Vundo Variant

Post by RAZOR0018 » April 24th, 2008, 8:05 am

This nasty thing bypassed my internet security. I was able to finally remove it using Super Anti Spy. During the infection I noticed that this thing:

- deleted all my system restore points, while creating a single restore point of its own after infection
- constantly froze Explorer in a loop of stopping and restarting itself
- changed my cookie setting in IE
- modified several modules and services in Windows and Office
- also started in Safe Mode

Please excuse my noobness, but this is the first time I have ever been infected by malware. My question is whether anyone could tell me everything this thing altered on my system, so that I can undo it and prepare my system for a reformat after safely backing up my data. I have the infected file inside a passworded .rar, so if anyone would like to examine the file themselves I can upload it somewhere at their request. Any help would be appreciated. Thank you.

--------------------------------------------------------------------------------------------
ComboFix 08-04-22.5 - RAZOR 2008-04-24 7:28:51.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.721 [GMT -4:00]
Running from: C:\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\CbIQWyay.ini
C:\WINDOWS\system32\CbIQWyay.ini2
C:\WINDOWS\system32\config\SAM.SAV

.
((((((((((((((((((((((((( Files Created from 2008-03-24 to 2008-04-24 )))))))))))))))))))))))))))))))
.

2008-04-24 07:25 . 2008-04-24 07:25 1,774,233 --a------ C:\ComboFix.exe
2008-04-23 08:54 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-23 08:53 . 2008-04-23 08:54 <DIR> d-------- C:\Program Files\Java
2008-04-23 08:53 . 2008-04-23 08:53 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-23 07:20 . 2008-04-23 07:20 <DIR> d-------- C:\Program Files\UltraISO
2008-04-23 07:20 . 2008-04-23 07:20 <DIR> d-------- C:\Program Files\Common Files\EZB Systems
2008-04-23 04:42 . 2008-04-23 04:43 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-04-23 04:42 . 2008-04-23 04:46 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-23 02:40 . 2004-08-04 00:56 4,274,816 --a--c--- C:\WINDOWS\system32\dllcache\nv4_disp.dll
2008-04-23 02:40 . 2004-08-03 22:29 1,897,408 --a--c--- C:\WINDOWS\system32\dllcache\nv4_mini.sys
2008-04-23 02:40 . 2001-08-23 08:00 68,608 --a--c--- C:\WINDOWS\system32\dllcache\plugin.ocx
2008-04-23 02:31 . 2004-08-03 22:29 56,623 --a--c--- C:\WINDOWS\system32\dllcache\ati1btxx.sys
2008-04-23 02:31 . 2004-08-03 22:29 30,671 --a--c--- C:\WINDOWS\system32\dllcache\ati1raxx.sys
2008-04-23 02:31 . 2004-08-03 22:29 12,047 --a--c--- C:\WINDOWS\system32\dllcache\ati1pdxx.sys
2008-04-23 02:31 . 2004-08-03 22:29 11,615 --a--c--- C:\WINDOWS\system32\dllcache\ati1mdxx.sys
2008-04-22 15:58 . 2008-02-22 17:20 676,224 --a------ C:\WINDOWS\system32\OGACheckControl.dll
2008-04-22 15:46 . 2008-04-22 15:47 48,020 --a------ C:\Vundo Variant (bypass).rar
2008-04-22 14:27 . 2008-04-22 14:27 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-22 14:27 . 2008-04-22 14:27 <DIR> d-------- C:\Documents and Settings\RAZOR\Application Data\SUPERAntiSpyware.com
2008-04-22 00:51 . 2008-04-22 00:51 <DIR> d-------- C:\Twisted Metal 2 PC (No In Game Movies Version)
2008-04-18 00:30 . 2008-04-18 00:30 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-18 00:30 . 2008-04-18 00:30 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-18 00:20 . 2008-04-18 00:24 <DIR> d-------- C:\Program Files\DirectX Happy Uninstall
2008-04-17 10:40 . 2008-04-17 10:50 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-04-16 22:57 . 2008-04-16 22:57 <DIR> d-------- C:\Program Files\Dragon UnPACKer 5
2008-04-14 02:46 . 2008-04-14 02:55 <DIR> d-------- C:\Program Files\Terminal Reality
2008-04-12 21:46 . 2008-04-18 05:41 96,645 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-04-12 21:46 . 2008-04-18 05:41 87,941 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-04-12 21:45 . 2008-04-12 21:45 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-04-12 21:45 . 2008-04-24 07:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-12 21:45 . 2008-04-24 07:32 20,428,832 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-04-12 21:45 . 2008-04-24 07:30 277,784 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-04-12 21:45 . 2008-04-24 07:30 213,280 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-04-12 21:45 . 2008-04-24 07:30 23,084 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-04-12 21:42 . 2008-04-12 21:42 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2008-04-12 21:41 . 2008-04-12 21:41 <DIR> d-------- C:\Program Files\QT Lite
2008-04-12 21:41 . 2008-04-12 21:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-12 21:41 . 2008-03-28 21:07 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-04-12 21:41 . 2008-03-28 21:07 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-04-12 03:50 . 2008-04-12 03:50 <DIR> d-------- C:\Documents and Settings\RAZOR\Application Data\vlc
2008-04-10 04:06 . 2008-04-11 21:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-04-09 18:01 . 2008-04-09 18:02 1,355 --a------ C:\WINDOWS\imsins.BAK
2008-04-09 18:00 . 2008-04-09 18:02 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-04-06 07:37 . 2008-04-06 07:43 <DIR> d-------- C:\Program Files\DriverCleanerDotNET
2008-04-06 02:35 . 2008-04-06 02:35 <DIR> d-------- C:\Program Files\VideoLAN
2008-04-02 14:55 . 2008-04-02 14:57 439,296 --a------ C:\Documents and Settings\RAZOR\GoToAssist_phone__317_en.exe
2008-03-30 02:59 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-03-30 02:59 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-03-30 00:57 . 2008-04-09 17:58 <DIR> d-------- C:\Documents and Settings\RAZOR\Application Data\OfficeUpdate12
2008-03-30 00:56 . 2008-03-30 00:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-03-30 00:30 . 2007-04-09 13:23 28,040 --a------ C:\WINDOWS\system32\mdimon.dll
2008-03-30 00:26 . 2008-03-30 00:26 <DIR> dr-h----- C:\MSOCache
2008-03-29 16:09 . 2008-03-29 16:09 635 --a------ C:\WINDOWS\Dc.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-24 10:58 --------- d-----w C:\Documents and Settings\RAZOR\Application Data\uTorrent
2008-04-22 18:26 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-16 05:54 --------- d-----w C:\Documents and Settings\RAZOR\Application Data\dvdcss
2008-04-16 04:41 --------- d-----w C:\Program Files\mIRC
2008-04-12 02:17 --------- d-----w C:\Documents and Settings\RAZOR\Application Data\Spycar
2008-04-06 08:18 --------- d-----w C:\Program Files\Debugging Tools for Windows
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-17 18:49 524,288 ----a-w C:\WINDOWS\opuc.dll
2008-03-10 13:16 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-03-10 13:16 --------- d--h--r C:\Documents and Settings\RAZOR\Application Data\SecuROM
2008-03-10 10:21 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-10 06:25 --------- d-----w C:\Program Files\CDCheck
2008-03-09 13:20 --------- d-----w C:\Program Files\CAPCOM
2008-03-09 11:39 --------- d-----w C:\Program Files\Activision
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 08:59 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-08 22:37 219,664 ----a-w C:\WINDOWS\system32\klogon.dll
2007-11-05 17:31 42,408 ----a-w C:\Documents and Settings\RAZOR\Application Data\GDIPFONTCACHEV1.DAT
2007-05-26 07:17 24 ----a-w C:\Documents and Settings\RAZOR\mylist.dat
2005-04-01 04:00 619 ---ha-w C:\Documents and Settings\All Users\ASPI_Verify.bat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C5D07EB6-BBCE-4DAE-ACBB-D13A8D28CB1F}]
2008-01-30 17:31 1199104 --a------ C:\Program Files\Tracker Software\PDF-XChange Viewer\pdf-viewer\PDFXCviewIEPlugin.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-03 20:51 131072]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" [2005-03-18 12:50 589824]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-22 22:05 344064]
"DeadAIM"="C:\PROGRA~1\AIM\\DeadAIM.ocm" [2004-02-28 13:12 144896]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2008-02-08 18:36 227856]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"= 0 (0x0)
"Btn_Search"= 0 (0x0)
"NoToolbarCustomize"= 0 (0x0)
"NoBandCustomize"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm
"msacm.alf2cd"= alf2cd.acm
"vidc.dvsd"= mcdvd_32.dll
"vidc.davc"= davcvfw.dll
"msacm.scg726"= scg726.acm
"SENTINEL"= snti386.dll
"VIDC.YV12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=

R0 C2NGOV21;C2NGOV21;C:\WINDOWS\system32\drivers\C2NGOV21.sys [2004-09-09 04:28]
R1 cpuidlep;CpuIdle Pro System Driver;C:\WINDOWS\system32\drivers\cpuidlep.sys [2005-04-22 08:12]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
R3 vdiskbus;Virtual Disk Bus;C:\WINDOWS\system32\DRIVERS\vdiskbus.sys [2005-01-13 10:06]
S1 atitray;atitray;C:\PROGRA~1\NGOATI~1\ATT\atitray.sys []
S3 RapFile;RapFile;C:\WINDOWS\system32\drivers\RapFile.sys [2003-02-25 19:26]
S3 RapNet;RapNet;C:\WINDOWS\system32\drivers\RapNet.sys [2003-02-25 19:26]
S3 SaiH0109;SaiH0109;C:\WINDOWS\system32\DRIVERS\SaiH0109.sys [2004-07-26 13:54]
S3 SaiU0109;SaiU0109;C:\WINDOWS\system32\DRIVERS\SaiU0109.sys [2004-07-26 13:54]
S3 SGUARD;SGUARD;C:\WINDOWS\system32\drivers\SGuard.sys []
S3 vnndev;VNN VNC Virtual Network Adapter;C:\WINDOWS\system32\DRIVERS\vnnvnic.sys [2005-05-12 17:46]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {3CBBEE47-C8F4-316A-92FF-ED7E3DFAE41E} /qb
.
Contents of the 'Scheduled Tasks' folder
"2008-04-11 21:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net/
Rootkit scan 2008-04-24 07:31:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ASFWHide]
"ImagePath"="\??\C:\DOCUME~1\RAZOR\LOCALS~1\Temp\ASFWHide"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
.
**************************************************************************
.
Completion time: 2008-04-24 7:33:35 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-24 11:33:31

Pre-Run: 55,821,217,792 bytes free
Post-Run: 55,744,593,920 bytes free

----------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:49:14 AM, on 04/24/08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\RAZOR\LOCALS~1\Temp\Rar$EX00.031\HijackThis.exe
C:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: PDF-XChange Viewer IE-Plugin - {C5D07EB6-BBCE-4DAE-ACBB-D13A8D28CB1F} - C:\Program Files\Tracker Software\PDF-XChange Viewer\pdf-viewer\PDFXCviewIEPlugin.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 8411345593
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 6852696265
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe

--
End of file - 4213 bytes


-----------------------------------------------------------------------------------------------
SUPERAntiSpyware Scan Log
http://www.superantispyware.com/

Generated 04/22/2008 at 03:12 PM

Application Version : 4.0.1154

Core Rules Database Version : 3444
Trace Rules Database Version: 1404

Scan type : Custom Scan
Total Scan Time : 00:04:35

Memory items scanned : 300
Memory threats detected : 2
Registry items scanned : 5125
Registry threats detected : 10
File items scanned : 0
File threats detected : 3

Trojan.Vundo-Variant/F
C:\WINDOWS\SYSTEM32\CBXPIGWV.DLL
C:\WINDOWS\SYSTEM32\CBXPIGWV.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F50B3F5E-856E-4757-9BB1-B35D46CA7719}
HKCR\CLSID\{F50B3F5E-856E-4757-9BB1-B35D46CA7719}
HKCR\CLSID\{F50B3F5E-856E-4757-9BB1-B35D46CA7719}\InprocServer32
HKCR\CLSID\{F50B3F5E-856E-4757-9BB1-B35D46CA7719}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{F50B3F5E-856E-4757-9BB1-B35D46CA7719}
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\cbXPiGwV

Adware.Vundo Variant/Resident
C:\WINDOWS\SYSTEM32\YAYWQIBC.DLL
C:\WINDOWS\SYSTEM32\YAYWQIBC.DLL

Adware.Vundo-Variant
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3E674ADB-39B1-4F32-90F7-B715038B4799}
HKCR\CLSID\{3E674ADB-39B1-4F32-90F7-B715038B4799}
HKCR\CLSID\{3E674ADB-39B1-4F32-90F7-B715038B4799}\InprocServer32
HKCR\CLSID\{3E674ADB-39B1-4F32-90F7-B715038B4799}\InprocServer32#ThreadingModel

Adware.Tracking Cookie
C:\Documents and Settings\RAZOR\Cookies\razor@server.iad.liveperson[2].txt

Admin edit: http://forums.spybot.info/showthread.php?t=27211
Last edited by tashi on April 24th, 2008, 11:26 am, edited 1 time in total.
Reason: Added link

Re: Vundo Variant

Post by chryssi2001 » April 28th, 2008, 3:00 am

Hello RAZOR0018,

I will be assisting you with your malware issues.

  • Whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
  • Continue to respond to this thread until I give you the All Clean! If you have any questions or you're stuck somewhere, please reply to me. I will try my best to help you!
  • Please bookmark or favourite this page, in case you need it for reference.
IMPORTANT NOTE:
If you are using Windows Vista you must right click on the desktop icon of all tools and choose Run as Administrator.
----------------------------------------------
Combofix is a very strong tool, and it's not advised to run it without an expert's supervision. It is also updated very often. So please uninstall it.

UNINSTALL COMBOFIX

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK.
  • Note the space between the X and the U; it needs to be there.
Delete any logs the tool produced.
----------------------------------------------
Post a new HijackThis log and describe the problems you have now.

Re: Vundo Variant

Post by RAZOR0018 » April 28th, 2008, 6:27 am

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:05:40 AM, on 04/28/08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\RAZOR\LOCALS~1\Temp\Rar$EX00.438\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: PDF-XChange Viewer IE-Plugin - {C5D07EB6-BBCE-4DAE-ACBB-D13A8D28CB1F} - C:\Program Files\Tracker Software\PDF-XChange Viewer\pdf-viewer\PDFXCviewIEPlugin.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 8411345593
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 6852696265
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe

--
End of file - 4276 bytes



I run WinXP SP2. I used ComboFix by recommendation but was not informed of the potential ill effects. SUPERAntiSpyware seemed to remove most of the infection, while ComboFix removed the 3 remaining files, which were probably useless by then but did belong to the infection, as I found out by doing some research. I have noticed no negative effects from using ComboFix, nor any other changes in settings or functionality. If there are common issues or something I should look out for because I used ComboFix, please inform me.

I sent the file of Vundo that infected me to my Internet Security's staff, so the suite now detects it. While I was infected I noticed that a few of my Windows settings were altered. All cookies were enabled and System Restore was hijacked. There could have been more modifications, but I'm not sure. I have manually reset all my IE settings, and removing the infection seemed to restore System Restore. As a precaution I reset all my Windows services to default and updated my IE blacklist and hosts file using IE-SpyAd, SpywareBlaster and MVPS HOSTS.

I no longer notice any negative effects on my computer; however, I would still like to know if it is possible to discover what other settings this thing could have altered under my nose. I still have it inside the same password-protected rar I used to send it to my Internet Security's team. If you would like, I would be happy to upload it. Thank you so far for your help with this matter.

Re: Vundo Variant

Post by chryssi2001 » April 28th, 2008, 7:45 am

Hello RAZOR0018 :),

Is this the password-protected file you created with the infected file?
Unfortunately, Vundo-infected files are randomly named, so even if you uploaded it, there are so many differently named files downloaded with the infection that it is impossible for anti-virus applications to cover them all.

C:\Vundo Variant (bypass).rar

You can remove it now.

Vundo can disable Anti-Virus programs, task manager, and administration policies.
Do you have any problem with any of these?
----------------------------------------------
This is an old file which exists on your PC. Do you know what it is?
I can't find any information about it.
It's dated 01.04.2005.

C:\Documents and Settings\All Users\ASPI_Verify.bat
----------------------------------------------
Currently, you have HijackThis located in your temporary files. In order to keep it together with the backups it makes, we need to move it to its own folder.

Please remove the folder below:

C:\DOCUME~1\RAZOR\LOCALS~1\Temp\Rar$EX00.438\HijackThis.exe
----------------------------------------------
Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Double click on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

Do not run it yet!
----------------------------------------------
Download OTMoveIt2

Download OTMoveIt2 by Old Timer and save it to your Desktop.
Do not run it yet!
----------------------------------------------
FIX HIJACKTHIS ENTRIES

Open up Hijackthis.
Click on do a system scan only.
Place a checkmark next to these lines(if still present).

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present << remove this line if you didn't set these policies.
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present << remove this line if you didn't set these policies.


Then close all windows except Hijackthis and click Fix Checked
Close HijackThis.
----------------------------------------------
Run OTMoveIt2
  • Double-click OTMoveIt2.exe to run it.
  • Copy the lines in the codebox below.
Code:
C:\WINDOWS\Dc.INI
C:\Documents and Settings\RAZOR\Application Data\Spycar

  • Return to OTMoveIt2, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTMoveIt2
----------------------------------------------
Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Post that log back here.
----------------------------------------------
Post back:
Malwarebytes' Anti-Malware report.
A new HijackThis log.
Answer about this file:
C:\Documents and Settings\All Users\ASPI_Verify.bat
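The logs in this thread show three things worth checking mechanically rather than by eye: the ComboFix deletions list an .ini (CbIQWyay.ini) whose name is the DLL from the SUPERAntiSpyware log (YAYWQIBC.DLL) spelled backwards, the SAS log shows the Vundo DLL loaded from system32 through a BHO CLSID and a Winlogon Notify entry, and the ComboFix registry section shows Security Center override flags set and the firewall policy off. The script below is an added example (mine, not a MalwareRemoval.com tool and not anything the helper posted) that runs those checks over HijackThis/ComboFix/SAS-style text; the sample lines are constructed to resemble the posts, reusing the CLSID and file names from the logs above.

```python
"""Triage HijackThis / ComboFix / SUPERAntiSpyware log text for the Vundo
indicators visible in this thread. Added example, not the forum's own tool."""
import re

# Constructed sample lines modelled on the logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {F50B3F5E-856E-4757-9BB1-B35D46CA7719} - C:\WINDOWS\system32\cbXPiGwV.dll
O20 - Winlogon Notify: cbXPiGwV - C:\WINDOWS\system32\cbXPiGwV.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
C:\WINDOWS\system32\CbIQWyay.ini
C:\WINDOWS\system32\yayWQIbC.dll
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"EnableFirewall"= 0 (0x0)
"""

# A Windows path ending in .dll or .ini (HJT lines end with the path).
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:dll|ini)\b', re.IGNORECASE)
# The two load points the SAS log shows Vundo using.
AUTOSTART_PREFIXES = ("O2 - BHO:", "O20 - Winlogon Notify:")
OVERRIDE_RE = re.compile(
    r'"(AntiVirusOverride|FirewallOverride|UpdatesDisableNotify)"=dword:0*1\b')
FIREWALL_OFF_RE = re.compile(r'"EnableFirewall"=\s*0\b')


def stem(path):
    """'C:\\WINDOWS\\system32\\CbIQWyay.ini' -> 'cbiqwyay' (case-folded,
    because SAS upper-cases names while ComboFix/HJT keep the mixed case)."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()


def in_system32(path):
    return "\\system32\\" in path.lower()


def reversed_name_pairs(log):
    """Find an .ini in system32 whose name is a system32 DLL name reversed,
    the pairing seen in the thread (CbIQWyay.ini <-> yayWQIbC.dll).
    Returns sorted (ini_path, dll_path) tuples."""
    inis, dlls = {}, {}
    for path in PATH_RE.findall(log):
        if not in_system32(path):
            continue
        (inis if path.lower().endswith(".ini") else dlls)[stem(path)] = path
    return sorted((ini, dlls[s[::-1]]) for s, ini in inis.items()
                  if s[::-1] in dlls)


def system32_autostart_dlls(log):
    """DLLs loaded straight out of system32 by a BHO (O2) or Winlogon
    Notify (O20) entry. Not a verdict on its own; a review list."""
    hits = set()
    for line in log.splitlines():
        if line.startswith(AUTOSTART_PREFIXES):
            for path in PATH_RE.findall(line):
                if in_system32(path):
                    hits.add(path.lower())
    return sorted(hits)


def security_center_overrides(log):
    """Security Center / firewall policy values that silence AV, update and
    firewall warnings. A suite such as Kaspersky may set the override flags
    legitimately, so these are review items, not verdicts."""
    found = [m.group(1) for m in OVERRIDE_RE.finditer(log)]
    if FIREWALL_OFF_RE.search(log):
        found.append("EnableFirewall=0")
    return found


def triage(log):
    return {
        "reversed_pairs": reversed_name_pairs(log),
        "system32_autostarts": system32_autostart_dlls(log),
        "overrides": security_center_overrides(log),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}:")
        for item in value:
            print("   ", item)
```

Paste a real log into `SAMPLE_LOG` or read it from a file; anything reported still needs a human to confirm against the rest of the log, as the helper does in this thread.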

Re: Vundo Variant

Post by RAZOR0018 » April 28th, 2008, 2:11 pm

Vundo can disable Anti-Virus programs, task manager, and administration policies.
Do you have any problem with any of these?


Don't know anything about administration policies, but my AV and task manager are fine.

This is an old file which exists on your PC. Do you know what it is?
I can't find any information about it.
It's dated 01.04.2005.

C:\Documents and Settings\All Users\ASPI_Verify.bat


Not a clue.

Return to OTMoveIt2, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window (under the green bar), and paste it in your next reply.
Close OTMoveIt2


C:\WINDOWS\Dc.INI moved successfully.
C:\Documents and Settings\RAZOR\Application Data\Spycar\spyguardcombotes moved successfully.
C:\Documents and Settings\RAZOR\Application Data\Spycar\onlinearmor moved successfully.
C:\Documents and Settings\RAZOR\Application Data\Spycar\oatest2 moved successfully.
C:\Documents and Settings\RAZOR\Application Data\Spycar\counterspytest moved successfully.
C:\Documents and Settings\RAZOR\Application Data\Spycar\avira moved successfully.
C:\Documents and Settings\RAZOR\Application Data\Spycar moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04282008_132501

Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.


Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location.
The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Post that log back here.

Malwarebytes' Anti-Malware 1.11
Database version: 694

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 81604
Time elapsed: 28 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
D:\Saved Torrents\DirectX Happy Uninstall v3.97\keygen.exe (Trojan.DownLoader) -> Not selected for removal.

Post back:
A new HijackThis log.


Logfile of HijackThis v1.99.1
Scan saved at 2:09:57 PM, on 04/28/08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: PDF-XChange Viewer IE-Plugin - {C5D07EB6-BBCE-4DAE-ACBB-D13A8D28CB1F} - C:\Program Files\Tracker Software\PDF-XChange Viewer\pdf-viewer\PDFXCviewIEPlugin.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 8411345593
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 6852696265
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" -r (file missing)
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe



Also, on a side note: I noticed file extensions were enabled as a side effect of following these instructions. I went ahead and chose to hide them again. Any other side effects I should look out for or have to reconfigure?
RAZOR0018
Active Member
 
Posts: 6
Joined: April 24th, 2008, 7:55 am

Re: Vundo Variant

Unread postby chryssi2001 » April 28th, 2008, 4:34 pm

Hi RAZOR018,

Don't know anything about administration policies, but my AV and task manager are fine.

Ok, that's fine.
----------------------------------------------
Also, on a side note: I noticed file extensions were enabled as a side effect of following these instructions. I went ahead and chose to hide them again. Any other side effects I should look out for or have to reconfigure?

No other side effects.
You can wait until we finish cleaning and then hide Folders and Files again.
----------------------------------------------
Malwarebytes' Anti-Malware report shows this not cleaned.
What's the D:\ Drive? We need to clean it.
Please re-run Malwarebytes' Anti-Malware to clean D:\ Drive and post back the report.

D:\Saved Torrents\DirectX Happy Uninstall v3.97\keygen.exe (Trojan.DownLoader) -> Not selected for removal.
----------------------------------------------
Update Java Runtime

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 6.
  • Go to http://java.sun.com/javase/downloads/index.jsp
  • Go to Java Runtime Environment (JRE) 6 Update 6 and click on Download button.
  • In Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says "jre-6u6-windows-i586-p.exe" and save the downloaded file to your desktop.
  • Go to Start => Control Panel => Add or Remove Programs
  • Uninstall all old versions of Java (Java 3 Runtime Environment, JRE or JSE)
  • Install the new version by running the newly-downloaded file with the java icon which will be at your desktop, and follow the on-screen instructions.
  • Reboot your computer
----------------------------------------------
I can't locate a Firewall in your reports.
Does Kaspersky Internet Security 7.0 include one?
----------------------------------------------
Post back:
Malwarebytes' Anti-Malware report for D:\ Drive.
Answer about Firewall.
A new HijackThis log.
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: Vundo Variant

Unread postby RAZOR0018 » April 29th, 2008, 6:35 am

Malwarebytes' Anti-Malware report shows this not cleaned.
What's the D:\ Drive? We need to clean it.
Please re-run Malwarebytes' Anti-Malware to clean D:\ Drive and post back the report.

D:\Saved Torrents\DirectX Happy Uninstall v3.97\keygen.exe (Trojan.DownLoader) -> Not selected for removal.


D drive is just my secondary hard drive where I save all my important files. I did not remove the file because I am 100% certain it is a false positive.

Update Java Runtime

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 6.

Go to http://java.sun.com/javase/downloads/index.jsp

Go to Java Runtime Environment (JRE) 6 Update 6 and click on Download button.
In Platform box choose Windows.
Check the box to Accept License Agreement and click Continue.
Click on Windows Offline Installation, click on the link under it which says "jre-6u6-windows-i586-p.exe" and save the downloaded file to your desktop.
Go to Start => Control Panel => Add or Remove Programs
Uninstall all old versions of Java (Java 3 Runtime Environment, JRE or JSE)
Install the new version by running the newly-downloaded file with the java icon which will be at your desktop, and follow the on-screen instructions.
Reboot your computer


Done

I can't locate a Firewall in your reports.
Does Kaspersky Internet Security 7.0 include one?


Yes

Post back: A new HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 6:31:24 AM, on 04/29/08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: PDF-XChange Viewer IE-Plugin - {C5D07EB6-BBCE-4DAE-ACBB-D13A8D28CB1F} - C:\Program Files\Tracker Software\PDF-XChange Viewer\pdf-viewer\PDFXCviewIEPlugin.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 8411345593
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 6852696265
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" -r (file missing)
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe


Quick question. I know what the spycar files are but what is this?
C:\WINDOWS\Dc.INI moved successfully.
RAZOR0018
Active Member
 
Posts: 6
Joined: April 24th, 2008, 7:55 am

Re: Vundo Variant

Unread postby chryssi2001 » April 29th, 2008, 8:13 am

Hello RAZOR0018,

Quick question. I know what the spycar files are but what is this?
C:\WINDOWS\Dc.INI moved successfully

TrojanDownloader.Agent.bq !!!
-----------------------------------------------
D drive is just my secondary hard drive where I save all my important files. I did not remove the file because I am 100% certain it is a false positive.

D:\Saved Torrents\DirectX Happy Uninstall v3.97\keygen.exe (Trojan.DownLoader)


It's not a false positive since it's flagged by Malwarebytes' Anti-Malware as a Trojan.Downloader!!. Read >>HERE<<.
Please remove it using Malwarebytes' Anti-Malware and post back the report.
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: Vundo Variant

Unread postby RAZOR0018 » April 29th, 2008, 9:16 am

http://www.threatexpert.com/report.aspx ... dfd31846fe

Packed with a packer that is known to be used by malware

That is the only reason it was detected. As you can see, it neither contains nor writes anything malicious. Can we move on please.
RAZOR0018
Active Member
 
Posts: 6
Joined: April 24th, 2008, 7:55 am

Re: Vundo Variant

Unread postby chryssi2001 » April 29th, 2008, 12:38 pm

Hi RAZOR0018,

Please read this - http://malwareremoval.com/forum/viewtopic.php?t=550

The copy of DirectX Happy Uninstall doesn't appear to be legal. If you want to continue, you have to remove DirectX Happy Uninstall and the keygen.
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: Vundo Variant

Unread postby RAZOR0018 » April 29th, 2008, 12:59 pm

The copy of DirectX Happy Uninstall doesn't appear to be legal. If you want to continue, you have to remove DirectX Happy Uninstall and the keygen.

Done. :)

Malwarebytes' Anti-Malware 1.11
Database version: 694

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 81544
Time elapsed: 28 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Logfile of HijackThis v1.99.1
Scan saved at 12:55:41 PM, on 04/29/08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\WINDOWS\system32\svchost.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: PDF-XChange Viewer IE-Plugin - {C5D07EB6-BBCE-4DAE-ACBB-D13A8D28CB1F} - C:\Program Files\Tracker Software\PDF-XChange Viewer\pdf-viewer\PDFXCviewIEPlugin.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 8411345593
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 6852696265
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" -r (file missing)
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
RAZOR0018
Active Member
 
Posts: 6
Joined: April 24th, 2008, 7:55 am

Re: Vundo Variant

Unread postby chryssi2001 » April 29th, 2008, 1:18 pm

Hello RAZOR0018,

Nice decision. :)
----------------------------------------------
Congratulations you are clean! :cheers:
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Disable and Enable System Restore. - If you are using Windows XP or Vista then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and re-enable system restore here:

Windows XP System Restore Guide

or

Windows Vista System Restore Guide

Re-enable system restore with instructions from tutorial above.

Here are some free programs I recommend that could help you improve your computer's security.
(Vista users must ensure that any programs are Vista compatible BEFORE installing)

Spybot Search and Destroy 1.5.2
Download it from here. Just choose a mirror and off you go.
Find the tutorial on how to use Spybot properly here

Install SpyWare Blaster 4.0
Download it from here
Find the tutorial on how to use Spyware Blaster here

Install WinPatrol
Download it from here
You can find information about how WinPatrol works here

Install FireTrust SiteHound
You can find information and download it from here

Install MVPS Hosts File from here
The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Find Tutorial here : http://www.mvps.org/winhelp2002/hosts.htm

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector
F-secure Health Check

Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com

Please check out Tony Klein's article "How did I get infected in the first place?"

Read some information here on how to prevent Malware.

Happy safe surfing!
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away
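The HOSTS-file advice in the post above works because the resolver consults the HOSTS file before DNS, so a name mapped to 127.0.0.1 (or 0.0.0.0) never reaches the ad server. The same mechanism is abused by malware that points update or security-vendor domains at an address of its choosing, so it is worth being able to read the file and see what it actually does. The following is an added example, not code from this thread, from MVPS or from any tool mentioned here. It parses HOSTS-format text, emulates the lookup step, counts sinkholed names, and flags entries that point at a routable address or that touch the update domains named in this thread (www.update.microsoft.com, java.sun.com). The sample HOSTS content is constructed for the example; the `*.example.test` names and the 192.0.2.10 address are placeholders, not real entries.

```python
"""Added example: parse a HOSTS file in the MVPS style and audit what it does.

All sample lines below are constructed for this example; the 'update source'
domains are the ones mentioned in the thread above, the rest are placeholders.
"""
import ipaddress
from collections import OrderedDict

# Constructed sample HOSTS content: MVPS-style sinkhole entries plus one entry
# of the kind a defender wants to catch (an update domain pointed at a
# non-loopback address, which would silently break or hijack updates).
SAMPLE_HOSTS = """\
# Header comments are ignored by the resolver
127.0.0.1 localhost
127.0.0.1 ads.example.test   # constructed ad domain
127.0.0.1 tracker.example.test
0.0.0.0   banner.example.test  # some lists use 0.0.0.0 instead of 127.0.0.1
192.0.2.10 www.update.microsoft.com  # constructed hijack entry (TEST-NET address)
"""

# Hosts that the updates recommended in this thread are fetched from; any HOSTS
# entry for one of them deserves a look, whatever address it points at.
UPDATE_SOURCES = ("www.update.microsoft.com", "update.microsoft.com", "java.sun.com")


def parse_hosts(text):
    """Return an ordered {hostname: ip} mapping from HOSTS-format text.

    Handles '#' comments (whole-line and trailing), blank lines and several
    hostnames on one line. Lines whose first field is not a valid IP are
    skipped. The first entry for a name wins, as the resolver does.
    """
    mapping = OrderedDict()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            mapping.setdefault(name.lower(), str(ip))
    return mapping


def is_sinkhole(ip):
    """True for addresses that merely make the name unreachable (loopback or 0.0.0.0)."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def lookup(mapping, hostname):
    """Emulate the resolver's HOSTS step: the mapped IP, or None if not listed."""
    return mapping.get(hostname.lower())


def audit_hosts(text, update_sources=UPDATE_SOURCES):
    """Summarise a HOSTS file: which names are sinkholed, and which entries
    deserve attention (an update domain listed at all, or a name pointed at a
    routable address instead of loopback/0.0.0.0)."""
    mapping = parse_hosts(text)
    blocked = [h for h, ip in mapping.items() if is_sinkhole(ip) and h != "localhost"]
    suspicious = []
    for host, ip in mapping.items():
        if host == "localhost":
            continue
        if host in update_sources:
            suspicious.append((host, ip, "entry for an update source"))
        elif not is_sinkhole(ip):
            suspicious.append((host, ip, "points at a routable address"))
    return {"entries": len(mapping), "blocked": blocked, "suspicious": suspicious}


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    print(f"{report['entries']} entries, {len(report['blocked'])} names sinkholed")
    for host, ip, why in report["suspicious"]:
        print(f"CHECK: {host} -> {ip} ({why})")
```

To run it against a real machine, read the contents of the system's HOSTS file (on Windows XP, `%SystemRoot%\system32\drivers\etc\hosts`) into `audit_hosts` instead of `SAMPLE_HOSTS`; a clean MVPS install should report every non-localhost entry as sinkholed and nothing suspicious.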

Re: Vundo Variant

Unread postby Gary R » April 30th, 2008, 7:48 am

This topic is now closed.

If you are the originator of this topic, and you need it re-opened please send an email to 'admin at malwareremoval.com', including a link to this topic.

If you have been helped and wish to donate to help with the costs of this volunteer site, please read Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.

Gary R
Gary R
Administrator
 
Posts: 21866
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire