlogon Notify: geeby - C:\WINDOWS\system32\geeby.dll
After you have fixed these items, close Hijackthis.
The fix will tell you to shutdown using the Power button. Hold in your power button until the computer shuts down. Wait about 15 seconds and then restart the computer into regular windows.
Chkdsk will run. This is normal. It will take a few minutes and is checking your file system because of the Bad Shutdown we caused.
Go for free online Virus scans here:
Allow them to clean
Panda will have the option to create a log after the scan has finished. Click the See Report button. Then click the save Report button. It will be saved under the name activescan.txt Do that and post that log into your next reply here.
Run hijackthis and post the new log and the vundofix.txt file from the vundofix folder into as well.'
----------------------------------------------------------------------------
The forum helpers have reported this fix from Atribune works. I don't know about the Symantec tool.
If you'd like to join Spyware Warrior, you could see the thread where the helpers are discussing this.
Suzi"
 
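The two triage checks the helpers apply above, as an added Python example (not code from this thread, from HijackThis or from VirtumundoBeGone): flag entries marked "(file missing)", as in the O9 PartyPoker lines, and flag a BHO (O2) whose DLL is also loaded as a Winlogon Notify (O20) entry, the geeby.dll pattern in the quoted VundoFix instructions. The sample lines are constructed from those quoted in this thread; the "Example" paths and the all-zero CLSID are placeholders for benign add-ons.

```python
import re
from collections import defaultdict

# Constructed sample of HijackThis (HJT) lines, modelled on those quoted in
# this thread; the "Example" entries are placeholders for benign add-ons.
SAMPLE_LOG = r"""
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Example\unnamed.dll
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\geeby.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: geeby - C:\WINDOWS\system32\geeby.dll
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
MISSING = "(file missing)"

def parse_entry(line):
    """Split an 'Oxx - Kind: name - {CLSID} - path' line into a dict.
    Lines without ' - ' separated fields (O4 Run, O16 DPF, ...) yield None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.groups()
    fields = [f.strip() for f in rest.split(" - ")]
    if len(fields) < 2 or ":" not in fields[0]:
        return None
    kind, name = (s.strip() for s in fields[0].split(":", 1))
    clsid = next((f.upper() for f in fields[1:-1] if CLSID_RE.fullmatch(f)), None)
    path = fields[-1]
    missing = path.endswith(MISSING)
    if missing:
        path = path[: -len(MISSING)].strip()
    return {"section": section, "kind": kind, "name": name,
            "clsid": clsid, "path": path, "missing": missing}

def triage(log_text):
    """Return (section, path, reason) tuples for entries worth a closer look."""
    entries = [e for e in map(parse_entry, log_text.splitlines()) if e]
    # Index Winlogon Notify DLLs by case-folded path (Windows paths are
    # case-insensitive, and O2/O20 lines for one DLL may differ only in case).
    notify = defaultdict(list)
    for e in entries:
        if e["section"] == "O20":
            notify[e["path"].lower()].append(e["name"])
    findings = []
    for e in entries:
        if e["missing"]:
            findings.append((e["section"], e["path"], "dangling entry: target file is missing"))
        if e["section"] == "O2":
            reasons = []
            if e["name"] in ("", "(no name)"):
                reasons.append("BHO has no default name")
            if e["path"].lower() in notify:
                reasons.append("same DLL also registered as Winlogon Notify (O20)")
            if reasons:
                findings.append(("O2", e["path"], "; ".join(reasons)))
    return findings

if __name__ == "__main__":
    for section, path, reason in triage(SAMPLE_LOG):
        print(f"{section:<4}{path}\n    -> {reason}")
```

A hit from the O2/O20 check is only a lead: confirm the DLL's publisher and location before fixing the entry, since legitimate Winlogon Notify packages also live in system32.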