MalwareRemoval.com provides free support for people with infected computers.

Post by pcg » November 16th, 2008, 2:13 pm

I'm completely new to this forum, but have heard you guys can help me. My computer is highly infected with 'trojan.vundo'. I have been trying to strip this trojan for over a week now, and after running into several obstacles (including even router malfunction) I was able to run the three logs I know you'd need to help me. Below I have the latest Malwarebytes log, the latest ComboFix log, and the latest HijackThis log. Hope someone out there can guide me on how to remove this (or these) trojan.
Thanks, PCG

ComboFix 08-11-07.01 - Compaq_Administrator 2008-11-16 11:56:43.8 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.599 [GMT -5:00]
Running from: c:\documents and settings\Compaq_Administrator\Desktop\ComboFix.exe

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

c:\program files\Common\helper.sig
c:\windows\IE4 Error Log.txt

((((((((((((((((((((((((( Files Created from 2008-10-16 to 2008-11-16 )))))))))))))))))))))))))))))))

2009-02-06 13:42 . 2008-11-08 12:04 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-02-06 13:42 . 2008-11-08 12:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-15 09:13 . 2008-11-15 09:13 <DIR> d-------- c:\program files\Seagate
2008-11-15 09:13 . 2008-11-15 09:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Seagate
2008-11-07 18:45 . 2008-11-07 18:45 120 --ahs---- c:\windows\system32\bimexjix.ini
2008-11-07 18:17 . 2008-11-07 18:17 <DIR> d-------- c:\program files\Trend Micro
2008-11-07 17:59 . 2008-11-07 17:59 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-07 17:59 . 2008-11-07 17:59 <DIR> d-------- c:\documents and settings\Compaq_Administrator\Application Data\Malwarebytes
2008-11-07 17:59 . 2008-11-07 17:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-07 17:59 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-07 17:59 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-06 17:39 . 2008-11-06 17:39 <DIR> d-------- c:\program files\Lavasoft
2008-11-06 17:39 . 2008-11-06 19:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-06 17:15 . 2008-11-08 12:01 <DIR> d-------- c:\program files\AdwarePro
2008-11-06 16:18 . 2008-11-06 16:18 120 --ahs---- c:\windows\system32\sumcchpi.ini
2008-11-06 16:15 . 2008-11-06 16:16 <DIR> d-------- c:\documents and settings\Compaq_Administrator\Application Data\MailFrontier
2008-11-06 16:05 . 2008-10-09 14:25 1,221,008 --a------ c:\windows\system32\zpeng25.dll
2008-11-05 20:51 . 2008-11-05 20:51 120 --ahs---- c:\windows\system32\hmsvxpjh.ini
2008-11-04 17:41 . 2008-11-04 17:41 120 --ahs---- c:\windows\system32\cmjmjdqf.ini
2008-11-02 13:37 . 2008-11-02 13:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2008-11-02 13:36 . 2008-11-02 13:36 <DIR> d-------- c:\documents and settings\Compaq_Administrator\Application Data\McAfee
2008-11-02 12:30 . 2008-11-02 12:30 1,489,903 --ahs---- c:\windows\system32\vnbfdqkh.ini
2008-11-02 12:26 . 2008-11-16 11:53 54,156 --ah----- c:\windows\QTFont.qfn
2008-11-02 12:26 . 2008-11-02 12:26 1,409 --a------ c:\windows\QTFont.for
2008-11-01 14:41 . 2008-11-01 14:41 1,489,903 --ahs---- c:\windows\system32\xnvfiqqd.ini
2008-10-31 14:39 . 2008-11-01 14:40 1,489,903 --ahs---- c:\windows\system32\xtgyvedy.ini
2008-10-28 19:03 . 2008-10-15 11:34 337,408 --a------ c:\windows\system32\dllcache\netapi32.dll
2008-10-28 18:56 . 2008-10-28 18:56 <DIR> d-------- c:\program files\Compact Wireless-G USB Adapter Wireless Network Monitor
2008-10-28 18:56 . 2005-11-24 18:51 245,248 --a------ c:\windows\system32\rt73.sys
2008-10-28 18:56 . 2005-11-24 18:51 245,248 --a------ c:\windows\system32\drivers\rt73.sys
2008-10-28 18:56 . 2003-10-13 14:30 94,208 --a------ c:\windows\system32\GTW32N50.dll
2008-10-28 18:56 . 2005-11-03 16:41 32,768 --a------ c:\windows\system32\GTGina.dll
2008-10-28 18:56 . 2003-09-25 22:28 31,930 --a------ c:\windows\system32\GTNDIS3.VXD
2008-10-28 18:56 . 2008-10-28 18:56 20,747 --a------ c:\windows\system32\drivers\AegisP.sys
2008-10-28 18:56 . 2005-02-01 17:18 17,992 --a------ c:\windows\system32\drivers\bcm42rly.sys
2008-10-28 18:56 . 2005-02-01 17:18 17,992 --a------ c:\windows\system32\bcm42rly.sys
2008-10-28 18:56 . 2005-02-01 17:18 17,992 --a------ c:\windows\bcm42rly.sys
2008-10-28 18:56 . 2003-09-25 21:15 15,872 --a------ c:\windows\system32\GTNDIS5.sys
2008-10-28 18:56 . 2005-12-06 03:24 7,846 --a------ c:\windows\system32\rt73.cat
2008-10-28 18:56 . 2008-10-28 18:56 1,361 --a------ c:\windows\system32\WLAN.INI
2008-10-16 21:50 . 2008-11-16 11:57 <DIR> d-------- c:\program files\Common

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2008-11-16 16:52 130,172 --sha-w c:\windows\system32\drivers\fidbox.idx
2008-11-16 16:52 129,375,264 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-11-15 14:13 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-08 18:45 --------- d-----w c:\program files\Common Files\Logitech
2008-11-08 18:42 --------- d-----w c:\program files\Logitech
2008-11-08 17:03 --------- d--ha-w c:\documents and settings\All Users\Application Data\GTek
2008-11-08 00:17 --------- d-----w c:\program files\GbPlugin
2008-11-07 22:48 182,641 ----a-w c:\windows\Internet Logs\vsmon_2nd_2008_11_07_17_43_01_small.dmp.zip
2008-11-07 22:44 1,878,016 ----a-w c:\windows\Internet Logs\xDB2F.tmp
2008-11-07 22:28 1,123,840 ----a-w c:\windows\Internet Logs\xDB2E.tmp
2008-11-07 18:44 3,405,312 ----a-w c:\windows\Internet Logs\xDB2D.tmp
2008-11-06 22:38 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-02 18:03 5,075,383 ----a-w c:\windows\Internet Logs\tvDebug.zip
2008-11-01 23:37 117,248 ----a-w c:\windows\Internet Logs\xDB2B.tmp
2008-11-01 23:37 1,726,464 ----a-w c:\windows\Internet Logs\xDB2C.tmp
2008-10-31 00:33 3,784,192 ----a-w c:\windows\Internet Logs\xDB2A.tmp
2008-10-09 19:25 73,104 ----a-w c:\windows\zllsputility.exe
2008-10-03 17:41 6,066,176 ----a-w c:\windows\system32\dllcache\ieframe.dll
2008-10-02 22:19 61,440 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemutil.dll
2008-10-02 22:19 45,056 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\uninstallUI\eHelpSetup.exe
2008-10-02 22:19 44,032 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Scripts\devcon.exe
2008-10-02 22:19 40,960 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\ScDmi.dll
2008-10-02 22:19 341,048 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\HPBasicDetection3.dll
2008-10-02 22:19 32,768 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\uploadHSC.dll
2008-10-02 22:19 32,768 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\Scom.dll
2008-10-02 22:19 163,840 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemcheck.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\dllcache\win32k.sys
2008-09-08 10:41 333,824 ----a-w c:\windows\system32\dllcache\srv.sys
2008-08-27 08:24 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-08-25 08:38 13,824 ----a-w c:\windows\system32\dllcache\ieudinit.exe
2008-08-25 08:37 70,656 ----a-w c:\windows\system32\dllcache\ie4uinit.exe
2008-08-23 05:56 635,848 ----a-w c:\windows\system32\dllcache\iexplore.exe
2008-08-23 05:54 161,792 ----a-w c:\windows\system32\dllcache\ieakui.dll
2008-02-27 22:47 779,536 ----a-w c:\program files\MoveMediaPlayer_07076007.exe
2006-04-15 00:41 156 ----a-w c:\documents and settings\Compaq_Administrator\Application Data\wklnhst.dat

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-24 185896]
"LogitechCameraAssistant"="c:\program files\Logitech\Video\CameraAssistant.exe" [2005-12-07 489472]
"LogitechVideo[inspector]"="c:\program files\Logitech\Video\InstallHelper.exe" [2005-12-07 09:33 73728]
"LogitechCameraService(E)"="c:\windows\system32\ElkCtrl.exe" [2004-11-01 262144]
"DISCover"="c:\program files\DISC\DISCover.exe" [2007-10-30 1095256]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-01-31 385024]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"basicsmssmenu"="c:\program files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-09 169328]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 c:\windows\arpwrmsg.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Compaq Connections.lnk - c:\program files\Compaq Connections\5577497\Program\Compaq Connections.exe [2005-11-11 36903]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-28 241664]

"InstallVisualStyle"= c:\windows\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= c:\windows\Resources\Themes\Royale.theme

"{E37CB5F0-51F5-4395-A808-5FA49E399007}"= "c:\program files\GbPlugin\gbiehabn.dll" [2008-08-05 369064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginAbn]
2008-08-05 07:58 369064 c:\program files\GbPlugin\gbiehabn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=karna.dat cecnaa.dll lllfvw.dll yoazim.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"EnableFirewall"= 0 (0x0)

"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=

"<NO NAME>"=

R2 Basics Service;Basics Service;c:\program files\Seagate\Basics\Service\SyncServicesBasics.exe [2007-10-09 124280]
S3 ATIXPGAA;ATIXPGAA;c:\program files\PC-Doctor 5 for Windows\ATIXPGAA.SYS [ ]
S3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;c:\windows\system32\DRIVERS\usb8023.sys [2008-04-13 12800]

\Shell\AutoRun\command - J:\Launch.exe /run

\Shell\AutoRun\command - K:\LaunchU3.exe -a

*Newly Created Service* - CATCHME
Contents of the 'Scheduled Tasks' folder

2008-05-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
- - - - ORPHANS REMOVED - - - -

BHO-{166CC70F-747F-4769-81DD-793AF0B985FC} - (no file)
BHO-{60116BCC-8AEE-43C8-93EB-50BAB27A2D2A} - (no file)
BHO-{70BB41D0-CE74-498A-85E2-B4B43F6049CF} - (no file)
BHO-{8282D98F-CBD3-49D0-876F-BAF417636827} - (no file)
BHO-{912B8CBB-95CF-4512-9EF1-161306FA3C8F} - (no file)
BHO-{D99C82FF-B43A-4AB4-8DAC-DC8D9E42784F} - (no file)
HKLM-Run-PCDrProfiler - (no file)
ShellExecuteHooks-{E37CB5F0-51F5-4395-A808-5FA49E399003} - c:\program files\GbPlugin\gbiehCef.dll

------- Supplementary Scan -------
FireFox -: Profile - c:\documents and settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\seb4bdxn.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com/


catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-16 12:00:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


"ImagePath"="c:\program files\GbPlugin\GbpSv.exe"
Completion time: 2008-11-16 12:04:27
ComboFix-quarantined-files.txt 2008-11-16 17:04:24

Pre-Run: 154,258,026,496 bytes free
Post-Run: 154,800,111,616 bytes free

200 --- E O F --- 2008-10-29 01:40:12


Malwarebytes' Anti-Malware 1.30
Database version: 1373
Windows 5.1.2600 Service Pack 3

11/16/2008 1:07:56 PM
mbam-log-2008-11-16 (13-07-56).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|)
Objects scanned: 230213
Time elapsed: 59 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:08:30 PM, on 11/16/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\GbPlugin\GbpSv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Logitech\Video\CameraAssistant.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/ ... .yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = cdn;*.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {C41A1C0E-EA6C-11D4-B1B8-444553540003} - (no file)
O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\Program Files\GbPlugin\gbiehabn.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Program Files\Logitech\Video\CameraAssistant.exe
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [LogitechCameraService(E)] C:\WINDOWS\system32\ElkCtrl.exe /automation
O4 - HKLM\..\Run: [DISCover] C:\Program Files\DISC\DISCover.exe nogui
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [basicsmssmenu] "C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: SCRABBLE Complete Registration.lnk = C:\Documents and Settings\Compaq_Administrator\Local Settings\Temp\{37827547-3925-4053-8163-D0158F9A192E}\{B36649A3-D0DD-4706-B042-F5B384529C7A}\ATR1.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.gmail.com
O15 - Trusted Zone: http://*.mcafee.com
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {01118A01-3E00-11D2-8470-0060089874ED} - https://password.bellsouth.net/sdccommo ... gctlsr.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Fac ... oader5.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Fac ... oader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Fac ... loader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 5583136265
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mpr/p ... ginABN.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: karna.dat cecnaa.dll lllfvw.dll yoazim.dll
O20 - Winlogon Notify: GbPluginAbn - C:\Program Files\GbPlugin\gbiehabn.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe (file missing)
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe

End of file - 10268 bytes
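
The entries a helper keys on in the two logs above (the AppInit_DLLs list, the hidden+system .ini files with random-looking names in system32, the orphaned BHOs, the startup item launched from a Temp folder) can be pulled out mechanically. The following triage script is an added example, not part of the poster's logs or of the HijackThis/ComboFix tools; it reads lines in both log formats and reports such entries for a human to review. The sample lines are copied from the logs in this post, and the severity labels and the random-name heuristic are assumptions of the example.

```python
import re

# ComboFix "Files Created" entry: created . modified size attrs path
CF_FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+"
    r"(?P<size>[\d,]+|<DIR>)\s+(?P<attrs>[-a-z]{9})\s+(?P<path>.+)$",
    re.IGNORECASE,
)
# AppInit_DLLs as ComboFix prints it ("AppInit_DLLs"=a.dll b.dll) and as
# HijackThis prints it (O20 - AppInit_DLLs: a.dll b.dll)
APPINIT_RE = re.compile(r'AppInit_DLLs"?\s*[:=]\s*(?P<dlls>\S.*)$', re.IGNORECASE)
# HijackThis O2 (browser helper object) and O4 (autostart) lines
BHO_RE = re.compile(r"^O2 - BHO: .* - \{[0-9A-F-]+\} - (?P<target>.+)$", re.IGNORECASE)
O4_RE = re.compile(r"^O4 - (?P<where>.+?): (?:\[[^\]]+\] |.+?\.lnk = )(?P<cmd>.+)$",
                   re.IGNORECASE)
# Short all-letter names such as bimexjix.ini are typical of Vundo-style droppers.
# This is a heuristic (assumption of this example), so hits mean "review", not "delete".
RANDOM_NAME_RE = re.compile(r"^[a-z]{6,10}\.(ini|dll|dat)$")


def triage(lines):
    """Return (severity, rule, detail) tuples for lines worth a helper's attention."""
    findings, seen = [], set()

    def add(sev, rule, detail):
        key = (rule, detail.lower())
        if key not in seen:          # the same DLL shows up in both logs; report once
            seen.add(key)
            findings.append((sev, rule, detail))

    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = APPINIT_RE.search(line)
        if m:
            # Every DLL listed here is loaded into each process that loads user32.dll,
            # so a non-empty list on a home PC is the strongest single indicator.
            for dll in m.group("dlls").split():
                add("high", "appinit_dll", dll)
            continue
        m = BHO_RE.match(line)
        if m:
            if m.group("target").lower() == "(no file)":
                add("low", "orphan_bho", line)   # leftover registry entry, cleanup item
            continue
        m = O4_RE.match(line)
        if m:
            # Legitimate autostarts do not normally run out of a user's Temp folder
            if re.search(r"\\temp\\", m.group("cmd"), re.IGNORECASE):
                add("medium", "startup_from_temp", m.group("cmd"))
            continue
        m = CF_FILE_RE.match(line)
        if m:
            attrs = m.group("attrs").lower()
            path = m.group("path")
            name = path.rsplit("\\", 1)[-1].lower()
            # hidden + system attributes on a random-looking name inside system32
            if ("h" in attrs and "s" in attrs
                    and "\\windows\\system32\\" in path.lower()
                    and RANDOM_NAME_RE.match(name)):
                add("high", "hidden_system_dropper", path)
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 6, 'medium': 1, 'low': 1}."""
    counts = {}
    for sev, _rule, _detail in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


# Sample input copied from the ComboFix and HijackThis logs in this thread
SAMPLE_LOG = r"""
2008-11-07 17:59 . 2008-11-07 17:59 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-07 18:45 . 2008-11-07 18:45 120 --ahs---- c:\windows\system32\bimexjix.ini
2008-11-02 12:30 . 2008-11-02 12:30 1,489,903 --ahs---- c:\windows\system32\vnbfdqkh.ini
2008-10-28 19:03 . 2008-10-15 11:34 337,408 --a------ c:\windows\system32\dllcache\netapi32.dll
"AppInit_DLLs"=karna.dat cecnaa.dll lllfvw.dll yoazim.dll
O2 - BHO: (no name) - {C41A1C0E-EA6C-11D4-B1B8-444553540003} - (no file)
O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\Program Files\GbPlugin\gbiehabn.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - Startup: SCRABBLE Complete Registration.lnk = C:\Documents and Settings\Compaq_Administrator\Local Settings\Temp\{37827547-3925-4053-8163-D0158F9A192E}\ATR1.exe
O20 - AppInit_DLLs: karna.dat cecnaa.dll lllfvw.dll yoazim.dll
""".strip().splitlines()

if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for sev, rule, detail in results:
        print(f"[{sev:6}] {rule:22} {detail}")
    print(summarize(results))
```

The ComboFix and HijackThis AppInit_DLLs lines name the same four files, so they are reported once; everything else in the sample is left alone, which is the point of a triage pass rather than an automated cleaner.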

Re: TROJAN.VUNDO...can't get rid of it! HELP!

Post by John B. » November 20th, 2008, 10:15 am

Hi! :hello2: and welcome to the Malware Removal forums.
My name is John Brouwer - if it helps, you can call me John for short. I'll be glad to help you with your computer problems.

HijackThis logs can take some time to research, so please be patient with me. I know that you need
your computer working as quickly as possible, and I will work hard to help see that happens.

These rules are good for you to know:
  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • If you don't reply within five days after my last instructions this topic will be closed. If you will not be able to reply within five days please tell me so the topic will not be closed.

These rules are to make my voluntary work more comfortable:
  • Please be patient. The work I do is voluntary and I also have a private life (school, work, friends and hobbies).
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • Please reply to this thread. Do not start a new topic.
  • Also, don't post logs as attachments. Other helpers like to view the logs as well and opening a lot of attachments is irritating. It can also contain malware.

Finally, please make an uninstall list using HijackThis.
To access the Uninstall Manager you would do the following:
  • Start HijackThis
  • Click on the Open The Misc Tool Section button
  • Click on the Open Uninstall Manager button.
  • Click on the Save list... button and specify where you would like to save this file. When you press the Save button, Notepad will open with the contents of that file. Save the file to your desktop and post the contents in a reply to this topic. Also post a fresh HijackThis log and tell me if you are still having trouble with Vundo.

Re: TROJAN.VUNDO...can't get rid of it! HELP!

Post by pcg » November 21st, 2008, 2:26 pm

Hi John: I got tired of dealing with it, so I just restored the whole thing....and was able to get my data out before it got infected. I do appreciate your willingness to help though. Just wanted to let you know.

Thanks again,

Re: TROJAN.VUNDO...can't get rid of it! HELP!

Post by John B. » November 21st, 2008, 5:20 pm

Now that you are clean, I got some tips & tricks for you to keep your computer clean and secure.

It may seem like your system will be over-protected with all these things installed, but many of these programs aren't always running in the background, so they don't slow down your computer. Please take a look at the following things:
  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialise and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.

  • Use an Anti Virus Software - It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. Here are some Anti Virus products which are free for personal use and most used:
    Avira AntiVir

    Here are some really good paid programs which you can buy online or in a shop nearby:
    ESET NOD32
    Kaspersky Anti-Virus or Kaspersky Internet Security with Firewall included

  • Update your Anti Virus Software - It is imperative that you update your Anti virus software at least once a week (even more often if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - Using a Firewall on your computer can be very important. Without a firewall your computer is susceptible to being hacked and taken over. There are some different situations you can be in where a third-party firewall may or may not be a good addition to your system:
    • If you are not using Windows XP or Vista, but an older version, I recommend that you use a firewall.
    • If you are using Windows XP or Vista, but are on dial-up, I recommend that you use a firewall.
    • If you are using Windows XP or Vista and are using broadband, but are not experienced in using firewalls and getting the choice to allow or disallow things, I recommend that you use Windows Firewall.
    • If you are using Windows XP or Vista, are using broadband and are experienced, I recommend that you disable Windows Firewall (as it is not perfect) and get a third-party firewall.

    Here are some firewalls which are free for personal use and most used:
    Kerio Personal Firewall (Free version after 30 days)
    Online Armor Free

    Or you could buy their paid version online or in a shop nearby:
    Kerio Personal Firewall (Continue paid version after 30 days)
    Online Armor

  • Visit Microsoft's Update Site Frequently - It is important that you visit http://update.microsoft.com/ regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.
    This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis, just as you would with anti virus software. A tutorial on installing & using this product can be found here:
    Tutorial for Spybot S & D

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. You can download it here:

  • Install WinPatrol - As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. You can download it from this website:
    The developer is a well-known man in the MalWare Removal business. If you really like WinPatrol think about upgrading to the PLUS version. It will give you additional features and you will only have to pay once, for your whole malware-free life.

  • Install MVPS HOSTS - This custom hosts file effectively blocks a wide range of unwanted ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
    For information on how to download and install, please read this tutorial here:
    Note: Be sure to follow the instructions to disable the DNS Client service before installing a custom hosts file.

  • Use an alternative Internet Browser - Many of the exploits are directed to users of Internet Explorer. Try using a different browser instead:
    Firefox << Most used, I use this one myself.

  • Bookmark general cleanup link - It could be that your computer is becoming slower and slower. This is not always caused by malware. Most of the time it's malware when your computer is suddenly getting slow or acting strange. When the slowdown increases slowly, check (so bookmark now) this link for tips & tricks:
    What to do if your Computer's running slowly

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Re: TROJAN.VUNDO...can't get rid of it! HELP!

Post by NonSuch » November 21st, 2008, 7:43 pm

As this issue appears to be resolved, this topic is now closed.

