
Trojan VUNDO; HJT Log Attached

Registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8f17a5d5-55a3-4f3c-b19f-2d70cd5ab1cf}" deleted successfully.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help.

That may cause it to stall.

Hi there, I think I've finally just managed to remove the Vundo infection.

I am MoNsTeReNeRgY22 and I will be assisting you with your malware problem today. When the tool is finished, it will produce a report for you.

Here is the HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 11:55, on 2007-05-28
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe

Jan 10, 2008 #6 tredders TS Rookie Topic Starter
I've followed the instructions above, but I'm now getting reboots of Windows XP, with a popup saying "lsass.exe Object Name not Found". However, when I try to end the Print Spooler Service, HJT tells me it's not found ("Service 'Print Spooler Service' was not found in the Registry.").

badluckmonday Posts: 37 Joined: Mon Mar 02, 2009 9:41 am Top
by badluckmonday » Tue Mar 03, 2009 4:44 am
Script file read successfully.

  • Post each log in separate post.
  • HJT Log - Trojan Vundo?
  • C:\WINDOWS\system32\txnjme.exe C:\WINDOWS\system32\gebcd.dll Reboot into normal mode and rehide your protected OS files.
  • This will create a VundoFix folder on your desktop.
  • Now, I've booted in safe mode and run the Symantec Vundo removal tool, but it reports that the virus isn't present.
  • Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT" O4 - HKLM\..\Run: [Advanced

Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 -

Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
Note: Do not mouseclick combofix's window while it's running.

The suspicious files it picked up from the system32 folder were actually removed by vundofixer or whatever it is called. Mark.

(Moderator edit: Posts merged.)

I fixed the problems found with MB but I'm positive there are some leftovers. The fix will tell you to shutdown using the Power button. Local Service Temporary Internet Files folder emptied. Thanks Mark.

Thanks, Muzik
muzikmonkee, Jun 12, 2007 #14

Cheeseball81 Moderator Joined: Mar 3, 2004 Messages: 84,310
Please try it in Safe Mode
Cheeseball81, Jun 13, 2007 #15

So I downloaded it on a clean PC, saved the file onto a flash drive and then saved it to the infected PC.

Quads mo Norton Fighter25 Reg: 18-Aug-2008 Posts: 1,772 Solutions: 3 Kudos: 234 Kudos0 Re: Help with Vundo Trojan Posted: 02-Feb-2010 | 5:22PM • Permalink
I trust Quads and have watched him The scan found over 200 affected registry files but could not delete these.

C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.

In the Processes group click ALL
In the Win32 Services group click ALL
In the Driver Services group click ALL
In the Registry group click ALL
In the Files Created Within

Post the vundofix.txt file from the vundofix folder into as well.


Make a fresh RSIT log. File delete failed. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review. Note: Do not mouseclick combofix's window while it's running.

It looks as though the machine is finally clear of the damned virus!

I did some research and eventually used SUPERAntiSpyware which quite a bit of Vundo files.

Please download The Avenger by Swandog46 to your Desktop.

Quads 800midori19 Contributor4 Reg: 01-Feb-2010 Posts: 13 Solutions: 0 Kudos: 0 Kudos0 Re: Help with Vundo Trojan Posted: 02-Feb-2010 | 1:14PM • Permalink
Hi Quads, I am running HijackThis as you

Please give me some time to analyze your log, and I will post back with instructions ASAP.

Attempting to delete C:\WINDOWS\system32\ycbeg.ini2
C:\WINDOWS\system32\ycbeg.ini2 Has been deleted!

O4 - HKCU\..\Run: [adobemgr] C:\WINDOWS\system32\adobemgr.exe

Reboot and post another Hijack This log please.

Attached Files: WinPFind3.Txt File size: 163.8 KB Views: 13 muzikmonkee, Jun 10, 2007 #12 Cheeseball81 Moderator Joined: Mar 3, 2004 Messages: 84,310 Open the WinPFind3u folder and double-click on WinPFind3U.exe to

This is a discussion on HJT Log - Trojan Vundo? Malware is scanning on the infected machine now and has so far found 21 infected objects. C:\Documents and Settings\User1\Local Settings\Application Data\Mozilla\Firefox\Profiles\84sf4f64.default\Cache\_CACHE_002_ scheduled to be deleted on reboot. EDIT AGAIN: Looks good - no pop-ups anymore, and the dreaded gebcd.dll has gone.

Then clean install the New Version so that there will be no conflicting. So I downloaded it on a clean PC, saved the file onto a flash drive and then saved it to the infected PC. Mark.

That may cause it to stall.

#4 Tredders Tredders Topic Starter Members 2 posts OFFLINE Local time:05:40 AM Posted 12 January 2008 - 10:16 AM
Hello Tredders, Please

C:\Documents and Settings\User1\Local Settings\Application Data\Mozilla\Firefox\Profiles\84sf4f64.default\XUL.mfl moved successfully.

Although the rootkit has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again.

Run OTMoveIt3, copy, then paste the following text in the "Paste Instructions for Items to be Moved" window (under the yellow bar):

Code:
:Processes
explorer.exe

:reg
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,00,00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

After the restart, it creates a log file that should open with the results of Avenger's actions.

patrik Site Admin Posts: 9290 Joined: Sun Jan 08, 2006 1:11 pm Top
by badluckmonday » Tue Mar 03, 2009 4:44 am
========== COMMANDS ==========
File delete failed.

O18 - Protocol: bt2 - {1730B77B-F429-498F-9B15-4514D83C8294} - (no file)
O18 - Filter: application/x-bt2 - {6E1DDCE8-76BC-4390-9488-806E8FB1AD77} - (no file)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. -

C:\WINDOWS\system32\UACvmllkokm.dat (Trojan.Agent) -> Quarantined and deleted successfully.

I did a full system scan using Norton Internet Security full in Safe Mode.
