drfitzer Posted December 22, 2007 Report Share Posted December 22, 2007 I am trying to get rid of a trojan on my daughter's computer. A popup from her Norton antivirus keps appearing which says that there is a Trojan Vundo virus present. It references file c:\WINDOWS\repair\bardobc.dll. Norton says it has tried to repair it and failed, and tried to quarantine it and failed. There are no noticealbe negative effects but I'm sure that there are bad things happening that I can't see. I'm coppying the hijackthis log file below and hoe you can help. Thanks.Logfile of Trend Micro HijackThis v2.0.2Scan saved at 10:44:40 AM, on 12/22/2007Platform: Windows XP SP1 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\System32\ibmpmsvc.exeC:\WINDOWS\System32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\Program Files\Cisco Systems\VPN Client\cvpnd.exeC:\Program Files\NavNT\defwatch.exeC:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEC:\Program Files\NavNT\rtvscan.exeC:\WINDOWS\System32\QCONSVC.EXEC:\Program Files\Analog Devices\SoundMAX\SMAgent.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\TpKmpSVC.exeC:\Program Files\80211abg\acs.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\System32\ctfmon.exeC:\Program Files\NavNT\vptray.exeC:\WINDOWS\System32\taskswitch.exeC:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.ExeC:\WINDOWS\System32\RunDll32.exeC:\WINDOWS\System32\TpScrLk.exeC:\Program Files\Synaptics\SynTP\SynTPLpr.exeC:\Program Files\Synaptics\SynTP\SynTPEnh.exeC:\WINDOWS\System32\TpShocks.exeC:\IBMTOOLS\UTILS\ibmprc.exeC:\Program Files\ThinkPad\UltraNav Wizard\UNavTray.EXEC:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXEC:\PROGRA~1\ThinkPad\CONNEC~1\QCWLIcon.exeC:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exeC:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exeC:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exeC:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exeC:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exeC:\Program Files\Common Files\Real\Update_OB\realsched.exeC:\Program Files\Internet Explorer\iexplore.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeC:\PROGRA~1\MOZILLA.ORG\MOZILLA\MOZILLA.EXER0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://student.wfu.edu/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.htmlR0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://student.wfu.edu/R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O2 - BHO: (no name) - {01233619-9E4A-4499-8206-FA8463DAB9E0} - (no file)O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dllO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dllO2 - BHO: (no name) - {67B27373-E757-4D4D-A73A-1C5C6AA0FE51} - (no file)O2 - BHO: (no name) - {B7490636-DACB-4CE4-A3B5-C65E5D51882C} - C:\WINDOWS\repair\bardobc.dllO3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dllO3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocxO3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dllO4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exeO4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exeO4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.ExeO4 - HKLM\..\Run: [bMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitorO4 - HKLM\..\Run: [bMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXEO4 - HKLM\..\Run: [TPKBDLED] C:\WINDOWS\System32\TpScrLk.exeO4 - HKLM\..\Run: [TP4EX] tp4ex.exeO4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exeO4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exeO4 - HKLM\..\Run: [TpShocks] TpShocks.exeO4 - HKLM\..\Run: [iBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exeO4 - HKLM\..\Run: [iMJPMIG9.0] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMJP9\IMJPMIG.EXE /Preload /Migration32O4 - HKLM\..\Run: [CJIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSyncO4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSyncO4 - HKLM\..\Run: [iMSCMig] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /PreloadO4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exeO4 - HKLM\..\Run: [ATIPTA] C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXEO4 - HKLM\..\Run: [QCWLICON] C:\PROGRA~1\ThinkPad\CONNEC~1\QCWLIcon.exeO4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exeO4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helperO4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exeO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osbootO4 - HKLM\..\RunOnce: [spybotDeletingA6713] command /c del "C:\Program Files\Enigma Software Group\SpyHunter\EnigmaUpdater.dll_tobedeleted_old"O4 - HKLM\..\RunOnce: [spybotDeletingC7681] cmd /c del "C:\Program Files\Enigma Software Group\SpyHunter\EnigmaUpdater.dll_tobedeleted_old"O4 - HKLM\..\RunOnce: [spybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheckO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exeO4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startupO4 - HKCU\..\RunOnce: [spybotDeletingB5060] command /c del "C:\Program Files\Enigma Software Group\SpyHunter\EnigmaUpdater.dll_tobedeleted_old"O4 - HKCU\..\RunOnce: [spybotDeletingD3748] cmd /c del "C:\Program Files\Enigma Software Group\SpyHunter\EnigmaUpdater.dll_tobedeleted_old"O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background (User 'Default user')O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeO8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htmO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLLO9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\aim.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXEO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXEO9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)O11 - Options group: [JAVA_IBM] Java (IBM)O12 - Plugin for .csm: C:\Program Files\Internet Explorer\Plugins\npchime.dllO12 - Plugin for .csml: C:\Program Files\Internet Explorer\Plugins\npchime.dllO12 - Plugin for .cub: C:\Program Files\Internet Explorer\Plugins\npchime.dllO12 - Plugin for .cube: C:\Program Files\Internet Explorer\Plugins\npchime.dllO12 - Plugin for .dx: C:\Program Files\Internet Explorer\Plugins\npchime.dllO12 - Plugin for .emb: C:\Program Files\Internet Explorer\Plugins\npchime.dllO12 - Plugin for .embl: C:\Program Files\Internet Explorer\Plugins\npchime.dllO12 - Plugin for .gau: C:\Program Files\Internet Explorer\Plugins\npchime.dllO12 - Plugin for .jdx: C:\Program Files\Internet Explorer\Plugins\npchime.dllO12 - Plugin for .mol: C:\Program Files\Internet Explorer\Plugins\npchime.dllO12 - Plugin for .mop: C:\Program Files\Internet Explorer\Plugins\npchime.dllO12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dllO12 - Plugin for .NPSSView: C:\Program Files\Seagate Software\Viewers\ActiveXViewer\NPssView.dllO12 - Plugin for .pdb: C:\Program Files\Internet Explorer\Plugins\npchime.dllO12 - Plugin for .rxn: C:\Program Files\Internet Explorer\Plugins\npchime.dllO12 - Plugin for .scr: C:\Program Files\Internet Explorer\Plugins\npchime.dllO12 - Plugin for .skc: C:\Program Files\Internet Explorer\Plugins\npchime.dllO12 - Plugin for .spt: C:\Program Files\Internet Explorer\Plugins\npchime.dllO12 - Plugin for .tgf: C:\Program Files\Internet Explorer\Plugins\npchime.dllO12 - Plugin for .xyz: C:\Program Files\Internet Explorer\Plugins\npchime.dllO16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cabO16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exeO16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cabO16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._1/axofupld.cabO16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cabO16 - DPF: {A1337CC4-FF8E-11D1-9C48-00A0CC20E0D0} (EZListings) - http://www.therealyellowpageslive.net/live/ezlistng.cabO17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = deacnet.wfu.eduO17 - HKLM\Software\..\Telephony: DomainName = deacnet.wfu.eduO17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = deacnet.wfu.eduO20 - Winlogon Notify: bardobc - C:\WINDOWS\repair\bardobc.dllO23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\Program Files\80211abg\acs.exeO23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exeO23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exeO23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exeO23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exeO23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exeO23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exeO23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exeO23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exeO23 - Service: Alias Maya 5.0 PLE Help Server (Maya5PLEHelpServer) - Unknown owner - C:\Program Files\AliasWavefront\Maya 5.0 Personal Learning Edition\docs\Wrapper.exeO23 - Service: Intel NCS NetService (NetSvc) - IntelĀ® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exeO23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exeO23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exeO23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXEO23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exeO23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe Link to post Share on other sites
jwbirdsong Posted December 24, 2007 Report Share Posted December 24, 2007 Download Combofix to your desktop.Doubleclick combofix.exeFollow the prompts.Don't click on the window while the fix is running, because that will cause your system to hang.When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt. Post this log in your next reply . Link to post Share on other sites
Recommended Posts