Oct 13th, 2008, 11:42am
Mischel Internet Security Forum
Malware
Trojans
(Moderators: Helena, Gavin_Coe, Magnus)
Topic: agent.100; generic.vundo.b; klone.100  (Read 1616 times)
ponchielee
Newbie
Posts: 10
agent.100; generic.vundo.b; klone.100
« on: Feb 20th, 2008, 7:45pm »

Got some stuff, here, that I don't know what to do with.  Was getting a pop-up, saying that Windows found spyware, & to "click here" to fix the problem.  "Click here" directed me to a 3rd-party site, which I did not download.
 
Ran spybot, ad-aware, CA EZ antivirus, HJT, and housecall.  They fixed things, but the problem came back.  Housecall said that 2 files were infected--system32\drvbum.dll & system32\winzd32.dll.  I deleted drvbum in safemode, but it would not let me delete winzd32.  This stopped the "Windows found spyware" message, but now when I re-boot I get an error at startup:
Error loading C:\WINDOWS\system32\drvbum.dll  The specified module could not be found
This does not seem to affect the computer's performance, but thought I would ask anyway.
 
Ran TJH & it came up with agent.100, generic.vundo.b, & klone.100.  It fixes them, but when I re-boot, CA EZ antivirus tells me that the following are infected:
C:\WINDOWS\TEMP\winC1.tmp  Win32/SillyDl.DVK
C:\WINDOWS\TEMP\winC1.exe  Win32/SillyDl.DVK
C:\WINDOWS\TEMP\win1B4.tmp  Win32/PidinBot.A
C:\WINDOWS\TEMP\win1B4.exe  Win32/PidinBot.A
C:\WINDOWS\TEMP\gos1BC.tmp  Win32/Crushpy.P
 
Can anyone help me???
 
Thank you!
siliconman01
Global Moderator
Trojans! Chew 'em Up, Spit 'em Out...
Gender: male
Posts: 5671
Re: agent.100; generic.vundo.b; klone.100
« Reply #1 on: Feb 20th, 2008, 11:59pm »

Welcome to the forum ponchielee ;)
 
Please do the following.
 
1.  Download and install Hijackthis.exe.  The link below describes how to do this installation.  Do not run HJT at this point.
 
http://www.misec.net/forum/board/FAQ/1163329424
 
2.  Go to the link below and download Combofix.exe and save it on your desktop.
 
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
 
3.  Disable all of your security programs except your software firewall.  Close your browser too.
 
4.  Doubleclick combofix.exe on your desktop and follow the prompts.
 
-  Note - Your internet connection will be terminated while ComboFix runs. Do Not attempt to re-enable it. Should ComboFix terminate prematurely, restart the computer to restore connectivity.
 
-  Don't use your mouse or keyboard while the fix is running, because that will cause your system to hang.
 
-  When finished and after reboot (in case it rebooted), combofix will open again to gather the necessary information for the log. This may take a bit.  
 
-  When done, Combofix will close and a log should open, combofix.txt.
 
5.  Post the contents of this Combofix log back here on the forum.
 
6.  Run Hijackthis and post its scan log back here on the forum.
 
 
 

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
ponchielee
Newbie
Posts: 10
Re: agent.100; generic.vundo.b; klone.100
« Reply #2 on: Feb 21st, 2008, 3:55am »

Hi, Siliconman.  Thank you for your help!
 
I was unable to run ComboFix, per your instructions:
ComboFix.exe is not a valid Win32 application
 
I tried just running it from the site, too:
Temporary Internet Files\Content.IE5\T3DIKKBL\ComboFix[1].exe is not a valid Win32 application
 
I went ahead and ran the HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:45:16 AM, on 2/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\WINDOWS\MXOALDR.EXE
C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Xerox\WorkCentre C2424\Xc24BgTs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE
C:\Program Files\ACT\ACT for Windows\Act.Outlook.Service.exe
C:\Program Files\TrojanHunter 5.0\THGuard.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\WINDOWS\system32\xnetsrvc.exe
C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\USB Sharing\usbshare.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\E_S00RP1.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Dantz\RETROS~1\retrospect.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\WINDOWS\system32\winupdate.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/root/campaign.asp?cid=16313
F3 - REG:win.ini: run="C:\WINDOWS\system32\winupdate.exe"
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe /h
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Xerox_WorkCenter_C2424] C:\Program Files\Xerox\WorkCentre C2424\Xc24BgTs.exe 1
O4 - HKLM\..\Run: [EPSON Stylus C88 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE /P23 "EPSON Stylus C88 Series" /O6 "USB001" /M "Stylus C88"
O4 - HKLM\..\Run: [Act.Outlook.Service] "C:\Program Files\ACT\ACT for Windows\Act.Outlook.Service.exe"
O4 - HKLM\..\Run: [Act! Preloader] "C:\Program Files\ACT\ACT for Windows\ActSage.exe" -preload
O4 - HKLM\..\Run: [MSDisp32] rundll32.exe C:\WINDOWS\system32\drvbum.dll,startup
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [781b13ea] rundll32.exe "C:\WINDOWS\system32\mofhgcvb.dll",b
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
O4 - Startup: Event Reminder.lnk = C:\pmw\PMREMIND.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: USB Sharing.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP1.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Retrospect Express HD Restore Helper (RetroExp Helper) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
 
--
End of file - 9833 bytes
 
My CA EZ Antivirus has popped up with a new infection:
C:\WINDOWS\System32\vtussrr.dll  Win32/Vundo.OS
 
The problem is getting worse--when I go to my homepage, I get a message about a re-direct.  When I click "no," the homepage comes up, but the re-direct opens as a new window.
 
Thank you!
siliconman01
Global Moderator
Trojans! Chew 'em Up, Spit 'em Out...
Gender: male
Posts: 5671
Re: agent.100; generic.vundo.b; klone.100
« Reply #3 on: Feb 21st, 2008, 4:38am »

Yes, you have some nasty infections on your system.  Please do the following.  (Please print out these instructions so you will have them).
 
1.  Make all your files and folders visible per the instructions in the link below.
 
http://www.misec.net/forum/board/FAQ/1139610900
 
2.  Locate the following files and submit them to Mischel Internet Security for analysis.  The link below defines how to submit files.
 
http://www.misec.net/forum/board/FAQ/1139308293
 
Files to submit (these are all in your C:\Windows\System32 folder):
 

mofhgcvb.dll
drvbum.dll
winupdate.exe

 
3.  Then go to the link below and download VundoFix.exe.  Save it on your desktop.  
 
http://www.atribune.org/ccount/click.php?id=4
 
4.  Close your browser window.
 
5.  Deactivate all your security programs Except your software firewall.  Close down as many programs as you can that are in your lower right Notification Tray (next to the clock in your Task bar).
 
6.  Double click on VundoFix.exe on your desktop to start it.
 
-  When Vundofix re-opens, click the Scan for Vundo button.
 
-  Once it is done scanning, click the Remove Vundo button.
 
-  You will receive a prompt asking if you want to remove the files.  Click Yes
 
-  Once you click Yes, your desktop will go blank as it starts removing Vundo.
 
-  When completed, it will prompt that it will reboot your computer.  Click OK
 
NOTE:  
It is possible that VundoFix encountered a file that it cannot remove.  In this case, VundoFix will run on Reboot.  Simply follow the above instructions starting with "Click the Scan for Vundo button" when VundoFix appears at reboot.
 
7.  Post back here the log from the Vundofix run and also a new Hijackthis log.

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
ponchielee
Newbie
Posts: 10
Re: agent.100; generic.vundo.b; klone.100
« Reply #4 on: Feb 21st, 2008, 10:21am »

I ran the Vundo scan, but did not get a log. :-/
 
Here is the HJT scan:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:11:39 AM, on 2/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\system32\E_S00RP1.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\WINDOWS\MXOALDR.EXE
C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Xerox\WorkCentre C2424\Xc24BgTs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE
C:\Program Files\ACT\ACT for Windows\Act.Outlook.Service.exe
C:\Program Files\TrojanHunter 5.0\THGuard.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\xnetsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\USB Sharing\usbshare.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\PROGRA~1\Dantz\RETROS~1\retrospect.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/root/campaign.asp?cid=16313
F3 - REG:win.ini: run="C:\WINDOWS\system32\winupdate.exe"
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {182C7ED7-E56D-4509-9D9B-AC49318D9895} - C:\WINDOWS\system32\vtussrr.dll (file missing)
O2 - BHO: (no name) - {23B00A69-DD23-483E-8867-E6CBB89C42A0} - C:\WINDOWS\system32\geebc.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: {bbf9cdf7-ebab-7a2a-f634-d97998d71bf8} - {8fb17d89-979d-436f-a2a7-babe7fdc9fbb} - C:\WINDOWS\system32\bfmveffc.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe /h
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Xerox_WorkCenter_C2424] C:\Program Files\Xerox\WorkCentre C2424\Xc24BgTs.exe 1
O4 - HKLM\..\Run: [EPSON Stylus C88 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE /P23 "EPSON Stylus C88 Series" /O6 "USB001" /M "Stylus C88"
O4 - HKLM\..\Run: [Act.Outlook.Service] "C:\Program Files\ACT\ACT for Windows\Act.Outlook.Service.exe"
O4 - HKLM\..\Run: [Act! Preloader] "C:\Program Files\ACT\ACT for Windows\ActSage.exe" -preload
O4 - HKLM\..\Run: [MSDisp32] rundll32.exe C:\WINDOWS\system32\drvbum.dll,startup
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [781b13ea] rundll32.exe "C:\WINDOWS\system32\mofhgcvb.dll",b
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
O4 - Startup: Event Reminder.lnk = C:\pmw\PMREMIND.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: USB Sharing.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP1.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Retrospect Express HD Restore Helper (RetroExp Helper) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
 
--
End of file - 11253 bytes
 
I sent mofhgcvb.dll & winupdate.exe to you (submit@trojanhunter.com).  I tried also sending vtussrr.dll, but it would not let me.  Also, I had deleted drvbum.dll in safemode before I found your site--so, it's gone.
 
Computer seems fine--no messages from CA EZ Antivirus, yet.  When I rebooted, I got 2 error messages:
Error loading C:\WINDOWS\system32\drvbum.dll  The specified module could not be found
Error loading C:\WINDOWS\system32\vtussrr.dll  The specified module could not be found.
 
Am I cured?
 
Thank you!!!!!
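The two HijackThis logs above (Reply #2 and Reply #4) are read by eye in this thread; the patterns the moderator acts on can be written down as a small triage script. The following is an added example written for this page, not a HijackThis, TrojanHunter or forum tool. It flags the same indicators: a `win.ini run=` autostart (the F3 line pointing at winupdate.exe), a DLL loaded through rundll32 at logon under a hex-looking value name (mofhgcvb.dll), nameless BHOs whose file is already missing (vtussrr.dll), and Run entries whose target no longer exists, which is exactly what produces the "Error loading ... The specified module could not be found" message after drvbum.dll was deleted in safe mode. The sample log lines and the set of files assumed to be on disk are constructed to mirror the thread; on a real machine the present-file set would come from `os.path.exists`.

```python
"""Triage helper for HijackThis-style log lines (added example, not a HJT feature)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the thread's logs (a subset, not the full log).
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
F3 - REG:win.ini: run="C:\WINDOWS\system32\winupdate.exe"
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {182C7ED7-E56D-4509-9D9B-AC49318D9895} - C:\WINDOWS\system32\vtussrr.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [MSDisp32] rundll32.exe C:\WINDOWS\system32\drvbum.dll,startup
O4 - HKLM\..\Run: [781b13ea] rundll32.exe "C:\WINDOWS\system32\mofhgcvb.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
"""

# Constructed stand-in for the filesystem: drvbum.dll (deleted in safe mode) and
# vtussrr.dll (removed by the AV) are deliberately absent, as in the thread.
PRESENT_FILES = {
    r"C:\WINDOWS\system32\winupdate.exe",
    r"C:\WINDOWS\system32\mofhgcvb.dll",
    r"C:\WINDOWS\system32\ctfmon.exe",
    r"C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe",
    r"C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
}

RE_F3 = re.compile(r'^F3 - REG:win\.ini: run="?([^"]+)"?', re.I)
RE_O2 = re.compile(r'^O2 - BHO: (.*?) - \{[0-9A-Fa-f-]+\} - (.*)$')
RE_O4 = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$')
RE_PATH = re.compile(r'"?([A-Za-z]:\\[^",]+?\.(?:exe|dll|cpl))"?', re.I)
RE_HEX_NAME = re.compile(r'^[0-9a-f]{6,}$')


@dataclass
class Finding:
    section: str        # HJT section code, e.g. "O4"
    target: str         # file the entry points at (or the raw command)
    reasons: List[str]  # why the entry was flagged


def parse_target(value: str) -> Optional[str]:
    """First absolute .exe/.dll/.cpl path in a Run/BHO value, quotes stripped."""
    m = RE_PATH.search(value)
    return m.group(1) if m else None


def looks_random(path: str) -> bool:
    """Heuristic: an all-letter stem of 6+ chars with under 20% vowels (mofhgcvb, drvbum)."""
    stem = path.rsplit('\\', 1)[-1].rsplit('.', 1)[0].lower()
    if len(stem) < 6 or not stem.isalpha():
        return False
    return sum(c in 'aeiouy' for c in stem) / len(stem) < 0.2


def triage(log_text: str, present_files) -> List[Finding]:
    present = {p.lower() for p in present_files}

    def missing(path: Optional[str]) -> bool:
        # Only absolute paths can be checked; bare names (stsystra.exe) resolve via PATH.
        return bool(path) and bool(re.match(r'^[A-Za-z]:\\', path)) and path.lower() not in present

    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := RE_F3.match(line)):
            target = m.group(1)
            reasons = ["win.ini run= autostart (legacy mechanism, little legitimate use on XP)"]
            if missing(target):
                reasons.append("target file not present")
            findings.append(Finding("F3", target, reasons))
        elif (m := RE_O2.match(line)):
            name, rest = m.groups()
            target = parse_target(rest) or rest
            reasons = []
            if name == "(no name)":
                reasons.append("BHO registered without a display name")
            if "(file missing)" in rest or rest == "(no file)":
                reasons.append("BHO DLL no longer on disk; CLSID registration is stale")
            if looks_random(target):
                reasons.append("DLL name looks machine-generated")
            if reasons:
                findings.append(Finding("O2", target, reasons))
        elif (m := RE_O4.match(line)):
            _hive, value_name, command = m.groups()
            target = parse_target(command)
            reasons = []
            if command.lower().startswith("rundll32"):
                reasons.append("DLL loaded through rundll32 at logon")
                if target and looks_random(target):
                    reasons.append("DLL name looks machine-generated")
            if RE_HEX_NAME.match(value_name.lower()):
                reasons.append("Run value name is a bare hex string")
            if missing(target):
                reasons.append("target file not present; stale entry produces 'Error loading ...' at logon")
            if reasons:
                findings.append(Finding("O4", target or command, reasons))
    return findings


def report(findings: List[Finding]) -> str:
    out = []
    for f in findings:
        out.append(f"[{f.section}] {f.target}")
        out.extend(f"    - {r}" for r in f.reasons)
    return "\n".join(out)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG, PRESENT_FILES)))
```

Run against the constructed sample it reports four entries: the F3 winupdate.exe autostart, the nameless and missing vtussrr.dll BHO, the MSDisp32 entry whose drvbum.dll is gone (the stale entry behind the boot-time error), and the 781b13ea entry loading mofhgcvb.dll through rundll32. Legitimate lines (Java updater, ctfmon, the Acrobat BHO, the CA service) produce nothing, which is the point of triage rather than a raw dump.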
siliconman01
Global Moderator
Trojans! Chew 'em Up, Spit 'em Out...
Gender: male
Posts: 5671
Re: agent.100; generic.vundo.b; klone.100
« Reply #5 on: Feb 21st, 2008, 10:50am »

Okay, thanks for the submissions.  It doesn't look like VundoFix was successful in removing everything that is malicious.  So let's try to brute force kill these critters.
 
1.  Please go to the link below and download and install Killbox.exe
 
http://www.bleepingcomputer.com/files/killbox.php
 
2.  Then go to the link below for a review/explanation of how to use Killbox.
 
http://metallica.geekstogo.com/killboxexplanation.html
 
3.  After you have reviewed what Killbox will do, open Killbox.  It will be in your START>All Programs list.
 
4.  Bullet/select Kill on Reboot
 
5.  Copy the following files exactly as they appear below to your clipboard.  Do this by highlighting them.  Hold down the "ctrl" key on your keyboard and tap the "C" key once.  This will copy them to the clipboard.
 

C:\WINDOWS\system32\mofhgcvb.dll
C:\WINDOWS\system32\winupdate.exe

 
6.  Then click on File in the top menu bar of Killbox and select Paste from Clipboard.  The above two files should now appear in the "Full Path of File to Delete" box.  
 
7.  Press the RED Delete File button on the top right of the Killbox window.  
 
8.  Confirm with YES to allow Killbox to delete the files.
 
9.  Immediately Reboot your computer.
 
10.  Post a new HJT scan log.
 

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
ponchielee
Newbie
Posts: 10
Re: agent.100; generic.vundo.b; klone.100
« Reply #6 on: Feb 21st, 2008, 11:41am »

Here's the log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:34:11 AM, on 2/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\system32\E_S00RP1.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\WINDOWS\MXOALDR.EXE
C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\Xerox\WorkCentre C2424\Xc24BgTs.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE
C:\Program Files\ACT\ACT for Windows\Act.Outlook.Service.exe
C:\Program Files\TrojanHunter 5.0\THGuard.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\xnetsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\USB Sharing\usbshare.exe
C:\WINDOWS\system32\ntvdm.exe
C:\PROGRA~1\Dantz\RETROS~1\retrospect.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/root/campaign.asp?cid=16313
F3 - REG:win.ini: run="C:\WINDOWS\system32\winupdate.exe"
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {182C7ED7-E56D-4509-9D9B-AC49318D9895} - C:\WINDOWS\system32\vtussrr.dll (file missing)
O2 - BHO: (no name) - {23B00A69-DD23-483E-8867-E6CBB89C42A0} - C:\WINDOWS\system32\geebc.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: {bbf9cdf7-ebab-7a2a-f634-d97998d71bf8} - {8fb17d89-979d-436f-a2a7-babe7fdc9fbb} - C:\WINDOWS\system32\bfmveffc.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe /h
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Xerox_WorkCenter_C2424] C:\Program Files\Xerox\WorkCentre C2424\Xc24BgTs.exe 1
O4 - HKLM\..\Run: [EPSON Stylus C88 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE /P23 "EPSON Stylus C88 Series" /O6 "USB001" /M "Stylus C88"
O4 - HKLM\..\Run: [Act.Outlook.Service] "C:\Program Files\ACT\ACT for Windows\Act.Outlook.Service.exe"
O4 - HKLM\..\Run: [Act! Preloader] "C:\Program Files\ACT\ACT for Windows\ActSage.exe" -preload
O4 - HKLM\..\Run: [MSDisp32] rundll32.exe C:\WINDOWS\system32\drvbum.dll,startup
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [781b13ea] rundll32.exe "C:\WINDOWS\system32\mofhgcvb.dll",b
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
O4 - Startup: Event Reminder.lnk = C:\pmw\PMREMIND.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: USB Sharing.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP1.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Retrospect Express HD Restore Helper (RetroExp Helper) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
 
--
End of file - 11156 bytes
 
I was not able to copy & paste mofhgcvb.dll--and, come to think of it, I didn't even try to just enter it manually.
 
2 new errors at startup--in addition to the other 2:
 
Windows cannot find C:\WINDOWS\system32\winupdate.exe
 
and then
 
Could not load or run specified in the registry (winupdate). Make sure file exists or remove reference to it in registry.
 
Thank you--you've been working a long time on this!
siliconman01
Global Moderator
Posts: 5671
Re: agent.100; generic.vundo.b; klone.100
« Reply #7 on: Feb 21st, 2008, 12:00pm »

Okay, now let's do some more cleanup of things in your HJT log.
 
1.  Run another HJT scan.
 
2.  When the scan is completed, place a check mark next to each of the following items.  BE SURE that these are the only items checked.

F3 - REG:win.ini: run="C:\WINDOWS\system32\winupdate.exe"
 
O2 - BHO: (no name) - {182C7ED7-E56D-4509-9D9B-AC49318D9895} - C:\WINDOWS\system32\vtussrr.dll (file missing)
 
O2 - BHO: (no name) - {23B00A69-DD23-483E-8867-E6CBB89C42A0} - C:\WINDOWS\system32\geebc.dll (file missing)
 
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
 
O2 - BHO: {bbf9cdf7-ebab-7a2a-f634-d97998d71bf8} - {8fb17d89-979d-436f-a2a7-babe7fdc9fbb} - C:\WINDOWS\system32\bfmveffc.dll (file missing)
 
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
 
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
 
O4 - HKLM\..\Run: [MSDisp32] rundll32.exe C:\WINDOWS\system32\drvbum.dll,startup
 
O4 - HKLM\..\Run: [781b13ea] rundll32.exe "C:\WINDOWS\system32\mofhgcvb.dll",b
 
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
 
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)

 
3.  Close your Browser window.
 
4.  Click on Fix Checked at the lower left of the HiJackthis window.  Confirm that you want HJT to fix these item and let it fix them.
 
5.  Close the HJT window after it is done fixing.
 
6.  Reboot
 
7.  Post another new HJT log so that I can do one final check.
______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
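Added example, not part of this thread or of HijackThis: a short Python triage that reads lines in the shape of the HJT logs posted here and flags the kinds of entries the moderator picked out in step 2 (targets that are gone, the win.ini run= entry, rundll32 Run values loading a DLL from system32 or named with eight hex digits). The sample lines are constructed from the entries above; the rules and function names are assumptions of mine, not anything HijackThis itself does.

```python
"""Added example: triage of HijackThis (HJT) log lines.

Not part of the forum thread or of HijackThis itself. The rules below mirror
what a helper looks for when deciding which entries to "Fix checked":
  * an O2/O9 entry whose target reads "(file missing)" or "(no file)",
  * an F3 win.ini run= entry (legacy autostart that no current product uses),
  * an O4 Run value launched through rundll32 with a DLL in system32,
  * an O4 Run value whose name is eight hex digits (e.g. [781b13ea]).
A dangling entry for a recognised product (the ACT mscoree.dll one) is still
reported; fixing it is harmless, leaving it is harmless, the tool only surfaces it.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the logs posted in this thread.
SAMPLE_LOG = r"""
F3 - REG:win.ini: run="C:\WINDOWS\system32\winupdate.exe"
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {182C7ED7-E56D-4509-9D9B-AC49318D9895} - C:\WINDOWS\system32\vtussrr.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [MSDisp32] rundll32.exe C:\WINDOWS\system32\drvbum.dll,startup
O4 - HKLM\..\Run: [781b13ea] rundll32.exe "C:\WINDOWS\system32\mofhgcvb.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# "O4 - HKLM\..\Run: [Name] command" is split into section code and the rest.
ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<rest>.+)$")
# Only the bracketed Run-key form of O4 is handled; Startup-folder .lnk lines are skipped.
O4_RUN_RE = re.compile(r"^(?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# rundll32.exe <dll>,<export>  or  rundll32.exe "<dll>",<export>
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?', re.IGNORECASE)
HEX_NAME_RE = re.compile(r"[0-9a-f]{8}")


@dataclass
class Finding:
    line: str
    reasons: list[str] = field(default_factory=list)


def triage(log_text: str) -> list[Finding]:
    """Return the entries worth reviewing, each with the rules it tripped."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, process list, blank line
        sec, rest = m.group("sec"), m.group("rest")
        reasons: list[str] = []
        if rest.endswith("(file missing)") or rest.endswith("(no file)"):
            reasons.append("target file is gone; the registry entry is dangling")
        if sec == "F3" and "win.ini" in rest and "run=" in rest:
            reasons.append("legacy win.ini run= autostart")
        if sec == "O4":
            o4 = O4_RUN_RE.match(rest)
            if o4:
                if HEX_NAME_RE.fullmatch(o4.group("name")):
                    reasons.append("Run value named with eight hex digits")
                d = RUNDLL_RE.search(o4.group("cmd"))
                if d and "\\system32\\" in d.group("dll").lower():
                    reasons.append("rundll32 loads a DLL from system32")
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


def fix_list(findings: list[Finding]) -> list[str]:
    """The lines a helper would paste back as 'place a check mark next to'."""
    return [f.line for f in findings]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```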
ponchielee
Newbie
Posts: 10
Re: agent.100; generic.vundo.b; klone.100
« Reply #8 on: Feb 21st, 2008, 12:23pm »

OK.  I hope you don't mind, but I took a couple of liberties.  I did not fix the two O9 things, because they referred to ACT.  We use this computer for business, and if something happened and I wiped out ACT, I would never hear the end of it from my staff.  I hope that's ok . . . .  If I remember my HJT tutorial correctly, these were ok to leave if you recognized the programs (?)
 
Here's the log:
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:16:34 PM, on 2/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\WINDOWS\MXOALDR.EXE
C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\Xerox\WorkCentre C2424\Xc24BgTs.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE
C:\Program Files\ACT\ACT for Windows\Act.Outlook.Service.exe
C:\Program Files\TrojanHunter 5.0\THGuard.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe
C:\WINDOWS\system32\xnetsrvc.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\USB Sharing\usbshare.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\system32\E_S00RP1.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\PROGRA~1\Dantz\RETROS~1\retrospect.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/root/campaign.asp?cid=16313
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe /h
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Xerox_WorkCenter_C2424] C:\Program Files\Xerox\WorkCentre C2424\Xc24BgTs.exe 1
O4 - HKLM\..\Run: [EPSON Stylus C88 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE /P23 "EPSON Stylus C88 Series" /O6 "USB001" /M "Stylus C88"
O4 - HKLM\..\Run: [Act.Outlook.Service] "C:\Program Files\ACT\ACT for Windows\Act.Outlook.Service.exe"
O4 - HKLM\..\Run: [Act! Preloader] "C:\Program Files\ACT\ACT for Windows\ActSage.exe" -preload
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
O4 - Startup: Event Reminder.lnk = C:\pmw\PMREMIND.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: USB Sharing.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP1.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Retrospect Express HD Restore Helper (RetroExp Helper) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
 
--
End of file - 10157 bytes
siliconman01
Global Moderator
Posts: 5671
Re: agent.100; generic.vundo.b; klone.100
« Reply #9 on: Feb 21st, 2008, 12:47pm »

Quote:
OK.  I hope you don't mind, but I took a couple of liberties.  I did not fix the two O9 things, because they referred to ACT.

 
No problemo at all
 
Okay, your new HJT log scans clean.  Please do the following:
 
1.  Your Java applet is way out of date and poses a security risk.
 
Quote:
C:\Program Files\Java\jre1.5.0_06

 
Please go to the link below and update your Java to the latest version.
 
http://www.java.com
 
2.  Once you have Java updated, go to the Control Panel>Add or Remove Programs and remove all of the old versions of Java.  Unfortunately Sun Technology does not automatically uninstall these and the old coding provides security openings for the cybercriminals.
 
3.  Look in your C:\Windows\System32 folder and see if file mofhgcvb.dll is there.  If it is, delete it.  If it will not delete, reboot into SAFE MODE and try to delete it.  
 
4.  And Finally, I recommend that you run a remote scan of your ENTIRE system with Kaspersky Anti-Virus.  The link below is for the remote scanner.
 
http://www.kaspersky.com/virusscanner
 
-  Use Internet Explorer 7 to access the above website.  Kaspersky will need to download/install an ActiveX component to do the scan.  Please allow it to do so.
 
-  Before running the scan, de-activate all your other security programs EXCEPT your software firewall.  
 
-  BE SURE to run a FULL scan of your system.
 
Kaspersky will NOT remove anything it finds, but it will display anything that it detects as malicious.  If anything shows up, post the scan log back here and we'll go from there.  
 
Did you get any of those alerts on reboot after this last HJT cleanup?  
 
How is your system running?
ponchielee
Newbie
Posts: 10
Re: agent.100; generic.vundo.b; klone.100
« Reply #10 on: Feb 21st, 2008, 2:26pm »

Alerts on reboot . . . . just those "Windows cannot find" errors that I mentioned before.
 
CA EZ Antivirus has stopped popping up alerts.
 
System seems to be running just fine.
 
Scan found stuff (And are those skulls next to some of the files?  That doesn't seem good!)
 
Thursday, February 21, 2008 2:19:50 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 21/02/2008
Kaspersky Anti-Virus database records: 574690
 
 
Scan Settings  
Scan using the following antivirus database extended  
Scan Archives true  
Scan Mail Bases true  
 
Scan Target My Computer  
A:\
C:\
D:\
E:\
F:\
G:\  
 
Scan Statistics  
Total number of scanned objects 89529  
Number of viruses found 7  
Number of infected objects 36  
Number of suspicious objects 0  
Duration of the scan process 00:48:01  
 
Infected Object Name Virus Name Last Action  
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat  Object is locked  skipped  
 
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat  Object is locked  skipped  
 
C:\Documents and Settings\All Users\Application Data\RetroExp\config10.dat  Object is locked  skipped  
 
C:\Documents and Settings\All Users\Application Data\RetroExp\operations_log.utx  Object is locked  skipped  
 
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Zango.zip/bin/10.0.370.0/HostOL.dll  Infected: not-a-virus:AdWare.Win32.HotBar.ch  skipped  
 
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Zango.zip/bin/10.0.370.0/ZangoSAAX.dll  Infected: not-a-virus:AdWare.Win32.180Solutions.bo  skipped  
 
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Zango.zip/bin/10.0.370.0/ZangoSADF.exe  Infected: not-a-virus:AdWare.Win32.180Solutions.bp  skipped  
 
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Zango.zip/bin/10.0.370.0/ZangoSAHook.dll  Infected: not-a-virus:AdWare.Win32.180Solutions.bq  skipped  
 
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Zango.zip/bin/10.0.370.0/ZangoUnInstaller.exe/stream/data0002  Infected: not-a-virus:AdWare.Win32.180Solutions.bj  skipped  
 
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Zango.zip/bin/10.0.370.0/ZangoUnInstaller.exe/stream  Infected: not-a-virus:AdWare.Win32.180Solutions.bj  skipped  
 
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Zango.zip/bin/10.0.370.0/ZangoUnInstaller.exe  Infected: not-a-virus:AdWare.Win32.180Solutions.bj  skipped  
 
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Zango.zip  ZIP: infected - 7  skipped  
 
C:\Documents and Settings\Debby\.housecall6.6\Quarantine\drvbum.dll.bac_a04792  Infected: Trojan.Win32.Dialer.yz  skipped  
 
C:\Documents and Settings\Debby\.housecall6.6\Quarantine\gos144.tmp.bac_a04792  Infected: Trojan.Win32.Dialer.yz  skipped  
 
C:\Documents and Settings\Debby\.housecall6.6\Quarantine\gos3DB0.tmp.bac_a04792  Infected: Trojan.Win32.Dialer.yz  skipped  
 
C:\Documents and Settings\Debby\.housecall6.6\Quarantine\winzdn32.dll.bac_a04792  Infected: Trojan.Win32.Dialer.yz  skipped  
 
C:\Documents and Settings\Debby\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt.log  Object is locked  skipped  
 
C:\Documents and Settings\Debby\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt_GTActions.log  Object is locked  skipped  
 
C:\Documents and Settings\Debby\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\gdql_d_DSAgnt.log  Object is locked  skipped  
 
C:\Documents and Settings\Debby\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\glog.log  Object is locked  skipped  
 
C:\Documents and Settings\Debby\Cookies\index.dat  Object is locked  skipped  
 
C:\Documents and Settings\Debby\Local Settings\Application Data\ApplicationHistory\RetroExpress.exe.ef08464a.ini.inuse  Object is locked  skipped  
 
C:\Documents and Settings\Debby\Local Settings\Application Data\ApplicationHistory\TransferAgent.exe.91f03f4d.ini.inuse  Object is locked  skipped  
 
C:\Documents and Settings\Debby\Local Settings\Application Data\Microsoft\Messenger\onestopdjs@hotmail.com\SharingMetadata\Logs\Dfsr00005.log  Object is locked  skipped  
 
C:\Documents and Settings\Debby\Local Settings\Application Data\Microsoft\Messenger\onestopdjs@hotmail.com\SharingMetadata\Working\database_EA78_1B48_781B_1345\dfsr.db  Object is locked  skipped  
 
C:\Documents and Settings\Debby\Local Settings\Application Data\Microsoft\Messenger\onestopdjs@hotmail.com\SharingMetadata\Working\database_EA78_1B48_781B_1345\fsr.log  Object is locked  skipped  
 
C:\Documents and Settings\Debby\Local Settings\Application Data\Microsoft\Messenger\onestopdjs@hotmail.com\SharingMetadata\Working\database_EA78_1B48_781B_1345\fsrtmp.log  Object is locked  skipped  
 
C:\Documents and Settings\Debby\Local Settings\Application Data\Microsoft\Messenger\onestopdjs@hotmail.com\SharingMetadata\Working\database_EA78_1B48_781B_1345\tmp.edb  Object is locked  skipped  
 
C:\Documents and Settings\Debby\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat  Object is locked  skipped  
 
C:\Documents and Settings\Debby\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG  Object is locked  skipped  
 
C:\Documents and Settings\Debby\Local Settings\History\History.IE5\index.dat  Object is locked  skipped  
 
C:\Documents and Settings\Debby\Local Settings\Temp\Perflib_Perfdata_4bc.dat  Object is locked  skipped  
 
C:\Documents and Settings\Debby\Local Settings\Temp\~DFEAAA.tmp  Object is locked  skipped  
 
C:\Documents and Settings\Debby\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat  Object is locked  skipped  
 
C:\Documents and Settings\Debby\Local Settings\Temporary Internet Files\Content.IE5\7ONF2CP5\ptch[1]  Infected: not-a-virus:AdWare.Win32.Virtumonde.gen  skipped  
 
C:\Documents and Settings\Debby\Local Settings\Temporary Internet Files\Content.IE5\7S76U5KU\css4[1]  Infected: not-a-virus:AdWare.Win32.Virtumonde.gen  skipped  
 
C:\Documents and Settings\Debby\Local Settings\Temporary Internet Files\Content.IE5\index.dat  Object is locked  skipped  
 
C:\Documents and Settings\Debby\Local Settings\Temporary Internet Files\Content.IE5\T3DIKKBL\hctp[1]  Infected: not-a-virus:AdWare.Win32.Virtumonde.gen  skipped  
 
C:\Documents and Settings\Debby\NTUSER.DAT  Object is locked  skipped  
 
C:\Documents and Settings\Debby\ntuser.dat.LOG  Object is locked  skipped  
 
C:\Documents and Settings\LocalService\Cookies\index.dat  Object is locked  skipped  
 
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat  Object is locked  skipped  
 
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG  Object is locked  skipped  
 
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat  Object is locked  skipped  
 
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat  Object is locked  skipped  
 
C:\Documents and Settings\LocalService\NTUSER.DAT  Object is locked  skipped  
 
C:\Documents and Settings\LocalService\ntuser.dat.LOG  Object is locked  skipped  
 
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat  Object is locked  skipped  
 
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG  Object is locked  skipped  
 
C:\Documents and Settings\NetworkService\NTUSER.DAT  Object is locked  skipped  
 
C:\Documents and Settings\NetworkService\ntuser.dat.LOG  Object is locked  skipped  
 
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\master.mdf  Object is locked  skipped  
 
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\mastlog.ldf  Object is locked  skipped  
 
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\model.mdf  Object is locked  skipped  
 
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\modellog.ldf  Object is locked  skipped  
 
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\tempdb.mdf  Object is locked  skipped  
 
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\templog.ldf  Object is locked  skipped  
 
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\LOG\ERRORLOG  Object is locked  skipped  
 
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\master.mdf  Object is locked  skipped  
 
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\mastlog.ldf  Object is locked  skipped  
 
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\model.mdf  Object is locked  skipped  
 
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\modellog.ldf  Object is locked  skipped  
 
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdbdata.mdf  Object is locked  skipped  
 
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdblog.ldf  Object is locked  skipped  
 
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\tempdb.mdf  Object is locked  skipped  
 
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\templog.ldf  Object is locked  skipped  
 
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG  Object is locked  skipped  
 
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\log_110.trc  Object is locked  skipped  
 
C:\RECYCLER\S-1-5-21-544241501-3956573104-3912762919-500\Dc1.dll  Infected: Trojan.Win32.Dialer.yz  skipped  
 
C:\System Volume Information\MountPointManagerRemoteDatabase  Object is locked  skipped  
 
C:\VundoFix Backups\bfmveffc.dll.bad  Infected: not-a-virus:AdWare.Win32.Virtumonde.gen  skipped  
 
C:\VundoFix Backups\ddcayaa.dll.bad  Infected: not-a-virus:AdWare.Win32.Virtumonde.gen  skipped  
 
C:\VundoFix Backups\geebc.dll.bad  Infected: not-a-virus:AdWare.Win32.Virtumonde.gen  skipped  
 
C:\VundoFix Backups\jkkjjij.dll.bad  Infected: not-a-virus:AdWare.Win32.Virtumonde.gen  skipped  
 
C:\VundoFix Backups\khfcbbx.dll.bad  Infected: not-a-virus:AdWare.Win32.Virtumonde.gen  skipped  
 
C:\VundoFix Backups\mofhgcvb.dll.bad  Infected: not-a-virus:AdWare.Win32.Virtumonde.gen  skipped  
 
C:\VundoFix Backups\pmnmmnm.dll.bad  Infected: not-a-virus:AdWare.Win32.Virtumonde.gen  skipped  
 
C:\VundoFix Backups\ssqrqno.dll.bad  Infected: not-a-virus:AdWare.Win32.Virtumonde.gen  skipped  
 
C:\VundoFix Backups\vtussrr.dll.bad  Infected: not-a-virus:AdWare.Win32.Virtumonde.gen  skipped  
 
C:\VundoFix Backups\winzdn32.dll.bad  Infected: Trojan.Win32.Dialer.yz  skipped  
 
C:\WINDOWS\Debug\PASSWD.LOG  Object is locked  skipped  
 
C:\WINDOWS\SchedLgU.Txt  Object is locked  skipped  
 
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log  Object is locked  skipped  
 
C:\WINDOWS\Sti_Trace.log  Object is locked  skipped  
 
C:\WINDOWS\system32\CatRoot2\edb.log  Object is locked  skipped  
 
C:\WINDOWS\system32\CatRoot2\tmp.edb  Object is locked  skipped  
 
C:\WINDOWS\system32\config\AppEvent.Evt  Object is locked  skipped  
 
C:\WINDOWS\system32\config\DEFAULT  Object is locked  skipped  
 
C:\WINDOWS\system32\config\default.LOG  Object is locked  skipped  
 
C:\WINDOWS\system32\config\Internet.evt  Object is locked  skipped  
 
C:\WINDOWS\system32\config\SAM  Object is locked  skipped  
 
C:\WINDOWS\system32\config\SAM.LOG  Object is locked  skipped  
 
C:\WINDOWS\system32\config\SecEvent.Evt  Object is locked  skipped  
 
C:\WINDOWS\system32\config\SECURITY  Object is locked  skipped  
 
C:\WINDOWS\system32\config\SECURITY.LOG  Object is locked  skipped  
 
C:\WINDOWS\system32\config\SOFTWARE  Object is locked  skipped  
 
C:\WINDOWS\system32\config\software.LOG  Object is locked  skipped  
 
C:\WINDOWS\system32\config\SysEvent.Evt  Object is locked  skipped  
 
C:\WINDOWS\system32\config\SYSTEM  Object is locked  skipped  
 
C:\WINDOWS\system32\config\system.LOG  Object is locked  skipped  
 
C:\WINDOWS\system32\h323log.txt  Object is locked  skipped  
 
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR  Object is locked  skipped  
 
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP  Object is locked  skipped  
 
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER  Object is locked  skipped  
 
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP  Object is locked  skipped  
 
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP  Object is locked  skipped  
 
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA  Object is locked  skipped  
 
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP  Object is locked  skipped  
 
C:\WINDOWS\Temp\Perflib_Perfdata_b60.dat  Object is locked  skipped  
 
C:\WINDOWS\Temp\Perflib_Perfdata_c20.dat  Object is locked  skipped  
 
C:\WINDOWS\Temp\win159.exe  Infected: Trojan.Win32.Dialer.yz  skipped  
 
C:\WINDOWS\Temp\win164.exe  Infected: Trojan.Win32.Dialer.yz  skipped  
 
C:\WINDOWS\Temp\win169.exe  Infected: Trojan.Win32.Dialer.yz  skipped  
 
C:\WINDOWS\Temp\win174.exe  Infected: Trojan.Win32.Dialer.yz  skipped  
 
C:\WINDOWS\Temp\win181.exe  Infected: Trojan.Win32.Dialer.yz  skipped  
 
C:\WINDOWS\Temp\win197.exe  Infected: Trojan.Win32.Dialer.yz  skipped  
 
C:\WINDOWS\Temp\win1A2.exe  Infected: Trojan.Win32.Dialer.yz  skipped  
 
C:\WINDOWS\Temp\win1B9.exe  Infected: Trojan.Win32.Dialer.yz  skipped  
 
C:\WINDOWS\Temp\win1C4.exe  Infected: Trojan.Win32.Dialer.yz  skipped  
 
C:\WINDOWS\Temp\win6C.exe  Infected: Trojan.Win32.Dialer.yz  skipped  
 
C:\WINDOWS\wiadebug.log  Object is locked  skipped  
 
C:\WINDOWS\wiaservc.log  Object is locked  skipped  
 
C:\WINDOWS\WindowsUpdate.log  Object is locked  skipped  
 
D:\System Volume Information\MountPointManagerRemoteDatabase  Object is locked  skipped  
 
G:\System Volume Information\MountPointManagerRemoteDatabase  Object is locked  skipped  
 
Scan process completed.  
 
 Undecided
siliconman01
Global Moderator
Trojans! Chew 'em Up, Spit 'em Out...
Gender: male
Posts: 5671
Re: agent.100; generic.vundo.b; klone.100
« Reply #11 on: Feb 21st, 2008, 3:34pm »

Okay, we still got work to do.  I was afraid of this, but it's really not as bad as it looks.   Please do the following:
 
1.  Navigate to the Quarantine folder at C:\Documents and Settings\Debby\.housecall6.6\Quarantine.  Open folder Quarantine and delete everything that is in it.  
 
2.  Navigate to the Recovery folder at C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery.  Open folder Recovery and delete everything that is in it.  
 
3. &n