Over 1 million tech questions and answers.

Solved: Help with Trojan.Vundo, Trojan.Metajuan, Trojan.Downloader

Q: Solved: Help with Trojan.Vundo, Trojan.Metajuan, Trojan.Downloader

Hmm my computer's in pretty bad shape thanks to these damn trojans

Norton started detecting these trojans 3 days ago, and could only block them.

Everytime I try to access IE, there will be a bunch of popups and advertisements.

I tried scanning with Norton Antivirus + Ad-Aware 2007, but nothing could be found.

After that, I went to Cnet downloads, and got myself Spyware Terminator + A-squared 3, both which managed to scan and detect some of the threats. It cleared some of the files and registry keys, but still couldn't kill off the files such as wvuroli.dll that are used by core processes, such as explorer.exe, etc.

Currently my IE doesn't have any popups, but I'm worried that these trojans will return, and I want them completely out of my system

I've browsed tech support guy forums a bit, and found a thread thats similar to my problem:
http://forums.techguy.org/malware-removal-hijackthis-logs/554392-solved-trojan-vundo.html

Following the instructions from that thread, I downloaded VundoFix 6.77 and ran it about thrice. The first time cleared off a bunch of files, the second time detected none, and then the third scan detected new files again !!!!

Below are the logs for VundoFix and HijackThis, please help !!! thanks

=============
My VundoFix Log
=============

First Run
VundoFix V6.7.7

Checking Java version...

Scan started at 1:29:37 PM 1/31/2008

Listing files found while scanning....

F:\WINDOWS\system32\gjkmp.ini
F:\WINDOWS\system32\gjkmp.ini2
F:\WINDOWS\system32\hdqjkgjy.dll
F:\WINDOWS\system32\pivrkdyx.dll
F:\WINDOWS\system32\pmkjg.dll
F:\WINDOWS\system32\srfesbnu.dll
F:\WINDOWS\system32\yjgkjqdh.ini

Beginning removal...

Attempting to delete F:\WINDOWS\system32\gjkmp.ini
F:\WINDOWS\system32\gjkmp.ini Has been deleted!

Attempting to delete F:\WINDOWS\system32\gjkmp.ini2
F:\WINDOWS\system32\gjkmp.ini2 Has been deleted!

Attempting to delete F:\WINDOWS\system32\hdqjkgjy.dll
F:\WINDOWS\system32\hdqjkgjy.dll Has been deleted!

Attempting to delete F:\WINDOWS\system32\pivrkdyx.dll
F:\WINDOWS\system32\pivrkdyx.dll Has been deleted!

Attempting to delete F:\WINDOWS\system32\pmkjg.dll
F:\WINDOWS\system32\pmkjg.dll Has been deleted!

Attempting to delete F:\WINDOWS\system32\srfesbnu.dll
F:\WINDOWS\system32\srfesbnu.dll Could not be deleted.

Attempting to delete F:\WINDOWS\system32\yjgkjqdh.ini
F:\WINDOWS\system32\yjgkjqdh.ini Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete F:\WINDOWS\system32\srfesbnu.dll
F:\WINDOWS\system32\srfesbnu.dll Has been deleted!

Performing Repairs to the registry.
Done!

Second Run
VundoFix V6.7.7

Checking Java version...

Scan started at 1:50:41 PM 1/31/2008

Listing files found while scanning....

No infected files were found.

Third Run
VundoFix V6.7.7

Checking Java version...

Scan started at 3:16:15 PM 1/31/2008

Listing files found while scanning....

F:\WINDOWS\system32\hjllm.ini
F:\WINDOWS\system32\hjllm.ini2
F:\WINDOWS\system32\mlljh.dll

Beginning removal...

Attempting to delete F:\WINDOWS\system32\hjllm.ini
F:\WINDOWS\system32\hjllm.ini Has been deleted!

Attempting to delete F:\WINDOWS\system32\hjllm.ini2
F:\WINDOWS\system32\hjllm.ini2 Has been deleted!

Attempting to delete F:\WINDOWS\system32\mlljh.dll
F:\WINDOWS\system32\mlljh.dll Has been deleted!

Performing Repairs to the registry.
Done!

=============
My HijackThis Log
=============

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:33:24 PM, on 1/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
F:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\RTHDCPL.EXE
F:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
F:\Program Files\a-squared Free\a2service.exe
F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
F:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
F:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
F:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
F:\Program Files\VMware\VMware Player\hqtray.exe
F:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
F:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
F:\WINDOWS\system32\inetsrv\inetinfo.exe
F:\Program Files\PeerGuardian2\pg2.exe
F:\Program Files\MSN Messenger\MsnMsgr.Exe
F:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
F:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\Utopia\Angel\Angel.exe
F:\WINDOWS\system32\ctfmon.exe
F:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
F:\Program Files\Spyware Terminator\sp_rsser.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
F:\WINDOWS\system32\vmnat.exe
F:\WINDOWS\system32\vmnetdhcp.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
F:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
F:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
F:\WINDOWS\system32\wuauclt.exe
F:\Program Files\MSN Messenger\usnsvc.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157" target="_blank" class="wLink">http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896" target="_blank" class="wLink">http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - F:\Program Files\FlashGet\jccatch.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - F:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll
O2 - BHO: (no name) - {415D402F-A6FC-4CA2-927B-2323BAAFB966} - F:\WINDOWS\system32\wvuroli.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - F:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - F:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {9A6C33BE-45B2-418E-917B-204C354EE92E} - F:\WINDOWS\system32\pmkjg.dll (file missing)
O2 - BHO: (no name) - {C93C430B-CF5F-4C80-A5A8-AA04F509E730} - F:\WINDOWS\system32\mlljh.dll (file missing)
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - F:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - F:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [IMJPMIG8.1] "F:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [JMB36X IDE Setup] F:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] F:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "F:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] F:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] F:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IMEKRMIG6.1] F:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "F:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NSWosCheck] F:\Program Files\Norton SystemWorks Premier\osCheck.exe
O4 - HKLM\..\Run: [VMware hqtray] "F:\Program Files\VMware\VMware Player\hqtray.exe"
O4 - HKLM\..\Run: [StartCCC] "F:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [ATICustomerCare] "F:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe"
O4 - HKLM\..\Run: [2cc12b02] rundll32.exe "F:\WINDOWS\system32\hdqjkgjy.dll",b
O4 - HKLM\..\Run: [SpywareTerminator] "F:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [BM2f219129] Rundll32.exe "F:\WINDOWS\system32\srfesbnu.dll",s
O4 - HKCU\..\Run: [PeerGuardian] F:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [MsnMsgr] "F:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "F:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Utopia Angel] "C:\Utopia\Angel\Angel.exe"
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] F:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] F:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: MagicDisc.lnk = F:\Program Files\MagicDisc\MagicDisc.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://F:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://F:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://F:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Download All with FlashGet - F:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - F:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - F:\Program Files\Norton SystemWorks Premier\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - F:\Program Files\Norton SystemWorks Premier\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://F:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F6E361B4-40F3-4C90-8A95-D95E0D8CBCD4} (MultiUpload Control) - http://www.clubbox.co.kr/neo.fld/MultiUpload.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - F:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: winopn32 - winopn32.dll (file missing)
O20 - Winlogon Notify: wvuroli - F:\WINDOWS\SYSTEM32\wvuroli.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - F:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - F:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - F:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - F:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - F:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - F:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - F:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: ServiceLayer - Nokia. - F:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Speed Disk service - Symantec Corporation - F:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - F:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Symantec Core LC - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - F:\Program Files\VMware\VMware Player\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - F:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - F:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - F:\WINDOWS\system32\vmnat.exe

--
End of file - 12807 bytes

RELEVANCY SCORE 200
Preferred Solution: Solved: Help with Trojan.Vundo, Trojan.Metajuan, Trojan.Downloader

I recommend downloading and running Reimage. It's a computer repair tool that has been proven to identify and fix many Windows problems with a high level of success.

I've used it in the past to identify and fix everything from blue screens (BSOD's), ActiveX errors, corrupt files and processes, dll/exe/sys errors, recover lost memory, Windows update problems, defragging, malware removal etc.

You can download it direct from this link http://downloadreimage.com/download.php. (This link will automatically start a download of Reimage that you can save to your computer.)

A: Solved: Help with Trojan.Vundo, Trojan.Metajuan, Trojan.Downloader

Read other 13 answers
RELEVANCY SCORE 145.2

A couple days I go, I got infected by a trojan.vundo (I think). Now all these pop ups and misleading applications appear randomly, even if i have my pop up blocker on and the windows firewall. My symantec norton anti virus blocked and managed to get rid of it but in the end, the virus, bug, or whatever it is keeps on comming back. And after I scanned my computer, the pop ups still appear (not sure if they are even pop ups since the "advertisement" opens up on another internet explorer browser). I'm beginning to have trouble loading websites and such, even though my internet is working fine; I'm having trouble posting here and loading the page too =\Any help would be appreciated. Thanks.Deckard's System Scanner v20071014.68Run by admin on 2008-04-24 16:58:37Computer is in Normal Mode.---------------------------------------------------------------------------------- System Restore --------------------------------------------------------------Successfully created a Deckard's System Scanner Restore Point.-- Last 5 Restore Point(s) --61: 2008-04-24 23:59:01 UTC - RP351 - Deckard's System Scanner Restore Point60: 2008-04-24 04:43:44 UTC - RP350 - Last known good configuration59: 2008-04-24 04:43:38 UTC - RP349 - Removed Adobe Photoshop CS258: 2008-04-24 04:43:38 UTC - RP348 - Last known good configuration57: 2008-04-24 04:43:38 UTC - RP347 - Last known good configuration-- First Restore Point -- 1: 2008-04-24 04:43:35 UTC - RP291 - System CheckpointBacked up registry... Read more

A:Infected By Downloader/trojan.metajuan/trojan.vundo

Hi,Please uninstall MyWebSearch via software > add & remove programs.Reboot afterwards.After reboot, * Please download Malwarebytes' Anti-Malware from Here or HereDouble Click mbam-setup.exe to install the application.Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.If an update is found, it will download and install the latest version.Once the program has loaded, select "Perform Quick Scan", then click Scan.The scan may take some time to finish,so please be patient.When the scan is complete, click OK, then Show Results to view the results.Make sure that everything is checked, and click Remove Selected.When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.Copy&Paste the entire report in your next reply along with a fresh HijackThis log.Extra Note:If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Read other 2 answers
RELEVANCY SCORE 145.2

Hello all,

My laptop was hit with a multiple virus infection while using Firefox.
Symantec seemed to have taken care of things at the time but I was still having some problems, and it didn't seem to be able to get rid of TDSS. I disabled system restore and tried to clean the registry manually, but wasn't able to find all the entries listed on the Symantec site. I disabled the TDSS driver via the control panel.
MBAM wouldn't install, so I tried Spybot which found a few other issues. Finally I was able to install MBAM and HJT from a disc, and connected back to the internet again briefly to update both.
I ran CCCleaner then MBAM in safe mode and MBAM seems to have cleaned everything (both MBAM and HJT scans looked ok afterwards, though there are still a few entries in the HJT log that look suspicious to me).
Everything seems to be fine now, and I proceeded to uninstall the old Java updates, got all the latest Windows updates, and then turned system restore on again.
I'm basically looking for some advice on what to do to make sure everything is in fact gone as there are those few HJT entries that look suspicious to me.
Thanks in advance!
DDS (Version 1.1.0) - NTFSx86
Run by mo at 16:50:17.96 on Tue 01/06/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2532 [GMT -6:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)

============== Running Processes ====... Read more

A:Multiple Virus Infection: Trojan.Vundo, Trojan.VundoH, Trojan.BHO, Trojan.TDSS, Trojan.Agent, Trojan.Downloader, Malware.Trace...

My name is BHowett and I will be helping you to get sorted. If for any reason you do not understand any of the instructions, or are just unsure then please do not guess , simply post back with your question, and we will go through it again. This seems like a tech issue and not a malware problem, but lets take a look and see what we find.Sorry for the delay, please do the following...ComboFix Please ownload ComboFix from Here or Here* IMPORTANT !!! Save ComboFix.exe to your DesktopDisable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License A... Read more

Read other 12 answers
RELEVANCY SCORE 132.4

Hello everyone, recently i've been having problems with the topic trojans. Symantec detects them sometimes but it never gets rid of them. Also, it seems to be getting worse, instead of just annoying pop-ups, now the computer is loading and running slower and when IE is running i get a pop-up error message that says: Microsoft Visual C++ Runtime Library, Buffer Over-run detected and application needs to shut down. Well I did some looking around and found the VundoFix 6.7.7. and tried running it. It detected many .dll's and ini's and deleted most but one just wont get deleted even after reboot called: urqromm.dll so the problems persist. I've seen some other post about hijackthis and combofix, please pardon my ignorane but where can i get these program to post the logs? The names of the trojans are from symantec when it was catching them but now it doesnt even seem to be catching them anymore. Thanks in advance for any help Here's the HijackThis log:Logfile of Trend Micro HijackThis v2.0.2Scan saved at 10:12:13 PM, on 2/3/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16574)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Symantec\Symante... Read more

A:Trojan Problems: Vundo, Metajuan, Downloader

Hello Kritikus and welcome to BleepingComputer!Apollogies for the delay. The forum has been very busy lately and. If you are still having problems, then please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic: Preparation Guide For Use Before Posting A Hijackthis Log. Thanks,Johannes

Read other 15 answers
RELEVANCY SCORE 131.2

Hi,

My Symantec was sending messages regarding trojan.vundo, trojan.metajuan and backdoor.trojan. I found some info that lead me to your combofix tutorial, which I run and now the pc seems fine, though, in the tutorial is strongly recommended to post the log. Should I?

Thank you!!
-Cristina.

Read other answers
RELEVANCY SCORE 125.6

About a month ago I noticed my computer was starting to slow down, particularly when using internet explorer. My Husband had also downloaded 'Steam' an online gaming programme and bought Day of Defeat - a completely online game played on servers..... however i dont think this was the problem - however one of the above infections had started to interefere with the platform and engine and now it is unplayable. I was alerted via Norton internet Security that I reapetdly was being infected with 'W32 Tratsinf!' and this was happening every 2-3 minutes, then it would be 'Downloader, Trojan Vundo and Metajuan. I dont know how these all got into my computer but they did despite me have Norton Internet security. I became confused from there....and still am. I have looked at the regisrty keys, where Values had been added etc and - but to be honest deleted a value that was added - System32/Vundo.exe but only went as far as that. i have deleted files that appear to be infected aswell.I was getting pop ups, alerts my system was unstable tempting me to try products to fix the problem and other error messages and i think it.they infected by AV as it has not been picking some infections other programmes have.I have followed your advice and run all the AV, AdAwareprograms, and i must admit my computer has really stabilised from there. could someone please look at the HJT Log to see if i have eradicated the problems, made them worse......Logfile of Trend Micro HijackThis v2.0.2Scan saved a... Read more

A:Help! Trojan Vundo, Trojon Metajuan, W32 Tratsinf!, Virtumonde And Downloader Is Slowly Destroying My Computer.

Hello Michellebro and welcome to BleepingComputer!Apollogies for the delay. The forum has been very busy lately. If you are still having problems please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic: Preparation Guide For Use Before Posting A Hijackthis Log.Thanks,Johannes

Read other 14 answers
RELEVANCY SCORE 125.6

Mod Edit: Log split away from topic here http://www.bleepingcomputer.com/forums/t/144809/infected-by-something-wicked/Deckard system scanner report is below. I was not able to load Kapersky because my IE is too corrupted and I can't get enough space on my hard disk in time before whatever is on my computer partitions off the space. I have cleared about 1 Gig of new space on my computer but the computer still shows that it has less than 100 MB of space on it.Deckard's System Scanner v20071014.68Run by Paul Hanken on 2008-05-05 23:34:54Computer is in Normal Mode.---------------------------------------------------------------------------------- System Restore --------------------------------------------------------------Failed to create restore point; disk is full.Backed up registry hives.Performed disk cleanup.System Drive C: has 0.01 GiB (less than 15%) free.-- HijackThis (run as Paul Hanken.exe) ----------------------------------------Unable to find log (file not found); running clone.-- HijackThis Clone ------------------------------------------------------------Emulating logfile of Trend Micro HijackThis v2.0.2Scan saved at 2008-05-05 23:38:01Platform: Windows XP Service Pack 2 (5.01.2600)MSIE: Internet Explorer (7.00.6000.16640)Boot mode: NormalRunning processes:C:\WINDOWS\system32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\BRSVC01A.... Read more

A:Trojan Vundo.EGG, Trojan Retapu.D, Generic.Zeno.E5F12F0C, Adware.Isearch.D, Trojan Downloader.Small.

Hello 425Fool,

Welcome to Bleeping Computer

Sorry about the delay. If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you.

Thanks,
tea

Read other 4 answers
RELEVANCY SCORE 125.2

Hi,

I have Windows XP and about a month a go I started receiving frequent pop-ups. I have not been able to stop them with AdAware or Norton Anti-Virus. In addition, Norton repeatedly 'blocks' and 'repairs' two trojans called Vundo and Metajuan. I've downloaded Highjack This and ComboFix. Can anyone help me?
 

Read other answers
RELEVANCY SCORE 124.8

Hello everyone! MY COMPUTER: Windows SP2 fully updatedHP Pavilion a1330nAMD athlon 64 3800+addons: ATi Radeon x1600Pro Creative Soundblaster SB X-FiMY PROBLEM: I have been infected with Trojan.Vundo, Adware.Ezula, and Trojan.Metajuan sometime in the last two weeks. I am not sure how this happened and there are other people here in my house who use this computer so I don't know the exact date of infection. For starters here is an overview of the symptoms: whenever I open up IE an additional unwanted window appears with whatever advertising garbage, sometimes when I am havent opened a new window an unwanted popup will apear, and other times when I am working in an IE window something "deselects" it and tries to popup a new unwanted window (for instance I will be writing something online and my keystrokes will stop appearing on the screen because something selects another window. I am only relating all of this because of the chance that I have some other trojan etc. than what I stated above. Another thing to note is that my system processes have risen from before the infection to after. Also in my startup manager utility list in my TuneUp Utilities 2007 has doubled for some reason I'm not sure why. WHAT I HAVE TRIED: I have turned off my System Restore. I have both Norton Internet Security and Norton AntiBot, I have scanned multiple times with NIS using the updated definitions. The strange thing is that Norton is detecting and blocking these infections but not eradica... Read more

A:Infected With Trojan.vundo, Adware.ezula And Trojan.metajuan

Hi,Start first with this free tool:Please download VundoFix.exe to your desktop.Double-click VundoFix.exe to run it.Click the Scan for Vundo button.Once it's done scanning, click the Remove Vundo button.You will receive a prompt asking if you want to remove the files,
click YESOnce you click yes, your desktop will go blank as it starts removing
Vundo.When completed, it will prompt that it will reboot your computer,
click OK.Please post the contents of C:\vundofix.txt
.................

Next, run also this free tool and post the log it makes as well please.
Download ComboFix and save it to your desktop.

**Note: It is important that it is saved directly to your desktop**

1. Close any open browsers.

2. Double click on combofix.exe & follow the prompts.
[list]When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.Note:Do not mouseclick combofix's window while it's running. That may cause it to stall

Read other 16 answers
RELEVANCY SCORE 122.4

picked up these bad boys when i was stupid and launched an .exe that i wasn't too sure of in the first place. anyway, nothing i have is getting rid of them. the following is my HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 7:48:19 PM, on 9/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alias\Maya6.0\docs\Wrapper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Alias\Maya6.0\docs\jre\bin\java.exe
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Windo... Read more

A:Solved: trojan.vundo/trojan horse/downloader virus help.

Read other 14 answers
RELEVANCY SCORE 121.2

I have tried eliminating te two trojans that Symantec continues to detect to no avail. Each time it detects the virus, it says it cannot quarantine or delete the file. I've tried running scans in safe mode, but that hasn't helped either. I'm operating on Windows XP Pro. I tried using Malware RemvalBot as well, but don't think that is any good. I have since uninstalled the program as instructed in your "Preparation for the Malware Removal Process". My computer barely seems to function at this point and my desktop is showing an "Active Desktop Recovery" process instead of my normal desktop. Whenever I've tried to shutdown, I get a message that a fatal exception has occurred and the system is being shut down. Finally, I have tried to run the GMER Rootkit Sanner, but each time it gets to a point before I have a chance to begin the scan where it says "GMER.exe is not responding". AS instructed, I skipped that for now and the other steps follow:


DDS (Version 1.1.0) - NTFSx86
Run by Betty Hoffman at 15:30:27.57 on Thu 01/01/2009
Internet Explorer: 7.0.5730.11

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88}... Read more

A:Trojan.Vundo, Trojan.Metajuan and other problems

I forgot...these were the most recent viruses that Symantec was reporting upon scan:

Trojan.Metajuan "bbiyia.dll C:\WINDOWS\system32\

Trojan.Vundo "diguweha.dll" C:\WINDOWS\system32\

Trojan.Vundo "geBrrQhg.dll" C:\WINDOWS\system32\

Read other 19 answers
RELEVANCY SCORE 118

I have been trying to rid my home computer of these virus/trojans, for over a week now. I have run the following scans - Norton 2007, McAfee 2007, Windows Defender, Windows Live One Care, Spybot, Adaware, SUPERAntiSpyware, Bit Defender, FixVundo and VundoFix all in normal and safe mode. As recommended by Norton, I have turned the system restore off. All of these scans have turned up something, which the program has been deleted. However, Norton, Windows Live One Care, Windows Defender, and SUPERAntiSpyware continue to provide notices of the infections, and despite being deleted they reappear!
So I am asking for anyone's help on removing these nuisances. I performed a Hijackthis scan and the results are below. I hope someone can look this over and suggest further steps.
Thank you in advance.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 3:35:48 PM, on 11/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\V... Read more

A:Trojan.Downloader, Adware.Vundo Variant, Trojan.Vundo and Win32/Fotomoto Infections

Anyone have any suggestions? I'm thinking of just backing up my data and reformatting my hard drive but this is my last resort obviously. Please help...
 

Read other 1 answers
RELEVANCY SCORE 116.8

I have tried eliminating the two trojans that Symantec continues to detect to no avail. Each time it detects the virus, it says it cannot quarantine or delete the file. I've tried running a scan in safe mode, but that hasn't helped either. I'm operating on Windows XP Pro. I tried using Malware RemovalBot as well, but don't think that is any good. Any guidance is appreciated.

A:Trojan.Vundo & Trojan.Metajuan

Hello and Welcome.

We want all our members to perform the steps outlined in the link I'll give you below, before posting for assistance. There's a sticky at the top of this forum, and a
Quote:




Having problems with spyware and pop-ups? First Steps




link at the top of each page.

---------------------------------------------------------------------------------------------

Please follow our pre-posting process outlined here:

http://www.techsupportforum.com/f50/...lp-305963.html

After running through all the steps, you shall have a proper set of logs. Please post them in a new topic, as this one shall be closed.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.

Read other 1 answers
RELEVANCY SCORE 116.8

hii have a malware infection that will not go away, i have tried vundofix and run full system scans on norton and avg but to no avail. any help would be greatly appretiated, below is an up to date hijackthis log.thanksabstractLogfile of Trend Micro HijackThis v2.0.2Scan saved at 20:37:29, on 14/02/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16608)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exeC:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exeC:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exeE:\3Dstudiomax9\mentalray\satellite\raysat_3dsmax9_32server.exeC:\WINDOWS\system32\nvsvc32.exeC:\Program Files\iPod\bin\iPodService.exeC:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exeC:\WINDOWS\System32\svchost.exeC... Read more

A:Trojan,vundo - Trojan,metajuan

Hello abstract,We will run ComboFix. You need to disable your Symantec/Norton Antivirus before running ComboFix, as it will prevent it from running. To disable Norton Antivirus: Please navigate to the system tray on the bottom right hand corner and look for a sign.right-click it -> chose "Disable Auto-Protect."select a duration of 5 hours (this assures no interference with the cleanup of your pc)click "Ok."a popup will warn that protection will now be disabled and the sign will now look like this: You succesfully disabled the Norton Antivirus Guard. Please visit this webpage for instructions for downloading and running ComboFix: http://www.bleepingcomputer.com/combofix/how-to-use-combofix Be sure to install the Windows XP Recovery Console in case you have not installed it yet. <== IMPORTANT Post the ComboFix log.

Read other 2 answers
RELEVANCY SCORE 116.8

Yesterday while I was running a full scan on my computer using Symantec, it detected Trojan.Vundo (as veseyusi.dll), Trojan.Metajuan (as hosozaze.dll.tmp), and another Trojan (as vebuzahu.dll). I've been getting sporadic popups while using Firefox, and even Internet Explorer popups even though I don't use that web browser at all. Also, I can't connect to a lot of sites that I used to be able to connect to before (ex: Xanga, Facebook, Google, etc.) and this site is only showing as white/Times New Roman, when I know that it's actually more elaborate than that. The HJT log in this post is not my latest log, btw. I did another scan (posted below) because I ran some malware-removal programs, but I don't think they worked...Hope this didn't make things worse. My HijackThis log is listed below:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:05:46 PM, on 1/9/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18865)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Windows\sttray.e... Read more

A:Help with Trojan.Vundo, Trojan.Metajuan

Bump.

My computer's speed and performance has dipped greatly just. I ran Spybot and a-squared Antimalware, but I don't think they really helped. There was a bunch of registries and other things I don't understand and could neither delete/quarantine. I don't know if you guys want another HJT log, but it's attached. Sorry if I'm breaking any protocols, I'm just really confused and afraid to turn my computer off in case it doesn't start again...

HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:10:01 AM, on 1/10/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18865)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\System32\bcmwltry.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Pro... Read more

Read other 1 answers
RELEVANCY SCORE 116.8

The pc I am working on isn't mine so I will give you as much info as I know. It started with multiple pop-ups when using IE. I installed Firefox and the amount of pop-ups decreased but didn't stop. I updated Norton (360) and it identified a trojan but couldn't completely delete/remove it from the system. Also, any time there is a system restart, a program called xpupdate.exe tries to initialize. Luckily no one actually continued and just exited out of the window. Norton has cleared out a few of these issues the last month but they either keep coming back or don't completely get removed.Logfile of Trend Micro HijackThis v2.0.2Scan saved at 11:14:12 PM, on 2/26/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16608)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeC:\WINDOWS\System32\WLTRYSVC.EXEC:\WINDOWS\System32\bcmwltry.exeC:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\ehome\ehtray.exeC:\WINDOWS\system32\hkcmd.exeC:\WINDOW... Read more

A:Trojan.vundo / Trojan.metajuan

Hello BlackLion2837, The pc I am working on isn't mine so I will give you as much info as I knowJust wondering why doesnt the user of the computer post his own log rather than going thru you? That way, it is far less confusing for everyone. We will run ComboFix. You need to disable your Symantec/Norton Antivirus and Spybot Teatimer before running ComboFix, as they will prevent it from running. To disable Norton Antivirus: Please navigate to the system tray on the bottom right hand corner and look for a sign.right-click it -> chose "Disable Auto-Protect."select a duration of 5 hours (this assures no interference with the cleanup of your pc)click "Ok."a popup will warn that protection will now be disabled and the sign will now look like this: You succesfully disabled the Norton Antivirus Guard.To disable Spybot's Teatimer: Run Spybot-S&D Go to the Mode menu, and make sure "Advanced Mode" is selected On the left hand side, choose Tools -> Resident Uncheck "Resident TeaTimer" and OK any promptsYou should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again. Please visit this webpage for instructions for downloading and running ComboFix: http://www.... Read more

Read other 7 answers
RELEVANCY SCORE 113.6

WOW! I need help badly! I can't get rid of these nasties!!
I tried to post this a couple of minutes ago, but I'm a senior and not too familiar with forums. If this was just posted, please forgive me for the duplication.

ComboScan v20070221.16 run by Jim on 2007-02-23 at 07:57:41
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Jim.exe) --------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 7:57:42 AM, on 2/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
... Read more

A:Can't eliminate nasties! Trojan'VUNDO';Trojan'DOWNLOADER.ZLOB.FC;Worm'W32.SPYBOT';++

Hello scroller and welcome to TSF,

You posted this just fine.

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

***************************************************

Let's go after the main, active infection first, then we'll take care of the rest in the next round.

Please download and save VundoFix to your desktop.

* Double-click VundoFix.exe to run it.
* Click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will reboot your computer, click OK.
* Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to your forum thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.


--------------------------------------------------

Please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click smitfraudfix.exe to start the tool. Select opt... Read more

Read other 19 answers
RELEVANCY SCORE 113.6

I have run MBAM and removed most of the infection from Trojan.Vundo and Trojan.DownloaderI thought I had removed all of the infection but I am still seeing symptoms. When I query "oral surgery" from Google, I am directed to www.nichepass.com.I also ran the EsetOnlineScanner and removed Cimag trojan.Below is my ComboFix log and HJT log.COMBOFIX Log:ComboFix 09-01-13.04 - XXXX 2009-01-14 22:18:43.2 - NTFSx86Microsoft Windows XP Professional 5.1.2600.2.949.82.1033.18.2047.1509 [GMT -5:00]Running from: c:\documents and settings\XXXX\Desktop\ComboFix.exeAV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!.((((((((((((((((((((((((( Files Created from 2008-12-15 to 2009-01-15 ))))))))))))))))))))))))))))))).2009-01-13 23:27 . 2009-01-14 00:56 <DIR> d-------- c:\program files\EsetOnlineScanner2009-01-12 01:13 . 2009-01-12 01:13 <DIR> d-------- c:\documents and settings\XXXX\Application Data\Malwarebytes2009-01-12 01:13 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys2009-01-12 01:12 . 2009-01-14 20:15 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware2009-01-12 01:12 . 2009-01-12 01:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes2009-01-12 01:12 . 2009-01-14 16:11 38,496 --a--... Read more

A:Trojan.Vundo or Trojan.Downloader directs user to www.nichepass.com website

Hello and welcome to Bleeping ComputerWe apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread. Also please explain your problem as fully as possible. Each little detail will help in getting your system cleaned up and functional again.Thanks and again sorry for the delay.We need to see some information about what is happening in your machine. Please perform the following scans:Please download Malwarebytes Anti-Malware and save it to your desktop.alternate download link 1alternate download link 2Make sure you are connected to the Internet.Double-click on mba... Read more

Read other 2 answers
RELEVANCY SCORE 113.6

I've spent the last week or so trying to get all these (Trojan.Vundo, Trojan.Nebular, Adware.Purityscan, Infostealer.Ldpinch, Downloader) off my computer. I should tell you that I know next to nothing when it comes to computers and I'm terrible in a crisis situation, but honestly I think I've tried just about everything from the Symantec website.So today I decided to try it here at BleepingComputer.com. So I followed everything in the Preparation Guide for the site. Rebooted...and Symatec Auto-protect popped up to warn about Tojan.Vundo, Trojan.Nebular and Downloader. I ran VundoFix.exe. Deleted all that was to be deleted. Restarted. Ran VundoFix.exe until it said it was clean. Then the Auto-Protect pops up to say that it detected Downloader. I turned off my Wireless Internet Connection. (By the way, the Firewall baffles me. I don't know what to say no to and what to say yes to). Ran Spybot, Ad-Aware and deleted everything they found. Ran Stinger until it was clean (twice). Turned back on my Wireless Connection to log on to this website. Opened Firefox. MSN and Yahoo messenger opens (See, I'm about 70% sure that it's IE that's the catalyst. If I just stick to Firefox everything is fine for a good while) and the Auto-Protect starts popping up to warn about Downloader, every five seconds (far more than it has been doing for the past week, but it's just that one and not the 'trojans'). I restarted the comp again (everything calm now), did the HijackThis and here I am! If I m... Read more

A:Infected With: Trojan.vundo, Trojan.nebular, Adware.purityscan, Infostealer.ldpinch, Downloader

Welcome to the BleepingComputer HijackThis Logs and Analysis forum AngelSpirit My name is Richie and i'll be helping you to fix your problems.Please download Combofix and save to your desktop:Note: It is important that it is saved directly to your desktop Close any open browsers. Double click on combofix.exe and follow the prompts. When it's finished it will produce a log. Post the entire contents of C:\ComboFix.txt into your next reply. Note: Do not mouseclick combofix's window while it's running. That may cause the program to freeze/hang. Also post a new Hijackthis log please.

Read other 13 answers
RELEVANCY SCORE 113.2

I have had my anti-virus(Avast) continuiously popup saying i have a trojan. I delete it and then run XoftSpy SE it also detects vundo and winfixer and downloader- New Juan/VM. I have also ran SuperanitSpyware. It also tries to remove it all to find out it is still on there. I have also ran Stinger, it found nothing. I am running Windows XP. Also when i do this, there are 2 others who also have different user names on it, do i need to access each user and repeat the process for each user? Sorry not sure of these things. I have also experienced continous popups wanting me to download spyware antiviruses, and to try and get rid of these are a real pain because they just keep popping up. Logfile of Trend Micro HijackThis v2.0.2Scan saved at 12:01:12 PM, on 11/4/2007Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\ZoneLabs\vsmon.exeC:\Program Files\Alwil Software\Avast4\aswUpdSv.exeC:\Program Files\Alwil Software\Avast4\ashServ.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\arservice.exeC:\WINDOWS\eHome\ehRecvr.exeC: ... Read more

A:Infected With Trojan Winfixer,trojan Downloader-new Juan/vm, And Vundo

Hi,* Download ComboFix from here. **Save it to your desktop**In case you have used Combofix before, please delete the version you are having and redownload it again, because Combofix is being updated everyday.In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and redownload Combofix again. Because some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.* Doubleclick combofix.exeFollow the prompts.Don't click on the window while the fix is running, because that will cause your system to hang.In case you see a sed.cfexe error with the option to send a report or not, choose "don't send".When finished and after reboot (in case it rebooted), combofix will open again to gather the necessary information for the log. This may take a bit. When done, Combofix will close and a log should open, combofix.txt. Post the contents of this log in your next reply together with a new hijackthislog.Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.

Read other 7 answers
RELEVANCY SCORE 113.2

Okay, for the past few days I've been having issues with these viruses. I have seen posts here before asking about how to get rid of the same things but since I have those 3 I don't know if there is a better way to do this.

I keep getting random pop ups. I tried downloading VundoFix but it keeps coming back of course. I ran Spybot Search & destroy and the same thing happens.

The Anti-Virus I'm using is Norton AntiVirus Corporate Edition Full version 7.60.926 if thats even necessary. It is up to date and the description it gives me for each one is..

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Downloader
File: C:\Documents and Settings\starrs crap\Local Settings\Temporary Internet Files\Content.IE5\07RJ2CT1\valera[1]
Location: C:\Documents and Settings\starrs crap\Local Settings\Temporary Internet Files\Content.IE5\07RJ2CT1
Computer: STARRSCOMPUTER
User: starrs crap
Action taken: Clean failed : Quarantine failed : Access denied
Date found: Wed Sep 19 23:37:08 2007

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Trojan.Vundo
File: C:\Documents and Settings\starrs crap\Local Settings\Temporary Internet Files\Content.IE5\CHER4DUR\lkjh[1]
Location: Quarantine
Computer: STARRSCOMPUTER
User: starrs crap
Action taken: Clean failed : Quarantine succeeded : Access denied
Date found: Wed Sep 19 23:37:10 2007

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Trojan Horse
File: C:\Documents and Settings\s... Read more

A:Virus issues, Downloader, Trojan.Vundo, Trojan Horse

oh god..okay i should probably mention that right now, my antivirus notification is at 89 notifications and counting the same message over

"Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Trojan.Vundo
File: C:\WINDOWS\system32\byxxutr.dll
Location: C:\WINDOWS\system32
Computer: STARRSCOMPUTER
User: SYSTEM
Action taken: Clean failed : Quarantine failed : Access denied
Date found: Thu Sep 20 00:15:34 2007"

by the time im done with this message its up to 99 notifications total and still counting.
103 now

im trying to delete it but it says the file is busy and im trying to disable anti virus but i cant figure out how
 

Read other 3 answers
RELEVANCY SCORE 110.8

I have been having repeated/reoccurring infections of Adware. Vundo Variant, Adware.Vundo Variant / Small-A, Adware. eZula, Trojan. Downloader-NewJuan/VM, Trojan. Downloader-Gen/DDC., and Adware. Tracking Cookie. The infection originally started when trying to fix my son's computer which was infected mainly with a Trojan Vundo (can't remember exact name). I download fixes (programs) to my laptop computer and then transferred them to his computer since it was offline. I apparently downloaded/ran something that immediately infected my computer. Trojan Vundo was immediately picked up by McAfee, and supposedly removed.My laptop is protected by McAfee Security Center (always updated and running). I am using Windows XP (always updated). I use IE (always updated/latest version).I have used Ad-Aware 2007, Spybot S&D, SUPERAntiSpyware, and others I can't remember in attempts to remove. I have also used other Anti-virus programs, Advast!, etc. since I was told that different programs pick up different infections. I have also followed many links and suggestions from this and other sites to remove the problems. I have also used SmitFraudFix and RogueFix , which have picked up problems, which were then removed. I have run all the programs in both normal and safe mode.When I run the various programs, it will pick up the infections and I go through the process of removing them. The computer seems to work great w/o any problems until I get on the internet and then the popups, redire... Read more

A:Adware. Vundo Variant, Vundo Variant / Small-a, Ezula; Trojan. Downloader-newjuan/vm, Trojan. Downloader-gen/ddc, Adware. Track...

Hello there and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today. Using My Computer, navigate to where you have HijackThis saved.Right-click on the HijackThis.exe file. Select "Rename", call it fluffybunny and press enter.Use fluffybunny.exe from now on.Please download VundoFix to your Desktop.Double-click VundoFix.exe to run it.Click the Scan for Vundo button.Once it's done scanning, click the Remove Vundo button.You will receive a prompt asking if you want to remove the files, click YESOnce you click yes, your desktop will go blank as it starts removing Vundo.When completed, it will prompt that it will reboot your computer, click OK.Please post the contents of C:\vundofix.txt in your next reply. Note: It is possible that VundoFix encountered a file it could not remove. VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.Please include VundoFix.txt and a new HijackThis log in your next reply.Thanks,Charles

Read other 10 answers
RELEVANCY SCORE 110

Hi,Over the last few months I have come across a number of problems regarding trojan's vundo metajuan. After identifying vundo with Norton and Spybot and removing it sevral times I found FixVundo which apprently resolved the problem. However, i still seem to have the same problems causing my computer to run slowly and produce a number of pop-ups whilst using IE. Here is my HijackThis log:Logfile of Trend Micro HijackThis v2.0.2Scan saved at 14:20:26, on 09/03/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\Ati2evxx.exeC:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Common Files\Symantec Shared\ccProxy.exeC:\Program Files\Common Files\Symantec Shared\SNDSrvc.exeC:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\Program ... Read more

A:Trojan Vundo & Metajuan

Resolved With VundoFix

Read other 2 answers
RELEVANCY SCORE 110

naturally, i need help. Norton is reporting finding Vundo & Metajuan. it quarantines them, but i keep getting pop ups. also the system is running really slow. i tried to follow the instructions on "http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/" ; running Adware 2007 , but it found 400 + problem and stated it could not fix it with the trial version : ( , so i stopped there.
i have attached the 'hijack this log'. thanks in advanced for your help !

joe

A:Trojan Vundo & Metajuan

Hello joe , running Adware 2007 , but it found 400 + problem and stated it could not fix it with the trial version Are you sure you downloaded and ran Ad-Aware 2007 Free ? It is free, not a trail version and will remove malware.http://www.bleepingcomputer.com/startups/A....exe-21299.htmlRogue anti-spyware program that displays false results and then states you need to pay for the software in order to remove them. I see Ad-ware Pro in your log. It is on the List of rogue suspect antispyware products http://www.spywarewarrior.com/rogue_anti-spyware.htm Please run Adaware 2007 Free, then post a fresh Hijackthis log. Please do not attach it as that makes it hard to read.

Read other 2 answers
RELEVANCY SCORE 110

Hi,

I did a Nortan scan and It found these 3 but can't quaranteen them or clean them. I've seen many people here do something with a Hijack this or something. This is my first time here so please help me get these off my system.

A:Trojan.vundo, Downloader And Trojan Hours Help

Do you have Norton scan full version?

Read other 23 answers
RELEVANCY SCORE 108.8

Hi, I need help removing many Vundo and Trojan.metajuan threats. Symantec is on overdrive. When I try to run Antispyware and clean .. I get the blue screen o'death. Please help stop the madness. Not that it matters but my 8 year old said her friend checked her gmail (huh, what?) account today on the PC so I don't know if she maybe opened something to start this mess.

Thanks for your anticipated help (as you've saved me before).

A:Trojan.Metajuan and Vundo -- Galore

Hi let's run MBam and get a log.Next run ATF:Please download ATF Cleaner by Atribune & save it to your desktop.Double-click ATF-Cleaner.exe to run the program.Under Main "Select Files to Delete" choose: Select All.Click the Empty Selected button.If you use Firefox browser click Firefox at the top and choose: Select AllClick the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.If you use Opera browser click Opera at the top and choose: Select AllClick the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.Click Exit on the Main menu to close the program.Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".Follow with MBAM:Please download Malwarebytes Anti-Malware (v1.32) and save it to your desktop.alternate download link 1alternate download link 2If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.Make sure you are connected to the Internet.Double-click on mbam-setup.exe to install the application.When the installation begins, follow the prompts and do not make any changes to default settings.When installation has finished, make sure you leave both of these checked:Update Malwarebytes' Anti-MalwareLaunch Malwarebytes' Anti-MalwareThen click Finish.MBAM will automatically start and you will be asked to update the program before performing a scan.If an update is foun... Read more

Read other 9 answers
RELEVANCY SCORE 108.8

I've been having trouble removing the Vundo trojan for the last month or so. It hasn't been critically important as it really hasn't caused much damage from what I can tell. Seems to be contained but still gives popups to my vestigial IE, as well when i login to Windows it get the notice saying something about how "epxtsas.dll" could not be found or something similar. Norton continually finds threats, "fixes" them, and I move on. But it never seems to totally go away. Here is my Hijackthis log. Thanks in advance:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:11:17 PM, on 3/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSr... Read more

A:Trojan.Vundo/Metajuan infection

Hi parkerfutbol3

I apologize for the delay getting to your log. The helpers here are all volunteers and we have been very busy here lately. If you are still having malware problems, I will be glad to help.

Please read this post completely before begining the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

===============================================

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first. The Windows Recovery Console will allow you to boot up into a special recovery mode. This allows us to help you in the case that your computer has a problem after an attempted removal of malware.

For Windows 2000, you will need your Windows 2000 installation CD.

Follow the instructions here:

http://support.microsoft.com/kb/216417

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

If you have any questions along the way, STOP and ask them before proceeding.

=================

In your ne... Read more

Read other 9 answers
RELEVANCY SCORE 107.6

Hi,

I've been plagued with the Trojan Vundo virus about 7 months ago. I had an IT professional remove it (or so I thought). For the past 6 months, it's been showing up in my antivirus scan (Symantec) as unremovable but quarantined. This would happen every two months. Recently, I've been experiencing major popups and bogus antivirus scans and a painfully slow computer. I run Spybot and Ad-Aware, and only tracking cookies are found. It disabled my Windows Automatic Updates. I downloaded MalwareBytes, and it found 56 occurences (files, registry values, registry keys and modules) of Vundo and Metajuan. Got Automatic updates back up an running, ran MalwareBytes again and nothing found. I still have a suspicion that I'm not totally free of these Trojans. Can some one confirm with the following log? MUCH, MUCH, MUCH Appreciated!

DDS (Ver_09-02-01.01) - NTFSx86
Run by Rob at 12:16:30.70 on Sat 02/07/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_03
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.301 [GMT -5:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\cc... Read more

A:Trouble with Trojan Vundo H./Metajuan - Am I clean

Hello cuttlefish,

Sorry for the delay.

If you still need help, then update and run Malwarebytes and post the log.

Read other 2 answers
RELEVANCY SCORE 107.6

Hi,

I need help with some nasty trojans and adware programs. I found out from norton that I am infected with trojans vundo, metajuan, adclicker. Also Spysheriff showed up in a norton scan too. I am running windows xp. Popups have been appearing and my desktop keeps disappearing.

Here is my Hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 5:22:44 PM, on 2/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS... Read more

A:Trojan Vundo, Metajuan, Adclicker infections! Help Please

Welcome to TSG

Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2
Link 3
**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall
 

Read other 1 answers
RELEVANCY SCORE 107.6

Hello,I keep getting warnings from Symantec that these trojans are on my computer:Trojan.VundoTrojan.AdclickerTrojan.FakeavalertTrojan.MetajuanIt happed rather suddenly, and I have attempted the removal via the registry as advised on the Symantec website, however, none of the files recommended for removal seem to exist. I have also run two Vundo fixes and neither have worked. Here is my HJT report:Logfile of Trend Micro HijackThis v2.0.2Scan saved at 3:46:34 AM, on 12/6/2007Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\AGRSMMSG.exeC:\Program Files\Synaptics\SynTP\SynTPLpr.exeC:\Program Files\Synaptics\SynTP\SynTPEnh.exeC:\Program Files\Java\jre1.5.0_10\bin\jusched.exeC:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\PROGRA~1... Read more

A:Keep Getting Trojan.adclicker/fakeavalert/vundo/metajuan

Welcome to the BleepingComputer HijackThis Logs and Analysis forum stolenfromMy name is Richie and i'll be helping you to fix your problems.Please move HijackThis to a permanent folder on the hard drive such as C:\HJT. Create a new folder and place HijackThis.exe inside that folder so that the backups of log changes it creates are saved in the same folder and can be used to reverse any line entry deletion if found to be necessary.If you run Hijackthis from the desktop, the files it removes will not be backed up properly.How to create a new folder named HJT1. Click Start/My Computer,in the 'My Computer' window,open the window in which you want to create the new folder,click on Local Disk C:2. From the 'File' menu choose 'New'.3. From the 'New' menu choose 'Folder'.4. Type the folder name: HJT5. Then press Enter.If you need help,follow the info in the link below:http://russelltexas.com/malware/createhjtfolder.htmIf you have previously downloaded ComboFix,please delete that version now.WarningYou should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is intended by its creator to be used under the guidance and supervision of an expert,not for private use. Using this tool incorrectly could lead to your system becoming unusable.Now download Combofix and save to your desktop:Note It is important that it is saved directly to your desktop Close any open browsers.Disconnect from the Internet. Double click on combofix.exe and follow ... Read more

Read other 1 answers
RELEVANCY SCORE 107.6

HI,I am new to this forum. It seems like this is the place to be if you have the problem I have. Running XP Professional 5.1(Build2600,XPSP-SP3_gdr.C080814-1236 :service pack3) on an HP xw4300 workstation. Symantec antivirus has detected and cleaned metajuan and vundo trojans however rundll32.exe fails during 'deletion'. Ads continue to pop-up and explorer 'freezes' for 5-10 secs every so often. I ran hijackthis and the log file is below: Thank you..thank you Logfile of Trend Micro HijackThis v2.0.2Scan saved at 9:40:41 PM, on 2/11/2009Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16762)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Common Files\Symantec Shared\ccSetMgr.exeC:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exeC:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exeC:\Program Files\Lavasoft\Ad-Aware\aawservice.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\system32\cisvc.exeC:\Program Files\Symantec AntiVirus\DefWatch.exeC:\Program Files\Java\jre6... Read more

A:Trojan.metajuan & vundo malware found

Hi,Your system is severly infected. Problem with these infections nowadays is, it causes a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible since it will be searching for a needle in a haystack to find the right cause and solution.So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL problems this malware already caused.In light of this it would be wise for you to back up any files and folders that you don't want to lose before we start. Reason I am telling this is because when a system is so terribly infected and we try to clean this up manually, the damage that is already present may interfere with our removal attempts. * Please visit this webpage for instructions for downloading and running ComboFix:http://www.bleepingcomputer.com/combofix/how-to-use-combofixPost the log from ComboFix in your next reply.Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix..This because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and blocks the tool, or even deletes it. Plea... Read more

Read other 6 answers
RELEVANCY SCORE 106.8

I have been clearing a computer from numerous infections. I uninstalled the outdated (since 2006) McAfee AV. I have installed Microsoft Security Essentials, MBAM, and SuperAntiSpyware. I used this combination as well as several online scanners to remove over 150 infections. Every time I run a scan with SAS, the log comes back with the following infections:Trojan.Dropper/SVCHost-FakeC:\SYSTEM VOLUME INFORMATION\_RESTORE{D5FFFA500B1B}\SVCHOST.EXEC:\SYSTEM VOLUME INFORMATION\_RESTORE{D5FFFA500B1B}\SVCHOST.EXETrojan.Agent/Gen-FakeAlertC:\SYSTEM VOLUME INFORMATION\_RESTORE{D5FFFA500B1B}\SMSS.EXEC:\SYSTEM VOLUME INFORMATION\_RESTORE{D5FFFA500B1B}\SMSS.EXEMicrosoft Security Essentials pops up during the scan with the following infection:Trojan Downloader: Win32/Unruy.D C:\SYSTEM VOLUME INFORMATION\_RESTORE{D5FFFA500B1B}\SMSS.EXE I created a new restore point and deleted all previous points, yet these infections still remain. I was receiving help from another moderator who had me try several things before directing me here. Topic referenced is here: http://www.bleepingcomputer.com/forums/t/318510/cannot-remove-trojan/ ~ OB I am posting the DDS log, GMER log, and attaching the attach.txt file. Thank you in advance for any and all help you can provide. DDS (Ver_10-03-17.01) - NTFSx86 Run by Phillips at 14:21:21.10 on Tue 05/25/2010Internet Explorer: 8.0.6001.18702Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1278.796 [GMT -4:00]AV: Microsoft Security Essentials *... Read more

A:Infected with: Trojan.Dropper/SVCHost-Fake,Trojan.Agent/Gen-FakeAlert, & Trojan Downloader: Win32/Unruy.D.

Hello and welcome to Bleeping ComputerWe apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.If you have already posted a DDS log, please do so again, as your situation may have changed.Use the 'Add Reply' and add the new log to this thread.Thanks and again sorry for the delay.We need to see some information about what is happening in your machine. Please perform the following scan:Download DDS by sUBs from one of the following links. Save it to your desktop.DDS.scrDDS.pifDouble click on the DDS icon, allow it to run.A small box will open, with an explaination about the tool. No input is needed, the scan is running.Notepad will open with the results.Foll... Read more

Read other 19 answers
RELEVANCY SCORE 106.8

Noticed this morning that Microsoft Security Essentials real-time protection was turned off and that I could not get it to turn back on. Also could not get windows update to run. Went to Services and tried disabling and then enabling windows installer. Also tried uninstalling and reinstalling MSE, but still the same problem.

Next ran MBAM full scan and found the first Rootkit.0Access; Exploit.Drop.GS; Trojan.Agent; Trojan.Downloader. Clicked remove selected and let it reboot. MBAM log created below. Ran MBAM (quick scan this time) again and found Trojan.Lameshield.124. About to hit "remove selected" and reboot. Will post log after reboot.

I have backup drives that I use (2.5" USB drives). Should I scan those as well (at same time)? Thank you for any help!!!

MBAM log attached. Ran DDS but didn't see any option to save the log. Will figure that out and post after reboot. EDIT: rebooted, and reran DDS. The program ran, but then shut down without allowing me to save a log. Any ideas to get more information about my issue?

I run Windows Vista 32-bit. Dell Inspiron E1505 (5 years old). I run MSE and windows firewall (firewall still active as far as I can tell). Removed other malware before reinstalling MSE and followed procedures on microsoft articles about reinstalling MSE.
 mbam-log-2012-12-29 (15-25-09).txt   5.9KB
  3 downloads

 mbam-log-2012-12-29 (18-25-47).txt   2.05KB
&nbs... Read more

A:MBAM - Rootkit.0Access; Exploit.Drop.GS; Trojan.Agent; Trojan.Downloader; Trojan.Lameshield.124

**In any case where you happen to be busy or unable to give us a reply, we would be grateful if you keep us informed in advance and we will be more than happy to wait. Failure to do so we will have your thread closed in THREE(3) days.

Hello there, iseeker I'm Conspire, I'll be glad to help you with your computer problems.Please observe these rules while we work:Read the entire procedureIt is important to perform ALL actions in sequence.If you don't know, stop and ask! Don't keep going on.Please reply to this thread. Do not start a new topic.Stick with me till you're given the all clear.Remember, absence of symptoms does not mean the infection is all gone.Don't attempt to clean your computer with any tools other than the ones I ask you to use during the cleanup process.IMPORTANT NOTE : Please do not delete anything unless instructed to. Remember to backup all your important data(if possible) before moving on.

Read other 16 answers
RELEVANCY SCORE 106.4

Hi,

Can you help me? I have this viruses on my computer Trojan.Metajuan & Adware.Vundo Variant/SmallA. Everytime Norton detects it and ask me to reboot my computer but after that it is still on my computer... my IE just pop-up all of a sudden and some download will ask me to download the file... now my computer booth real slow and sometimes it hungs when I am working on. please advice.

Thank you,

ajd1682


This is my HJT file:
Logfile of HijackThis v1.99.1
Scan saved at 10:56:52 AM, on 2/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\cba\pds.exe
C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
C:\PROGRA~1\Symantec\QUARAN~1\Server\qserver.exe
C:\PROGRA~1\Symantec\QUARAN~1\Server\ScanExplicit.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\... Read more

Read other answers
RELEVANCY SCORE 106.4

I got two different names for a trojan yesterday and today, and after completely running your ?5 steps before posting a log? I am finding no trojan at all! I know this sounds like a good thing, but I'd like some explanation if possible. I am running WIndows XP Home.

Yesterday WebRoot SpySweeper found trojan-backdoor-progdav, which I eliminated on 2-17-07 by using TetonBob?s excellent instructions. Today I re-used those instructions, but the target files were not found, so I ran SpySweeper again ? and this time it found a different problem: trojan-downloader-ruin.

So I used POADB?s instructions (provided to jack5000 on 4-25-06) for removing trojan-downloader-ruin: downloaed CleanUp!, Ewido with updated database, and FixWareout; ran FixWareout online; then ran HiJackThis offline in safe mode. HJT didn?t list any of the items that jack5000 was told to delete. The file to manually delete (C:\WINDOWS\\System32\dmeue.exe) also was NOT present. Then I ran my first Panda scan.

Finding none of the target files, I went to TechSupportForum?s ?5 steps before posting a log? (now realize I should?ve done first.) Took ages, but the only things found were 1 malware program (Viewpoint Media Player, which I removed in Step 1), & 7 tracking cookies (which I quarantined using Ad-Aware SE in Step 2). In Step 4 no service packs were missing ? only upgraded IE (which I never use ? I?m a Firefox user) to IE 7.

After all of this, I decided to run SpySweeper again, and thi... Read more

A:Trojan change from trojan-backdoor-progdav to trojan-downloader-ruin, no target files

Welcome organicbarb

Are there any current spyware symtoms ?

Your logs look fine
You can delete
C:\install.dat
C:\dnsbak.reg
C:\fixwareout
fixwareout.exe and combofix,exe

You should update java, afterwards this old version should be uninstalled.
J2SE Runtime Environment 5.0 Update 2

Read other 1 answers
RELEVANCY SCORE 106.4

It started on or about July 22. First we had popups circumventing our popup blocker. Then I noticed that there was an active connection listed in our firewall connection list that was called "??ool32\??crosoft.Our server had been down for almost a week because of an electrical storm, and we got a new modem with the fix from the broadband carrier. Our sercurity system may also have been down at the same time, but when we did a scan after getting our internet back, there was nothing found. After doing all of the steps recommended before doing the hijack this scan, we were told that we had all of the problems listed in the title of this post, and the House Doctor scan also said that there was an infection which couldn't be quarantined located in D:\SYSTEM VOLUME INFORMATION\_RESTORE{B9823275-D858-...\A0015881.DLL. The last 3 scans done using the same suggested programs have come back clean. During the last week the computer has begun to freeze and move very slowly. The firewall has also come up with warnings that ??ool32 has been attempting to connect with the internet, but has been blocked...so it is obviously still there. My Hijackthis logfile follows:

Logfile of HijackThis v1.99.1
Scan saved at 8:13:36 PM, on 04/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32&#... Read more

A:W32/backdoor.kzk, Trojan.downloader.purityscan, Java.trojan.exploit.bytverify, Trojan.clicker.vb.dw

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. Please download Ewido Anti-spyware and save that file to your desktop.This is a 30 day trial of the programOnce you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.Once the setup is complete you will need run ewido and update the definition files.On the main screen select the icon "Update" then select the "Update now" link.Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.Once in the Settings screen click on "Recommended actions" and then select "Quarantine".Under "Reports"Select "Automatically generate report after every scan"Un-Select "Only if threats were found"Close Ewido anti-spyware. Do not run a scan just yet. We will shortly.Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.

Clean out your Temporary Internet filesClose Internet Explorer and close any instances of Windows Explorer.Click Start -> Control Panel and then double-click Internet Options.On the General tab, click Delete Files under Tem... Read more

Read other 10 answers
RELEVANCY SCORE 106

hi,

I recently got a downloader.trojan and a vundo.trojan on my computer and i failed in every way to delete it, i managed to deleted vundo with VundoFix but the downloader.trojan keeps downloading it back again, i guess.

i hope someone can help me with the removal of the virusses.

here is a Hijackthis logfile:

Logfile of HijackThis v1.99.1
Scan saved at 12:31:17, on 1-8-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\VProSvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTO... Read more

A:downloader.trojan + Vundo.trojan

If you have vundofix, remove it and get the current version

Please download http://www.atribune.org/ccount/click.php?id=4 to C:\
Double-click VundoFix.exe to run it.
click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.
Please post the contents of C:\vundofix.txt Even if it does not find anything.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.

Please let Vundo finish its thing, sometimes it can take multiple passes
====================
Download Superantispyware (SAS)

http://www.superantispyware.com/superantispywarefreevspro.html

Install it and double-click the icon on your desktop to run it.
It will ask if you want to update the program definitions, click Yes.
Under Configuration and Preferences, click the Preferences button.
Click the Scanning Control tab.
Under Scanner Options make sure the following are checked:
o Close browsers before scanning
o Scan for tracking cookies
o Terminate memory threats before quarantining.
o Please leave the others unchecked.
o Click th... Read more

Read other 1 answers
RELEVANCY SCORE 106

Hi im having problems with 2 viruses or maybe even more, anyway norton keeps on poping up saying that I have a downloader trojan and a trojan.vundo and that it has either resolved the issue or deleted it, but after a while the same message pops up. other problems I am having include pop ups and slow internet speed, I have used norton, AVG, Ad-Aware and Spybot to try to remove them but they still seem to come back. I would be very gratefull if someone could help me.Here is the Log fileLogfile of Trend Micro HijackThis v2.0.2Scan saved at 11:56:57, on 02/11/2007Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16544)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Common Files\Symantec Shared\ccSetMgr.exeC:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Common Files\Symantec Shared\ccProxy.exeC:\Program Files\Common Files\Symantec Shared\SNDSrvc.exeC:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exeC:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exeC:\WINDOW... Read more

A:Downloader Trojan & Trojan.vundo

Hi, Wellcome to Bleeping Computer Forums!Please take note of the following:I will be handling your log and helping you, please do not make any system changes yet. The process is not instant. Please continue to review my answers until I tell you that your computer is clean. Be patience.The fixes are specific to your problem and should only be used for this issue on this machineIf there's anything that you don't understand, please ask your question(s) before proceeding with the fixes.Please reply to this thread. Do not start a new topic.Please give me some time to look over your log and I will get back to you as soon as possible.

Read other 11 answers
RELEVANCY SCORE 105.6

I followed the instructions on the hijack this prep and below is the file. I am very concerned that I can't seem to get rid of some unusual files in my msconfig startup and running processes. Unidentified items in msconfig. startup are Zeno is under C:\WINDOWS\system 32\pwinqsap.exe CORN001, Z_Start C:\WINDOWS\system32\dwdsregt.exe CORN001, Then under SOFTWARE\Microsoft\Windows\CurrentVersion\Run are : 9339047 C:\PROGRA~\9339047\9339047.exe; sd "C:\PROGRA~1\AUTOST~1\sd.exe" --checkOnly; mhnn "C:\Program Files\Obla\mhnn.exe" -vt ndrv The mhnn is also in the task manager as a running process. I cannot find any of these listed in windows explorer or my registry. Logfile of HijackThis v1.99.1Scan saved at 6:35:30 PM, on 1/4/2006Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Norton AntiVirus\navapsvc.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Common Files\Symantec Shared... Read more

A:Backdoor.dsnx, Hacktool, Trojan.cmapp, Download Trojan, Trojan.downloader.gen,

Sorry for the delay. If you are still having problems please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic:Preparation Guide For Use Before Posting A Hijackthis Log

Read other 3 answers
RELEVANCY SCORE 105.6

I have gotten Trojan.Ertfor ,Trojan.Zlob.H ,Trojan.Downloader ,and Malware.Trace and I just cant seem to get rid of these Trojans I have ran Malwarebytes'Anti-Malware program(did not get rid of these,and came back) I also did a manual deletion of these Trojans(They came back and didn't stay deleted) I will also add the Malwarebytes'Anti-Malware program Log of these Trojans. Can i get help on what to do to get rid of these annoying Trojans?
Here is the Malawarebytes'Anti-malware Log:

Malwarebytes' Anti-Malware 1.38
Database version: 2335
Windows 5.1.2600 Service Pack 3

6/25/2009 4:33:11 PM
mbam-log-2009-06-25 (16-33-07).txt

Scan type: Quick Scan
Objects scanned: 104801
Time elapsed: 9 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 3
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\sdjee3inf.dll (Trojan.Ertfor) -> No action taken.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{b2c7b2a1-00f3-42bd-f434-00aaba2c8952} (Trojan.Zlob.H) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b2c7b2a1-00f3-42bd-f434-00aaba2c8952} (Trojan.Ertfor) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion ... Read more

A:Trojan.Ertfor, Trojan.Zlob.H, Trojan.Downloader, Malware.Trace, OhMY!

Hello and welcome.. Let's do 2 things next,I think we can clear this up.Run part 1 of S!Ri's SmitfraudFixPlease download SmitfraudFixDouble-click SmitfraudFix.exeSelect option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).Please copy/paste the content of that report into your next reply.Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.http://www.beyondlogic.org/consulting/proc...processutil.htmYou have a good amount of files here. We should do a full scan.....Rerun MBAM like this:Open MBAM in normal mode and click Update tab, select Check for Updates,when doneclick Scanner tab,select FULL scan and scan.After scan click Remove Selected, Post new scan log and Reboot into normal mode.

Read other 7 answers
RELEVANCY SCORE 104.8

The problem has been going on for a week now. Norton Anti-Virus alert continually kicks up telling about removal of vundo trojan horse and IT'S INABILITY TO ACCESS/FIX/QUARANTINE DOWNLOADER. It appear downloader has infected windows registary and Internet explorer (IEXPLORE.EXE) itself. When I open any website a brand new pop-up is opening.

I desparately need help to fix the Virus problem.

Windows 2000
Norton Anti-Virus
Zone Alam firwall
Spybot
Spyware removal s/w, that comes with Yahoo DSL (I think it is from Microsoft)

I run all the above atleast once a week.
 

A:Solved: Vundo.Trojan Downloader Virus

Read other 13 answers
RELEVANCY SCORE 104.4

I have done all the preparatory actions. AVG Antispyware tells me I am infected with Trojan.Small.fb but cannot remove it. Spy Doctor scan shows Trojan.Downloader.Ruins amd Trojan. DNS Changer.Here is my HijackThis log.Can anyone help please?Logfile of HijackThis v1.99.1Scan saved at 14:49:22, on 01/11/2006Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\csrss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\System32\SCardSvr.exeC:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exeC:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exeC:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exeC:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exeC:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exeC:\Program Files\Home Cinema\PowerCinema\Kernel\TV\CLCapSvc.exeC:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLSer... Read more

A:Infected With Trojan.small.fb, Trojan.downloader.ruins, Trojan.dns Changer

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.Please download FixWareout http://downloads.subratam.org/Fixwareout.exeorhttp://swandog46.geekstogo.com/Fixwareout.exeSave it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.When your system reboots, follow the prompts. Afterwards, Hijack This will launch. Close Hijack This, and click OK to proceed. )Fix these with HJT ? mark them, close IE, click fix checkedO17 - HKLM\System\CCS\Services\Tcpip\..\{05F2BA51-171A-4B1D-AE5F-B8515E38E241}: NameServer = 85.255.115.18,85.255.112.61O17 - HKLM\System\CCS\Services\Tcpip\..\{8269A184-3C5F-41F7-A7E9-581E273A2475}: NameServer = 85.255.115.18,85.255.112.61O17 - HKLM\System\CCS\Services\Tcpip\..\{C0DCAED8-AC99-4371-811A-DDA8BF12F7D8}: NameServer = 85.255.115.18,85.255.112.61O17 - HKLM\System\CCS\Services\Tcpip\..\{FD6801D5-625E-482E-AA33-1FD2EB1B2544}: NameServer = 85.255.115.18,85.255.112.61O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.18 85.255.112.61O17 - HKLM\System\CS1\Services\Tcpip\..\{05... Read more

Read other 6 answers
RELEVANCY SCORE 104.4

This is a business computer and it is very important that it runs properly, been having issues with it for a week now. I have tried running several anti-virus programs to no avail. Currently using Panda, but used some other free software like AVG etc.Hoping you can help me, here is the hijackthis logLogfile of Trend Micro HijackThis v2.0.2Scan saved at 5:12:36 PM, on 2/2/2009Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Panda Security\Panda Antivirus Pro 2009\TPSrv.exeC:\PROGRAM FILES\PANDA SECURITY\PANDA ANTIVIRUS PRO 2009\WebProxy.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exeC:\Program Files\Citrix\GoToMyPC\g2svc.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Citrix\GoToMyPC\g2comm.exeC:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsCtrls.exeC:\Program Files\Panda Security\Panda Antivirus Pro 2009\PavFnSvr.exeC:\Program Files\Citrix\GoToMyPC\g2pre.exeC:\Program Files�... Read more

A:Business computer infected with Trojan/CI.A, Trojan Downloader.MDW, and Generic Trojan

Hi,This is a business computer and it is very important that it runs properlyNot sure if you're aware how severly infected this computer is.Since you are posting a log from a Company owned computer... There are a few things that need attention first before we proceed with this..* You must inform your Supervisor immediately.This because of:Most company machines are connected into a network at some time or other, and your infection may compromise the security of that network.If sensitive material is compromised by an infection, your company could be held liable.* Your Company must give permission for us to give you assistance.This because of:We are not here to replace your company's IT Department. If there's an IT Department, then they are responsible to deal with this.There may be sensitive material on your computer that your company would not want revealed in an open forum.Also, since this is a computer used at work - the first thing I always advise is to back up important files you don't want to lose, this since malware causes a system unstable and it may happen that it suddenly won't boot anymore, because of the damage already present.Your system is severly infected. Problem with these infections nowadays is, it causes a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.Also, I ca... Read more

Read other 2 answers
RELEVANCY SCORE 104.4

I'm was infected with Virtumonde because I had the pop-up window with saying I was infected with the one virus that it says and then lead you to another site with a virus scan but I got rid of those I think. The problem that I am having is something is changing my programs so they do not work like Lava soft Ad-aware when I tried starting it the computer would restart on it own and do it everytime I tried starting it. I ran VundoFix and that seemed to fix most of my problems but when I ran SpySweeper it still says that I have a Trojan-Downloader-Conhook, Adware Zeno search assistant, enbrowser, sidebyside search and a spycookie Aff6007 cookie. My internet is still acting funny, like when I try to play games on Pogo it says Applet(s) in this HTML page requires a version of Java different from the one the browser is currently using. In order to run the Applet(s) in the HTML page, a new browser session is required. Close all the Netscape browser sessions and start a new browser section to run the HTML page which never came up before I had these Trojans. Why did McAfee Internet Security stop these problems? Everytime I run my virus scan it says I am clean, as well as spybot and ad-aware. The only one that says I have a problem is SpySweeper. Any suggestions would be greatly appreciated, sorry if I sound a little confused on what the problem is but I am tired to trying to figure this out thanks it advance.Logfile of HijackThis v1.99.1Scan saved at 7:31:48 PM, on 4/9/2006Pla... Read more

A:Infected With Trojan-downloader-conhook, Trojan.linun, And Trojan.virtumod

Hi,

The forums are really busy, that explains why logs get behind. We start with the oldest logs first. If you still need some help, please start with posting a new hijackthislog in this thread. Don't start with a new thread.
Then I'll take a look.

Read other 10 answers
RELEVANCY SCORE 104.4

Hi Mike !

Don't know what happend !! My windows starts normally, after selecting the user, it dispalys ' loading personal settings'.. After that getting an error ' userint.exe application error' . Reference memory problem. Then it shows my desktop without any Task bar/Status bar and all the icons on my desktop are not displayed. i am accessing the explorer through Task manager using Ctrl+Alt+Del ..

Let me know whether this is an virus infection or some problem with windows registry.
thanks
clement

A:Infected with Trojan.Virtumonde/Trojan-Downloader.Agent.OGP, Help me in removing the trojan

Welcome to BCThe process of cleaning your computer may require you to temporarily disable some security programs. If you are using SpyBot Search and Destroy, please refer to Note 2 at the bottom of this page.Please download Malwarebytes Anti-Malware and save it to your desktop.alternate download link 1alternate download link 2Make sure you are connected to the Internet.Double-click on mbam-setup.exe to install the application.When the installation begins, follow the prompts and do not make any changes to default settings.When installation has finished, make sure you leave both of these checked:Update Malwarebytes' Anti-MalwareLaunch Malwarebytes' Anti-MalwareThen click Finish.MBAM will automatically start and you will be asked to update the program before performing a scan.If an update is found, the program will automatically update itself.Press the OK button to close that box and continue.If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.On the Scanner tab:Make sure the "Perform Quick Scan" option is selected.Then click on the Scan button.If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button. The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all obj... Read more

Read other 4 answers
RELEVANCY SCORE 104.4

Lately my computer has been exceptionally slow. Blue screens a time or two. Ive recognized a few other suspicious things such as 'Service Distribution Software 3.0' trying to install at 3 am for the past 2 weeks. I also looked at my ReportingEvents.log and noticed that even though Microsoft updates were downloading successfully they were not installing since 6-10-2010 (i went ahead and attached a copy of that as well). Also, Firefox was acting really funny. Taking a huge amount of time to load. I also found that even if I shut Firefox down, it was always running. Even if I went to Task Manager to kill firefox.exe, it was very difficult to get it to finally stop running.I even saw a post here saying: ------------------------------------------------------------------------QUOTELets check your HOSTS file.It's located at c:\windows\system32\drivers\etc\hosts.You can open it up in Notepad.If it's just some lines on top with a # in front of it and followed by 127.0.0.1 localhost, then you don't need to post it;however, if there are others following 127.0.0.1 localhost, you may have to fix it.Lets check your HOSTS file.It's located at c:\windows\system32\drivers\etc\hosts.You can open it up in Notepad.If it's just some lines on top with a # in front of it and followed by 127.0.0.1 localhost, then you don't need to post it;however, if there are others following 127.0.0.1 local... Read more

A:Trojan horse Vundo.JW - Trojan.Mebroot. Mebroot/Sinowal Infection, Trojan.Tracur, Trojan.TDSS or what?

Hi deetheis,Welcome to Bleeping Computer!My name is mpascal, and I will be helping you fix your problem.Before we begin, I would like to make a few things clear so that we can fix your problem as efficiently as possible:Be sure to follow all my instructions carefully! If there is anything you don't understand, don't hesitate to ask.Please do not do anything or perform other steps unless I have asked you to do so.Please make sure you post all logs I ask you to, and make sure that the entire log gets posted.Don't attach any logs unless asked. Posting them in the forums will make them easier to analyze.If you are unsure of how to reply, or need help with anything regarding the website, please look here.STEP 1 - MBAMOpen Malwarebyte's Anti-Malware.Under the Updates tab, click Check for Updates. Let the updates install (if any).After that, under the Scanner tab, click Perform Quick Scan and then Scan.The scan may take some time to finish,so please be patient.When the scan is complete, click OK, then Show Results to view the results.Make sure that everything is checked, and click Remove Selected.When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.Exit MBA... Read more

Read other 2 answers