Trojan.Vundo.H Can only boot safemode. Help!

#1 lambchopmusic (New Member, 2 posts)
Hi Everyone! I'm new here and unfortunately need help. I stupidly installed a program that prompted that I needed to update my DivX codecs. Shortly after, Spybot caught it trying to change my system with C:\resycled\boot.com. When I denied the change I got the blue screen of death. I googled the problem and ended up installing and running Malwarebytes' Anti-Malware, which cleaned 8 instances of Trojan.Vundo.H. It still didn't help. I found that it also infected my other drives with a "resycle" sub-directory on each, which I deleted and which was replaced by "RECYCLER" subdirectories on each that are locked (these definitely weren't on these drives before). I did as many steps as possible in the "You Must Read This Before" post, but I still can only boot in safe mode. I am posting the hijackthis.log and uninstall_list.txt as recommended, hoping that someone can please help me! I'm really concerned.

(UPDATE: Aw man, I also infected my laptop by copying the logfiles onto a CD from the infected desktop to post here. This really sucks! I ran Malwarebytes on my laptop and, since it can access the internet, did the updates first. Hopefully that will help.)


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:41:23 PM, on 1/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Safe mode
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\1Trojan Problems\HiJackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....48&clcid=0x0409
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {EAD9E7C9-E10D-4839-91D0-795040FB998F} - C:\WINDOWS\system32\fccabcBu.dll (file missing)
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\System32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AsusServiceProvider] C:\Program Files\ASUS\AASP\1.00.01\aaCenter.exe
O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus C66 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2S1.EXE /P23 "EPSON Stylus C66 Series" /O6 "USB001" /M "Stylus C66"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunOnce: [SpybotDeletingA7724] command /c del "c:\resycled\boot.com"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5176] cmd /c del "c:\resycled\boot.com"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\RunOnce: [SpybotDeletingB9117] command /c del "c:\resycled\boot.com"
O4 - HKCU\..\RunOnce: [SpybotDeletingD772] cmd /c del "c:\resycled\boot.com"
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 6301 bytes
Unistall_lst.txt

Ad-Aware
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 8.1.3
Ai Suite
Antares Autotune DX v4.12
Antares Tube VST v1.02
Apple Mobile Device Support
Apple Software Update
ARC System
ASAPI Update
a-squared Free 3.1
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
ATI HYDRAVISION
ATI Problem Report Wizard
AVG Free 8.0
AVIcodec (remove only)
AVIVO
BBE Sonic Maximizer 2.0 Full
Bonjour
Brainworx BX Digital VST v1.09
Celemony Melodyne v2.6.0.6 Studio Edition
Clean 4.0
Clean 4.01
CloneCD
CloneDVD 4.1.0.23
CloneDVD2
Delta
Diskeeper Lite
DivX Codec
DivX Converter
DivX Player
DivX Web Player
DVD Ripper Wizard
DVD X Copy Platinum 4.0.3
DVD X Rescue
DVDIdle Pro 5.9.8.5
DVDXCopy Platinum Upgrade
EPSON Printer Software
ERUNT 1.1j
ETF5.x
Finale 2008
FREQUAL-IZER
GlaceVerb 1.01
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
iTunes
Java™ 6 Update 11
Java™ 6 Update 6
Java™ 6 Update 7
JRAID
Kjaerhus Audio MPL-1 v1.02 VST
LabelEditor
Magic ISO Maker v5.3 (build 0221)
Malwarebytes' Anti-Malware
Marvell Miniport Driver
Melodyne 3.1
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.5)
MyProfessionalBusinessCards
Native Instruments B4 v1.11
Native Instruments Guitar Rig v1.0.0.2
Nero PhotoShow Express
Nero Suite
Netscape Navigator (9.0.0.6)
Nomad Factory LM-662
NomadFactory Blue Tubes Dynamics Pack VST RTAS v3.1
PAS Spectrum Analyzer Pro v4.2.1
PC Probe II
Pinguin Audio Meter (remove only)
PowerQuest PartitionMagic 8.0
PSP Audioware Neon HR VST RTAS
PSP VintageWarmer2 2.1.4
QuickTime
RealPlayer
Rhapsody Player Engine
Sonnox Oxford Inflator Native VST v1.5.1
Sonnox Oxford Limiter Native VST v1.1.1
Sonnox Oxford R3 Dynamics Native VST v1.3.1
Sonnox Oxford R3 EQ Native VST v1.6.1
Sonnox Oxford Reverb Native VST v1.0
Sonnox Oxford TransMod Native VST v1.3.1
SoundMAX
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
Steinberg Cubase SX 2
Steinberg DeClicker v1.21
Steinberg Denoiser v1.51
Steinberg Mastering Edition v1.0
Steinberg WaveLab 5.00a
Studio Buddy
Syncrosoft's License Control
TC.Works.Native.Bundle.v3.0.VST.WinAll-cRime
The Rosetta Stone
TMPGEnc DVD Author 3 with DivX Authoring
Total Commander (Remove or Repair)
URS Classic Console Strip Pro VST RTAS v1.0
URS Everything EQ Bundle v4.0
videosoft
Virtual Cable Tester
Waves API Collection
Waves L3 16
Waves Mercury Bundle
Waves SSL Collection v1.2
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 3
WinRAR archiver
WinZip
WizooVerb W5 VST v1.0
XP Codec Pack

Edited by lambchopmusic, 02 January 2009 - 03:11 PM.

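The log above is the kind of thing a malware helper reads by section prefix: O2 entries are browser helper objects, O4 entries are Run/RunOnce autostarts, O20 is AppInit_DLLs, R3 is the URL search hook. The following is an added example, not part of the original post and not code from HijackThis, Spybot or Malwarebytes: a small Python triage pass that parses lines in this format and pulls out the entries a helper would look at first. The sample lines are copied from the log posted above; the `watch_paths` default and the finding reasons are assumptions made for the example.

```python
"""Triage of HijackThis-style log lines (added example, not a tool from the thread)."""
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {EAD9E7C9-E10D-4839-91D0-795040FB998F} - C:\WINDOWS\system32\fccabcBu.dll (file missing)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\RunOnce: [SpybotDeletingA7724] command /c del "c:\resycled\boot.com"
O4 - HKCU\..\RunOnce: [SpybotDeletingD772] cmd /c del "c:\resycled\boot.com"
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

# Every HijackThis entry starts with a section code such as R0, O2, O23 followed by " - ".
HJT_LINE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")

# O2 body layout: "BHO: <name> - {CLSID} - <dll path>" with an optional "(file missing)" suffix.
BHO_BODY = re.compile(
    r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*?)(?P<missing> \(file missing\))?$"
)


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_hjt(text):
    """Return a list of (section, body, raw_line) for every line that looks like an HJT entry."""
    entries = []
    for raw in text.splitlines():
        raw = raw.strip()
        m = HJT_LINE.match(raw)
        if m:
            entries.append((m.group("sec"), m.group("body"), raw))
    return entries


def parse_bho(body):
    """Split an O2 body into name, CLSID, DLL path and whether HJT reported the DLL missing."""
    m = BHO_BODY.match(body)
    if not m:
        return None
    return {
        "name": m.group("name"),
        "clsid": m.group("clsid"),
        "path": m.group("path"),
        "missing": m.group("missing") is not None,
    }


def triage(text, watch_paths=(r"\resycled\boot.com",)):
    """Flag the entries a helper would examine first; watch_paths is an assumed default for this example."""
    findings = []
    for sec, body, raw in parse_hjt(text):
        lower = body.lower()
        if sec == "O2":
            bho = parse_bho(body)
            if bho and bho["missing"]:
                # A BHO whose DLL is gone is usually a leftover registration from a cleanup;
                # the orphaned CLSID is still worth removing.
                findings.append(Finding(sec, "BHO registered but DLL missing: " + bho["path"], raw))
        elif sec == "O4":
            for p in watch_paths:
                if p.lower() in lower:
                    findings.append(Finding(sec, "autostart entry references watched path " + p, raw))
        elif sec == "O20":
            # AppInit_DLLs are loaded into every process that links user32.dll; confirm the publisher.
            findings.append(Finding(sec, "AppInit_DLLs entry present; verify publisher", raw))
        elif sec == "R3" and "missing" in lower:
            findings.append(Finding(sec, "default URLSearchHook is missing", raw))
    return findings


def summarize(findings):
    """Count findings per section so a reader sees at a glance where the work is."""
    counts = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run as-is it reports the missing fccabcBu.dll BHO, the two RunOnce deletions aimed at c:\resycled\boot.com, the AppInit_DLLs entry and the missing URLSearchHook, leaving the signed AVG and Adobe entries alone; pointing it at a saved hijackthis.log is a matter of reading the file into `triage` instead of `SAMPLE_LOG`.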
#2 lambchopmusic (Topic Starter, 2 posts)
Is there a reason why no one has responded to my post?

#3 Octagonal (Member 2k, 2,528 posts)
While we try to help everyone as quickly as possible, our malware team is vastly outnumbered by people needing help. Some of our experts work from the older topics towards the newer ones and some take on newer topics rather than older ones. We encourage the former practice, but that's not always practical.

Some of the helpers are more comfortable with certain infections and seek them out...still other helpers will look for the tougher infections to take on. This may explain, at least partially, the seemingly random nature of how topics are selected. We DO try to get to everyone in a timely manner, but as you've seen, the Malware Forum presents a pretty formidable workload for the number of staff members we have.

If your topic goes more than three days without a reply, post a link to your topic in The Waiting Room and a staff member will pick it up as soon as they can.