Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Need help. Accidentily downloaded a few trojans [CLOSED]

Started by Vedrix , Feb 28 2008 11:30 PM

  • This topic is locked This topic is locked

#1
Vedrix
Posted 28 February 2008 - 11:30 PM

Vedrix

    New Member

  • Member
  • Pip
  • 1 posts
Well I accidentily downloaded a few trojans this evening, onto a brand new computer... I downloaded the trojan from a website called dailykeys.com It was a file titled Marine Aquarium 2.6, I wanted to find a crack for a screensaver program. Once I downloaded this crack, and extracted it, it broke into three files on my computer called serial, keygen, and something else. I clicked on keygen I think and my computer immediately went into shutdown mode and saved settings. I tried to unplug the computer but wasn't fast enough.

I did a trend micro virus scan and it found both trojan_dlena and trojan_vundo. I used your vundo fix and it didn't work. I then used vundo begon and this was the log below. My attempt to use Hijack this did not work, it installed then wouldn't run. Now after about 1 hour trend micro online isn't running at all for me.


Also, every spyware remover and virus scan I've tried since isn't working, except Zone Alarm identified a virus that it couldn't remove titled not-a-virus(some form of Ad-Ware virus). Its infected my winlogon and is in windows/system32/efcbbcd.dll

I just want to reformat the entire computer, but my computer will not run the windows xp disc from startup. I went into the Bios and attempted to change the drive priority to put cdrom first, but still nothing.

My goal isn't to fix this computer at this point, its just to completely clean with a reformat, the key is getting there. Any help is greatly appreciated.


[02/29/2008, 0:09:36] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Administrator\Desktop\VirtumundoBeGone.exe" )
[02/29/2008, 0:09:40] - Detected System Information:
[02/29/2008, 0:09:40] - Windows Version: 5.1.2600, Service Pack 2
[02/29/2008, 0:09:40] - Current Username: Administrator (Admin)
[02/29/2008, 0:09:40] - Windows is in NORMAL mode.
[02/29/2008, 0:09:40] - Searching for Browser Helper Objects:
[02/29/2008, 0:09:40] - BHO 1: {45C2A50F-8F4A-496E-AF02-D0207525BF5A} ()
[02/29/2008, 0:09:40] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/29/2008, 0:09:40] - Checking for HKLM\...\Winlogon\Notify\efcbbcd
[02/29/2008, 0:09:40] - Found: HKLM\...\Winlogon\Notify\efcbbcd - This is probably Virtumundo.
[02/29/2008, 0:09:40] - Assigning {45C2A50F-8F4A-496E-AF02-D0207525BF5A} MSEvents Object
[02/29/2008, 0:09:40] - BHO list has been changed! Starting over...
[02/29/2008, 0:09:40] - BHO 1: {45C2A50F-8F4A-496E-AF02-D0207525BF5A} (MSEvents Object)
[02/29/2008, 0:09:40] - ALERT: Found MSEvents Object!
[02/29/2008, 0:09:40] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[02/29/2008, 0:09:40] - BHO 3: {BEBF520F-799F-4F78-873C-04922E6C6C79} ()
[02/29/2008, 0:09:40] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/29/2008, 0:09:40] - Checking for HKLM\...\Winlogon\Notify\pmkji
[02/29/2008, 0:09:40] - Key not found: HKLM\...\Winlogon\Notify\pmkji, continuing.
[02/29/2008, 0:09:40] - Finished Searching Browser Helper Objects
[02/29/2008, 0:09:40] - *** Detected MSEvents Object
[02/29/2008, 0:09:40] - Trying to remove MSEvents Object...
[02/29/2008, 0:09:41] - Terminating Process: IEXPLORE.EXE
[02/29/2008, 0:09:41] - Terminating Process: RUNDLL32.EXE
[02/29/2008, 0:09:41] - Disabling Automatic Shell Restart
[02/29/2008, 0:09:41] - Terminating Process: EXPLORER.EXE
[02/29/2008, 0:09:42] - Suspending the NT Session Manager System Service
[02/29/2008, 0:09:42] - Terminating Windows NT Logon/Logoff Manager
[02/29/2008, 0:09:42] - Re-enabling Automatic Shell Restart
[02/29/2008, 0:09:42] - File to disable: C:\WINDOWS\system32\efcbbcd.dll
[02/29/2008, 0:09:42] - Renaming C:\WINDOWS\system32\efcbbcd.dll -> C:\WINDOWS\system32\efcbbcd.dll.vir
[02/29/2008, 0:09:42] - File successfully renamed!
[02/29/2008, 0:09:42] - Removing HKLM\...\Browser Helper Objects\{45C2A50F-8F4A-496E-AF02-D0207525BF5A}
[02/29/2008, 0:09:42] - Removing HKCR\CLSID\{45C2A50F-8F4A-496E-AF02-D0207525BF5A}
[02/29/2008, 0:09:42] - Adding Kill Bit for ActiveX for GUID: {45C2A50F-8F4A-496E-AF02-D0207525BF5A}
[02/29/2008, 0:09:42] - Deleting ATLEvents/MSEvents Registry entries
[02/29/2008, 0:09:42] - Removing HKLM\...\Winlogon\Notify\efcbbcd
[02/29/2008, 0:09:42] - Searching for Browser Helper Objects:
[02/29/2008, 0:09:42] - BHO 1: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[02/29/2008, 0:09:42] - BHO 2: {BEBF520F-799F-4F78-873C-04922E6C6C79} ()
[02/29/2008, 0:09:42] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/29/2008, 0:09:42] - Checking for HKLM\...\Winlogon\Notify\pmkji
[02/29/2008, 0:09:42] - Key not found: HKLM\...\Winlogon\Notify\pmkji, continuing.
[02/29/2008, 0:09:42] - Finished Searching Browser Helper Objects
[02/29/2008, 0:09:42] - Finishing up...
[02/29/2008, 0:09:42] - A restart is needed.
[02/29/2008, 0:09:54] - Attempting to Restart via STOP error (Blue Screen!)

[02/29/2008, 0:11:56] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Administrator\Desktop\VirtumundoBeGone.exe" )
[02/29/2008, 0:11:58] - Detected System Information:
[02/29/2008, 0:11:58] - Windows Version: 5.1.2600, Service Pack 2
[02/29/2008, 0:11:58] - Current Username: Administrator (Admin)
[02/29/2008, 0:11:58] - Windows is in NORMAL mode.
[02/29/2008, 0:11:58] - Searching for Browser Helper Objects:
[02/29/2008, 0:11:58] - BHO 1: {3657DCB8-64E2-4C8A-913E-E37A101BE80C} ()
[02/29/2008, 0:11:58] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/29/2008, 0:11:58] - Checking for HKLM\...\Winlogon\Notify\pmkji
[02/29/2008, 0:11:58] - Key not found: HKLM\...\Winlogon\Notify\pmkji, continuing.
[02/29/2008, 0:11:58] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[02/29/2008, 0:11:58] - Finished Searching Browser Helper Objects
[02/29/2008, 0:11:58] - Finishing up...
[02/29/2008, 0:11:58] - Nothing found! Exiting...

[02/29/2008, 0:13:58] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Administrator\Desktop\VirtumundoBeGone.exe" )
[02/29/2008, 0:13:59] - Detected System Information:
[02/29/2008, 0:13:59] - Windows Version: 5.1.2600, Service Pack 2
[02/29/2008, 0:13:59] - Current Username: Administrator (Admin)
[02/29/2008, 0:13:59] - Windows is in NORMAL mode.
[02/29/2008, 0:13:59] - Searching for Browser Helper Objects:
[02/29/2008, 0:13:59] - BHO 1: {3657DCB8-64E2-4C8A-913E-E37A101BE80C} ()
[02/29/2008, 0:13:59] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/29/2008, 0:13:59] - Checking for HKLM\...\Winlogon\Notify\pmkji
[02/29/2008, 0:13:59] - Key not found: HKLM\...\Winlogon\Notify\pmkji, continuing.
[02/29/2008, 0:13:59] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[02/29/2008, 0:13:59] - Finished Searching Browser Helper Objects
[02/29/2008, 0:13:59] - Finishing up...
[02/29/2008, 0:13:59] - Nothing found! Exiting...

Edited by Vedrix, 28 February 2008 - 11:46 PM.

  • 0

Advertisements

#2
Essexboy
Posted 29 February 2008 - 12:16 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi there, lets see if we can get you out of this quandary without a re-format. I will try 2 programmes if the first does not work then try the second. Please read the instructions first for the combofix , before downloading

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:

    Posted Image

    Posted Image

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

IF THAT SHOULD FAIL

Download WinPFind35u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind35u on your desktop.
  • Close ALL OTHER PROGRAMS.
  • Open the WinPFind35u folder and double-click on WinPFind35u.exe to start the program.
  • Check the box that says Scan All User Accounts
  • Check the Radio buttons for Files/Folders Created Within 90 Days and Files/Folders Modified Within 90 Days
  • Under Additional Scans check the following:
    • Reg - Approved Shell Extensions
    • Reg - BotCheck
    • Reg - File Associations
    • File - Additional Folder Scans
    • File - Purity Scan
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post

  • 0

#3
Essexboy
Posted 05 March 2008 - 02:42 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP