Can't remove Vundo? Help??
vanishedsoul (Newbie, Posts: 6)
Can't remove Vundo? Help??
« on: Dec 5th, 2007, 6:20am »

Hi,
 
I somehow got Vundo on my system and now it just won't let go. I have tried the following things and nothing has helped so far:
 

  • formatted my C: drive (installed fresh WinXP)
  • TrojanHunter
  • Spybot
  • Kaspersky Anti-Virus
  • KillBox (tried to delete the specific file)
  • VirtumundoBeGone
  • VundoFix
  • Norton's removal tool for Vundo

 
A few minutes ago, I scanned my C: drive again with TrojanHunter and found new ones. Here they are:
 
Generic.Vundo.A
Generic.Vundo.B
Obfuscated.324
 
These are the infected files according to TrojanHunter:
 
--Found trojan file: C:\Documents and Settings\Gangsta\Local Settings\Temp\fiwcoeqd.exe (Obfuscated.324)
--Found trojan file: C:\Documents and Settings\Gangsta\Local Settings\Temp\yvhgxgnv.exe (Obfuscated.324)
--Found trojan file: C:\WINDOWS\system32\cymxamvm.dll (Generic.Vundo.A)
--Found trojan file: C:\WINDOWS\system32\eabgioqm.dll (Generic.Vundo.B)
--Found trojan file: C:\WINDOWS\system32\gebcd.dll (Generic.Vundo.B)
 
It was able to quarantine fiwcoeqd.exe, yvhgxgnv.exe and cymxamvm.dll but failed to quarantine eabgioqm.dll and gebcd.dll. (I have never been able to delete gebcd.dll from the system through KillBox; it's constantly there.)
 
Spybot says that I have these three entries in my registry:
 
Virtumonde: [SBI $42352499] User settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1220945662-1078081533-725345543-1003\Software\Microsoft\rdfa
 
Virtumonde: [SBI $47E741CD] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws
 
Virtumonde: [SBI $7342F9D9] Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1220945662-1078081533-725345543-1003\Software\Microsoft\aldd
 
Here is a fresh HijackThis log:
 
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:15:51 PM, on 12/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Special Softwares\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Special Softwares\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Drivers\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\Special Softwares\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Net Softwares\Mozilla Firefox\firefox.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Special Softwares\HijackThis.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Special Softwares\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Drivers\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [98b4d72d] rundll32.exe "C:\WINDOWS\system32\eabgioqm.dll",b
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Special Softwares\Stardock\ObjectDock\ObjectDock.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\SPECIA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Special Softwares\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\SPECIA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPECIA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPECIA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{38E53A87-4A2C-461A-8B2C-696E894AA77B} : NameServer = 202.154.254.3 202.154.235.35
O17 - HKLM\System\CS1\Services\Tcpip\..\{38E53A87-4A2C-461A-8B2C-696E894AA77B} : NameServer = 202.154.254.3 202.154.235.35
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Special Softwares\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe
 
--
End of file - 3326 bytes
 
 
Please help, even a simple "hello" will be appreciated... thanks in advance.
siliconman01 (Global Moderator, Posts: 5462)
Trojans! Chew 'em Up, Spit 'em Out...
Re: Can't remove Vundo? Help??
« Reply #1 on: Dec 5th, 2007, 6:50am »

Welcome to the forum, vanishedsoul.
 
It sounds like you have been pulling your hair out trying to kill this critter.  Let's see what we can do.  It may take a few trials.
 
I have three quick questions.  These are to just let me know what the playing field is before we start.
 
1.  Are you a licensed user of Kaspersky?  If so, is there any reason you have not updated to V7.0 which is a free upgrade for licensed users?  It is a more powerful engine.
 
2.  Are you running the Trial version of TrojanHunter?  And did you download the latest rulesets for detection?
 
3.  Did you scan with TrojanHunter while in SAFE MODE?
 
« Last Edit: Dec 5th, 2007, 6:52am by siliconman01 »

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
vanishedsoul (Newbie, Posts: 6)
Re: Can't remove Vundo? Help??
« Reply #2 on: Dec 5th, 2007, 12:30pm »

Hey, thanks for replying; at least someone replied, unlike on other forums.
 
OK, about Kaspersky: no, I'm not a registered user. I'm using the trial version because of this trojan. I have shifted from Avast because it was not even detecting the trojan, and the same thing is happening with Kaspersky.
 
And about scanning the system in safe mode with TrojanHunter, I just did it and found these two:
 
Found trojan file: C:\Program Files\Special Softwares\TrojanHunter 5.0\Quarantine\hZEtgcX2.dat (Generic.Vundo.B)
 
Found trojan file: C:\WINDOWS\system32\gebcd.dll (Generic.Vundo.B)
 
Then the cleaning process yielded this:
 
Quarantined file C:\Program Files\Special Softwares\TrojanHunter 5.0\Quarantine\hZEtgcX2.dat
Unable to quarantine file C:\WINDOWS\system32\gebcd.dll: Scheduling file to be quarantined when computer is restarted
Trojan cleaning finished
 
 
After booting my system in normal mode, I got this error message on startup (this is the first time I got this message):
 
"Error loading c:\windows\system32\eabgioqm.dll
The specified module could not be found."
 
I rescanned my C: drive with TrojanHunter and again that ****** is still there:
 
Found trojan file: C:\WINDOWS\system32\gebcd.dll (Generic.Vundo.B)
 
 
Here is a fresh HJT log, in case you need it:
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:27:00 PM, on 12/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Special Softwares\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Special Softwares\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Drivers\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\Special Softwares\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Net Softwares\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Special Softwares\HijackThis.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Special Softwares\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Drivers\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [98b4d72d] rundll32.exe "C:\WINDOWS\system32\wexxiqji.dll",b
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Special Softwares\Stardock\ObjectDock\ObjectDock.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\SPECIA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Special Softwares\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\SPECIA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPECIA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPECIA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{38E53A87-4A2C-461A-8B2C-696E894AA77B} : NameServer = 202.154.254.3 202.154.235.35
O17 - HKLM\System\CS1\Services\Tcpip\..\{38E53A87-4A2C-461A-8B2C-696E894AA77B} : NameServer = 202.154.254.3 202.154.235.35
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Special Softwares\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe
 
--
End of file - 3380 bytes
 
siliconman01 (Global Moderator, Posts: 5462)
Re: Can't remove Vundo? Help??
« Reply #3 on: Dec 5th, 2007, 1:02pm »

Okay,
 
Would you please do the following:
 
Make all your files and folders visible
 
-  The link below describes how to do this
 
http://www.misec.net/forum/board/FAQ/1139610900
 
Submit the following file to Mischel Internet Security
 
wexxiqji.dll
 
-  The file is in your C:\Windows\System32 folder.
 
-  The link below defines how to submit a file
 
http://www.misec.net/forum/board/FAQ/1139308293
 
Download ComboFix.exe
 
-  Save it on your desktop.  Do not execute it just yet.
 
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
 
Now do the following:
 
1.  Run another Hijackthis scan
 
2.  When the scan is completed, place a check mark in the box next to the following items.  Be sure these are the only items checked.
 

O1 - Hosts: 66.98.148.65 auto.search.msn.com
 
O1 - Hosts: 66.98.148.65 auto.search.msn.es
 
O4 - HKLM\..\Run: [98b4d72d] rundll32.exe "C:\WINDOWS\system32\wexxiqji.dll",b

 
3.  Click on Fix Checked in the lower left of the HJT window.  Confirm that you want HJT to fix these items and let it fix them.
 
4.  Once the fixes are finished, close the HJT window.
 
5.  Double click combofix.exe on your desktop & follow the prompts.  
 
6.  When finished, it will produce a log for you. Post that log in your next reply  
 
Note:  
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

 
7.  Post a new Hijackthis log too.
vanishedsoul (Newbie, Posts: 6)
Re: Can't remove Vundo? Help??
« Reply #4 on: Dec 5th, 2007, 1:40pm »

I just scanned the system with ComboFix... at the end of the scan, when it was going to restart, I got a BSOD for some rdbss.sys. Then I manually restarted the system and after logging in I found a new zip file on the system, "catchme.zip", containing that nasty file "gebcd.dll". Can you kindly tell me where ComboFix saves the log, because I can't get it?
 
Here is the HijackThis log:
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:39, on 2007-12-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Special Softwares\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Special Softwares\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Drivers\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\Special Softwares\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Net Softwares\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Special Softwares\HijackThis.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Special Softwares\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1B7A624D-8F65-417A-85AD-99D727265719} - C:\WINDOWS\system32\gebcd.dll (file missing)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Audio & Video Softwares\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPECIA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Special Softwares\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Drivers\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Special Softwares\Stardock\ObjectDock\ObjectDock.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\SPECIA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Special Softwares\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\SPECIA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPECIA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPECIA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{38E53A87-4A2C-461A-8B2C-696E894AA77B} : NameServer = 202.154.254.3 202.154.235.35
O17 - HKLM\System\CS1\Services\Tcpip\..\{38E53A87-4A2C-461A-8B2C-696E894AA77B} : NameServer = 202.154.254.3 202.154.235.35
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Special Softwares\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe
 
--
End of file - 3869 bytes
vanishedsoul (Newbie, Posts: 6)
Re: Can't remove Vundo? Help??
« Reply #5 on: Dec 5th, 2007, 1:44pm »

Just uploaded the "wexxiqji.dll", anything special about it?
siliconman01 (Global Moderator, Posts: 5462)
Re: Can't remove Vundo? Help??
« Reply #6 on: Dec 5th, 2007, 1:56pm »

I think the combofix log is stored in your root directory C:.  
 
Quote:
Just uploaded the "wexxiqji.dll", anything special about it?
 
 
I'm confident this DLL is an infection that TH needs to detect.  Your submittal will permit Gavin/Magnus to incorporate the proper rules for detection/removal.  
« Last Edit: Dec 5th, 2007, 2:07pm by siliconman01 »
siliconman01 (Global Moderator, Posts: 5462)
Re: Can't remove Vundo? Help??
« Reply #7 on: Dec 5th, 2007, 2:01pm »

Your HJT log looks like ComboFix did some good work.  Please do this:
 
1.  Run another HJT scan.
 
2.  When the scan is completed, place a check mark in the box next to the item below.
 

O2 - BHO: (no name) - {1B7A624D-8F65-417A-85AD-99D727265719} - C:\WINDOWS\system32\gebcd.dll (file missing)

 
3.  Click on Fix Checked and let HJT fix this item.
 
4.  Close HJT.
 
How is your system running now?
 
I assume these two IP addresses are your ISP, correct?
 
202.154.254.3
 202.154.235.35
« Last Edit: Dec 5th, 2007, 2:04pm by siliconman01 »
vanishedsoul (Newbie, Posts: 6)
Re: Can't remove Vundo? Help??
« Reply #8 on: Dec 5th, 2007, 2:01pm »

ComboFix.txt just has this... something went wrong, or was that all you wanted?
 
 
ComboFix 07-12-02.6 - Gangsta 2007-12-06  0:31:25.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.691 [GMT 5:00]
Running from: C:\Documents and Settings\Gangsta\Desktop\ComboFix.exe
.
siliconman01 (Global Moderator, Posts: 5462)
Re: Can't remove Vundo? Help??
« Reply #9 on: Dec 5th, 2007, 2:05pm »

I think you are all cleaned up now, so the combo log is not important at this point.  
 
You read my two posts just above your last one, correct?
« Last Edit: Dec 5th, 2007, 2:06pm by siliconman01 »
vanishedsoul (Newbie, Posts: 6)
Re: Can't remove Vundo? Help??
« Reply #10 on: Dec 5th, 2007, 2:23pm »

Yeah, those are my ISP's and my IPs. Thanks a lot brother, you did it.
 
OK, now should I delete "catchme.zip" containing the "gebcd.dll"??
 
And also can you explain to me a little what happened during all this process??
 
O1 - Hosts: 66.98.148.65 auto.search.msn.com
 
O1 - Hosts: 66.98.148.65 auto.search.msn.es  
 
A quick Google search revealed that these are some kind of trojan dialers. And what is the function of ComboFix.exe?? After executing it, it solved a problem with Internet Explorer: it used to hang when I tried to make an attachment at hotmail.com. Now, after the scan, it works fine??
 
Can you give me some kind of resources or links or any site so that I can analyze my HijackThis log myself and take measures against the trojans?
 
That's all I think; it's really very nice of you. I have posted on some other forums too but no one even bothered to reply there. Thanks a lot again.
 
Here is the HijackThis log after fixing the key:
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:13, on 2007-12-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Special Softwares\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Special Softwares\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Drivers\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\Special Softwares\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Net Softwares\Mozilla Firefox\firefox.exe
C:\Program Files\Special Softwares\HijackThis.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Special Softwares\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Audio & Video Softwares\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPECIA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Special Softwares\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Drivers\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Special Softwares\Stardock\ObjectDock\ObjectDock.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\SPECIA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Special Softwares\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\SPECIA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPECIA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPECIA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{38E53A87-4A2C-461A-8B2C-696E894AA77B} : NameServer = 202.154.254.3 202.154.235.35
O17 - HKLM\System\CS1\Services\Tcpip\..\{38E53A87-4A2C-461A-8B2C-696E894AA77B} : NameServer = 202.154.254.3 202.154.235.35
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Special Softwares\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe
 
--
End of file - 3760 bytes
 
 
siliconman01 (Global Moderator, Posts: 5462)
Re: Can't remove Vundo? Help??
« Reply #11 on: Dec 5th, 2007, 2:56pm »

You are most welcome.
 
Quote:
OK, now should I delete "catchme.zip" containing the "gebcd.dll"??

 
If this zip file contains the actual gebcd.dll file, would you please submit it to Mischel Internet Security for analysis and for the creation of removal rules.  Just change the name from catchme.zip to gebcd.zip before you send it in.  It is okay to delete "catchme.zip/gebcd.zip" from your system.  
 
Quote:
O1 - Hosts: 66.98.148.65 auto.search.msn.com  
   
O1 - Hosts: 66.98.148.65 auto.search.msn.es  

 
One of the infections placed these into your HOSTS file at C:\Windows\System32\drivers\etc.  They are a malicious redirection invoked through the HOSTS file to your browser.  The HOSTS file is explained more at the bottom of the info at this link.  You should check your HOSTS file and make sure it is not further contaminated.  Keep in mind that Spybot does load info/data into this file.  
 
http://www.misec.net/forum/board/FAQ/1193817965
 
Quote:
And what is the function of ComboFix.exe??

 
-  Combofix is a general tool that helps the user clean up hard to remove infections.  
-  It is able to remove some common infections and helps a user detect files that general scanners cannot find.
-  It also lists registry keys such as the key keys, the desktop keys, and other areas where malware hide.
-  The tool has some rootkit detectors too, allowing a user to see if a rootkit is present on the PC.
 
HOWEVER, there is very little info published about what all Combofix does and how it does it.  The developers do not want to expose everything the tool is capable of to the cyber criminals.  
 
Quote:
Can you give me some kind of resources or links or any site so that I can analyze my HijackThis log myself and take measures against the trojans?

 
One resource is at www.hijackthis.de.  HOWEVER, it is hazardous to take action via this analyzer unless you have some experience under your belt.  I've done lots and lots of these so I know pretty well what to watch out for and what actions to take.  
 
Your last HJT log looks very good.
 
BTW, Kaspersky Internet Security V7.0 is a very good security item to have on your system...fully licensed and updated for your protection.