Status
Not open for further replies.
1 - 6 of 6 Posts

#### bluerain00

·
##### Registered
Joined
·
5 Posts
Discussion Starter
My laptop is infected with the trojan.vundo virus. I tried remove it with Norton removal tool, but it didn't not detected it. Please help!! I downloaded and scanned hijackthis, and this is the log:

Logfile of HijackThis v1.99.1
Scan saved at 11:19:22 PM, on 10/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S09IC1.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Belkin Corporation\Belkin Wireless Network Monitor Utility and Driver\RtlWake.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uci.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.fujitsupc.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.uci.edu/proxy_config.pac
R3 - Default URLSearchHook is missing
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\system32\fcyxv.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [EPSON Stylus C44 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S09IC1.EXE /P23 "EPSON Stylus C44 Series" /O6 "USB001" /M "Stylus C44"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: LimeWire 4.0.8.lnk = C:\Program Files\LimeWire\LimeWire 4.0.8\LimeWire.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O4 - Global Startup: RtlWake.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O10 - Hijacked Internet access by New.Net
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.fujitsupc.com/
O16 - DPF: {12F9CCA0-CF5B-11D2-B606-008098809FCA} - http://www.highedmath.aleks.com/aleks/j2re/install_j2re.cab?cache
O20 - Winlogon Notify: fcyxv - C:\WINDOWS\system32\fcyxv.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#### sUBs

·
##### TSF Security Team, Emeritus
Joined
·
26,363 Posts
You have more than just Vundo :4-thatsba

Uninstall the following programs, if present, using Control Panel->Add/Remove Programs:
• Ebates_MoeMoneyMaker
NewDotNet / NewNet
Virtual Bouncer /VBouncer
Coupons

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

1. Double click on LSPFix.exe to run it.
2. Once running, you will be required to tick the disclaimer - "I know what I'm doing".
3. You'll find a windows with 2 panes.
In the left pane which is labeled 'Keep', select all instances of these files:
• newdotnet.dll & calsp.dll
4. Then click on the arrow pointing to the right, >>.
This will move the entry to the right pane labeled 'Remove'
5. Click the Finish button to complete the fix.
Only entries similar to newdotnet.dll & calsp.dll need to be removed. If you see any other entries in the right pane, move them back to the "Keep" pane & post the filenames to inform me.

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Please print these instructions out for use in Safe Mode.

Uninstall these programs

Reboot your computer into Safe Mode.
Restart your computer and continually tapping the F8 key until a menu appears.
Use your up arrow key to highlight Safe Mode then hit enter.

Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
At the introductory screen, press <Enter> to proceed.
• C:\WINDOWS\system32\fcyxv.dll

Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Next you will be asked to type in a second filepath.
At this point please type the following file path (make sure to enter it exactly as below!):
• C:\WINDOWS\system32\vxycf.*

Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

The fix will run then HijackThis will open.
In HiJackThis, please place a check next to the following items and click FIX CHECKED:
• R3 - Default URLSearchHook is missing
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\system32\fcyxv.dll
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - Startup: PowerReg SchedulerV2.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.ht m (file missing) (HKCU)
O20 - Winlogon Notify: fcyxv - C:\WINDOWS\system32\fcyxv.dll
After you have fixed these items, close Hijackthis and Press any key to Force a reboot of your computer.
Pressing any key will cause a "Blue Screen of Death" this is normal, do not worry!

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

After rebooting, continue with the instructions below.

If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools>Folder Options> View tab.
• Tick - Show hidden files and folder
• Untick - Hide file extensions for known types
• Untick - Hide protected operating system files
Click Yes to confirm & then click OK

Locate and delete the following folders, if present:
• C:\Program Files\NewDotNet\
C:\PROGRA~1\VBouncer\
C:\Program Files\Ebates_MoeMoneyMaker\

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
• Empty Recycle Bins
• Delete Prefetch files
• Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Then, perform an online scan with Internet Explorer with Panda ActiveScan
1. Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
2. Click Scan Now
Begin the scan by selecting My Computer
• If it finds any malware, it will offer you a report.
• Click on see report. Then click Save report

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.

#### bluerain00

·
##### Registered
Joined
·
5 Posts
Discussion Starter
i can't seem to reboot my computer into safe mode. Once i hightlighted SafeMode option and hit enter, a black screen came on with four safe mode word at each corner. i tried with both "adminstrator" and my account. Plz. Help!!! And for LSP-Fix, these are the files that are stil on the left "Keep" side:

- mswsock.dll
- winrnr.dll
- wshbth.dll
- rsvpsp.dll

#### sUBs

·
##### TSF Security Team, Emeritus
Joined
·
26,363 Posts
This piece of malware sometimes does that to Safe Mode. Here's what I want you to do..

Go to Start > Run - type msconfig <Press Enter> (this opens the system configuration utility)
Under the General Tab, select Diagnostic Startup & click OK

After you have rebooted...

Go to Start > Run - type msconfig <Press Enter> (this opens the system configuration utility)
Under the General Tab, select Normal Startup & click OK
DO NOT reboot your computer when prompted.

Run the fix like you were in the Safe Mode & double click on KillVundo.bat

#### bluerain00

·
##### Registered
Joined
·
5 Posts
Discussion Starter
im sorry to bother you again, but i can't open hijackthis. once the fixing process is finished, hijackthis won't open automatically, i was suppose to open it manually but i can't because all the icons and start-up are all gone. Plz. Help.

#### sUBs

·
##### TSF Security Team, Emeritus
Joined
·
26,363 Posts
No problem..

Depress these keys on your keyboard to bring up task manager - ctrl + alt + del
Then click the File Menu > New Task (..Run) - type this in..

C:\Documents and Settings\Owner\Desktop\HijackThis.exe

& click Ok

1 - 6 of 6 Posts
Status
Not open for further replies.