You definitely did take a step in the wrong direction there. I totally understand your frustration, but I want you to understand that this isn't anything that we can't deal with. As long as you are willing to follow the instructions posted for you by the staff we are willing to help you. Even if you already did some of the things I am about to ask you to do, now that you have acquired some new malware, I would ask that you do them again.
Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.
Viewing Hidden Files
Go to My Computer > Tools > Folder Options > View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.
Downloads (make sure to save these in a permanent location)
Download and unzip BFUzip from
http://www.merijn.org/files/bfu.zip
Run the program and click the Web button as shown here:
Use this URL to copy into the address bar of the Download script window:
http://downloads.subratam.org/BFUscripts/igetnetfreepod.BFU
Execute the script by clicking the Execute button.
If you have any questions about the use of BFU please read here:
http://metallica.geekstogo.com/BFUinstructions.html
Services
Click Start->Run - type SERVICES.MSC & then click on the OK button
- Locate the service - Command Service (cmdService)
- Double-click on it to open the Properties dialog.
- Stop the service by using the Stop button.
- Change the Startup type to Disabled & then click on the OK button
- Then start HiJackThis & go to Config>Misc.Tools...> Delete an NT service...
- In the popup box that appears, type in cmdService & then click on the OK button
Reboot your system in Safe Mode (By repeatedly tapping the F8 key until the menu appears).
HijackThis!
Open Hijack This and click on Scan. Check the following entries
(make sure you do not miss any)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: XBTP07618 - {2296428D-C133-4928-B76A-A200FF409572} - C:\PROGRA~1\FREEPR~1\freeprod.dll
O2 - BHO: ts - {4006DCA3-433D-4FC8-AC36-42DA7797DCB7} - C:\WINDOWS\System32\bho.dll (file missing)
O2 - BHO: wb - {55BE9F0D-6CAF-4c3e-B125-5A13A8C9D0EC} - C:\WINDOWS\System32\nsd96.dll
O2 - BHO: IRiras Class - {95C60327-8E17-44D6-98EB-7EB70CC606DD} - C:\WINDOWS\System32\irasvouk.dll (file missing)
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\System32\nsu6.dll (file missing)
O3 - Toolbar: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll
O9 - Extra button: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll
O9 - Extra 'Tools' menuitem: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\CMSystem\plugin.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\IA\command.exe
Please remember to close all other windows, including browsers then click Fix checked.
File and Folder Deletions
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.
C:\Program Files\CMSystem
C:\Program Files\Freeprod Toolbar
C:\Program Files\Common Files\Windows\mc-110-12-0000121.exe
C:\WINDOWS\IA\command.exe
C:\WINDOWS\System32\irasyncd.exe
Tools
Open Cleanup! by double-clicking the icon on your desktop (or from Start > All Programs). Set the program up as follows:
Click Options
Move the slider button down to Custom CleanUp!
Check the following:
- Empty Recycle Bins
- Delete Cookies
- Delete Prefetch files
- Cleanup! All Users
Uncheck the following:
- Scan local drives for temporary files
Click OK. Press the CleanUp! button to start the program. If prompted to reboot, click No.
Run Ewido with its updated definitions (...it's important that all windows must be closed):
- Click Scanner
- Click Complete System Scan to begin scanning.
- Click OK when prompted to clean files
With the first file it prompts to clean, select the option:
- "Perform action on all infections"
- Choose clean and click OK.
Once finished, click the Save report button & save the report to your desktop
** This scan may take over an hour, after choosing the action for the first item you do not need to stay at the PC.
Reboot your system in Normal Mode.
Open HijackThis, click Config, then click Misc Tools.
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.
Online Scans
Perform an online scan with Internet Explorer with Panda ActiveScan
- Click on "Free use ActiveScan" located on the top right hand corner
- Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
- Click Scan Now
- Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls
- Begin the scan by selecting My Computer
- If it finds any malware, it will offer you a report.
- Click on see report. Then click Save report
Post the contents of the report in your next reply
*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan
In your next post please include:
- Uninstall List
- Ewido Log
- Panda Activescan Log
- A new Hijackthis! Log
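
A way to check the new HijackThis log against the entries that were marked for fixing, as an added example that is not part of the original post. The function names are hypothetical, the fix list holds four entries copied from the post, and the follow-up log lines are constructed for illustration.

```python
import re

# HijackThis entries look like "<section> - <description>", e.g. "O2 - BHO: ...".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def parse_entry(line):
    """Split one log line into section, CLSID (if any) and a file-missing flag."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None  # header lines, blank lines, running-process list
    body = m.group("body")
    clsid = CLSID_RE.search(body)
    return {
        "section": m.group("section"),
        "clsid": clsid.group(0).upper() if clsid else None,
        "file_missing": body.endswith("(file missing)"),
        "raw": line.strip(),
    }

def entry_key(entry):
    # CLSIDs identify BHO/toolbar/filter entries regardless of case or path form;
    # entries without one (such as O23 services) fall back to the full text.
    return (entry["section"], entry["clsid"] or entry["raw"].lower())

def remaining(fix_list, new_log):
    """Return lines of new_log that still match an entry from fix_list."""
    fixed = {entry_key(e) for e in map(parse_entry, fix_list) if e}
    return [e["raw"] for e in map(parse_entry, new_log) if e and entry_key(e) in fixed]

# Four of the entries listed in the post above.
FIX_LIST = [
    r"O2 - BHO: wb - {55BE9F0D-6CAF-4c3e-B125-5A13A8C9D0EC} - C:\WINDOWS\System32\nsd96.dll",
    r"O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\System32\nsu6.dll (file missing)",
    r"O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\CMSystem\plugin.dll",
    r"O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\IA\command.exe",
]
# Constructed sample of a follow-up log: one flagged BHO survived, one unrelated entry.
NEW_LOG = [
    r"O2 - BHO: wb - {55BE9F0D-6CAF-4C3E-B125-5A13A8C9D0EC} - C:\WINDOWS\System32\nsd96.dll",
    r"O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\Example\app.exe",
]

if __name__ == "__main__":
    for line in remaining(FIX_LIST, NEW_LOG):
        print("still present:", line)
```

Matching on section plus CLSID means a surviving entry is still caught when the log prints the GUID in different case or the path in short (8.3) form.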