Trojan Vundo.H (HijackThis / Malwarebytes)

#1 - 3 June 2009, 01:39 - New Member
I have run Malwarebytes Anti-Malware, but it is not getting rid of all the viruses / memory modules / registry keys.
I ran HijackThis and removed some of the .dlls found by Malwarebytes, but not all of them went away.


Malwarebytes' Anti-Malware 1.37
Database version: 2216
Windows 5.1.2600 Service Pack 2

02/06/2009 22:04:31
mbam-log-2009-06-02 (22-04-31).txt

Scan type: Quick Scan
Objects scanned: 89008
Time elapsed: 3 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 13
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 2
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\dwkljtof.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\becbn.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\xanyzwy.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{936182df-5f7a-4d1e-a86f-a6d0f061e70a} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\feuyhaok (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{936182df-5f7a-4d1e-a86f-a6d0f061e70a} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0e8459fd-af07-48f1-8cd1-3884d15eaf47} (Trojan.Vundo.H) -> Quarantined and deleted.
HKEY_CLASSES_ROOT\CLSID\{0e8459fd-af07-48f1-8cd1-3884d15eaf47} (Trojan.Vundo.H) -> Quarantined and deleted.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0e8459fd-af07-48f1-8cd1-3884d15eaf47} (Trojan.Vundo.H) -> Quarantined and deleted.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bmbgzbpm (Trojan.Vundo.H) -> Quarantined and deleted.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\bmbgzbpm (Trojan.Vundo.H) -> Quarantined and deleted.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bmbgzbpm (Trojan.Vundo.H) -> Quarantined and deleted.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{936182df-5f7a-4d1e-a86f-a6d0f061e70a} (Trojan.Vundo.H) -> Quarantined and deleted.
HKEY_CLASSES_ROOT\CLSID\{10c0b0c0-fc01-473b-8ebb-4376353f96e4} (Trojan.Agent) -> Quarantined and deleted.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{10c0b0c0-fc01-473b-8ebb-4376353f96e4} (Trojan.Agent) -> Quarantined and deleted.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10c0b0c0-fc01-473b-8ebb-4376353f96e4} (Trojan.Agent) -> Quarantined and deleted.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted.

Folders Infected:
C:\WINDOWS\system32\append.dll (Trojan.Agent) -> Quarantined and deleted.
C:\WINDOWS\system32\xlib254.dll (Trojan.Agent) -> Quarantined and deleted.

Files Infected:
c:\WINDOWS\system32\xanyzwy.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\dwkljtof.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\becbn.dll (Trojan.Agent) -> Delete on reboot.
c:\WINDOWS\system32\zfmhjbu.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\bekbn.dll (Trojan.Agent) -> Quarantined and deleted.
c:\WINDOWS\system32\drivers\jcnfgawt.sys (Rootkit.Agent) -> Delete on reboot.
c:\WINDOWS\system32\drivers\sjbxdggg.sys (Rootkit.Agent) -> Delete on reboot.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:52:36, on 02/06/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\windows\system32\smss.exe
C:\windows\system32\Csrss.exe
C:\windows\system32\Winlogon.exe
C:\windows\system32\Services.exe
C:\windows\system32\Lsass.exe
C:\windows\system32\Svchost.exe
C:\windows\system32\Svchost.exe
C:\windows\system32\Svchost.exe
C:\windows\system32\Svchost.exe
C:\windows\system32\Svchost.exe
C:\windows\system32\Svchost.exe
C:\Windows\Explorer.exe
C:\windows\system32\Spoolsv.exe
C:\windows\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\progra~1\Agnitum\OUTPOS~1\op_mon.exe
C:\windows\system32\carpserv.exe
C:\progra~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\windows\system32\Ctfmon.exe
C:\progra~1\Agnitum\OUTPOS~1\acs.exe
C:\windows\system32\astsrv.exe
C:\progra~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\windows\system32\oodag.exe
C:\progra~1\AVG\AVG8\avgam.exe
C:\progra~1\AVG\AVG8\avgrsx.exe
C:\progra~1\AVG\AVG8\avgnsx.exe
C:\windows\system32\Svchost.exe
C:\windows\system32\wscntfy.exe
C:\windows\system32\Svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\Ose.exe
C:\Program Files\Common Files\Mozilla Shared\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiny.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Click to Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Program Files\Windows Live\Messenger\wlchtc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {936182df-5f7a-4d1e-a86f-a6d0f061e70a} - c:\windows\system32\xanyzwy.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [OutpostMonitor] C:\progra~1\Agnitum\OUTPOS~1\op_mon.exe /tray /noservice
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\progra~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\progra~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [Ctfmon.exe] C:\windows\system32\Ctfmon.exe
O4 - HKUS\.DEFAULT\..\Run: [Ctfmon.exe] C:\WINDOWS\system32\Ctfmon.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\progra~1\micros~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\progra~1\micros~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\progra~1\micros~2\Office12\ONBttnIE.dll
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Firewall Pro\ie_bar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\progra~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.tiny.com
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\windows\system32\avgrsstx.dll
O20 - Winlogon Notify: feuyhaok - C:\windows\system32\xanyzwy.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe (file missing)
O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd - C:\progra~1\Agnitum\OUTPOS~1\acs.exe
O23 - Service: Ast Service (astcc) - Nalpeiron Ltd - C:\windows\system32\astsrv.exe
O23 - Service: ATI HotKey Poller - ATI Technologies Inc. - C:\windows\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Autodesk Network Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskNetSrv.exe
O23 - Service: AVG8 Watchdog (avg8wd) - AVG Technologies CZ, sro - C:\progra~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\windows\
O23 - Service: Bonjour Service - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: gearsec - Gear Software - C:\windows\system32\gearsec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\windows\system32\oodag.exe
O23 - Service: PC Tools Auxiliary Service (sdauxservice) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdcoreservice) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ThreatFire (threatfire) - PC Tools - C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\windows\

--
End of file - 7951 bytes


Help please, the computer is going crazy, locking Task Manager, browsing is a pain with constant pop-ups, and some programs are disabled. I'm thinking of a complete reinstall, but I just want the system stable enough to back up my files.

#2 - 3 June 2009, 10:31 - Moderator

Download DDS by sUBs and save it to your desktop. Alternative DDS download link

Vista users: right-click on DDS and choose Run as administrator (you will receive a UAC prompt; please allow it).

* XP users: double-click on DDS to run it.
* If your antivirus program or firewall tries to block DDS, please allow it to run.
* When finished, DDS will open two (2) logs.

1) DDS.txt
2) Attach.txt

* Save both logs to your desktop.
* Please copy and paste the entire contents of both logs into your next reply.

Note: DDS will instruct you to post the Attach.txt log as an attachment.
Just post it the same way as the other log, by copying and pasting it into your reply.