# Solved: Help with Trojan.Vundo



## rktect (Oct 5, 2005)

I need some help getting Trojan.Vundo off of my computer. Norton Antivirus tells me that I have it, but it can't quarantine or remove it because it is in use. When I run the Norton FixVundo utility it tells me that it's not on my computer. I have tried everything except HJT, and I'm ready to post a log of HJT to be reviewed. The infected file is C:\Documents and Settings\Owner\Local Settings\Temp\dmclitu.dat.

Any help is appreciated, rktect


----------



## TheDelphiGuy (Oct 4, 2005)

Can you make Norton sweep on startup and then delete it? Because then, Norton will be the first process to load so Vundo will not load into the memory yet and you can delete it with no hassle (I hope)

EDIT: It's a dat file? Dat files are harmless... I suggest deleting it manually or my suggestion at the top.


----------



## D_Trojanator (May 13, 2005)

Hi, my name is *David*

*Click here* to download HJTsetup.exe
Save *HJTsetup.exe* to your desktop.

Double click on the *HJTsetup.exe* icon on your desktop.
By default it will install to *C:\Program Files\Hijack This*.
Continue to click *Next* in the setup dialogue boxes until you get to the "*Select Additional Tasks*" dialogue.
Put a check by *Create a desktop icon* then click *Next* again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click *Finish* and it will launch *Hijack This*.
Click on the *"Do a system scan and save a log file"* button. It will scan and then ask you to save the log.
Click *Save* to save the log file and then the log will open in notepad.
Click on "*Edit* > *Select All*" then click on "*Edit* > *Copy*" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
*DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.*


----------



## rktect (Oct 5, 2005)

This HJT log was run in Safe Mode.

I didn't state it initially, but the computer is running Windows XP.

Logfile of HijackThis v1.99.1
Scan saved at 1:27:29 PM, on 10/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\Help\starter\utilcmd.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: CATLEvents Object - {2527BEEF-1B3C-4D3B-98F0-7F3C1EB910A0} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CATLEvents Object - {BB54DE33-E539-4749-BFAC-CC49617E8F2A} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dmclitu.dat (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINNT\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ALLTEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\RunOnce: [*utilcmd] C:\WINNT\Help\starter\utilcmd.exe rerun
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://activation.alltel.com/wizlet/ALLTEL/static/controls/WebflowActiveXInstaller_2-0-0.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1118365198484
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1124246576234
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {CEDDF50D-9FA7-41A8-BCD0-6350D1ED2306} (SecurityManager Class) - https://care.alltel.com/lwp/static/installers/WebflowActiveXInstaller_3-0-0.cab
O20 - Winlogon Notify: catsrv - C:\DOCUME~1\Owner\LOCALS~1\Temp\vrstac.dat (file missing)
O20 - Winlogon Notify: cmddns - C:\DOCUME~1\Owner\LOCALS~1\Temp\snddmc.dat (file missing)
O20 - Winlogon Notify: infow - C:\DOCUME~1\Owner\LOCALS~1\Temp\wofni.dat (file missing)
O20 - Winlogon Notify: netmc - C:\DOCUME~1\Owner\LOCALS~1\Temp\cmten.dat (file missing)
O20 - Winlogon Notify: urlkey - C:\DOCUME~1\Owner\LOCALS~1\Temp\yeklru.dat (file missing)
O20 - Winlogon Notify: utilcmd - C:\DOCUME~1\Owner\LOCALS~1\Temp\dmclitu.dat
O20 - Winlogon Notify: webvga - C:\DOCUME~1\Owner\LOCALS~1\Temp\agvbew.dat (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - Unknown owner - C:\Program Files\Borland\Interbase\Bin\IBGuard.exe (file missing)
O23 - Service: InterBase Server (InterBaseServer) - Unknown owner - C:\Program Files\Borland\Interbase\Bin\IBServer.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thanks

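The log above shows the pattern that matters for this infection: O20 "Winlogon Notify" entries and an O2 BHO pointing at randomly named .dat files in a user's Temp folder, several already marked "(file missing)". A Winlogon notification package is loaded into winlogon.exe at logon, before an antivirus product's user-mode scanner starts, which is why the file shows as "in use". The following Python triage script is an added example (not part of the thread or of HijackThis); it applies simple heuristics to O2/O20 lines and runs on a constructed sample copied from the posted log. The heuristics are mine, not HijackThis's own logic.

```python
import re
from typing import Dict, List

# Constructed sample: a few lines copied from the HijackThis log posted above,
# mixed with legitimate entries, so the triage can run offline.
HJT_SAMPLE = r"""
O2 - BHO: CATLEvents Object - {2527BEEF-1B3C-4D3B-98F0-7F3C1EB910A0} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CATLEvents Object - {BB54DE33-E539-4749-BFAC-CC49617E8F2A} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dmclitu.dat (file missing)
O4 - HKLM\..\RunOnce: [*utilcmd] C:\WINNT\Help\starter\utilcmd.exe rerun
O20 - Winlogon Notify: catsrv - C:\DOCUME~1\Owner\LOCALS~1\Temp\vrstac.dat (file missing)
O20 - Winlogon Notify: utilcmd - C:\DOCUME~1\Owner\LOCALS~1\Temp\dmclitu.dat
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
"""

# Heuristics (my own, not HijackThis's): a legitimate Winlogon Notify package
# or BHO is a .dll under Program Files or the system directory, never a .dat
# in a user's Temp folder; "(file missing)" / "(no file)" marks an orphaned key.
TEMP_DIR = re.compile(r"\\(LOCALS~1|Local Settings)\\Temp\\", re.IGNORECASE)
MISSING = re.compile(r"\((no file|file missing)\)", re.IGNORECASE)
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+?)(?: \(file missing\))?$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-F-]+\}) - (?P<path>.+)$", re.IGNORECASE)


def triage_hjt(log: str) -> List[Dict[str, object]]:
    """Return the O2/O20 lines that trip a heuristic, each with its reasons."""
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        reasons = []
        m20 = O20_RE.match(line)
        m2 = O2_RE.match(line)
        if m20:
            if TEMP_DIR.search(m20["path"]):
                reasons.append("Winlogon Notify package loaded from a user Temp folder")
            if not m20["path"].lower().endswith(".dll"):
                reasons.append("Notify package is not a .dll")
            if MISSING.search(line):
                reasons.append("orphaned Notify key: registered file no longer on disk")
        elif m2:
            if TEMP_DIR.search(m2["path"]):
                reasons.append("BHO loaded from a user Temp folder")
            if MISSING.search(m2["path"]):
                reasons.append("orphaned BHO registration: CLSID points at a missing file")
        if reasons:
            findings.append({"line": line, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage_hjt(HJT_SAMPLE):
        print(finding["line"])
        for reason in finding["reasons"]:
            print("   ->", reason)
```

Orphaned entries are harmless on their own but are the residue a removal tool should still clean up; the entry whose file is present (utilcmd) is the one that is actually being loaded.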

----------



## D_Trojanator (May 13, 2005)

Please download *ewido security suite* (free), and install it.
When installing, under *Additional Options* uncheck both *Install background guard* and *Install scan via context menu*. 
When you run Ewido for the first time, you could get a warning "Database could not be found!". Click *Ok*. 
The program will prompt you to update. Click the *Ok* button. 
The program will now go to the main screen.
You will need to update Ewido to the latest definition files.
On the left-hand side of the main screen click the *Update* button. 
Click on *Start*. The update will start and a progress bar will show the updates being installed.
Once finished updating, close Ewido. *Do NOT run it yet.*

(If you have problems updating, you can use *this link* to manually update Ewido. 
*Make sure that Ewido is closed when installing the update*.)

*DO NOT RUN IT YET!*

---------------------------------------------------------------------------------

*CleanUp!*

Download Cleanup from *Here*

A window will open and choose *SAVE*, then *DESKTOP* as the destination.
On your Desktop, click on the *Cleanup40.exe* icon.
Then, click *RUN* and place a checkmark beside "*I Agree*"
Then click *NEXT* followed by *START* and *OK*.
A window will appear with many choices, *keep all the defaults as set when the Slide Bar to the left is set to Standard Quality.*
Click *OK*
*DO NOT RUN IT YET!*

---------------------------------------------------------------------------------

Once you have downloaded both programs........
To get into the Windows 2000 / XP Safe mode, as the computer is booting press and hold your "F8 Key" which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode" and press your Enter key.
*Please close ALL open Windows, Programs and Folders,* and run a full scan with Ewido.
Click on *Scanner*
Click on *Settings*
Under *How to scan* all boxes should be checked
Under *Unwanted Software* all boxes should be checked
Under *What to scan* select *Scan every file*
Click on *Ok*
Click on *Complete System Scan* to start the scan process.
Let the program scan the machine.
If Ewido finds anything, it will pop up a notification. When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says *Perform action on all infections*, then choose *clean* and click *Ok*.

Once the scan has completed, there will be a button located on the bottom of the screen named *Save Report*.
Click *Save Report* button 
Save the report to your Desktop
Close Ewido.

Run Cleanup:
Click on the "*Cleanup*" button and let it run.
Once it's done, *close the program*.


----------



## rktect (Oct 5, 2005)

David,

Thank you so much for your help. It seems to be working fine now.

Rktect


----------



## D_Trojanator (May 13, 2005)

If you're sure then:

As the problem in this thread seems to have been fixed, we ask you to mark this thread as solved!

To do this please click on the "thread tools" button in the top right hand corner and click on "solved"

If you wish the thread to be re-opened at any time, please PM a _moderator_!

*If my help has worked, you can rate me with affero, see the link in my sig! No need to donate though!*

David


----------



## D_Trojanator (May 13, 2005)

FUSNIKKI - please post your problem and log in a new thread in the security forum! 
David


----------



## D_Trojanator (May 13, 2005)

Please all post your problems and logs in a new thread in the security section!
David


----------



## D_Trojanator (May 13, 2005)

nasha828 - please post your log in its own thread in the security forum!
David


----------



## EAFiedler (Apr 25, 2000)

This thread has been closed.

If you are having the same problem, please start a new thread in the *Security Forum*.

Thank You


----------

