Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Vundo trojan, please help!

Started by Hawkwings , Jan 07 2008 01:16 AM

  • Please log in to reply

#1
Hawkwings
Posted 07 January 2008 - 01:16 AM

Hawkwings

    New Member

  • Member
  • Pip
  • 1 posts
First of all, I have read what I must read before posting a HijackThis log.

Problem symptoms:
on startup, I get several windows error messages saying that hgggd.exe or something cannot be loaded as said in the registry. Also, some other .dll file cannot be loaded either.

Internet Explorer starts by itself and tries going to about 12 different websites. I use Firefox BTW.

Anyways, here is said log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:32:22 PM, on 1/7/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
D:\Utilities\AVG Anti-Spyware 7.5\avgas.exe
D:\Utilities\avgcc.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\taskeng.exe
D:\Utilities\Super\SUPERAntiSpyware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F3 - REG:win.ini: load=C:\Windows\system32\hgggd.exe
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: GetRight IE Download Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {457AC30C-A336-4E48-AA76-90D148C81BB8} - C:\Windows\system32\hgggd.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Utilities\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] D:\UTILIT~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\HAILIS~1\AppData\Local\Temp\cbxwx.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Windows\system32\hgggd.dll,c
O4 - HKCU\..\Run: [DDC] C:\Users\HAILIS~1\AppData\Local\Temp\hqwhpcad.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Speech Recognition] "C:\Windows\Speech\Common\sapisvr.exe" -SpeechUX -Startup
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Utilities\Super\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\UTILIT~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] D:\UTILIT~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] D:\UTILIT~1\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{7B32DDEB-26C4-4BDF-A336-36B261E64251}: NameServer = 10.0.0.1
O20 - Winlogon Notify: !SASWinLogon - D:\Utilities\Super\SASWINLO.dll
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Acronis OS Selector Reinstall Service (AcronisOSSReinstallSvc) - Unknown owner - C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall_svc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Utilities\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\UTILIT~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\UTILIT~1\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - D:\UTILIT~1\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\UTILIT~1\avgemc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - D:\Utilities\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - D:\Utilities\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PDAgent - Raxco Software, Inc. - D:\Utilities\Perfectdisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - D:\Utilities\Perfectdisk\PDEngine.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - D:\Utilities\VMWare Workstation\vmware-ufad.exe
O23 - Service: UGS License Server (ugslmd) - Macrovision Corporation - C:\Program Files\UGS\UGSLicensing\lmgrd.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - D:\Utilities\VMWare Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\Windows\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\Windows\system32\vmnat.exe

--
End of file - 7686 bytes


I have already tried using VundoFix.exe and VirtumundoBeGone. The first one asks to remove it at startup, but after I reboot, it doesn't remove anything. The second one doesn't say anything is wrong.

Here is the VirtumundoBeGone log. I ran it twice.

[01/06/2008, 20:51:10] - VirtumundoBeGone v1.5 ( "D:\Downloads\VirtumundoBeGone.exe" )
[01/06/2008, 20:51:14] - Detected System Information:
[01/06/2008, 20:51:14] - Windows Version: 6.0.6000,
[01/06/2008, 20:51:14] - Current Username: Haili Sun (Admin)
[01/06/2008, 20:51:14] - Windows is in NORMAL mode.
[01/06/2008, 20:51:14] - Searching for Browser Helper Objects:
[01/06/2008, 20:51:14] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[01/06/2008, 20:51:14] - BHO 2: {07C5001E-5023-493A-A1C6-468BE1E28337} ()
[01/06/2008, 20:51:14] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/06/2008, 20:51:14] - Checking for HKLM\...\Winlogon\Notify\hgggd
[01/06/2008, 20:51:14] - Key not found: HKLM\...\Winlogon\Notify\hgggd, continuing.
[01/06/2008, 20:51:14] - BHO 3: {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} (IeCatch5 Class)
[01/06/2008, 20:51:14] - BHO 4: {31FF080D-12A3-439A-A2EF-4BA95A3148E8} (GetRight IE Download Helper)
[01/06/2008, 20:51:14] - BHO 5: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[01/06/2008, 20:51:14] - BHO 6: {F156768E-81EF-470C-9057-481BA8380DBA} (gFlash Class)
[01/06/2008, 20:51:14] - Finished Searching Browser Helper Objects
[01/06/2008, 20:51:14] - Finishing up...
[01/06/2008, 20:51:14] - Nothing found! Exiting...

[01/06/2008, 21:03:17] - VirtumundoBeGone v1.5 ( "D:\Downloads\VirtumundoBeGone.exe" )
[01/06/2008, 21:03:19] - Detected System Information:
[01/06/2008, 21:03:19] - Windows Version: 6.0.6000,
[01/06/2008, 21:03:19] - Current Username: Haili Sun (Admin)
[01/06/2008, 21:03:19] - Windows is in NORMAL mode.
[01/06/2008, 21:03:19] - Searching for Browser Helper Objects:
[01/06/2008, 21:03:19] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[01/06/2008, 21:03:19] - BHO 2: {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} (IeCatch5 Class)
[01/06/2008, 21:03:19] - BHO 3: {31FF080D-12A3-439A-A2EF-4BA95A3148E8} (GetRight IE Download Helper)
[01/06/2008, 21:03:19] - BHO 4: {676DAEF7-1A1E-49BA-B183-43305B93355A} ()
[01/06/2008, 21:03:19] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/06/2008, 21:03:19] - Checking for HKLM\...\Winlogon\Notify\hgggd
[01/06/2008, 21:03:19] - Key not found: HKLM\...\Winlogon\Notify\hgggd, continuing.
[01/06/2008, 21:03:19] - BHO 5: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[01/06/2008, 21:03:19] - BHO 6: {F156768E-81EF-470C-9057-481BA8380DBA} (gFlash Class)
[01/06/2008, 21:03:19] - Finished Searching Browser Helper Objects
[01/06/2008, 21:03:19] - Finishing up...
[01/06/2008, 21:03:19] - Nothing found! Exiting...


EDIT: since this hasn't been responded to yet, I tried some more fixes. I booted into safe mode and ran VundoFix.exe. It found 1 item, the hgggd.exe file, and tried to remove it. It told me to restart, so I restarted into safe mode again. This time it appeared to be successful, and the hgggd.exe file was no longer in the directory as seen in the hijackthis log. Also, as I was looking in the C:\Users\HAILIS~1\AppData\Local\Temp folder, AVG found two trojans and nuked them. I'm pretty sure they were the ones referenced in the logfile as well.

besides the windows warning messages, I haven't seen any more symptoms.

Edited by Hawkwings, 07 January 2008 - 07:37 PM.

  • 0

Advertisements

Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP