
Ap4mvp
Premium
join:2001-01-18
Chesterfield, MO



[Vundo] Ran all spyware software.. still have Vundo..

Hi all, I ran all the spyware progs listed on the site and even ran VundoFix. The virus keeps coming back. Here is my HJT.

Any help is appreciated..

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:21:03 PM, on 5/30/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\ZoneLabs\vsmon.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\ZoneLabs\avsys\ScanningProcess.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\DU Meter\DUMeterSvc.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Windows\System32\ZoneLabs\avsys\ScanningProcess.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPhoneRingToneMaker\iPhoneRingToneMaker.exe
C:\Program Files\WinTidy\WinTidy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: {328bb398-7515-7ea8-6634-8d1a91b6a7b2} - {2b7a6b19-a1d8-4366-8ae7-5157893bb823} - C:\Windows\system32\sfkwipus.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {8BF46375-ADA7-45E8-B948-C2DEB8DEA5BA} - C:\Windows\system32\ssqPhffe.dll
O2 - BHO: (no name) - {C1349062-D1A1-40DB-83CD-68CADE84FC37} - C:\Windows\system32\vTLcCvTk.dll (file missing)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [PWRISOVM.EXE] "C:\Program Files\PowerISO\PWRISOVM.EXE"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] "C:\Program Files\Google\Gmail Notifier\gnotify.exe"
O4 - HKLM\..\Run: [AnyDVD] "C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\urQKcCvw.dll,#1
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\System32\msconfig.exe" /auto
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKCU\..\Run: [MalwareRemovalBot] C:\Program Files\MalwareRemovalBot\MalwareRemovalBot.exe -boot
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: iPhoneRingToneMaker.lnk = C:\Program Files\iPhoneRingToneMaker\iPhoneRingToneMaker.exe
O4 - Startup: WinTidy.lnk = C:\Program Files\WinTidy\WinTidy.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\npjpi160_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\npjpi160_06.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - »www.eset.eu/OnlineScanner.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ccEvtMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ccSetMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DU Meter Service (DUMeterSvc) - Hagel Technologies Ltd - C:\Program Files\DU Meter\DUMeterSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe

--
End of file - 11117 bytes

HJT Log file now V2.0.2

bcastner
Premium,VIP,MVM
join:2002-09-25
Chevy Chase, MD



Re: [Vundo] Ran all spyware software.. still have Vundo..

First Steps
The following instructions are only for this Forum member. Please do not use these instructions on another computer system. You can seriously damage your system by following the instructions below without guided assistance. You assuredly will make a cleanup of your system more difficult.

Use the Add or Remove Installed Programs option to uninstall any entry resembling "MalwareBot". You may not see it.

Please download ATF Cleaner: www.atribune.org/ccount/click.php?id=1
It does not require any installation. It is set up to clean Windows 2k, XP & Vista TEMP folders, as well as IE, FireFox and Opera Temporary Internet Files and Cookies.
• Double-click ATF-Cleaner.exe to run the program.
For all browsers:
• Under Main choose: Select All
• Click the Empty Selected button.
Next, if you use Firefox (and some Mozilla-based browsers)
• Click Firefox at the top and choose: Select All
• Click the Empty Selected button.
Next, if you use the Opera browser

• Click Opera at the top and choose: Select All
• Click the Empty Selected button.
• Click Exit on the Main menu to close the program.

Reconfigure Windows Vista to show hidden files:
To enable the viewing of Hidden files follow these steps:
• Close all programs so that you are at your desktop.
• Open the Control Panel menu and click Folder Options.
• After the new window appears select the View tab.
• Put a checkmark in the checkbox labeled Display the contents of system folders.
• Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
• Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
• Remove the checkmark from the checkbox labeled Hide protected operating system files.
• Press the Apply button and then the OK button and exit My Computer.
• Now your computer is configured to show all hidden files.

Malware Removal Steps

1. Open HijackThis again, System scan only. Checkmark these items:

O2 - BHO: {328bb398-7515-7ea8-6634-8d1a91b6a7b2} - {2b7a6b19-a1d8-4366-8ae7-5157893bb823} - C:\Windows\system32\sfkwipus.dll
O2 - BHO: (no name) - {8BF46375-ADA7-45E8-B948-C2DEB8DEA5BA} - C:\Windows\system32\ssqPhffe.dll
O2 - BHO: (no name) - {C1349062-D1A1-40DB-83CD-68CADE84FC37} - C:\Windows\system32\vTLcCvTk.dll (file missing)
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\urQKcCvw.dll,#1
O4 - HKCU\..\Run: [MalwareRemovalBot] C:\Program Files\MalwareRemovalBot\MalwareRemovalBot.exe -boot
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe


Click "Fix checked" and when the log panel clears exit HijackThis.

2. Please download MalwareBytes Anti-malware (MBAM) from one of the following links:

Once downloaded, close all programs and Windows on your computer (including this one.)

Double-click on the icon on your desktop named Download_mbam-setup.exe. This will start the installation of MBAM onto your computer.

When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button.

MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program.

• On the Scanner tab, make sure the Perform quick scan option is Un-selected and then click on the Scan button to start scanning your computer.

MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan.

When the scan is finished a message box will appear that it has completed scanning successfully. Click OK.

• Now click Show Results. Make sure all entries have a checkmark at their far left.
• You should now click on the Remove Selected button to remove all the listed malware.

MBAM will now delete all of the files and registry keys and add them to the programs quarantine.

When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window. Remember where you saved the log file, as we will want to see it later.

3. Download -- but do not yet run -- ComboFix©

Download this file -- to your Desktop -- from any of these sources:

Right-click on the header of the Code box below, where on the right side it says: "Copy to clipboard":

Open a new Notepad session - (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Check that it includes all the entries from the Code Box. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

• Disconnect from the Internet.
• Disable your Antivirus. If the Antivirus software you use has any Script Blocking features, be certain to disable these as well.
Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
• A window will open with a warning. Accept any Disclaimers to start the fix.
Using your mouse, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown in this little picture:


When the scan completes Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.
• A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

4. Run HijackThis again, and save the log file.

Submit to the Forum:
• Your MBAM log results;
• The contents of C:\Combofix.txt;
• The new HijackThis log.

--
============
MS-MVP 2004-2008, ASAP Member
Users Helping Users
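
Added example, not code from this thread or from HijackThis: a small Python triage script that parses O2 (BHO) and O4 (Run) lines in HijackThis v2 log format, flags the Vundo patterns the reply above checks (unnamed or GUID-named BHOs loading random-looking DLLs from system32, orphaned BHO entries, and a Run value starting rundll32 on such a DLL by ordinal export), and then diffs the Run entries of two logs to show the MSServer value coming back under a new DLL name. The sample lines, the 8-letter-stem heuristic and the function names are constructed assumptions of this example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in HijackThis v2.0.2 log format, modelled on the entries quoted in
# this thread: the Vundo entries plus a few legitimate neighbours that act as controls.
HJT_BEFORE = r"""
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: {328bb398-7515-7ea8-6634-8d1a91b6a7b2} - {2b7a6b19-a1d8-4366-8ae7-5157893bb823} - C:\Windows\system32\sfkwipus.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {8BF46375-ADA7-45E8-B948-C2DEB8DEA5BA} - C:\Windows\system32\ssqPhffe.dll
O2 - BHO: (no name) - {C1349062-D1A1-40DB-83CD-68CADE84FC37} - C:\Windows\system32\vTLcCvTk.dll (file missing)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\urQKcCvw.dll,#1
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
"""

# Constructed "after" sample: the same machine after the first cleanup round, where the
# MSServer value has been re-created pointing at a freshly named DLL (as in the thread).
HJT_AFTER = r"""
O2 - BHO: (no name) - {2b7a6b19-a1d8-4366-8ae7-5157893bb823} - (no file)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [MSServer] "rundll32.exe" C:\Windows\system32\yayaXOFY.dll,#1
"""

O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.*)$")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")
RUNDLL_RE = re.compile(r'^"?rundll32(?:\.exe)?"?\s+(?P<dll>\S+?\.dll),(?P<export>\S+)', re.I)
# Heuristic, an assumption of this example rather than an HJT rule: every Vundo DLL in the
# thread's logs has an 8-letter pseudo-random stem (ssqPhffe, urQKcCvw, vTLcCvTk, yayaXOFY).
RANDOM_STEM_RE = re.compile(r"^[A-Za-z]{8}$")
SYSTEM32 = "\\windows\\system32\\"


@dataclass
class Finding:
    line: str
    reason: str


def _stem(path: str) -> str:
    """File name without directory or extension, e.g. 'ssqPhffe' from its full path."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def _in_system32(path: str) -> bool:
    return SYSTEM32 in path.lower()


def triage(log: str) -> list[Finding]:
    """Flag O2/O4 lines that match the Vundo indicators picked out in the thread."""
    findings: list[Finding] = []
    for line in log.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            name, path = m.group("name"), m.group("path")
            if m.group("missing") or path == "(no file)":
                findings.append(Finding(line, "BHO registered but its DLL is gone (orphaned CLSID)"))
            elif _in_system32(path) and (
                name == "(no name)" or GUID_RE.match(name) or RANDOM_STEM_RE.match(_stem(path))
            ):
                findings.append(Finding(line, "unnamed/GUID-named BHO loading a random-looking system32 DLL"))
            continue
        m = O4_RE.match(line)
        if m:
            r = RUNDLL_RE.match(m.group("cmd"))
            if (
                r
                and r.group("export").startswith("#")  # ordinal export, not a named one
                and _in_system32(r.group("dll"))
                and RANDOM_STEM_RE.match(_stem(r.group("dll")))
            ):
                findings.append(Finding(line, f"Run value [{m.group('key')}] starts rundll32 on a random-looking system32 DLL"))
    return findings


def run_entries(log: str) -> dict[str, str]:
    """Map each O4 Run value (hive:name) to its command line."""
    out: dict[str, str] = {}
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            out[f"{m.group('hive')}:{m.group('key')}"] = m.group("cmd")
    return out


def changed_run_entries(before: str, after: str) -> dict[str, tuple[str, str]]:
    """Run values present in both logs whose command changed between scans: a Vundo-style
    re-infection shows up as the same value name now pointing at a differently named DLL."""
    b, a = run_entries(before), run_entries(after)
    return {k: (b[k], a[k]) for k in b.keys() & a.keys() if b[k] != a[k]}


if __name__ == "__main__":
    for f in triage(HJT_BEFORE):
        print(f"[{f.reason}]\n    {f.line}")
    for key, (old, new) in changed_run_entries(HJT_BEFORE, HJT_AFTER).items():
        print(f"Run value {key} changed:\n    was: {old}\n    now: {new}")
```

The legitimate control lines (Symantec's unnamed BHO under Program Files, Spybot's SDHelper.dll, the WelcomeCenter rundll32 entry with a named export) are deliberately not flagged, which is the point of tying the rules to the system32 path and the ordinal export rather than to rundll32 or "(no name)" alone.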


Ap4mvp
Premium
join:2001-01-18
Chesterfield, MO

Re: [Vundo] Ran all spyware software.. still have Vundo..

Here are the logs.. I don't think Combofix worked correctly; my PC rebooted while doing this..

Malwarebytes' Anti-Malware 1.14
Database version: 807

11:16:00 PM 5/30/2008
mbam-log-5-30-2008 (23-16-00).txt

Scan type: Full Scan (C:\|J:\|)
Objects scanned: 137114
Time elapsed: 2 hour(s), 21 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 10
Registry Values Infected: 3
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Windows\System32\ssqPhffe.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\Windows\System32\urQKcCvw.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{38a6ce15-d55d-429c-a2a3-6a2d5198efdc} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8bf46375-ada7-45e8-b948-c2deb8dea5ba} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8bf46375-ada7-45e8-b948-c2deb8dea5ba} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{f53bafe5-ce7a-4e95-95ac-a3912efd3739} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{0cf5d165-517e-48b6-b3c7-3054a24f8bf6} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSServer (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{f53bafe5-ce7a-4e95-95ac-a3912efd3739} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{0cf5d165-517e-48b6-b3c7-3054a24f8bf6} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\ssqphffe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\ssqPhffe.dll (Trojan.Vundo) -> Delete on reboot.
C:\Windows\System32\urQKcCvw.dll (Trojan.Vundo) -> Delete on reboot.
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080530-202822-173.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Bry4n\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1EY0JTRI\css4[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Bry4n\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NFJSP2DF\kb456456[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Bry4n\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XZ7NG8GF\kb456456[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\jkkJdBsp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\pmNgHXRl.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\qoMcyWnl.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

ComboFix 08-05-29.1 - Bry4n 2008-05-30 23:26:54.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1260 [GMT -5:00]
Running from: C:\Users\Bry4n\Desktop\ComboFix.exe
Command switches used :: C:\Users\Bry4n\Desktop\CFscript.txt
* Created a new restore point
.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:33, on 2008-05-30
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WinTidy\WinTidy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {2b7a6b19-a1d8-4366-8ae7-5157893bb823} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {C1349062-D1A1-40DB-83CD-68CADE84FC37} - (no file)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [PWRISOVM.EXE] "C:\Program Files\PowerISO\PWRISOVM.EXE"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] "C:\Program Files\Google\Gmail Notifier\gnotify.exe"
O4 - HKLM\..\Run: [AnyDVD] "C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [MSServer] "rundll32.exe" C:\Windows\system32\yayaXOFY.dll,#1
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\System32\msconfig.exe" /auto
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: iPhoneRingToneMaker.lnk = C:\Program Files\iPhoneRingToneMaker\iPhoneRingToneMaker.exe
O4 - Startup: WinTidy.lnk = C:\Program Files\WinTidy\WinTidy.exe
O4 - Global Startup: hpzrcv01.LNK = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\npjpi160_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\npjpi160_06.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - »www.eset.eu/OnlineScanner.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ccEvtMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ccSetMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DU Meter Service (DUMeterSvc) - Hagel Technologies Ltd - C:\Program Files\DU Meter\DUMeterSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe

--
End of file - 9037 bytes
--
Uh-huh, and let me know when Elvis gets here.

Ap4mvp
Premium
join:2001-01-18
Chesterfield, MO
On second thought, Combofix said something about not being able to run the program?
--
Uh-huh, and let me know when Elvis gets here.

bcastner
Premium,VIP,MVM
join:2002-09-25
Chevy Chase, MD

Re: [Vundo] Ran all spyware software.. still have Vundo..

Combofix will reboot your computer. That is to be expected.

Delete Combofix.exe from your Desktop.
Download it again.

This time you will not use a CFScript file. Just double click Combofix.exe and let it run.

Post back the contents of C:\Combofix.txt when it reboots and then finishes.
--
============
MS-MVP 2004-2008, ASAP Member
Users Helping Users


Ap4mvp
Premium
join:2001-01-18
Chesterfield, MO

Re: [Vundo] Ran all spyware software.. still have Vundo..

K that worked.. here ya go..

ComboFix 08-05-29.1 - Bry4n 2008-05-30 12:04:36.3 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1336 [GMT -5:00]
Running from: C:\Users\Bry4n\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\system32\AutoRun.inf
C:\Windows\System32\effhPqss.ini
C:\Windows\System32\effhPqss.ini2
C:\Windows\system32\hqfluscd.ini
C:\Windows\System32\kTvCcLTv.ini
C:\Windows\System32\kTvCcLTv.ini2
C:\Windows\system32\mcrh.tmp
C:\Windows\System32\ocklxenh.ini
C:\Windows\system32\qgmewliy.ini
C:\Windows\system32\sfkwipus.dll
J:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-30 )))))))))))))))))))))))))))))))
.

2008-05-30 20:47 . 2008-05-30 20:47 d-------- C:\Users\Bry4n\AppData\Roaming\Malwarebytes
2008-05-30 20:47 . 2008-05-30 20:47 d-------- C:\Users\All Users\Malwarebytes
2008-05-30 20:47 . 2008-05-30 20:47 d-------- C:\ProgramData\Malwarebytes
2008-05-30 20:47 . 2008-05-30 20:47 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-30 20:47 . 2008-05-30 01:06 34,296 --a------ C:\Windows\System32\drivers\mbamcatchme.sys
2008-05-30 20:47 . 2008-05-30 01:06 15,864 --a------ C:\Windows\System32\drivers\mbam.sys
2008-05-30 20:45 . 2008-05-30 20:45 d-------- C:\Users\All Users\Hewlett-Packard
2008-05-30 20:45 . 2008-05-30 20:45 d-------- C:\ProgramData\Hewlett-Packard
2008-05-30 20:37 . 2007-03-28 14:01 118,272 --a------ C:\Windows\System32\hpz3l5ha.dll
2008-05-30 20:35 . 2008-05-30 20:35 d-------- C:\Program Files\HP
2008-05-30 20:33 . 2008-05-30 20:33 d-------- C:\Users\All Users\HP
2008-05-30 20:33 . 2008-05-30 20:33 d-------- C:\ProgramData\HP
2008-05-30 20:33 . 2007-03-17 15:39 958,464 --a------ C:\Windows\System32\hpotiop4.dll
2008-05-30 20:33 . 2007-03-17 15:39 675,840 --a------ C:\Windows\System32\hpowiax4.dll
2008-05-30 20:33 . 2007-03-08 14:20 364,544 --a------ C:\Windows\System32\hppldcoi.dll
2008-05-30 20:33 . 2007-03-08 14:20 309,760 --a------ C:\Windows\System32\difxapi.dll
2008-05-30 20:33 . 2007-03-17 15:39 303,104 --a------ C:\Windows\System32\hpovst11.dll
2008-05-30 20:33 . 2007-03-31 00:29 267,864 --a------ C:\Windows\System32\hpzids01.dll
2008-05-30 20:33 . 2008-05-30 20:35 121,273 --a------ C:\Windows\hpoins15.dat
2008-05-30 20:33 . 2007-09-21 10:15 1,037 --------- C:\Windows\hpomdl15.dat
2008-05-30 19:20 . 2008-05-30 19:20 d-------- C:\Program Files\Trend Micro
2008-05-30 17:24 . 2008-05-30 17:24 d-------- C:\Windows\Sun
2008-05-30 17:03 . 2008-05-30 23:21 d-a------ C:\Users\All Users\TEMP
2008-05-30 17:03 . 2008-05-30 23:21 d-a------ C:\ProgramData\TEMP
2008-05-30 17:02 . 2007-12-10 14:53 81,288 --a------ C:\Windows\System32\drivers\iksyssec.sys
2008-05-30 17:02 . 2007-12-10 14:53 66,952 --a------ C:\Windows\System32\drivers\iksysflt.sys
2008-05-30 17:02 . 2008-02-01 12:55 42,376 --a------ C:\Windows\System32\drivers\ikfilesec.sys
2008-05-30 17:02 . 2007-12-10 14:53 29,576 --a------ C:\Windows\System32\drivers\kcom.sys
2008-05-30 17:01 . 2008-05-30 17:01 d-------- C:\Users\Bry4n\AppData\Roaming\PC Tools
2008-05-30 17:01 . 2008-05-30 23:28 d-------- C:\Program Files\Spyware Doctor
2008-05-30 16:59 . 2008-05-30 17:04 d-------- C:\Program Files\Java
2008-05-30 16:59 . 2008-05-30 16:59 d-------- C:\Program Files\Common Files\Java
2008-05-30 16:09 . 2008-05-30 16:09 d-------- C:\Program Files\MSXML 4.0
2008-05-30 16:09 . 2008-05-30 16:12 d-------- C:\Program Files\EsetOnlineScanner
2008-05-30 14:40 . 2008-05-30 16:04 153 --a------ C:\Windows\wininit.ini
2008-05-30 14:07 . 2008-05-30 14:07 24,576 --a------ C:\Windows\System32\VundoFixSVC.exe
2008-05-30 13:27 . 2008-05-30 18:01 d-------- C:\VundoFix Backups
2008-05-30 12:45 . 2008-05-30 12:47 d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-05-30 12:45 . 2008-05-30 12:47 d-------- C:\ProgramData\Spybot - Search & Destroy
2008-05-30 12:45 . 2008-05-30 12:45 d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-29 08:14 . 2008-05-29 08:14 0 --ah----- C:\Users\Default.LOG2
2008-05-29 08:14 . 2008-05-29 08:14 0 --ah----- C:\Users\Default.LOG1
2008-05-29 08:14 . 2008-05-29 08:14 0 --ah----- C:\ProgramData.LOG2
2008-05-29 08:14 . 2008-05-29 08:14 0 --ah----- C:\ProgramData.LOG1
2008-05-29 02:14 . 2008-05-30 20:25 2,375 --a------ C:\rollback.ini
2008-05-29 01:25 . 2008-05-29 01:25 d-------- C:\Users\All Users\CheckPoint
2008-05-29 01:25 . 2008-05-29 01:25 d-------- C:\ProgramData\CheckPoint
2008-05-29 01:25 . 2008-01-09 03:32 276,368 --a------ C:\Windows\System32\drivers\~GLH0014.TMP
2008-05-29 00:46 . 2008-05-30 11:56 d-------- C:\Windows\Internet Logs
2008-05-29 00:30 . 2008-05-29 00:31 d-------- C:\Users\Bry4n\AppData\Roaming\MalwareRemovalBot
2008-05-28 22:08 . 2008-05-28 22:18 d-------- C:\Users\All Users\Lavasoft
2008-05-28 22:08 . 2008-05-28 22:18 d-------- C:\ProgramData\Lavasoft
2008-05-28 22:08 . 2008-05-28 22:08 d-------- C:\Program Files\Lavasoft
2008-05-28 22:07 . 2008-05-28 22:07 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-28 20:22 . 2008-05-28 20:22 d-------- C:\Users\All Users\Hagel Technologies
2008-05-28 20:22 . 2008-05-28 20:22 d-------- C:\ProgramData\Hagel Technologies
2008-05-28 20:22 . 2008-05-28 20:22 d-------- C:\Program Files\DU Meter
2008-05-28 20:17 . 2008-05-30 11:53 69 --a------ C:\Windows\NeroDigital.ini
2008-05-28 20:14 . 2008-05-28 20:14 d-------- C:\Windows\WinAVI Video Converter 9.0
2008-05-28 20:14 . 2008-05-28 20:14 d-------- C:\Program Files\WinAVI Video Converter 9.0
2008-05-28 20:08 . 2006-10-26 19:56 32,592 --a------ C:\Windows\System32\msonpmon.dll
2008-05-28 20:05 . 2008-05-28 20:05 d-------- C:\Program Files\Microsoft Works
2008-05-28 20:01 . 2008-05-28 20:01 d-------- C:\Windows\PCHEALTH
2008-05-28 20:01 . 2008-05-28 20:01 d-------- C:\Program Files\Microsoft.NET
2008-05-28 19:58 . 2008-05-28 19:58 d-------- C:\Program Files\Microsoft Visual Studio 8
2008-05-28 19:57 . 2008-05-28 20:10 d-------- C:\Users\All Users\Microsoft Help
2008-05-28 19:57 . 2008-05-28 20:10 d-------- C:\ProgramData\Microsoft Help
2008-05-28 19:48 . 2008-05-28 19:54 d-------- C:\Users\Bry4n\AppData\Roaming\Ahead
2008-05-28 19:45 . 2008-05-28 19:45 d-------- C:\Users\All Users\Nero
2008-05-28 19:45 . 2008-05-28 19:45 d-------- C:\ProgramData\Nero
2008-05-28 19:45 . 2008-05-28 19:45 d-------- C:\Program Files\Nero
2008-05-28 19:45 . 2008-05-28 19:47 d-------- C:\Program Files\Common Files\Ahead
2008-05-28 19:33 . 2008-05-28 19:33 d-------- C:\Users\All Users\Adobe Systems
2008-05-28 19:33 . 2008-05-28 19:33 d-------- C:\ProgramData\Adobe Systems
2008-05-28 19:27 . 2008-05-28 19:27 d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-05-28 19:24 . 2008-05-28 19:24 d-------- C:\Users\All Users\Adobe
2008-05-28 19:24 . 2008-05-28 19:27 d-------- C:\Program Files\Common Files\Adobe
2008-05-28 19:20 . 2008-05-30 19:15 d-------- C:\Users\Bry4n\AppData\Roaming\iPhoneRingToneMaker
2008-05-28 19:20 . 2008-05-28 19:20 d-------- C:\Program Files\iPhoneRingToneMaker
2008-05-28 19:11 . 2008-05-28 19:11 d-------- C:\Windows\System32\Macromed
2008-05-28 19:11 . 2008-05-28 19:11 1,160 --a------ C:\Windows\mozver.dat
2008-05-28 19:04 . 2008-05-28 20:13 d-------- C:\Program Files\Microsoft Money 2007
2008-05-28 07:54 . 2008-05-30 11:52 d-------- C:\Program Files\Symantec
2008-05-28 07:54 . 2008-05-30 11:56 d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-28 07:26 . 2008-05-30 11:56 d-------- C:\Users\All Users\Symantec
2008-05-28 07:26 . 2008-05-30 11:56 d-------- C:\ProgramData\Symantec
2008-05-28 07:16 . 2008-05-30 12:09 54,156 --ah----- C:\Windows\QTFont.qfn
2008-05-28 07:16 . 2008-05-28 07:16 1,409 --a------ C:\Windows\QTFont.for
2008-05-28 04:09 . 2008-05-28 04:09 694,784 --a------ C:\Windows\System32\localspl.dll
2008-05-28 04:08 . 2008-05-28 04:08 2,923,520 --a------ C:\Windows\explorer.exe
2008-05-28 04:07 . 2008-05-28 04:07 194,560 --a------ C:\Windows\System32\WebClnt.dll
2008-05-28 04:07 . 2008-05-28 04:07 110,080 --a------ C:\Windows\System32\drivers\mrxdav.sys
2008-05-28 04:05 . 2008-05-28 04:05 376,320 --a------ C:\Windows\System32\winsrv.dll
2008-05-28 04:05 . 2008-05-28 04:05 49,664 --a------ C:\Windows\System32\csrsrv.dll
2008-05-28 04:03 . 2008-05-28 04:03 1,060,920 --a------ C:\Windows\System32\drivers\ntfs.sys
2008-05-28 04:03 . 2008-05-28 04:03 41,984 --a------ C:\Windows\System32\drivers\monitor.sys
2008-05-28 04:01 . 2008-05-28 04:01 374,456 --a------ C:\Windows\System32\mcupdate_GenuineIntel.dll
2008-05-28 04:00 . 2008-05-28 04:00 8,147,968 --a------ C:\Windows\System32\wmploc.DLL
2008-05-28 04:00 . 2008-05-28 04:00 414,208 --a------ C:\Windows\System32\msscp.dll
2008-05-28 04:00 . 2008-05-28 04:00 356,864 --a------ C:\Windows\System32\MediaMetadataHandler.dll
2008-05-28 04:00 . 2008-05-28 04:00 7,680 --a------ C:\Windows\System32\spwmp.dll
2008-05-28 04:00 . 2008-05-28 04:00 4,096 --a------ C:\Windows\System32\msdxm.ocx
2008-05-28 04:00 . 2008-05-28 04:00 4,096 --a------ C:\Windows\System32\dxmasf.dll
2008-05-28 03:59 . 2008-05-28 03:59 396,800 --a------ C:\Windows\System32\MPSSVC.dll
2008-05-28 03:59 . 2008-05-28 03:59 392,192 --a------ C:\Windows\System32\FirewallAPI.dll
2008-05-28 03:59 . 2008-05-28 03:59 178,688 --a------ C:\Windows\System32\iphlpsvc.dll
2008-05-28 03:59 . 2008-05-28 03:59 86,016 --a------ C:\Windows\System32\icfupgd.dll
2008-05-28 03:59 . 2008-05-28 03:59 63,488 --a------ C:\Windows\System32\drivers\mpsdrv.sys
2008-05-28 03:59 . 2008-05-28 03:59 61,952 --a------ C:\Windows\System32\cmifw.dll
2008-05-28 03:59 . 2008-05-28 03:59 23,040 --a------ C:\Windows\System32\drivers\tunnel.sys
2008-05-28 03:59 . 2008-05-28 03:59 16,896 --a------ C:\Windows\System32\wfapigp.dll
2008-05-28 03:59 . 2008-05-28 03:59 15,360 --a------ C:\Windows\System32\drivers\TUNMP.SYS
2008-05-28 03:57 . 2008-05-28 03:57 3,504,696 --a------ C:\Windows\System32\ntkrnlpa.exe
2008-05-28 03:57 . 2008-05-28 03:57 3,470,392 --a------ C:\Windows\System32\ntoskrnl.exe
2008-05-28 03:57 . 2008-05-28 03:57 211,000 --a------ C:\Windows\System32\drivers\volsnap.sys
2008-05-28 03:57 . 2008-05-28 03:57 154,624 --a------ C:\Windows\System32\drivers\nwifi.sys
2008-05-28 03:57 . 2008-05-28 03:57 109,624 --a------ C:\Windows\System32\drivers\ataport.sys
2008-05-28 03:57 . 2008-05-28 03:57 45,112 --a------ C:\Windows\System32\drivers\pciidex.sys
2008-05-28 03:57 . 2008-05-28 03:57 21,560 --a------ C:\Windows\System32\drivers\atapi.sys
2008-05-28 03:57 . 2008-05-28 03:57 17,464 --a------ C:\Windows\System32\drivers\intelide.sys
2008-05-28 03:56 . 2008-05-28 03:56 104,448 --a------ C:\Windows\System32\DWWIN.EXE
2008-05-28 03:55 . 2008-05-28 03:55 1,191,936 --a------ C:\Windows\System32\msxml3.dll
2008-05-28 03:55 . 2008-05-28 03:55 224,768 --a------ C:\Windows\System32\drivers\usbport.sys
2008-05-28 03:55 . 2008-05-28 03:55 192,000 --a------ C:\Windows\System32\drivers\usbhub.sys
2008-05-28 03:55 . 2008-05-28 03:55 73,216 --a------ C:\Windows\System32\drivers\usbccgp.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-29 01:05 --------- d-----w C:\Program Files\MSBuild
2008-05-28 12:14 174 --sha-w C:\Program Files\desktop.ini
2008-05-28 12:08 --------- d-----w C:\Program Files\Windows Sidebar
2008-05-28 12:08 --------- d-----w C:\Program Files\Windows Mail
2008-05-28 12:08 --------- d-----w C:\Program Files\Windows Defender
2008-05-28 12:08 --------- d-----w C:\Program Files\Windows Calendar
2008-05-28 09:10 61,952 ----a-w C:\Windows\system32\drivers\wanarp.sys
2008-05-28 09:10 48,640 ----a-w C:\Windows\system32\drivers\ndproxy.sys
2008-05-28 09:10 20,480 ----a-w C:\Windows\system32\drivers\ndistapi.sys
2008-05-28 09:09 70,144 ----a-w C:\Windows\system32\drivers\pacer.sys
2008-05-28 09:09 619,008 ----a-w C:\Windows\system32\drivers\dxgkrnl.sys
2008-05-28 09:08 28,344 ----a-w C:\Windows\system32\drivers\battc.sys
2008-05-28 09:08 258,232 ----a-w C:\Windows\system32\drivers\acpi.sys
2008-05-28 09:08 20,920 ----a-w C:\Windows\system32\drivers\compbatt.sys
2008-05-28 09:08 14,208 ----a-w C:\Windows\system32\drivers\CmBatt.sys
2008-05-28 08:48 54,784 ----a-w C:\Windows\system32\drivers\i8042prt.sys
2008-05-28 08:48 495,160 ----a-w C:\Windows\system32\drivers\Wdf01000.sys
2008-05-28 08:48 35,384 ----a-w C:\Windows\system32\drivers\WdfLdr.sys
2008-05-28 08:48 35,384 ----a-w C:\Windows\system32\drivers\kbdclass.sys
2008-05-28 08:48 34,360 ----a-w C:\Windows\system32\drivers\mouclass.sys
2008-05-28 08:48 19,968 ----a-w C:\Windows\system32\drivers\sermouse.sys
2008-05-28 08:48 15,872 ----a-w C:\Windows\system32\drivers\mouhid.sys
2008-05-28 08:36 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-05-28 08:36 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-05-28 08:36 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2008-05-28 08:36 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-05-28 08:36 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-05-28 08:32 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
.

------- Sigcheck -------

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2b7a6b19-a1d8-4366-8ae7-5157893bb823}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C1349062-D1A1-40DB-83CD-68CADE84FC37}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 13:49 153136]
"DU Meter"="C:\Program Files\DU Meter\DUMeter.exe" [2007-10-15 15:19 2582288]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [ ]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 16:48 479232]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [2008-05-28 01:18 454144]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 18:53 153136]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 17:38 583048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"MSServer"="rundll32.exe" [2006-11-02 04:45 44544 C:\Windows\System32\rundll32.exe]
"MSConfig"="C:\Windows\System32\msconfig.exe" [2006-11-02 04:45 222208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"@"="" []

C:\Users\Bry4n\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]
iPhoneRingToneMaker.lnk - C:\Program Files\iPhoneRingToneMaker\iPhoneRingToneMaker.exe [2008-05-28 19:20:53 1138176]
WinTidy.lnk - C:\Program Files\WinTidy\WinTidy.exe [2001-10-08 06:14:20 585216]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{63D1F38F-4644-4620-87F7-A0DC6BA5719A}C:\\program files\\azureus\\azureus.exe"= UDP:C:\program files\azureus\azureus.exe:Azureus
"UDP Query User{36FC0908-280A-4B25-9579-F77E627046A5}C:\\program files\\azureus\\azureus.exe"= TCP:C:\program files\azureus\azureus.exe:Azureus
"{87452224-DA98-47B7-9B1C-8E1090213B8F}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{A98384FF-001A-4DFA-8089-8675BA00B784}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{2369248E-F421-472A-A8D3-758B714E6A3D}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{1A17C05F-6E59-4BA0-8D8B-94A721372DE5}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{B799F487-7BE5-45CC-9A7F-CADD9664F256}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{6F1AE458-6338-4DD3-8DED-AD15E62F4213}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{746D6C7A-B5F8-4D20-82D8-AFAB8EBB1C69}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{CFAE4B4B-A39A-48AF-828A-8DBDE3F0495B}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{6609C431-01D5-4346-8382-98D74F3F633B}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R2 DUMeterSvc;DU Meter Service;C:\Program Files\DU Meter\DUMeterSvc.exe [2007-10-15 15:19]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 11:43]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\shell\AutoRun\command - E:\SETUP.EXE
\shell\configure\command - E:\SETUP.EXE
\shell\install\command - E:\SETUP.EXE

.
Contents of the 'Scheduled Tasks' folder
"2008-05-30 15:14:50 C:\Windows\Tasks\MalwareRemovalBot Scheduled Scan.job"
- C:\Program Files\MalwareRemovalBot\MalwareRemovalBot.ex
- C:\Program Files\MalwareRemovalBot
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, »www.gmer.net
Rootkit scan 2008-05-30 12:09:35
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\System32\audiodg.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\System32\WUDFHost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
.
**************************************************************************
.
Completion time: 2008-05-30 12:12:19 - machine was rebooted [Bry4n]
ComboFix-quarantined-files.txt 2008-05-30 17:12:12

Pre-Run: 83,671,408,640 bytes free
Post-Run: 83,721,551,872 bytes free

270 --- E O F --- 2008-05-30 21:13:36
--
Uh-huh, and let me know when Elvis gets here.
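The ComboFix output above carries more than a pass/fail. As an added example, not code from the thread or from ComboFix, the script below pulls the "Other Deletions" and "Reg Loading Points" sections out of a cut-down copy of that log and reports three things a cleaner would check: which deleted .ini/.ini2 files fit Vundo's habit of naming the companion .ini with the loader DLL's name spelled backwards (so effhPqss.ini points at a DLL that would have been called ssqPhffe.dll; that name is an inference from the pattern, not a line in the log), which Autorun.inf files were removed (the one under System32 and the one on J: point to a removable-media infection, separate from Vundo), and which registry values in the loading points weaken the platform's own defences (EnableLUA=0 means UAC is off; DisableMonitoring under Security Center is normal when a third-party suite is installed but is also set by malware to silence warnings). The section names, line shapes and sample text come from the post; the function names and the choice of checks are this example's own.

```python
"""Review of a ComboFix log for Vundo-style artefacts.

Added example, not code from the thread or from ComboFix itself. SAMPLE_LOG
is cut down from the ComboFix output posted in the thread. The reversed-name
rule encodes the Vundo habit of dropping a companion .ini whose name is the
loader DLL's name spelled backwards; the DLL names it produces are inferences,
not lines from the log. Which registry values get flagged is this example's
choice.
"""
import re
from typing import Dict, List, Tuple

SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\system32\AutoRun.inf
C:\Windows\System32\effhPqss.ini
C:\Windows\System32\effhPqss.ini2
C:\Windows\system32\hqfluscd.ini
C:\Windows\System32\kTvCcLTv.ini
C:\Windows\System32\kTvCcLTv.ini2
C:\Windows\system32\mcrh.tmp
C:\Windows\system32\sfkwipus.dll
J:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-30 )))))))))))))))))))))))))))))))
.
2008-05-30 20:47 . 2008-05-30 20:47 d-------- C:\Program Files\Malwarebytes' Anti-Malware
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSServer"="rundll32.exe" [2006-11-02 04:45 44544 C:\Windows\System32\rundll32.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
"""

HEADER = re.compile(r"^\({5,}\s*(?P<title>.+?)\s*\){5,}\s*$")   # ((((( Title )))))
PATH = re.compile(r"^[A-Za-z]:\\")                               # drive-letter path


def section(log: str, title: str) -> List[str]:
    """Non-empty lines under the ComboFix header whose title contains `title`."""
    out, inside = [], False
    for line in log.splitlines():
        m = HEADER.match(line)
        if m:
            inside = title.lower() in m.group("title").lower()
            continue
        if inside and line.strip() not in ("", "."):
            out.append(line.rstrip())
    return out


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def deleted_paths(log: str) -> List[str]:
    return [ln for ln in section(log, "Other Deletions") if PATH.match(ln)]


def vundo_pairs(paths: List[str]) -> Dict[str, Tuple[str, bool]]:
    """For each deleted 8-letter .ini/.ini2 stem, the DLL name Vundo would pair
    with it (the stem reversed) and whether that DLL is also in the deletion list."""
    names = {basename(p).lower() for p in paths}
    pairs: Dict[str, Tuple[str, bool]] = {}
    for p in paths:
        m = re.fullmatch(r"(?P<stem>[A-Za-z]{8})\.ini2?", basename(p))
        if m and m.group("stem") not in pairs:
            dll = m.group("stem")[::-1] + ".dll"        # inference, not a log line
            pairs[m.group("stem")] = (dll, dll.lower() in names)
    return pairs


def autorun_drops(paths: List[str]) -> List[str]:
    """Autorun.inf under System32 or on a removable drive is a worm hook, not Vundo."""
    return [p for p in paths if basename(p).lower() == "autorun.inf"]


def policy_flags(log: str) -> List[Tuple[str, str]]:
    """Registry values in 'Reg Loading Points' that switch off platform defences."""
    flags, key = [], ""
    for line in section(log, "Reg Loading Points"):
        if line.startswith("["):
            key = line.strip("[]").lower()
            continue
        m = re.match(r'^"(?P<name>[^"]+)"\s*=\s*(?P<val>\S+)', line)
        if not m:
            continue
        name, raw = m.group("name"), m.group("val")
        num = int(raw[6:], 16) if raw.startswith("dword:") else (int(raw) if raw.isdigit() else None)
        if name == "EnableLUA" and key.endswith("policies\\system") and num == 0:
            flags.append((key, "UAC disabled (EnableLUA=0)"))
        elif name == "DisableMonitoring" and "security center\\monitoring" in key and num == 1:
            flags.append((key, "Security Center monitoring off; expected with a third-party suite, also a malware trick"))
    return flags


if __name__ == "__main__":
    paths = deleted_paths(SAMPLE_LOG)
    for stem, (dll, seen) in vundo_pairs(paths).items():
        print(f"{stem}.ini  ->  look for {dll} ({'also deleted here' if seen else 'not in this list; check VundoFix Backups and HJT O2/O4'})")
    for p in autorun_drops(paths):
        print("autorun hook removed:", p)
    for key, note in policy_flags(SAMPLE_LOG):
        print(f"{note}\n    [{key}]")
```

Run it as-is to print the report, or import it and call the functions on a full pasted log. The "not in this list" verdict on the reversed DLL names is the useful part: it tells you the loader DLL was removed by something else earlier (VundoFix keeps copies under C:\VundoFix Backups) and that any O2/O4 line still naming it is now an orphan.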

bcastner
Premium,VIP,MVM
join:2002-09-25
Chevy Chase, MD
clubs:
·Verizon Online DSL


3 edits
Do yourself a big favor and remove TeaTimer, part of SpyBot, from your startup. The protection of TeaTimer is simply better handled under Vista with Windows Defender, which also does quite a bit more. See my first reply for instructions on disabling TeaTimer, as it still shows as active on your system -- you want this SpyBot feature gone, not just disabled.

Then, Open HijackThis and "fix" these entries (if they still exist):

O2 - BHO: (no name) - {2b7a6b19-a1d8-4366-8ae7-5157893bb823} - (no file)
O2 - BHO: (no name) - {C1349062-D1A1-40DB-83CD-68CADE84FC37} - (no file)
O4 - HKLM\..\Run: [MSServer] "rundll32.exe" C:\Windows\system32\yayaXOFY.dll,#1


I believe we are finished.

Clean-up & Prevention:

• Right click "My Computer", Properties, and then click the System Restore tab. Checkmark the box at the top to stop System Restore on all drives. Click the "Apply" button. Agree to the deletion of old Restore Points. Then uncheck the box at the top and again click the "Apply" button. Finally, click the "OK" button. This will create a new Restore Point reflecting your clean system state.

• Click Start, then click Run.
Enter into the command box that opens: combofix /u and then click OK.
(If we have renamed this file, please use the current name for the program in this instruction.)


• Please download OTMoveIt2 by OldTimer to your Desktop (only):


• Please double-click OTMoveIt.exe to run it.
• Click on the green CleanUp! button. When you do this a text file named cleanup.txt will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet you should allow it to do so.
• After the list has been downloaded you'll be asked if you want to Begin cleanup process? Select "Yes".
• This step removes the files, folders, and shortcuts created by the tools I had you download and run.

• Run ATF Cleaner , and checkmark "Empty Recycle Bin", click "Empty Selected" and exit the program. You can delete or keep this utility as you wish.

• Use Control Panel, Add or Remove Programs, and Uninstall any entry related to an On-Line scanner we may have used.
If you find any files or folders created during this cleanup operation remaining, please feel free to delete them.

• Configure your Antivirus software to check for updates daily, at a time in which you are sure the computer will be on.

• If I asked you to Disable something like TeaTimer or another malware blocker, please go ahead and re-enable them if you wish.

Download and Install Windows Defender by Microsoft (free):

Download and install Comodo BOClean (free):

Download, install, and keep updated Spyware Blaster (free):

• Refer to my first set of instructions above, and reconfigure Hidden Files and Folders to your choosing.

Best wishes.
Bill Castner

--
============
MS-MVP 2004 - -2008, ASAP Member
Users Helping Users
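The three entries above are the shape of a Vundo foothold: two BHO CLSIDs whose DLLs are already gone, and a Run entry that has rundll32.exe load an eight-letter, mixed-case DLL from System32 by ordinal (",#1") instead of by export name. As an added example, not code from the thread or from HijackThis, the script below parses O2, O4 and O23 lines and scores them on those traits. The sample lines are assembled from the logs in this thread (the three entries to fix plus benign ones for contrast); the scoring rules, thresholds and severities are this example's assumptions, and "Unknown owner" on an O23 line only means HijackThis could not read a vendor string, so it is reported for review rather than as an infection.

```python
"""Triage of HijackThis (HJT) log lines for Vundo-style persistence.

Added example, not code from the thread or from HijackThis. SAMPLE_LOG is
assembled from entries quoted in the thread: the three lines the helper told
the poster to fix, plus benign lines from the same logs for contrast. The
scoring rules are this example's own assumptions about what made a Vundo
loader recognisable: a DLL dropped into System32, an 8-letter pseudo-random
name, mixed case after the first letter, and an export called by ordinal.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_LOG = r"""
O2 - BHO: (no name) - {2b7a6b19-a1d8-4366-8ae7-5157893bb823} - (no file)
O2 - BHO: (no name) - {C1349062-D1A1-40DB-83CD-68CADE84FC37} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [MSServer] "rundll32.exe" C:\Windows\system32\yayaXOFY.dll,#1
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe
"""

O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")
O4 = re.compile(r"^O4 - (?P<hive>.*?): \[(?P<key>[^\]]*)\] (?P<cmd>.*)$")
O23 = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
RUNDLL = re.compile(r'^"?rundll32(?:\.exe)?"?\s+"?(?P<dll>.+?\.dll)"?(?:,(?P<entry>\S*))?', re.I)


@dataclass
class Finding:
    severity: str   # "high": remove now; "fix": orphaned entry, safe to fix; "review": look closer
    section: str
    reason: str
    line: str


def dll_score(dll_path: str, entry: Optional[str]) -> int:
    """Count Vundo-loader traits on one DLL reference (heuristic, 0..4)."""
    score = 0
    if re.search(r"\\(system32|syswow64)\\", dll_path, re.I):
        score += 1                                   # dropped next to system binaries
    stem = dll_path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if len(stem) == 8 and stem.isalpha():
        score += 1                                   # 8 random letters, no vendor-ish name
    rest = stem[1:]
    if any(c.isupper() for c in rest) and any(c.islower() for c in rest):
        score += 1                                   # yayaXOFY-style case mixing
    if entry and re.fullmatch(r"#\d+", entry):
        score += 1                                   # export by ordinal hides the function name
    return score


def triage(log: str) -> List[Finding]:
    findings: List[Finding] = []
    for line in log.splitlines():
        line = line.strip()
        m = O2.match(line)
        if m:
            if m.group("path") == "(no file)":
                findings.append(Finding("fix", "O2", "BHO CLSID registered but its DLL is gone; orphaned entry", line))
            elif dll_score(m.group("path"), None) >= 2:
                findings.append(Finding("high", "O2", "BHO loads a random-named DLL from System32", line))
            continue
        m = O4.match(line)
        if m:
            r = RUNDLL.match(m.group("cmd"))
            if r:
                s = dll_score(r.group("dll"), r.group("entry"))
                if s >= 3:
                    findings.append(Finding("high", "O4", f"rundll32 autostart loads a Vundo-style DLL (score {s}/4)", line))
                elif s == 2:
                    findings.append(Finding("review", "O4", f"rundll32 autostart with some loader traits (score {s}/4)", line))
            continue
        m = O23.match(line)
        if m:
            if "(file missing)" in m.group("path"):
                findings.append(Finding("fix", "O23", "service points at a binary that no longer exists", line))
            elif m.group("owner") == "Unknown owner":
                findings.append(Finding("review", "O23", "HJT could not read a vendor name; confirm the binary is yours", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section:3} {f.reason}\n         {f.line}")
```

Run it as-is to print the report, or import it and call triage() on a pasted log. Anything rated "high" is what you would hand to HJT's Fix button; "fix" entries are orphans that are safe to remove; "review" needs a human, because a missing vendor string is common for legitimate software (the Symantec line in the sample is benign) and scoring a rundll32 entry purely on its DLL name would also catch the Welcome Center line.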

shiftergreen

join:2008-05-28

Re: [Vundo] Ran all spyware software.. still have Vundo..

Well, I think we are back to what passes for normal. I realize that you and the folks that staff this website do so as a public service. Please accept sincere thanks for your willingness to be there and to help rescue people like me who have been electronically invaded by the bad guys. I hope that I will not need to trouble you again but it is a comfort to know that you are available if evil prevails.

THANKS!

Ap4mvp
Premium
join:2001-01-18
Chesterfield, MO

Re: [Vundo] Ran all spyware software.. still have Vundo..

I followed all of the instructions except the new restore point.. I couldn't get it to work by right clicking on My computer.. but I took a new HJT.. how's it look..

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:51:27 PM, on 5/31/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\iPhoneRingToneMaker\iPhoneRingToneMaker.exe
C:\Program Files\WinTidy\WinTidy.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [PWRISOVM.EXE] "C:\Program Files\PowerISO\PWRISOVM.EXE"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] "C:\Program Files\Google\Gmail Notifier\gnotify.exe"
O4 - HKLM\..\Run: [AnyDVD] "C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: iPhoneRingToneMaker.lnk = C:\Program Files\iPhoneRingToneMaker\iPhoneRingToneMaker.exe
O4 - Startup: WinTidy.lnk = C:\Program Files\WinTidy\WinTidy.exe
O4 - Global Startup: hpzrcv01.LNK = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\npjpi160_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\npjpi160_06.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - »www.eset.eu/OnlineScanner.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: DU Meter Service (DUMeterSvc) - Hagel Technologies Ltd - C:\Program Files\DU Meter\DUMeterSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe

--
End of file - 7132 bytes
--
Uh-huh, and let me know when Elvis gets here.

bcastner
Premium,VIP,MVM
join:2002-09-25
Chevy Chase, MD
clubs:
·Verizon Online DSL

Re: [Vundo] Ran all spyware software.. still have Vundo..

Click Start, and enter "system" into the Search bar and press Enter. In the menu that opens, click on "System Protect" in the left hand menu.

Note the checked boxes. We will need to recheck them later.
Now uncheck all the checked boxes at this menu:


Click to "Turn System Restore Off" when you see this Prompt:


This removes older infected System Restore Points. We can now re-enable System Restore on your clean system. Repeat the steps, but this time restore the checkmark(s) to the drives to re-enable System Restore.
--
============
MS-MVP 2004 - -2008, ASAP Member
Users Helping Users


Ap4mvp
Premium
join:2001-01-18
Chesterfield, MO

Re: [Vundo] Ran all spyware software.. still have Vundo..

Ok got it! Everything seems back to normal! Thanks!
--
Uh-huh, and let me know when Elvis gets here.
© 1999-2009 dslreports.com