Trojan.Vundo infected my computer


Post by fonshee » March 4th, 2009, 2:48 am

Hi, my story in a nutshell:

- Trojan.vundo has infected my computer recently and it brought various malware/spyware into my computer (e.g. downloader.mislead.app, bloodhound.exploit.213).

- I have Norton Antivirus that was able to quarantine these spywares but from what I understand Norton does not always catch these malwares/spywares. I have deleted most of it I believe but I think Norton may have missed a couple.

- Recently, when I start up my Windows XP, an error shows up - "error loading C:\windows\system32\pgkxhoob.dll". "The specified module could not be found."

- I ran a HijackThis log below. Please help. Please let me know if I can provide additional information.
Thank you in advance!
Last edited by fonshee on March 19th, 2009, 7:35 pm, edited 2 times in total.
fonshee
Active Member
 
Posts: 12
Joined: March 4th, 2009, 2:37 am

Re: Trojan.Vundo infected my computer

Post by Axephilic » March 5th, 2009, 10:05 pm

Hello,

Welcome to the Malware Removal Forums! My name is Adam and I will be assisting you with getting the malware off of your computer. Please observe the following points before we start:
  1. If at any point you don't understand something, please let me know and I will be glad to explain or go more into depth for you. :)
  2. I am still in training, so my responses may take more time than usual because all of my posts must be checked by an expert or teacher.
    Also, please remember, I am a volunteer and I have a personal life. I go to school full time, have a part time job, and I do sports. A lot of this takes a lot of time.
  3. Please keep all of your replies in this topic/thread and do not make a new topic/thread, thanks!
  4. Please stick with this, don't stop responding because the symptoms are gone, the infection could still be there. Keep replying to my posts until I give you the All Clean message. ;)
  5. If you don't reply within five days after my last instructions this topic will be closed. If you will not be able to reply within five days please tell me so the topic will not be closed.
  6. Please do not run other tools to remove the malware unless I ask you to until I give you the all clean. They will just mess up my fixes and make things more complicated, not fix the problem.

Make an Uninstall List

Next, please make an uninstall list using HijackThis.
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.

Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply. Please also include a new HijackThis log.

Regards,
Adam
Axephilic
Retired Graduate
 
Posts: 2180
Joined: June 18th, 2007, 1:10 pm
Location: Wisconsin, US

Re: Trojan.Vundo infected my computer

Post by Axephilic » March 7th, 2009, 6:34 pm

Hi there,

Quote:
I have Norton Antivirus that was able to quarantine these spyware but from what I understand Norton does not always catch these malwares/spywares. I have deleted most of it I believe but I think Norton may have missed a couple.

Correct, antiviruses don't always catch everything. That's why we are here. ;)

Quote:
Recently, when I start up my Windows XP, an error shows up - "error loading C:\windows\system32\pgkxhoob.dll". "The specified module could not be found."

We will be able to fix that. :)

Quote:
I ran a HijackThis log below. Please help. Please let me know if I can provide additional information.
Thank you in advance!

You're welcome.

HostsXpert
Please download HostsXpert from Funkytoad and save it to your desktop.

  1. Right click on HostsXpert.zip and select Extract All....
  2. Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
  3. Click on the Browse button. Click on Desktop. Then click OK.
  4. Once done, check (tick) the Show extracted files box and click Finish.
  5. Once extracted, HostsXpert folder will open.
  6. Double click on HostsXpert.exe to start it.
  7. On your left hand side, click on Restore MS Hosts File (see screenshot below, boxed up in red).

    Image
  8. Exit HostsXpert.

Fix HijackThis lines

  • Run HijackThis!
  • Click on Do a System Scan only
  • Place a tick next to the following lines:

    O4 - HKLM\..\Run: [b4607690] rundll32.exe "C:\WINDOWS\system32\pgkxhoob.dll",b

Close all open windows and click on Fix checked and when you get a popup window click on Yes.

Fix registry entries

Warning. Please note that this fix is specific for this poster and should not be used by anyone else:

1. Backup Your Registry with ERUNT
  • Please download ERUNT from here.
  • Unzip all the files into a folder of your choice.

Click Erunt.exe to backup your registry to the folder of your choice.

Note: If you ever need to restore your registry in case something breaks, go to the folder and start ERDNT.exe

2. Please do this:
  • Copy the contents of the Code Box below to Notepad.
  • Name the file as fix.reg
  • Change the Save as Type to All Files
  • and Save it on the desktop
Code: Select all
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"="C:\\PROGRA~1\\Google\\GOOGLE~1\\GOEC62~1.DLL"

Make sure there are NO blank lines before REGEDIT4

Then double-click on the fix.reg file, and when it prompts to merge say yes.

Please Download and Run Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

In your next reply, please include:
  1. MBAM log
  2. A new HijackThis log

Regards,
Adam
Axephilic
Retired Graduate
 
Posts: 2180
Joined: June 18th, 2007, 1:10 pm
Location: Wisconsin, US

Re: Trojan.Vundo infected my computer

Post by fonshee » March 9th, 2009, 12:00 am

Hi Adam, I appreciate your response and help. I just downloaded the malware program and deleted the error that came up. I had run several programs in the past couple of days shortly after the post and was able to clean up most of the files. I do want to run through your suggestions with backing up and restoring my registries, but I just quickly ran the malware program and HijackThis for the logs. Is there anything else I can remove with HijackThis? Malwarebytes came up with nothing. Is it safe to say I'm clean or will the adware/spyware come back?
Last edited by fonshee on March 19th, 2009, 7:35 pm, edited 1 time in total.
fonshee
Active Member
 
Posts: 12
Joined: March 4th, 2009, 2:37 am

Re: Trojan.Vundo infected my computer

Post by Axephilic » March 9th, 2009, 6:48 pm

Hi there,

The fixing of the registry entry is not optional. There is malware associated with the entry that I am having you fix and it is for your system's security that I am having you do it. I will take a few more steps to make sure that you are clean before sending you on your way. :)

Fix HijackThis lines

  • Run HijackThis!
  • Click on Do a System Scan only
  • Place a tick next to the following lines:

    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll

Close all open windows and click on Fix checked and when you get a popup window click on Yes.

Uninstall Bad Programs
We are going to uninstall some bad stuff now.
  • Click Start
  • Go to Control Panel
  • Go to Add/Remove Programs
  • Find and click Remove for the following (if found):

    Browser Address Error Redirector
    GoogleAFE

Now you can close Add/Remove Programs.

Fix registry entries

Warning. Please note that this fix is specific for this poster and should not be used by anyone else:

1. Backup Your Registry with ERUNT
  • Please download ERUNT from here.
  • Unzip all the files into a folder of your choice.

Click Erunt.exe to backup your registry to the folder of your choice.

Note: If you ever need to restore your registry in case something breaks, go to the folder and start ERDNT.exe

2. Please do this:
  • Copy the contents of the Code Box below to Notepad.
  • Name the file as fix.reg
  • Change the Save as Type to All Files
  • and Save it on the desktop
Code: Select all
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"="C:\\PROGRA~1\\Google\\GOOGLE~1\\GOEC62~1.DLL"

Make sure there are NO blank lines before REGEDIT4

Then double-click on the fix.reg file, and when it prompts to merge say yes.

Kaspersky Online Scanner
Please go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.

In your next reply, please include:
  1. Kaspersky report
  2. A new HijackThis log

Regards,
Adam
Axephilic
Retired Graduate
 
Posts: 2180
Joined: June 18th, 2007, 1:10 pm
Location: Wisconsin, US

Re: Trojan.Vundo infected my computer

Post by fonshee » March 11th, 2009, 12:46 am

Kaspersky:
Last edited by fonshee on March 19th, 2009, 7:36 pm, edited 1 time in total.
fonshee
Active Member
 
Posts: 12
Joined: March 4th, 2009, 2:37 am

Re: Trojan.Vundo infected my computer

Post by Axephilic » March 11th, 2009, 11:35 pm

Hello,

It seems that there was an error, please re-do this part:


Fix registry entries

Warning. Please note that this fix is specific for this poster and should not be used by anyone else:

1. Backup Your Registry with ERUNT
  • Please download ERUNT from here.
  • Unzip all the files into a folder of your choice.

Click Erunt.exe to backup your registry to the folder of your choice.

Note: If you ever need to restore your registry in case something breaks, go to the folder and start ERDNT.exe

2. Please do this:
  • Copy the contents of the Code Box below to Notepad.
  • Name the file as fix.reg
  • Change the Save as Type to All Files
  • and Save it on the desktop
Code: Select all
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"="C:\\PROGRA~1\\Google\\GOOGLE~1\\GOEC62~1.DLL"

Make sure there are NO blank lines before REGEDIT4

Then double-click on the fix.reg file, and when it prompts to merge say yes.

When done, please post another new HijackThis log.

Regards,
Adam
Axephilic
Retired Graduate
 
Posts: 2180
Joined: June 18th, 2007, 1:10 pm
Location: Wisconsin, US
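
The fix.reg step repeated in the posts above depends on REGEDIT4 being the first line of the file and on the file changing only the AppInit_DLLs value. As an added example (not part of the thread, and not the helper's or any tool's own code), this Python function reads the text of a .reg file and lists what merging it would change, flagging a header that is not on line 1, string data whose backslashes are not doubled, and any target outside an expected list; the sample file contents, the DLL path and the Run entry are constructed.

```python
import re

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
STRING_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"$')

def review_reg(text, expected):
    """Return (changes, problems); expected = lower-cased (key, value name) pairs."""
    changes, problems = [], []
    lines = text.lstrip("\ufeff").splitlines()
    if not lines or lines[0] not in HEADERS:
        problems.append("line 1 is not a registry file header")
    key = None
    for no, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith(";") or line in HEADERS:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lstrip("-")
            if line[1] == "-":                # [-KEY] removes the whole key
                changes.append(("delete key", key, None, None))
                problems.append(f"line {no}: deletes key {key}")
            continue
        m = VALUE_RE.match(line)
        if key is None or not m:
            problems.append(f"line {no}: not understood: {line!r}")
            continue
        name = m.group(1) if m.group(1) == "@" else m.group(1)[1:-1]
        rhs = m.group(2).strip()
        if rhs == "-":                        # "name"=- removes one value
            changes.append(("delete value", key, name, None))
        elif (s := STRING_RE.match(rhs)):
            # Registry Editor exports \ as \\ and " as \" inside string data.
            if any(c not in '\\"' for c in re.findall(r"\\(.)", s.group(1))):
                problems.append(f"line {no}: backslash in string data is not doubled")
            changes.append(("set string", key, name, re.sub(r'\\([\\"])', r"\1", s.group(1))))
        else:                                 # dword:, hex: etc. kept unparsed
            changes.append(("set other", key, name, rhs))
        if (key.lower(), name.lower()) not in expected:
            problems.append(f"line {no}: unexpected target {key}\\{name}")
    return changes, problems

# Constructed samples; key and value name are the ones in the thread's fix.reg.
EXPECTED = {(r"hkey_local_machine\software\microsoft\windows nt\currentversion\windows",
             "appinit_dlls")}
GOOD = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"="C:\\PROGRA~1\\Example\\EXAMPLE.DLL"
'''
BAD = r'''
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"="C:\PROGRA~1\Example\EXAMPLE.DLL"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"updater"="C:\\Example\\updater.exe"
'''
if __name__ == "__main__":
    print(review_reg(GOOD, EXPECTED), review_reg(BAD, EXPECTED), sep="\n")
```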

Re: Trojan.Vundo infected my computer

Post by fonshee » March 12th, 2009, 12:01 am

...
Last edited by fonshee on March 19th, 2009, 7:37 pm, edited 1 time in total.
fonshee
Active Member
 
Posts: 12
Joined: March 4th, 2009, 2:37 am

Re: Trojan.Vundo infected my computer

Post by Axephilic » March 12th, 2009, 10:11 pm

Hello,

Download and Run ComboFix
Please visit this page to download and run Combofix - http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Save it to your desktop.

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. You will see the following message if Microsoft Windows Recovery Console is not installed.

    Image

    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Image

Click on Yes to continue scanning for malware.

When finished, a log will be produced. Please post this log in your next reply.

Do not mouse click on Combofix while it is running. That may cause it to stall.

Please also post a new HijackThis log.

Regards,
Adam
Axephilic
Retired Graduate
 
Posts: 2180
Joined: June 18th, 2007, 1:10 pm
Location: Wisconsin, US

Re: Trojan.Vundo infected my computer

Post by fonshee » March 15th, 2009, 10:50 pm

.
Last edited by fonshee on March 19th, 2009, 7:38 pm, edited 1 time in total.
fonshee
Active Member
 
Posts: 12
Joined: March 4th, 2009, 2:37 am

Re: Trojan.Vundo infected my computer

Post by Axephilic » March 16th, 2009, 12:18 pm

Make an Uninstall List
I need you to create an uninstall list so I can further analyze your situation.

  • Start HijackThis.
  • Click Open the Misc Tools section
  • Click Open Uninstall Manager
  • Click Save list...
  • Save the list to your desktop, or any other convenient place and post it in your next reply.
Axephilic
Retired Graduate
 
Posts: 2180
Joined: June 18th, 2007, 1:10 pm
Location: Wisconsin, US

Re: Trojan.Vundo infected my computer

Post by fonshee » March 16th, 2009, 8:38 pm

.
Last edited by fonshee on March 19th, 2009, 7:39 pm, edited 1 time in total.
fonshee
Active Member
 
Posts: 12
Joined: March 4th, 2009, 2:37 am

Re: Trojan.Vundo infected my computer

Post by Axephilic » March 17th, 2009, 12:22 am

P2P Warning!

With reference to Malware Removal's P2P Programs Policy, please uninstall the following programs before we continue:

  1. Click on Start > Control Panel and double click on Add/Remove Programs.
  2. Locate the following programs and click on the Change/Remove button to uninstall them.

    BitTorrent 5.0.7
    Nero 6 Ultra Edition

  3. Close Add/Remove Programs and Control Panel when done.

Please post a fresh HijackThis log and uninstall list when you are done.

If you have not replied within 48 hours of this post, then this topic will be closed.

Regards,
Adam
Axephilic
Retired Graduate
 
Posts: 2180
Joined: June 18th, 2007, 1:10 pm
Location: Wisconsin, US

Re: Trojan.Vundo infected my computer

Post by fonshee » March 17th, 2009, 1:01 am

Hi,

My computer had a "Spyware Protector 2009 demo" pop up after my firewall turned off by itself. It started to scan my computer and listed a bunch of trojans and password retrievers. I've never downloaded this program so I immediately turned off my computer and restarted into safe mode. In safe mode I used Malwarebytes and removed infected files. I then also used the HijackThis program to remove a file that you previously had asked me to remove, and Norton Antivirus scanned after. Here are the HijackThis log and uninstall list:

hijackthis log:
Last edited by fonshee on March 19th, 2009, 7:40 pm, edited 1 time in total.
fonshee
Active Member
 
Posts: 12
Joined: March 4th, 2009, 2:37 am

Re: Trojan.Vundo infected my computer

Post by Axephilic » March 17th, 2009, 9:12 pm

Hi there,

Thank you for removing those things. :)

Run ComboFix

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

Code: Select all
File::
c:\program files\Nero_Burning_ROM_v6[1].6.0.13_+_Vision_Express_v3.1.0.7_+_Codecpack_+_Key.torrent
c:\program files\BitTorrent-5.0.6.exe
c:\program files\Bit_Torrent.3384303.TPB.torrent
c:\program files\Mozilla Firefox\plugins\npbittorrent.dll


Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe


Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

In your next reply, please include:
  1. ComboFix log
  2. A new HijackThis log

Regards,
Adam
Axephilic
Retired Graduate
 
Posts: 2180
Joined: June 18th, 2007, 1:10 pm
Location: Wisconsin, US