Infected with Trojan.Vundo.H [Closed]

Need a geek? Geeks to Go offers free, quality tech support -- in terms anyone can understand. Volunteers are waiting to help, friendly, technology experts who have knowledge to share, and enjoy helping others. Feel free to browse the site as a guest. However, you must log in to reply to existing topics, or to start a new topic of your own. Other benefits of joining include richer forum features, and removal of all advertising. Learn more in our Welcome Guide Infected? Malware and Spyware Cleaning Guide. What are you waiting for? Click here to join for free today!

> Geeks to Go! » Security » Virus, Spyware and Trojan Removal

Infected with Trojan.Vundo.H [Closed], Computer slows, malawarebytes shows repeated infection with TVH.

Options

little_angel View Member Profile	Sep 18 2009, 04:25 PM Post #1
New Member Posts: 8 OS: windows xp	Hello, I've noticed my computer to be excessively slow for about 1 month or so. When I ran Malawarebytes, it showed I was infected with Trojan.Vundo.H., and prompted me to reboot computer to fix. After being "fixed", my computer runs a bit faster, however, after 5 minutes of connecting to the internet, without surfing or even opening Internet explorer, my computer would become sluggish and Malawarebytes would show that i have at least 5 infections with of the same Trojan. When I surf for instruction on removal of TVH, just about any website I clicked on would be redirected to somewhere else. Sometimes, I even get redirected when trying to go to www.mail.yahoo.com. I'm not sure if this is related, but about a month or so, I have not been able to open the Add/Remove programs option in my COntrol Panel to remove unwanted program, no matter what I do. Below is my most recent Malawarebytes scan and HJT log Thank you for all your help. Malwarebytes' Anti-Malware 1.41 Database version: 2819 Windows 5.1.2600 Service Pack 3 9/18/2009 1:35:51 PM mbam-log-2009-09-18 (13-35-51).txt Scan type: Full Scan (C:\\|) Objects scanned: 217185 Time elapsed: 1 hour(s), 38 minute(s), 55 second(s) Memory Processes Infected: 0 Memory Modules Infected: 1 Registry Keys Infected: 3 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 1 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: C:\WINDOWS\SYSTEM32\ablvzzxf.dll (Trojan.Vundo.H) -> Delete on reboot. Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{01f97b14-a066-42fa-80b9-5f112a423743} (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{01f97b14-a066-42fa-80b9-5f112a423743} (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{01f97b14-a066-42fa-80b9-5f112a423743} (Trojan.Vundo.H) -> Quarantined and deleted successfully. Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\WINDOWS\SYSTEM32\ablvzzxf.dll (Trojan.Vundo.H) -> Delete on reboot. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 6:14:48 PM, on 9/18/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.EXE C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\WINDOWS\System32\CTsvcCDA.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\wdfmgr.exe C:\Program Files\Viewpoint\Common\ViewpointService.exe C:\WINDOWS\System32\alg.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\hkcmd.exe C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe C:\Program Files\Dell AIO Printer A940\dlbabmon.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\QuickTime\qttask.exe C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe C:\Program Files\Digital Line Detect\DLG.exe C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe C:\Program Files\internet explorer\iexplore.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\WINDOWS\system32\wbem\wmiprvse.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank O1 - Hosts: ::1 localhost O1 - Hosts: ??????????????? browser-security.microsoft.com O1 - Hosts: ??????????????? spywareprotector-2009.com O1 - Hosts: ??????????????? www.spywareprotector-2009.com O1 - Hosts: ??????????????? secure.spywareprotector-2009.com O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file) O2 - BHO: (no name) - {2EB5C6DF-DBF6-4E3F-A81A-FABABBCB693B} - c:\windows\system32\ojxhfcz.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe O4 - HKLM\..\Run: [hpppt] /ICON O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe" O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe" O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p (User 'Default user') O4 - Global Startup: Digital Line Detect.lnk = ? O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O15 - Trusted Zone: *.imageservr.com (HKLM) O16 - DPF: Yahoo! Go - http://download.games.yahoo.com/games/clients/y/gt2_x.cab O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - https://wimpro.cce.hp.com/ChatEntry/downloads/sysinfo.cab O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase9563.cab O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1173831454421 O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab O16 - DPF: {8646A6AF-0AE4-4BF8-B716-DB1513803972} (SFImageUpload1_8.ImageUpload) - http://riteaid.storefront.com/images/globa...geUpload1_8.CAB O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://www.imgag.com/cp/install/Crusher.cab O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/gamem...GameManager.cab O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.dll O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://liveca04.rightnowtech.com/7020-b369...l/java/RntX.cab O16 - DPF: {E991BDE0-9816-4094-853E-6BDB60F0342D} (Get_ActiveX Control) - http://apps.corel.com/nos_dl_manager/plugi...NetOpPlugin.ocx O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll O20 - AppInit_DLLs: karna.dat O20 - Winlogon Notify: bbddqbke - C:\WINDOWS\SYSTEM32\ojxhfcz.dll O20 - Winlogon Notify: mljigfg - mljigfg.dll (file missing) O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\SYSTEM32\IcdSptSv.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsassnexe (file missing) O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe -- End of file - 9582 bytes

NeonFx View Member Profile	Sep 18 2009, 04:44 PM Post #2
Malware Removal Dude Posts: 1,350 From: California OS: XP / Vista	Hello there Welcome to the GeeksToGo forums. My name is NeonFx. I'll be glad to help you with your computer problems. Logs can take some time to research, so please be patient with me. I am still a student here, and as such I will have to have all my responses checked by a malware removal expert before I post them here. Please note the following: The fixes are specific to your problem and should only be used on this machine. Please continue to review my answers until I tell you your machine appears to be clean. Absence of symptoms does not necessarily mean that the system is completely clean. It's often worth reading through these instructions and printing them for ease of reference. I may ask you to boot into Safe Mode where you will be unable to follow my instructions online. If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry. Please reply to this thread. Do not start a new topic. Note: Disabling any security programs you have running will significantly decrease the time it takes to run most of the programs I ask you run. Please disable them before performing any of my steps. For instructions, if needed, see HERE Step 1 Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors). http://sites.google.com/site/sysprotantirootkit/ Unzip it into a folder on your desktop. Start the Sysprot.exe program. Click on the Log tab. In the Write to log box select all items. Click on the Create Log button on the bottom right. After a few seconds a new Window should appear. Make sure Scan all drives is selected and click on the Start button. (Unless you have a floppy drive. In this case, please use "Scan Root Drive Only" and press Start) When it is complete a new Window will appear to indicate that the scan is finished. The log will be created and saved automatically in the same folder. Open the text file and copy/paste the log here. Step 2 Download AVZ and save it to your Desktop by right clicking HERE , selecting "Save Link As" or "Save Target As" and browsing to your desktop on the window that pops up before you click on the Save button. Right click on avz4.zip and select "Extract All..." from the selection. Extract it to a new folder on your desktop and open this folder. If you used the default settings, this folder will be called "avz4." Double click on AVZ.exe Click File > Custom scripts Copy & paste the contents of the following codebox into the new "Run A Script" window that opened up. (start with begin and end with end.) To copy and paste you need to click and drag your mouse to select all the text, right click on it and select "Copy". Then right click where you wish to paste it and select "Paste" CODE begin if ExecuteAVUpdate then AddLineToTxtFile(GetAVZDirectory + '\LOG\History.txt', DateTimeToStr(Now)+': Update Completed') else AddLineToTxtFile(GetAVZDirectory + '\LOG\History.txt', DateTimeToStr(Now)+': Error Updating'); if ExecuteStdScr(3) then AddLineToTxtFile(GetAVZDirectory + '\LOG\History.txt', DateTimeToStr(Now)+': System Analysis with MRM enabled was run successfully'); SetAVZPMStatus(True); RebootWindows(true); end. Click the "Check Syntax" button If you get an error when clicking "Check Syntax" make sure you copy and pasted the entire code over correctly. If it says "Syntax is Correct" with a green check, click on the Run button to start the script. Note: When you run the script, your PC will be restarted. STEP 3 After your computer Restarts: Double click on AVZ.exe Click File > Custom scripts Copy & paste the contents of the following codebox into the new "Run A Script" window that opened up. (start with begin and end with end.) To copy and paste you need to click and drag your mouse to select all the text, right click on it and select "Copy". Then right click where you wish to paste it and select "Paste" CODE begin if GetAVZPMStatus then AddLineToTxtFile(GetAVZDirectory + '\LOG\History.txt', DateTimeToStr(Now)+': AVZPM is active') else AddLineToTxtFile(GetAVZDirectory + '\LOG\History.txt', DateTimeToStr(Now)+': AVZPM is not active'); if ExecuteStdScr(2) then AddLineToTxtFile(GetAVZDirectory + '\LOG\History.txt', DateTimeToStr(Now)+': System Analysis was run successfully'); RebootWindows(true); end. Click the "Check Syntax" button If you get an error when clicking "Check Syntax" make sure you copy and pasted the entire code over correctly. If it says "Syntax is Correct" with a green check, click on the Run button to start the script. Note: When you run the script, your PC will be restarted. AVZ saves its logs as .zip files in the LOG folder within the AVZ4 folder from which AVZ.exe was run. Please attach both virusinfo_syscure.zip and virusinfo_syscheck.zip to your next post. To attach a file, do the following: Click Add Reply Under the reply panel is the Attachments Panel Browse for the attachment file you want to upload, then click the green Upload button Once it has uploaded, click the Manage Current Attachments drop down box Click on to insert the attachment into your post In the LOG folder you will also see a file called "History.txt". Please double click on it to open it in Notepad, and copy and paste the contents of that file here. Step 4 Download OTL to your desktop. Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted. When the window appears, underneath Output at the top change it to Minimal Output. Under the Standard Registry box change it to All. Under the Extra Registry box change it to Use SafeList if it is not selected. Check the boxes beside LOP Check and Purity Check. Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long. When the scan completes, it will open two notepad windows. OTL.txt and Extras.Txt. These are saved in the same location as OTL.exe. Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. In your next reply, please include The results from the SysProt scan The two attached zip files from the AVZ scans The contents of the History.txt file in AVZ's LOG folder. The results from the OTL scans (OTL.txt , Extras.txt)

NeonFx View Member Profile	Sep 19 2009, 11:21 AM Post #4
Malware Removal Dude Posts: 1,350 From: California OS: XP / Vista	Thank you for that Please do the following now: STEP 1 Run OTL Under the Custom Scans/Fixes box at the bottom, paste in the following CODE :OTL SRV - (auguamcv [Auto \| Running]) -- C:\WINDOWS\System32\ojxhfcz.dll () FF - prefs.js..extensions.enabledItems: {736fca60-00ae-431c-93b9-f4c01470e8cc}:1.0 [2009/09/18 19:41:30 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\TuongVy\Application Data\mozilla\Firefox\Profiles\2e2g8oi8.default\extensions\{736fca60-00ae-431c-93b9-f4c01470e8cc} O2 - BHO: (no name) - {01F97B14-A066-42FA-80B9-5F112A423743} - C:\WINDOWS\System32\ablvzzxf.dll () O2 - BHO: () - {2EB5C6DF-DBF6-4E3F-A81A-FABABBCB693B} - C:\WINDOWS\System32\ojxhfcz.dll () O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O20 - AppInit_DLLs: (karna.datS\System3) - File not found O20 - Winlogon\Notify\bbddqbke: DllName - ojxhfcz.dll - C:\WINDOWS\System32\ojxhfcz.dll () O20 - Winlogon\Notify\mljigfg: DllName - mljigfg.dll - File not found [2009/09/18 01:11:32 \| 00,000,000 \| ---D \| C] -- C:\Documents and Settings\TuongVy\Local Settings\Application Data\kfogetgj [2009/09/18 01:11:32 \| 00,000,000 \| ---D \| C] -- C:\Documents and Settings\TuongVy\Application Data\kfogetgj [2002/08/29 05:00:00 \| 00,147,968 \| ---- \| C] () -- C:\WINDOWS\System32\lvmcyiat.dll [2002/08/29 05:00:00 \| 00,147,968 \| ---- \| C] () -- C:\WINDOWS\System32\ablvzzxf.dll [2002/08/29 05:00:00 \| 00,102,400 \| ---- \| C] () -- C:\WINDOWS\System32\ojxhfcz.dll [2002/08/29 05:00:00 \| 00,102,400 \| ---- \| C] () -- C:\WINDOWS\System32\euqdegy.dll :Services :Reg :Files C:\WINDOWS\tasks\At.job :Commands [purity] [resethosts] [emptytemp] [Reboot] Then click the Run Fix* button at the top Let the program run unhindered, reboot the PC when it is done This will create a log in C:\_OTL\MovedFiles\<date>_<time>.txt where date and time are those of when the fix was run. Open it from there if it does not appear automatically on reboot. Please copy and paste the contents of that file here. STEP 2 Open MalwareBytes AntiMalware Update your version of MalwareBytes by clicking on the update tab at the top and using the button. If an update is found, it will download and install the latest version. Once the program has loaded, select "Perform Full Scan", then click Scan. Select all your harddrives and click on "Scan Now" The scan may take some time to finish,so please be patient. When the scan is complete, click OK, then Show Results to view the results. Make sure that everything is checked, and click Remove Selected. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM. Copy & Paste the entire report in your next reply. Please restart your computer again. STEP 3 After rebooting, run OTL again and click on the Quick Scan button at the top. Copy and Paste the results of this scan in your next reply. STEP 4 How's the computer running? Are you experiencing any symptoms? If you are still being redirected on the internet, do you get the same symptoms while using Internet Explorer instead of Firefox?

little_angel View Member Profile	Sep 19 2009, 08:29 PM Post #5
New Member Posts: 8 OS: windows xp	I tried running olt fix but my computer keeps on stalling/freezing. the last try took over 10 hours with a blank white box that was olt and my desktop background on the back. I couldn't shut off the computer, and had to turn off then on electricity to restart the computer. After the computer restarted, there are a lot of new icons/items on the desktop that were not there before with names of different files. I tried going into Drive C looking for olt folder to see what is reported but there is nothing in the subfolders. what should i do now? do i try to rerun the olt again or go to malawarebytes?

NeonFx View Member Profile	Sep 20 2009, 09:59 AM Post #6
Malware Removal Dude Posts: 1,350 From: California OS: XP / Vista	That's alright, let's try to get it with the other tool you downloaded. STEP 1 Close all your programs and disable all your security programs before proceeding. Double click on AVZ.exe Click File > Custom scripts Copy & paste the contents of the following codebox into the new "Run A Script" window that opened up. (start with begin and end with end.) To copy and paste you need to click and drag your mouse to select all the text, right click on it and select "Copy". Then right click where you wish to paste it and select "Paste" CODE begin SearchRootkit(true, true); SetAVZGuardStatus(True); StopService('auguamcv'); DeleteService('auguamcv', true); DelCLSID('01F97B14-A066-42FA-80B9-5F112A423743'); DelCLSID('2EB5C6DF-DBF6-4E3F-A81A-FABABBCB693B'); RegKeyStrParamWrite('HKLM','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows','AppInit_DLLs', ''); DelWinlogonNotifyByFileName('ojxhfcz.dll'); DelWinlogonNotifyByFileName('mljigfg.dll'); DeleteFileMask('C:\Documents and Settings\TuongVy\Local Settings\Application Data\kfogetgj', '.', true); DeleteFileMask('C:\Documents and Settings\TuongVy\Application Data\kfogetgj', '.', true); DeleteFileMask('C:\WINDOWS\tasks', 'At.job', false); DeleteFile('C:\WINDOWS\System32\lvmcyiat.dll'); DeleteFile('C:\WINDOWS\System32\ablvzzxf.dll'); DeleteFile('C:\WINDOWS\System32\ojxhfcz.dll'); DeleteFile('C:\WINDOWS\System32\euqdegy.dll'); DeleteFile('C:\WINDOWS\System32\mljigfg.dll'); DeleteFile('C:\WINDOWS\System32\karna.dat'); BC_ImportAll; ExecuteSysClean; ExecuteRepair(6); ExecuteRepair(13); BC_Activate; RebootWindows(true); end. Click the "Check Syntax"* button If you get an error when clicking "Check Syntax" make sure you copy and pasted the entire code over correctly. If it says "Syntax is Correct" with a green check, click on the Run button to start the script. Note: When you run the script, your PC will be restarted. STEP 2 Open MalwareBytes AntiMalware Update your version of MalwareBytes by clicking on the update tab at the top and using the button. If an update is found, it will download and install the latest version. Once the program has loaded, select "Perform Full Scan", then click Scan. Select all your harddrives and click on "Scan Now" The scan may take some time to finish,so please be patient. When the scan is complete, click OK, then Show Results to view the results. Make sure that everything is checked, and click Remove Selected. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM. Copy & Paste the entire report in your next reply. Please restart your computer again. STEP 3 After rebooting, run OTL.exe and click on the Quick Scan button at the top. Copy and Paste the results of this scan in your next reply. STEP 4 How's the computer running? Are you experiencing any symptoms? If you are still being redirected on the internet, do you get the same symptoms while using Internet Explorer instead of Firefox? This post has been edited by NeonFx: Sep 20 2009, 10:01 AM

little_angel View Member Profile	Sep 20 2009, 07:15 PM Post #7
New Member Posts: 8 OS: windows xp	I ran avz as instructed and restarted my computer. When my computer restarted, a box that says "found new hardware wizard" showed up asking me to connect to windows update to serach for software. when i clicked cancel to go to my desktop, i have a box that says "malwarebytes' anti-malware"- "run-time error '372': failed to load control 'vbalGrid' from vbalsgrid6.ocx. your version may be outdated. make sure you are using the version of control that was provided with your application." My desktop background days "active desktop recovery", to restore active desktop, click on the restore active desktop bar. When I tried to connect to the internet with my internet connection setting, there were none there. before, there were LAN connection option, now there is nothing there. I restarted my computer again, and was told the same thing, except this time there is no start-up tab at the lower left corner, or any taskbar at all. for me to restart the computer, i have to manually cut off the electricity. also, i couldn't open any files or restore my active desktop. There are also shaded files on my desktop from the runs with OTL. what should i do with those? is it ok for me to delete them?

NeonFx View Member Profile	Sep 20 2009, 07:32 PM Post #8
Malware Removal Dude Posts: 1,350 From: California OS: XP / Vista	Hi little_angel. I'm sorry to hear this has happened, there must be an infection on your system that I either missed, or cannot see, that is actively defending itself and the other infections on your system. Nothing in the fix I gave you can cause any of that. I will go over your logs once again and consult with my teacher about this. My teacher has left for the day so I will have a new fix for you sometime tomorrow morning my time. In the meantime, could you attempt to boot into safemode and let me know if you can see your taskbar and run programs in that mode? To boot into SafeMode you need to repeatedly press the F8 key on your keyboard as soon as you press the power button until a black and white menu comes up. Use your arrows and enter key to select SafeMode. Once it loads, log into your account and click on Yes when prompted if you wish to enter Safe Mode. Apart from that, try to leave the computer alone while I decide on our next move. This post has been edited by NeonFx: Sep 20 2009, 07:39 PM

little_angel View Member Profile	Sep 20 2009, 08:00 PM Post #9
New Member Posts: 8 OS: windows xp	When I entered into safemode, there is still the box that says "FOUND NEW HARDWARE WIZARD"-Welcome to the Found New HArdware Wizard...... Even in safemode, i still cannot find my Taskbar, still had the malwarebyte' run-time error '372'. still can't connect to the internet. when i clicked on the ie icon, it opens up but showed that it cannot connect to ms n homepage because it is not connected to the internet. When it was not in safemode, i got the error box telling me to report problem to microsoft. still can't connect to the internet. is it possible to revert back to the state my computer was in prior to running the last avz fix?

NeonFx View Member Profile	Sep 21 2009, 01:49 PM Post #10
Malware Removal Dude Posts: 1,350 From: California OS: XP / Vista	Hi again little_angel. Thank you for your patience. Let's try to recover your computer to an earlier state as you suggested. The easiest way to do this is: Boot your computer into Safe Mode Log into your account At the prompt asking you if you wish to continue into Safe Mode select "No" to open the System Restore applet. Follow the prompts to restore your computer to an earlier date. To ensure that everything works properly, you should select the very last time a system restore was made. This will begin the restore process and will reboot your machine when it is done. If you cannot get the System Restore applet to run, use your keyboard to open it by holding down the Windows Key and pressing "R". This will open a run dialog where you should type in the following: C:\windows\system32\restore\rstrui.exe And press Enter to run the applet. If that doesn't work, try restoring to an even earlier time. When your computer restarts, and if this solved our problem, please: Open OTL.exe and run a scan by clicking on the Quick Scan button at the top. Copy and Paste the results of this scan here. Also, I will need to know the exact Make and Model for your system. We may have to obtain the necessary drivers to reinstall your network device. The "Found New Hardware" wizard is probably attempting to reinstall your networking device. Let it attempt to automatically find the drivers for the device the next time you see it. If it is not able to we will have to do so manually.

little_angel View Member Profile	Sep 21 2009, 04:03 PM Post #11
New Member Posts: 8 OS: windows xp	Hi, I tried to turn on my computer but instead of turning on, there's this eeeeeeeeeee sound coming from the machine and nothing comes up. the computer is a Dell 2400.

little_angel View Member Profile	Sep 21 2009, 04:14 PM Post #12
New Member Posts: 8 OS: windows xp	I got the computer to power up. however, it won't let me go to safemode option when i pressed f8. instead, it goes directly to the desktop. the found new hardware box popped up. i chose the "find hardware this time" option. It found a hardware "UNKNOWN" and asks me to install the CD that comes with the drive but i'm not sure what that is.

little_angel View Member Profile	Sep 21 2009, 08:43 PM Post #13
New Member Posts: 8 OS: windows xp	I was able to get my computer into safemode, but when i chose to run system restore instead of safemode, it tells me to restart my computer and says that restore will not protect my computer. btw, my computer is a Dell Dimension 2400, running on XP pro service pack 3 I've been trying to run system restore, but either in safemode or normal, i keep getting a box saying "system restore is not able to protect your computer. Please restart your computer, and then run system restore again." This post has been edited by little_angel: Sep 21 2009, 08:47 PM

NeonFx View Member Profile	Sep 22 2009, 12:00 PM Post #14
Malware Removal Dude Posts: 1,350 From: California OS: XP / Vista	I'm very sorry to say this little_angel, but what you are describing, especially the continuous beeping sound when you turn your computer on, is a definite sign of a hardware malfunction that actually has nothing to with malware. You computer must have been right on the edge of its life when we started treating this as a virus problem, and will probably fail soon regardless of what we do. I strongly suggest that you take your computer into a shop as there is nothing else I can do to troubleshoot your situation. Hardware issues such as the one you describe are extremely difficult to troubleshoot over the internet as they require opening up your computer and replacing/testing different parts of it. If after taking it to the shop and getting the hardware problem fixed, you wish to continue analyzing your computer for malware, feel free to send me a private message to reopen this topic once it's closed.

Essexboy View Member Profile	Sep 26 2009, 06:55 AM Post #15
GeekU Moderator Posts: 19,166 From: Darkest Cornwall OS: Vista Ultimate & Windows 7	Due to lack of feedback, this topic has been closed. If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

« Next Oldest · Virus, Spyware and Trojan Removal · Next Newest »

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Topic Title	Replies / Views	Topic Information
Virus, Spyware and Trojan Removal Infected with Trojan.Vundo [CLOSED]	6 / 223	18th December 2005 - 01:06 PM derdy started - last by Excal
Virus, Spyware and Trojan Removal Infected with Virtumonde/Vundo [Closed]	3 / 116	3rd May 2009 - 04:40 PM chitown4lyfe started - last by fenzodahl512
Virus, Spyware and Trojan Removal Was infected with Trojan Vundo and hobolaku (and more, I think) [Solve	11 / 341	2nd May 2009 - 01:52 AM Cougar1966 started - last by fenzodahl512
Virus, Spyware and Trojan Removal Rtvscan.exe uses 100% CPU and infected with Trojan.Vundo [Solved] 12	15 / 306	7th October 2009 - 12:40 PM BuzzBoy22 started - last by hammerman