trojan. Vundo,Zbot,Agent,Bdoor bot,mal trace and Hijack userinit HELP



#1
Muffiinmum

OMG!!!!

Daughter was surfing, tells me pop up has appeared (didn't click it)
I knew immediately it was spyware and did a MBAM update and scan.....
then noticed our AVG has simply disappeared???

I have :
trojan. vundo (tried to remove with vundo fix but came back)
Backdoor.bot
Trojan Zbot
Malware trace
trojan Agent
Hijack userinit.

have tried to do the clean up but won't let me do setup restore, root repeal or erunt (the RR report I got is as follows):

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/14 16:32
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

SSDT
-------------------
SYSENTER/INT2E Hooked [0x80541530]!

==EOF==

The pop up is Safe shield and has an icon on the task bar - red circle with white cross.
If I try to open AVG it initially says all is well and we are protected, then changes screen and says nothing to initialise?

I hope someone can help, I have no idea how to start.

many thanks


#2
Muffiinmum

here is the MBAM log:

Malwarebytes' Anti-Malware 1.41
Database version: 3167
Windows 5.1.2600 Service Pack 3

11/14/2009 5:09:37 PM
mbam-log-2009-11-14 (17-09-37).txt

Scan type: Quick Scan
Objects scanned: 119770
Time elapsed: 2 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 4
Folders Infected: 3
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: wmsbd4.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: c:\windows\system32\twext.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: system32\twext.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\LocalService\Application Data\twain_32 (Trojan.Zbot) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\twain_32 (Trojan.Zbot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\twain_32 (Backdoor.Bot) -> Delete on reboot.

Files Infected:
C:\WINDOWS\wmsbd4.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Documents and Settings\LocalService\Application Data\twain_32\user.ds (Trojan.Zbot) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\twain_32\user.ds (Trojan.Zbot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\twain_32\local.ds (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\twain_32\user.ds (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\Andrew\Application Data\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\twext.exe (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\Temp\wpv001258147400.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\wpv221257360344.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\wpv671257455496.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\wpv691257455496.exe (Trojan.Agent) -> Quarantined and deleted successfully.


hope this helps
Sharon

#3
Muffiinmum

have uninstalled AVG and reinstalled, despite downloading from Cnet, still had to do an update, AVG still says parts are outdated - I am guessing the virus is preventing a full download?

Still can't do system restore, rootrepeal starts then freezes.

is this too awful and do I need to send it out to be fixed?

Thanks in advance,
Sharon