Help! Hijacked browser, Trojan Vundo.KA

Hello All, I am relatively new to intense computer work, so please excuse me if I use incorrect terminology or have difficulty explaining what is going on.
My sister's laptop had numerous viruses/malware/adware as a result of failure to update definitions prior to scanning. I have been trying to help her for a few weeks....
I ran Malwarebytes, Ad-Aware, IObit Security 360, ComboFix, and VundoFix... they all come up clean. The internet browser is still hijacked and I get an NT Shutdown authority error every time the computer is rebooted (I have to run the shutdown -a command to do anything on the computer). I have AVG 9.0 and this is what it finds:

C:\WINDOWS\system32\csrss.exe(916):\memory_00270000 Trojan Horse Vundo.KA
C:\WINDOWS\system32\csrss.exe(916) Trojan Horse Vundo.KA

The two csrss.exe files on the computer have the exact same date stamp... I read somewhere that may be important...

AVG states to reboot to get rid of the trojan, but subsequent scans still find these trojans.

I ran a HijackThis scan, if that would help. (Please see below....)

The computer is a Toshiba Satellite running XP, Service Pack 3.

Any help would be much appreciated.... I am losing my mind trying to fix this. Thank you for any information!


Logfile of IObit HijackScan v1.0.0.0
Scan saved at 10:35:36, on 2010-2-12

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\TODDSrv.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\IObit\IObit Security 360\IS360tray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\IObit\IObit Security 360\is360.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\IObit\IObit Security 360\a_hijackscan.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [SkyTel] SkyTel.EXE
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [NDSTray.exe] NDSTray.exe
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [TPSMain] TPSMain.exe
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [TFncKy] TFncKy.exe
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [IObit Security 360] "C:\Program Files\IObit\IObit Security 360\IS360tray.exe" /autostart
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com Explorer Bar - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\Program Files\AIM\aim.exe
O9 - Extra button: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3}SoftwareDistribution.MicrosoftUpdateWebControl.1 - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1264592965406
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5}ONLINESCANNER.OnlineScannerCtrl.1 - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93}Java Plug-in 1.5.0_06 - http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}Java Plug-in 1.5.0_06 - http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}Java Plug-in 1.5.0_06 - http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service (DVD-RAM_Service) - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: HTTP SSL HTTPFilterEventSystem (HTTPFilterEventSystem) - Unknown - C:\DOCUME~1\Bones\LOCALS~1\Temp\1.tmp srv
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IS360service (IS360service) - IObit - C:\Program Files\IObit\IObit Security 360\IS360srv.exe
O23 - Service: Lavasoft Ad-Aware Service (Lavasoft Ad-Aware Service) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Swupdtmr (Swupdtmr) - Unknown - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\WINDOWS\system32\TODDSrv.exe

Comments

  • edited February 2010
    Hello again,
    I followed the advice of mindsuckr's thread and ran the additional programs and guidance at http://www.bleepingcomputer.com/virus-removal/remove-vundo-virtumonde, starting with rkill, reinstalling Malwarebytes, using VundoFix, installing VirtumondeBeGone and running that in safe mode. Everything comes up clean, except for AVG. Any suggestions? Other than throwing this computer out of a high-rise window? Thanks again,

    Jay
  • edited February 2010
    I also ran a Kaspersky Online scan; the log is below.
    KASPERSKY ONLINE SCANNER 7.0: scan report
    Saturday, February 13, 2010
    Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Saturday, February 13, 2010 21:29:47
    Records in database: 3496508

    Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

    Scan area - My Computer:
    C:\
    D:\

    Scan statistics:
    Objects scanned: 76206
    Threats found: 2
    Infected objects found: 4
    Suspicious objects found: 0
    Scan duration: 03:24:06


    File name / Threat / Threats count
    C:\Documents and Settings\Bones\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-2044fd46.zip Infected: Exploit.Java.Gimsh.a 1
    C:\Documents and Settings\Bones\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5286af48-1a7b07a4.zip Infected: Exploit.Java.Gimsh.a 1
    C:\Documents and Settings\Bones\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\sdfg.jar-1bc53eac-3985f168.zip Infected: Trojan-Downloader.Java.OpenStream.ad 1
    C:\Documents and Settings\Bones\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\sdfg.jar-60a663c7-1a11662e.zip Infected: Trojan-Downloader.Java.OpenStream.ad 1

    Selected area has been scanned.

    It would be nice if you could just locate these files and delete them. After all of the time I have spent so far, I hope it isn't quite that easy. Not that I want it to be difficult...
    Again, thanks to anyone who has any suggestions.
    J