Trojan.Vundo.H Issue


#1 gbaum (New Member, 1 post)

I was asked to look at a laptop for someone and have been stuck for the last few hours on one remaining issue. Malwarebytes found 100ish issues and was able to resolve most of them. There are four remaining that I cannot seem to resolve. It comes down to some seemingly empty registry entries that cannot be deleted. Over the last few hours I have attempted just about everything I could research that made sense, removal tools as well as manual removal procedures, to no avail. I had two .dll files that could not be deleted due to "access denied" results. I was following an article that proposed creating an empty file and using the Windows recovery procedure to replace them with the empty file. I did this and re-ran Malwarebytes and it still could not delete them, just a constant mark for deletion on reboot, and they were never deleted. I finally was able to change the attributes on the files within the recovery tool and remove the files themselves, but I seem to be stuck with the registry entries.

Following is the most recent Malwarebytes log:

Malwarebytes' Anti-Malware 1.36
Database version: 2142
Windows 5.1.2600 Service Pack 3

5/16/2009 6:26:55 PM
mbam-log-2009-05-16 (18-26-55).txt

Scan type: Quick Scan
Objects scanned: 90256
Time elapsed: 6 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f08a6e57-eb60-4b0c-ab88-dbc108dcf991} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\peksyusg (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{f08a6e57-eb60-4b0c-ab88-dbc108dcf991} (Trojan.Vundo.H) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\windows\system32\vbikbgf.dll (Trojan.Vundo.H) -> Delete on reboot.
Looking through topics and suggestions here I have also downloaded:

VundoFix.exe (nothing found)

VundoFix V7.0.6
Scan started at 6:27:33 PM 5/16/2009
Listing files found while scanning....
No infected files were found.


and VirtumundoBeGone (nothing found either):

[05/16/2009, 19:32:16] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\testuser\Desktop\VirtumundoBeGone.exe" )
[05/16/2009, 19:32:21] - Detected System Information:
[05/16/2009, 19:32:21] - Windows Version: 5.1.2600, Service Pack 3
[05/16/2009, 19:32:21] - Current Username: testuser (Admin)
[05/16/2009, 19:32:21] - Windows is in NORMAL mode.
[05/16/2009, 19:32:21] - Searching for Browser Helper Objects:
[05/16/2009, 19:32:21] - BHO 1: {f08a6e57-eb60-4b0c-ab88-dbc108dcf991} ()
[05/16/2009, 19:32:21] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/16/2009, 19:32:21] - Checking for HKLM\...\Winlogon\Notify\vbikbgf
[05/16/2009, 19:32:21] - Key not found: HKLM\...\Winlogon\Notify\vbikbgf, continuing.
[05/16/2009, 19:32:21] - Finished Searching Browser Helper Objects
[05/16/2009, 19:32:21] - Finishing up...
[05/16/2009, 19:32:21] - Nothing found! Exiting...
Right or wrong, I have downloaded and run ComboFix as well, but at this point I will stop and await any suggestions. Here is the log from this:

ComboFix 09-05-16.04 - testuser 05/16/2009 17:45.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.557 [GMT -4:00]
Running from: c:\documents and settings\testuser\Desktop\ComboFix.exe
AV: Trend Micro PC-cillin Internet Security *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro PC-cillin Internet Security (Firewall) *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.

((((((((((((((((((((((((( Files Created from 2009-04-16 to 2009-05-16 )))))))))))))))))))))))))))))))
.

2009-05-16 20:48 . 2009-05-16 20:48 61440 ----a-w c:\windows\system32\drivers\jehpw.sys
2009-05-16 19:26 . 2009-05-16 19:43 2080 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-05-16 18:48 . 2009-05-16 18:48 33360 ----a-w c:\documents and settings\testuser\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-16 18:48 . 2009-05-16 19:33 -------- d-----w c:\program files\Common Files\ParetoLogic
2009-05-16 18:41 . 2009-05-16 18:41 -------- d-----w c:\documents and settings\testuser\Local Settings\Application Data\Downloaded Installations
2009-05-16 18:35 . 2009-05-16 18:35 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Downloaded Installations
2009-05-16 18:14 . 2009-05-16 18:14 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-05-16 14:14 . 2009-05-16 14:14 -------- d-----w c:\documents and settings\testuser\Application Data\Malwarebytes
2009-05-16 14:14 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-16 14:14 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-16 14:14 . 2009-05-16 14:14 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-16 14:14 . 2009-05-16 14:14 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-16 13:58 . 2009-05-16 13:59 -------- d-----w c:\documents and settings\testuser\Local Settings\Application Data\Adobe
2009-05-16 12:22 . 2009-05-16 12:22 -------- d-----w c:\documents and settings\testuser\Application Data\jkqfuixl
2009-05-16 12:22 . 2009-05-16 12:22 -------- d-----w c:\documents and settings\testuser\Local Settings\Application Data\jkqfuixl
2009-05-16 08:10 . 2004-08-04 00:56 577024 ----a-w c:\windows\system32\user32.dll
2009-05-16 04:22 . 2009-05-16 04:22 -------- d-----w c:\documents and settings\testuser\Local Settings\Application Data\Apple Computer
2009-05-16 04:22 . 2009-05-16 04:22 -------- d-----w c:\documents and settings\testuser\Application Data\GTek
2009-05-16 04:22 . 2009-05-16 04:22 -------- d-----w c:\documents and settings\testuser\Local Settings\Application Data\SupportSoft
2009-05-14 16:43 . 2009-05-16 14:31 -------- d-----w c:\windows\system32\218538
2009-05-09 18:04 . 2009-05-09 18:04 190976 ----a-w C:\kinkerc.exe
2009-05-09 18:04 . 2009-05-09 18:04 46 ----a-w C:\p2hhr.bat
2009-05-09 18:04 . 2009-05-09 18:04 7680 ----a-w C:\pbouj.exe
2009-05-09 18:03 . 2009-05-09 18:03 22016 ----a-w C:\occda.exe
2009-05-09 18:03 . 2009-05-09 18:03 37376 ----a-w C:\slqpfq.exe
2009-05-02 16:34 . 2009-05-02 16:34 578560 ----a-w c:\windows\system32\dllcache\user32.dll
2009-04-26 06:55 . 2009-04-26 06:55 -------- d-----w c:\documents and settings\christina bees\Application Data\PC-FAX TX
2009-04-26 06:53 . 2009-04-26 06:53 -------- d-----w c:\documents and settings\christina bees\Application Data\ScanSoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-16 20:48 . 2009-05-16 20:48 666 ----a-w c:\program files\zlrjabfv.txt
2009-05-16 19:43 . 2009-05-16 19:26 1244 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-05-14 17:16 . 2006-02-22 05:34 33360 ----a-w c:\documents and settings\christina bees\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-11 06:31 . 2009-05-11 06:31 0 ----a-w c:\windows\system32\anefanim.tmp
2009-05-09 18:04 . 2005-08-16 10:18 14336 ----a-w c:\windows\system32\svchost.exe
2009-05-01 04:34 . 2009-02-01 04:34 50688 --sha-w c:\windows\system32\misahavu.exe
2009-04-26 06:40 . 2008-12-08 16:25 50 ----a-w c:\windows\system32\bridf06a.dat
2009-04-25 20:20 . 2009-01-25 20:20 50688 --sha-w c:\windows\system32\kahasuha.exe
2009-04-21 14:46 . 2009-01-21 14:46 52736 --sha-w c:\windows\system32\gevumabo.exe
2009-03-27 12:48 . 1601-01-01 00:12 61440 --sha-w c:\windows\system32\bafosimo.exe
2009-03-27 00:47 . 1601-01-01 00:12 61440 --sha-w c:\windows\system32\desiyizi.exe
2009-03-23 18:14 . 2005-08-17 02:54 -------- d-----w c:\program files\GemMaster
2009-03-22 20:01 . 2006-02-24 05:27 3766 --sha-w c:\windows\system32\KGyGaAvL.sys
2009-03-22 20:01 . 2006-02-24 05:27 56 --sh--r c:\windows\system32\5305BDB36B.sys
.

------- Sigcheck -------

[-] 2005-03-02 18:19 577024 1800F293BCCC8EDE8A70E12B88D80036 c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
[-] 2007-03-08 15:48 578048 7AA4F6C00405DFC4B70ED4214E7D687B c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
[-] 2007-03-08 15:36 577536 B409909F6E2E8A7067076ED748ABF1E7 c:\windows\$NtServicePackUninstall$\user32.dll
[-] 2004-08-10 11:00 577024 C72661F8552ACE7C5C85E16A3CF505C4 c:\windows\$NtUninstallKB890859$\user32.dll
[-] 2005-03-02 18:09 577024 DE2DB164BBB35DB061AF0997E4499054 c:\windows\$NtUninstallKB925902$\user32.dll
[7] 2008-04-14 00:12 578560 B26B135FF1B9F60C9388B4A7D16F600B c:\windows\ServicePackFiles\i386\user32.dll
[-] 2004-08-04 00:56 577024 C72661F8552ACE7C5C85E16A3CF505C4 c:\windows\system32\user32.dll
[-] 2009-05-02 16:34 578560 EAA38B4BDB964CC8E373B161BC09859E c:\windows\system32\dllcache\user32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f08a6e57-eb60-4b0c-ab88-dbc108dcf991}]
c:\windows\system32\vbikbgf.dll [BU]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="c:\program files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2006-04-11 176201]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-10 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-09-01 684032]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-02-14 26112]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-09 8192]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-09-09 110592]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-30 823362]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-08-23 29744]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-06-28 622592]
"SetDefPrt"="c:\program files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-26 49152]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-06-29 77824]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"Corel Photo Downloader"="c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe" [2005-11-17 106496]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-2-13 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\peksyusg]
vbikbgf.dll [BU]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Trend Micro\\Internet Security 12\\tmproxy.exe"=
"c:\\WINDOWS\\system32\\wpgldfsh.scr"=

R0 xlktdmpm;xlktdmpm;c:\windows\system32\drivers\xlktdmpm.sys [8/16/2005 6:18 AM 23424]
R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [8/30/2005 6:36 PM 205328]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [8/30/2005 6:36 PM 36368]
S2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [8/30/2005 6:36 PM 290889]
S2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [8/30/2005 6:36 PM 585792]
S2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [8/30/2005 6:36 PM 262215]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2/13/2006 8:22 PM 29744]
S3 MUD;Driver for Magellan Jupiter USB Device;c:\windows\system32\drivers\MUD.sys [1/22/2008 2:50 PM 55808]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
xvsdnjil
.
Contents of the 'Scheduled Tasks' folder

2009-05-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/dell?hl=en
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: musicmatch.com\online
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-16 17:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(856)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1016)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\progra~1\MICROS~2\OFFICE11\MCPS.DLL
c:\program files\Microsoft Office\OFFICE11\msohev.dll
.
Completion time: 2009-05-16 17:49
ComboFix-quarantined-files.txt 2009-05-16 21:49
ComboFix2.txt 2009-05-16 21:08
ComboFix3.txt 2009-05-16 15:42

Pre-Run: 37,358,501,888 bytes free
Post-Run: 37,346,492,416 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

181 --- E O F --- 2009-03-17 17:01
Thanks for any help that can be provided.
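As an added example (not code from the poster or from any of the tools quoted above), a small Python parser for the Malwarebytes log layout shown in the post. It lists the items Malwarebytes deferred to "Delete on reboot" and ties the BHO CLSID, the HKCR CLSID key, the Winlogon Notify subkey and the DLL together, the same BHO-to-Winlogon\Notify link that the VirtumundoBeGone log checks for. The sample log is constructed from the values reported in the post.

```python
import re
# Constructed sample in the layout of the Malwarebytes 1.36 log quoted in the post;
# the key names, CLSID and DLL are the ones the poster reported.
SAMPLE_LOG = r"""Registry Keys Infected: 3
Files Infected: 1

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f08a6e57-eb60-4b0c-ab88-dbc108dcf991} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\peksyusg (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{f08a6e57-eb60-4b0c-ab88-dbc108dcf991} (Trojan.Vundo.H) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Files Infected:
c:\windows\system32\vbikbgf.dll (Trojan.Vundo.H) -> Delete on reboot.
"""

SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")  # detail headers; summary lines carry a count
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<name>[^()]+)\) -> (?P<action>[^.]+)\.$")
CLSID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)

def parse_mbam_log(text):
    """Return (section, item, detection, action) tuples from the per-section detail lists."""
    findings, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if SECTION_RE.match(line):
            section = SECTION_RE.match(line).group(1)
        elif section and ITEM_RE.match(line):  # skips '(No malicious items detected)'
            m = ITEM_RE.match(line)
            findings.append((section, m["item"], m["name"], m["action"]))
    return findings

def pending_on_reboot(findings):
    """Items MBAM deferred to reboot; if they reappear on the next scan the deferred delete failed."""
    return [f for f in findings if f[3].lower() == "delete on reboot"]

def correlate_bho(findings):
    """Link the BHO registration, its CLSID key, the Winlogon Notify hook and the DLL they load."""
    s = {"clsid": None, "bho_key": False, "clsid_key": False, "winlogon_notify": None, "files": []}
    for section, item, _name, _action in findings:
        c = CLSID_RE.search(item)
        if section == "Files Infected":
            s["files"].append(item.lower())
        elif "\\Browser Helper Objects\\" in item and c:
            s["bho_key"], s["clsid"] = True, c.group(0).lower()
        elif item.upper().startswith("HKEY_CLASSES_ROOT\\CLSID\\") and c:
            s["clsid_key"] = True
        elif "\\Winlogon\\Notify\\" in item:
            s["winlogon_notify"] = item.rsplit("\\", 1)[-1]
    return s
```

Feeding the log from a scan run after the reboot to pending_on_reboot shows whether the deferred deletes actually took effect or, as in the post, the same four entries are still pending.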