I'm new to this forum and quite a newbie in PC's but I've read some articles in this forum
and found many people satisfied with results after disclosing their problems with the experts
here... in which I hope somebody could also help me with my problem.
My PC running in XP has been infected with Trojan:win32/Vundo.gen!A in which I
could have gotten from key generators(?) 2 days ago.
It first damaged Virgin Media Broadband's PC guard, in which when I looked at the
Task Manager some annoying filenames appeared which replaced the original files;
e.g. from Broadbandadvisor.exe to Boardbandadvisor .exe --> with extra space(s) before the .exe
Other programs that automatically boot on startup (e.g. mmtask.exe, qttask.exe, jusched.exe)
are having the same issues and I found the annoying files residing in the same folders as the
original files. I've tried deleting them but after restart they just would come back to life again.
I've tried using Spybot Search & Destroy, AVG Anti-Spyware, AVG Anti-Rootkit, & Trend Micro
Housecall but they seem to fail to detect the problem.
I would want to install AVG-Antivirus and/or Ad-Aware to try to remove the trojan but I
couldn't proceed as there is a conflict with Virgin's PC guard which I couldn't uninstall. It said
somewhat like it needed rebooting for uninstallation to take place but when I did, it still
couldn't be removed... I don't know why.
I tried Windows Live Onecare Scan and it detected the problem but couldn't remove the trojan.
I have disabled System Restore before doing the scan.
There were 8 items (.dlls) affected based on the scan report:
tuvuvuu.dll nnnlkhe.dll
ssqonnl.dll ddcbcax.dll
nnnnkif.dll cbxyvss.dll
gebcded.dll nnnlihi.dll
I currently don't have any internet security since the PC guard is down, and I had to uninstall
AVG Anti-Sypware since the annoying file-rename issue has affected it's program... and I don't
know how long again until another damage is added by this trojan.
I have followed the initial steps as stated in You Must Read This Before Posting A Hijackthis Log, Malware Cleaning Guide and did Vundofix and Hijackthis scans. Sorry, if I did repetitive Vundofix runs. Below are the logs.
Vundofix Log:
VundoFix V6.7.7
Checking Java version...
Java version is 1.5.0.11
Scan started at 20:20:46 24/12/2007
Listing files found while scanning....
C:\WINDOWS\system32\awvtr.dll
C:\WINDOWS\system32\awvtr.exe
C:\WINDOWS\system32\cbxyvss.dll
C:\WINDOWS\system32\ddcbcax.dll
C:\WINDOWS\system32\gebcded.dll
C:\windows\system32\nnnlihi.dll
C:\WINDOWS\system32\rtvwa.ini
C:\WINDOWS\system32\rtvwa.ini2
C:\windows\system32\ssqonnl.dll
C:\WINDOWS\system32\tuvuvuu.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\awvtr.dll
C:\WINDOWS\system32\awvtr.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\awvtr.exe
C:\WINDOWS\system32\awvtr.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\cbxyvss.dll
C:\WINDOWS\system32\cbxyvss.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ddcbcax.dll
C:\WINDOWS\system32\ddcbcax.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\gebcded.dll
C:\WINDOWS\system32\gebcded.dll Has been deleted!
Attempting to delete C:\windows\system32\nnnlihi.dll
C:\windows\system32\nnnlihi.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\rtvwa.ini
C:\WINDOWS\system32\rtvwa.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\rtvwa.ini2
C:\WINDOWS\system32\rtvwa.ini2 Has been deleted!
Attempting to delete C:\windows\system32\ssqonnl.dll
C:\windows\system32\ssqonnl.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\tuvuvuu.dll
C:\WINDOWS\system32\tuvuvuu.dll Has been deleted!
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\windows\system32\nnnlihi.dll
C:\windows\system32\nnnlihi.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
VundoFix V6.7.7
Checking Java version...
Scan started at 21:42:13 24/12/2007
Listing files found while scanning....
C:\WINDOWS\system32\awvtr.dll
C:\WINDOWS\system32\awvtr.exe
C:\windows\system32\nnnlihi.dll
C:\WINDOWS\system32\rtvwa.ini
C:\WINDOWS\system32\rtvwa.ini2
Beginning removal...
Attempting to delete C:\WINDOWS\system32\awvtr.dll
C:\WINDOWS\system32\awvtr.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\awvtr.exe
C:\WINDOWS\system32\awvtr.exe Has been deleted!
Attempting to delete C:\windows\system32\nnnlihi.dll
C:\windows\system32\nnnlihi.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\rtvwa.ini
C:\WINDOWS\system32\rtvwa.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\rtvwa.ini2
C:\WINDOWS\system32\rtvwa.ini2 Has been deleted!
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\windows\system32\nnnlihi.dll
C:\windows\system32\nnnlihi.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
VundoFix V6.7.7
Checking Java version...
Scan started at 00:21:43 25/12/2007
Listing files found while scanning....
C:\windows\system32\mllmn.dll
C:\WINDOWS\system32\mllmn.exe
C:\WINDOWS\system32\nmllm.ini
C:\WINDOWS\system32\nmllm.ini2
C:\windows\system32\nnnlihi.dll
Beginning removal...
Attempting to delete C:\windows\system32\mllmn.dll
C:\windows\system32\mllmn.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\mllmn.exe
C:\WINDOWS\system32\mllmn.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\nmllm.ini
C:\WINDOWS\system32\nmllm.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\nmllm.ini2
C:\WINDOWS\system32\nmllm.ini2 Has been deleted!
Attempting to delete C:\windows\system32\nnnlihi.dll
C:\windows\system32\nnnlihi.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\windows\system32\nnnlihi.dll
C:\windows\system32\nnnlihi.dll Could not be deleted.
Performing Repairs to the registry.
Done!
VundoFix V6.7.7
Checking Java version...
Scan started at 06:52:15 25/12/2007
Listing files found while scanning....
C:\windows\system32\nnnlihi.dll
Beginning removal...
Attempting to delete C:\windows\system32\nnnlihi.dll
C:\windows\system32\nnnlihi.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\windows\system32\nnnlihi.dll
C:\windows\system32\nnnlihi.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
VundoFix V6.7.7
Checking Java version...
Scan started at 07:47:17 25/12/2007
Listing files found while scanning....
C:\windows\system32\nnnlihi.dll
Beginning removal...
Attempting to delete C:\windows\system32\nnnlihi.dll
C:\windows\system32\nnnlihi.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\windows\system32\nnnlihi.dll
C:\windows\system32\nnnlihi.dll Could not be deleted.
Performing Repairs to the registry.
Done!
VundoFix V6.7.7
Checking Java version...
Scan started at 09:05:29 25/12/2007
Listing files found while scanning....
C:\windows\system32\nnnlihi.dll
Beginning removal...
Attempting to delete C:\windows\system32\nnnlihi.dll
C:\windows\system32\nnnlihi.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\windows\system32\nnnlihi.dll
C:\windows\system32\nnnlihi.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
HijackThis Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:58:29, on 25/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.client...www.yahoo.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.client...www.yahoo.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.client...www.yahoo.co.uk
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - - (no file)
F3 - REG:win.ini: load=C:\WINDOWS\system32\mllmn.exe
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [TimeSRTemp] "C:\Program Files\TimeSupportReg\TimeSRTemp.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\iWare\iWare Mouse\3.2\MOUSE32A.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [UStorag] c:\program files\belkin u-storage tools2.96\ustorage.exe sys_auto_run C:\Program Files\Belkin U-Storage Tools2.96
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [ustorage] c:\documents and settings\owner\ustorage .exe sys_auto_run C:\Documents and Settings\OWNER
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &Search - ?p=ZCxdm341YYGB
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.timecomputers.com
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.driveclea...leanerstart.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase4009.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/p...owserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1187958227187
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
--
End of file - 6927 bytes
I would greatly appreciate any help you can give.
Thanks in advance.
Pawn (Paul)
Edited by pwncastle, 25 December 2007 - 12:13 PM.
Sign In
Create Account
