#7
07-05-2009, 06:59 PM
jada21
Re: Please help me! I can't remove Trojan.Vundo from my PC!

Hiya

Here is my ComboFix log:

ComboFix 09-05-07.01 - Compaq_Owner 07/05/2009 18:49.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.511.253 [GMT 1:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Compaq_Owner\protect.dll
c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\ChkDisk.dll
c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\ChkDisk.lnk
c:\documents and settings\LocalService\protect.dll
c:\windows\system32\autochk.dll
c:\windows\system32\config\systemprofile\protect.dll
c:\windows\system32\drivers\eaeb240e.sys
c:\windows\system32\drivers\ovfsthrkuwyjygstseimwisjapvaisbefmnuib.sys
c:\windows\system32\ovfsthcupwdoaethebkkjceklnrylntnukoeem.dll
c:\windows\system32\ovfstherbqxlonxlvunuexbmfrqjhvribbgiqe.dat
c:\windows\system32\ovfsthfaotppljcxaljxnouspujiomrxjlcydq.dll
c:\windows\system32\ovfsthqljggaxxjufgvehblyrjijgkxdpyamkd.dat
c:\windows\system32\ovfsthtjqyfjyvblrnspryfxuiylskqsugfott.dll
c:\windows\system32\p2hhr.bat
c:\windows\system32\uniq.tll
c:\windows\system32\win32hlp.cnf
c:\windows\Tasks\At1.job
D:\Autorun.inf
c:\windows\system32\fdwbplx.dll . . . . failed to delete
c:\windows\system32\mjpcdiez.dll . . . . failed to delete

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\system32\init32.exe


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ovfsthltohghntycaxjejqrpqvonmiccnkferd
-------\Legacy_mciobqyw
-------\Service_eaeb240e
-------\Service_mciobqyw


((((((((((((((((((((((((( Files Created from 2009-04-07 to 2009-05-07 )))))))))))))))))))))))))))))))
.

2009-05-07 17:29 . 2009-05-07 17:29 -------- d-----w c:\documents and settings\Compaq_Owner\Application Data\zatdzknq
2009-05-07 17:29 . 2009-05-07 17:29 -------- d-----w c:\documents and settings\Compaq_Owner\Local Settings\Application Data\zatdzknq
2009-05-07 17:18 . 2009-05-07 17:18 -------- d-----w c:\documents and settings\NetworkService\Application Data\zatdzknq
2009-05-07 17:18 . 2009-05-07 17:18 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\zatdzknq
2009-05-06 22:22 . 2009-05-07 17:29 27648 ----a-w c:\windows\system32\lmn_setup.exe
2009-05-01 17:43 . 2009-04-06 14:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-01 17:43 . 2009-04-06 14:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-29 22:46 . 2009-04-29 22:46 -------- d-----w c:\documents and settings\Compaq_Owner\Application Data\Malwarebytes
2009-04-29 22:43 . 2009-04-29 22:43 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-29 22:43 . 2009-05-01 17:43 -------- d-----w c:\program files\Malwarebytes' Anti-Malware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-07 17:50 . 2004-08-04 12:00 143872 ----a-w c:\windows\system32\mjpcdiez.dll
2009-05-07 17:50 . 2004-08-04 12:00 104960 ----a-w c:\windows\system32\qemmpqy.dll
2009-03-06 14:44 . 2004-08-04 12:00 283648 ----a-w c:\windows\system32\pdh.dll
2009-03-02 22:54 . 2004-08-04 12:00 28624 ----a-w c:\windows\system32\drivers\secdrv.sys
2009-03-02 22:54 . 2009-03-02 22:54 536 ----a-w c:\windows\eReg.dat
2009-02-22 21:18 . 2009-02-22 21:11 256 ----a-w c:\windows\system32\pool.bin
2009-02-20 08:30 . 2004-08-04 12:00 81920 ----a-w c:\windows\system32\ieencode.dll
2009-02-20 08:30 . 2004-08-04 12:00 659456 ----a-w c:\windows\system32\wininet.dll
2009-02-09 15:27 . 2009-02-09 15:27 61480 ----a-w c:\documents and settings\Compaq_Owner\GoToAssistDownloadHelper.exe
2009-02-09 15:27 . 2009-02-09 15:27 664 ----a-w c:\windows\system32\d3d9caps.dat
2009-02-09 10:20 . 2004-08-04 12:00 399360 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:20 . 2004-08-04 11:00 723456 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:20 . 2004-08-04 18:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 10:20 . 2004-08-04 12:00 616960 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:19 . 2004-08-04 12:00 1846272 ----a-w c:\windows\system32\win32k.sys
2009-02-07 02:27 . 2008-12-29 11:28 0 ----a-w c:\documents and settings\Family Computer\Local Settings\Application Data\prvlcl.dat
2008-09-21 20:31 . 2008-09-21 20:31 389203 ----a-w c:\program files\CE.dll
2008-09-21 20:31 . 2008-09-21 20:31 144656 ----a-w c:\program files\WebLink.dll
2008-09-21 20:31 . 2008-09-21 20:31 1103120 ----a-w c:\program files\Synchronize.dll
2008-08-08 21:14 . 2008-08-08 21:14 66371 ----a-w c:\program files\BlackBerry_Desktop_Software_Help.chm
2008-08-08 21:14 . 2008-08-08 21:14 5319 ----a-w c:\program files\readme.txt
2008-05-15 18:05 . 2008-05-15 18:05 59904 ----a-w c:\program files\zlib1.dll
2008-05-15 18:05 . 2008-05-15 18:05 172032 ----a-w c:\program files\mimepp_core.dll
2008-05-15 18:05 . 2008-05-15 18:05 4456 ----a-w c:\program files\configurationupgrade.xml
2008-05-15 18:05 . 2008-05-15 18:05 4300 ----a-w c:\program files\conn_install.cfg
2008-05-15 18:05 . 2008-05-15 18:05 2256896 ----a-w c:\program files\ilsync.dll
2008-05-15 18:05 . 2008-05-15 18:05 1483 ----a-w c:\program files\configurationupgrade.dtd
2008-05-15 18:05 . 2008-05-15 18:05 10424 ----a-w c:\program files\System.dtd
2008-05-15 18:05 . 2008-05-15 18:05 26694 ----a-r c:\program files\blackberry.ico
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0f77c8e5-9230-4631-b63e-a343cb858e06}]
2009-05-07 17:50 143872 ----a-w c:\windows\system32\mjpcdiez.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15aebf3b-abd5-4570-bf88-4e8f30997a10}]
2004-08-04 12:00 104960 ------w c:\windows\system32\fdwbplx.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-26 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-02-24 5537792]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-01 17:27 10520 ----a-w c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R0 wywjlmtq;wywjlmtq;c:\windows\system32\drivers\wywjlmtq.sys [04/08/2004 13:00 23424]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [03/10/2008 15:21 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [03/10/2008 15:21 107272]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [03/10/2008 15:21 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [03/10/2008 15:21 298264]
S2 Aniptjoiz;Aniptjoiz;c:\windows\System32\svchost.exe -k netsvcs [04/08/2004 13:00 14336]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Aniptjoiz
.
Contents of the 'Scheduled Tasks' folder

2009-05-04 c:\windows\Tasks\At2.job
- c:\windows\system32\fdwbplx.dll [2004-08-04 12:00]
.
- - - - ORPHANS REMOVED - - - -

BHO-{c2ba40a1-74f3-42bd-f434-12345a2c8953} - c:\windows\system32\afnoinkdsfe.dll
HKLM-Run-6362 - C:\kggi.exe
HKU-Default-Run-autochk - c:\docume~1\LOCALS~1\protect.dll
SharedTaskScheduler-{C2BA40A1-74F3-42BD-F434-12345A2C8953} - c:\windows\system32\afnoinkdsfe.dll


.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q105&bd=presario&pf=desktop
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=Q105&bd=presario&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q105&bd=presario&pf=desktop
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: skills-arena.co.uk\www
Trusted Zone: skills-arena.com\www
Trusted Zone: skillsarena.co.uk\www
Trusted Zone: skillsarena.com\www
FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\c6x4hwuf.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np32asw.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-07 18:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3832)
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2009-05-07 18:54 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-07 17:54

Pre-Run: 120,548,450,304 bytes free
Post-Run: 120,483,721,216 bytes free

192 --- E O F --- 2009-04-16 23:19

Thxs!
Jx