Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Vundo Infection

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Vundo Infection

Unread postby Katsklau » December 21st, 2008, 8:49 pm

My PC was infected with a virus about 4 days ago. It started with a pesky pop-up saying computer wasn't safe and to click on it yadayada. Then the blue screen of death appeared. Upon re-boot a window popped up with a viewmanager error. I was able to get online but I was inundated with antispyware pop-ups and I was unable to access certain sites (using firefox). I was however able to download Vundofix, and a McAfee stinger neither of which found anything (IN SAFE MODE). I did a McAfee scan and it found a trojan but I was unable to remove it. The security center is blocked from updating and I can't get any microsoft updates.

I researched ways to manually remove Vundo as I assumed this is what the pesky bug must be.
1. I accessed the task manager and found 3 processes running - MWSOEMON.EXE, M3SRCHMN.EXE, and PWRISOVM.exe under user and I ended them and their trees.
2. I accessed the registry editor, which at first was disabled, I hit start, and Run and typed the command to enable it - REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f and ran command REGEDIT.
In the registry editor I looked up and deleted all files with the words, VUNDO, MS JUAN, JUAN, and that had VSBB or VZBB in the binary value data.Deleting the files in the registry did allow me to run a McAfee scan and remove the quarantined Trojan and 6 other quarantine files it found.
3. The only thing I did not do was delete any .dll files because I don't know what to delete.

Anyway, needless to say all of this was for naught as it stopped the pop-ups but upon reboot all of the files reappeared in the registry and all the problems came back like a pesky flu.

I finally downloaded HJT and the following is my log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:04:26 PM, on 12/21/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
I:\WINDOWS\System32\smss.exe
I:\WINDOWS\system32\winlogon.exe
I:\WINDOWS\system32\services.exe
I:\WINDOWS\system32\lsass.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\System32\svchost.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\system32\spoolsv.exe
I:\WINDOWS\Explorer.EXE
I:\Program Files\HP\HP Software Update\HPWuSchd2.exe
I:\Program Files\McAfee.com\Agent\mcagent.exe
I:\Program Files\iTunes\iTunesHelper.exe
I:\WINDOWS\system32\rundll32.exe
I:\WINDOWS\system32\ctfmon.exe
I:\Program Files\Microsoft ActiveSync\wcescomm.exe
I:\Program Files\RapidSolution\Tunebite\Tunebite.exe
I:\Program Files\Messenger\msmsgs.exe
I:\Program Files\DNA\btdna.exe
I:\WINDOWS\system32\prunnet.exe
I:\Program Files\Windows Media Player\WMPNSCFG.exe
I:\WINDOWS\ehome\RMSysTry.exe
I:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
I:\PROGRA~1\MI3AA1~1\rapimgr.exe
I:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
I:\Program Files\Bonjour\mDNSResponder.exe
I:\WINDOWS\eHome\ehRecvr.exe
I:\WINDOWS\eHome\ehSched.exe
I:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
I:\WINDOWS\System32\svchost.exe
I:\Program Files\McAfee\SiteAdvisor\McSACore.exe
I:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
i:\program files\common files\mcafee\mna\mcnasvc.exe
i:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
I:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
I:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
I:\WINDOWS\system32\nvsvc32.exe
I:\WINDOWS\ehome\RMSvc.exe
I:\WINDOWS\system32\svchost.exe
I:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
I:\Program Files\Mozilla Firefox\firefox.exe
I:\WINDOWS\system32\wscntfy.exe
I:\Program Files\iPod\bin\iPodService.exe
I:\WINDOWS\system32\dllhost.exe
I:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
I:\Program Files\McAfee\MPF\MPFSrv.exe
I:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - I:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - I:\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - I:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - I:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - I:\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - i:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - i:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE I:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HP Software Update] I:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [mcagent_exe] "I:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "I:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MyWebSearch Plugin] rundll32 I:\PROGRA~1\MYWEBS~1\bar\2.bin\M3PLUGIN.DLL,UPF
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] I:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "I:\PROGRA~1\MYWEBS~1\bar\2.bin\m3SrchMn.exe" /m=0
O4 - HKLM\..\Run: [PWRISOVM.EXE] I:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [AppleSyncNotifier] I:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Google Desktop Search] "I:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "I:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "I:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [prunnet] "I:\WINDOWS\system32\prunnet.exe"
O4 - HKLM\..\Run: [000000af] rundll32.exe "I:\WINDOWS\system32\yuuqrgnh.dll",b
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MsnMsgr] "I:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] I:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "I:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Tunebite] I:\Program Files\RapidSolution\Tunebite\Tunebite.exe -tray
O4 - HKCU\..\Run: [MSMSGS] "I:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] I:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "I:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [prunnet] "I:\WINDOWS\system32\prunnet.exe"
O4 - HKCU\..\Run: [jsf8j34rgfght] I:\DOCUME~1\user\LOCALS~1\Temp\winloggn.exe
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] I:\DOCUME~1\user\LOCALS~1\Temp\csrssc.exe
O4 - HKCU\..\Run: [AdwareAlert] I:\Program Files\AdwareAlert\AdwareAlert.exe -boot
O4 - HKCU\..\Run: [WMPNSCFG] I:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Extender Resource Monitor.lnk = I:\WINDOWS\ehome\RMSysTry.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = I:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &AIM Search - i:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredi ... p=ZJfox000
O8 - Extra context menu item: &Windows Live Search - res://I:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://I:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://I:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - I:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - I:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - I:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - I:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - I:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - I:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - I:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///I:/Program%20Files/SCRABBLE/Images/stg_drm.ocx
O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) - http://coupons.smartsource.com/download/cscmv5X.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDow ... eqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 0206129562
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///I:/Program%20Files/SCRABBLE/Images/armhelper.ocx
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - i:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs: I:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL jlbkng.dll
O22 - SharedTaskScheduler: FGYbf743iujndsfAfsdfd - {D5BF49A2-94F1-42BD-F434-3604812C807D} - I:\WINDOWS\system32\tyshb36rfjdf.dll
O23 - Service: Apple Mobile Device - Apple Inc. - I:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - I:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - I:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - I:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - I:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - I:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - I:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - I:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - i:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - I:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - i:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - I:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - I:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - I:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: My Web Search Service (MyWebSearchService) - MyWebSearch.com - I:\PROGRA~1\MYWEBS~1\bar\2.bin\mwssvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - I:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - I:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - I:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 11773 bytes


What now? Any help will be repaid in warm wishes.
Thanx,
Kats
Katsklau
Active Member
 
Posts: 5
Joined: December 21st, 2008, 7:41 pm
Advertisement
Register to Remove

Re: Vundo Infection

Unread postby Bv202 » December 22nd, 2008, 12:37 pm

Welcome to Malware Removal!
My name is Bjorn, known as Bv202 on this forum and I'll be happy to assist you with all your malware problems you have on your computer.

Before we start fixing your computer, there are a few points you need to know:
  • Please don't start a new topic, but reply on this one.
  • If you don't understand something, please ask!
  • If you find any new problems and/or details, please post them!
  • As I'm still in training here at Malware Removal, all my posts needs to be checked by an expert first.

Remember: absence of symptoms does not mean your computer is clean!!
Please reply to this topic until I say your computer is clean.

I'm now researching your log. Once it's done, I'll be back to you.

In the meantime, please do this:
  • Open HijackThis.
  • Look under System tools.
  • Click on the Open Uninstall Manager... button.
  • Click on the Save list... button.
  • It will prompt you to save. Save this log in a convenient location. By default it's named uninstall_list.txt.
  • Notepad will open. Please copy and paste the contents of this log in your next reply.
See in this link details.
http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg

I understand these infections can be really frustrating, but please don't mess with the registry yourself. You can mess up your whole computer if you do something wrong.
Bv202
Regular Member
 
Posts: 1732
Joined: May 3rd, 2008, 10:46 am
Location: Belgium (GMT +1)

Re: Vundo Infection

Unread postby Katsklau » December 22nd, 2008, 4:52 pm

Thank you for your prompt response. Okay, I ran HJT in regular mode and safe mode. I was able to get into the tools and the uninstall manager. I hit save list and when in regular mode nothing happened, in other words not prompt to save the file to notepad and in safe mode when I hit save list the entire program just shut down.

I am able to view the list but I can't save it. I checked in the program files, trend micro folder to see if it saved it without my knowledge and nothing. What now? I can write it all down manually.

Kats
Katsklau
Active Member
 
Posts: 5
Joined: December 21st, 2008, 7:41 pm

Re: Vundo Infection

Unread postby Bv202 » December 24th, 2008, 7:01 am

Hi

No need to write it down manually; that will only take a long time. This is a common problem, you can skip the step and continue with these instructions :)

REMOVE P2P PROGRAMS
IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

BitTorrent DNA

Please read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

Note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

Go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red) NOW.

Post back a new HijackThis, so we can continue cleaning your pc.

Merry Christmas :)
Bv202
Regular Member
 
Posts: 1732
Joined: May 3rd, 2008, 10:46 am
Location: Belgium (GMT +1)

Re: Vundo Infection

Unread postby Katsklau » December 24th, 2008, 5:04 pm

Okay I removed Bit Torrent. Here is the new HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:00:45 PM, on 12/24/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
I:\WINDOWS\System32\smss.exe
I:\WINDOWS\system32\winlogon.exe
I:\WINDOWS\system32\services.exe
I:\WINDOWS\system32\lsass.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\System32\svchost.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\system32\spoolsv.exe
I:\WINDOWS\Explorer.EXE
I:\Program Files\HP\HP Software Update\HPWuSchd2.exe
I:\Program Files\McAfee.com\Agent\mcagent.exe
I:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
I:\PROGRA~1\MYWEBS~1\bar\2.bin\m3SrchMn.exe
I:\Program Files\PowerISO\PWRISOVM.EXE
I:\Program Files\iTunes\iTunesHelper.exe
I:\WINDOWS\system32\rundll32.exe
I:\WINDOWS\system32\ctfmon.exe
I:\Program Files\Microsoft ActiveSync\wcescomm.exe
I:\Program Files\RapidSolution\Tunebite\Tunebite.exe
I:\Program Files\Messenger\msmsgs.exe
I:\DOCUME~1\user\LOCALS~1\Temp\csrssc.exe
I:\Program Files\Windows Media Player\WMPNSCFG.exe
I:\WINDOWS\ehome\RMSysTry.exe
I:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
I:\PROGRA~1\MI3AA1~1\rapimgr.exe
I:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
I:\Program Files\Bonjour\mDNSResponder.exe
I:\WINDOWS\eHome\ehRecvr.exe
I:\WINDOWS\eHome\ehSched.exe
I:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
I:\WINDOWS\System32\svchost.exe
I:\Program Files\McAfee\SiteAdvisor\McSACore.exe
I:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
i:\program files\common files\mcafee\mna\mcnasvc.exe
i:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
I:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
I:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
I:\WINDOWS\system32\nvsvc32.exe
I:\WINDOWS\system32\HPZipm12.exe
I:\WINDOWS\ehome\RMSvc.exe
I:\WINDOWS\system32\svchost.exe
I:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
I:\Program Files\Mozilla Firefox\firefox.exe
I:\Program Files\iPod\bin\iPodService.exe
I:\WINDOWS\system32\dllhost.exe
I:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
I:\Program Files\McAfee\MPF\MPFSrv.exe
I:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - I:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - I:\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {1578DEF3-E374-4215-852C-5F8329BB5382} - I:\WINDOWS\system32\rqRHBQih.dll
O2 - BHO: (no name) - {54125f14-9193-4fd1-965e-7353d1ed29eb} - I:\WINDOWS\system32\polekove.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - I:\WINDOWS\system32\vtUoMCUK.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - I:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: I:\WINDOWS\system32\tyshb36rfjdf.dll - {D5BF49A2-94F1-42BD-F434-3604812C807D} - I:\WINDOWS\system32\tyshb36rfjdf.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - I:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - I:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - I:\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - i:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - i:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE I:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HP Software Update] I:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [mcagent_exe] "I:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "I:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MyWebSearch Plugin] rundll32 I:\PROGRA~1\MYWEBS~1\bar\2.bin\M3PLUGIN.DLL,UPF
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] I:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "I:\PROGRA~1\MYWEBS~1\bar\2.bin\m3SrchMn.exe" /m=0
O4 - HKLM\..\Run: [PWRISOVM.EXE] I:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [AppleSyncNotifier] I:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Google Desktop Search] "I:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "I:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "I:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [prunnet] "I:\WINDOWS\system32\prunnet.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [bipoyopeja] Rundll32.exe "I:\WINDOWS\system32\kelinepe.dll",s
O4 - HKLM\..\Run: [000000af] rundll32.exe "I:\WINDOWS\system32\ponimero.dll",b
O4 - HKCU\..\Run: [MsnMsgr] "I:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] I:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "I:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Tunebite] I:\Program Files\RapidSolution\Tunebite\Tunebite.exe -tray
O4 - HKCU\..\Run: [MSMSGS] "I:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] I:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKCU\..\Run: [prunnet] "I:\WINDOWS\system32\prunnet.exe"
O4 - HKCU\..\Run: [jsf8j34rgfght] I:\DOCUME~1\user\LOCALS~1\Temp\winloggn.exe
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] I:\DOCUME~1\user\LOCALS~1\Temp\csrssc.exe
O4 - HKCU\..\Run: [AdwareAlert] I:\Program Files\AdwareAlert\AdwareAlert.exe -boot
O4 - HKCU\..\Run: [WMPNSCFG] I:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [bipoyopeja] Rundll32.exe "I:\WINDOWS\system32\kelinepe.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [bipoyopeja] Rundll32.exe "I:\WINDOWS\system32\kelinepe.dll",s (User 'NETWORK SERVICE')
O4 - Global Startup: Extender Resource Monitor.lnk = I:\WINDOWS\ehome\RMSysTry.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = I:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &AIM Search - i:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredi ... p=ZJfox000
O8 - Extra context menu item: &Windows Live Search - res://I:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://I:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://I:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - I:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - I:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - I:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - I:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - I:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - I:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - I:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///I:/Program%20Files/SCRABBLE/Images/stg_drm.ocx
O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) - http://coupons.smartsource.com/download/cscmv5X.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDow ... eqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 0206129562
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///I:/Program%20Files/SCRABBLE/Images/armhelper.ocx
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - i:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs: I:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL jlbkng.dll,I:\WINDOWS\system32\pimehori.dll
O20 - Winlogon Notify: vtUoMCUK - I:\WINDOWS\SYSTEM32\vtUoMCUK.dll
O22 - SharedTaskScheduler: FGYbf743iujndsfAfsdfd - {D5BF49A2-94F1-42BD-F434-3604812C807D} - I:\WINDOWS\system32\tyshb36rfjdf.dll
O23 - Service: Apple Mobile Device - Apple Inc. - I:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - I:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - I:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - I:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - I:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - I:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - I:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - I:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - i:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - I:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - i:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - I:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - I:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - I:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: My Web Search Service (MyWebSearchService) - MyWebSearch.com - I:\PROGRA~1\MYWEBS~1\bar\2.bin\mwssvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - I:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - I:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - I:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 12936 bytes
Katsklau
Active Member
 
Posts: 5
Joined: December 21st, 2008, 7:41 pm

Re: Vundo Infection

Unread postby Bv202 » December 25th, 2008, 6:58 am

Hi Katsklau

Disable Mcafee Antivirus
Before starting with combofix, you need to disable Mcafee. Follow these instructions to do that:
Please navigate to the system tray on the bottom right hand corner and look for a Image sign.
  • Right-click it -> chose "Exit."
  • A popup will warn that protection will now be disabled. Click on "Yes" to disable the Antivirus guard.
You successfully disabled the McAfee Guard.

Download and run Combofix
Please visit this webpage for download links, and instructions for running the tool:
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.
* IMPORTANT !!! Save ComboFix.exe to your Desktop

http://www.bleepingcomputer.com/combofix/how-to-use-combofix
  • Make sure Mcafee is disabled before running Combofix. If you have any more anti-malware programs with real-time protection, disable them too!
Please include the C:\ComboFix.txt in your next reply for further review.
Bv202
Regular Member
 
Posts: 1732
Joined: May 3rd, 2008, 10:46 am
Location: Belgium (GMT +1)

Re: Vundo Infection

Unread postby Katsklau » December 25th, 2008, 2:40 pm

Combofix seems to have done the trick. Everything is running smoothly.

But here is what I went through for future reference:
I had to download combofix and the recovery console ISO onto a jumpdrive on my other PC and then copy it to my desktop because the virus did not let me access the bleepingcomputer site and the microsoft site for the recover console ISO (or this site either). Then I dragged the files over to my desktop. I followed the directions to drag the recovery console over and drop it on the combofix.exe icon and then run it - but nothing happened! I checked in the task manager and it showed that is was running combofix.exe under SYSTEM, but no windows appeared to start or run the program. So, I read up on some other posts that the virus actually DISABLES malware removal programs so you have to rename it before you save it. I renamed it on my desktop but it still didn't work and said the CF script was named wrong. So I deleted the combofix.exe file from my desktop completely and end tasked it on the task manager as well. I THEN RENAMED THE FILE ON MY JUMP DRIVE TO Dweebs.exe before copying it to my desktop. Then I dragged over the renamed file "dweebs.exe" onto my desktop and dragged the recovery console ISO over it and it worked. I was able to run it with no problem.

(BTW: During the last reboot, before it prepared the log I received this error message:
Error loading - I:\PROGRA~I/MYWEBS~\bar\2.bin\m3plugin.dll
The specified module could not be found.)

Here is my combofix log:

ComboFix 08-12-24.01 - user 2008-12-25 13:07:08.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1616 [GMT -5:00]
Running from: i:\documents and settings\user\Desktop\dweebles.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

i:\documents and settings\user\Application Data\FunWebProducts
i:\documents and settings\user\Application Data\FunWebProducts\Data\user\avatar.dat
i:\documents and settings\user\Application Data\FunWebProducts\Data\user\outfit.dat
i:\documents and settings\user\Application Data\FunWebProducts\Data\user\zbucks.dat
i:\program files\FunWebProducts
i:\program files\FunWebProducts\Shared\Cache\AvatarSmallBtn.html
i:\program files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
i:\program files\FunWebProducts\Shared\Cache\MailStampBtn.html
i:\program files\FunWebProducts\Shared\Cache\MyFunCardsIMBtn.html
i:\program files\FunWebProducts\Shared\Cache\MyStationeryBtn.html
i:\program files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
i:\program files\Internet Explorer\msimg32.dll
i:\program files\MyWebSearch
i:\program files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL
i:\program files\MyWebSearch\bar\1.bin\F3REPROX.DLL
i:\program files\MyWebSearch\bar\1.bin\MWSBAR.DLL
i:\program files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
i:\program files\MyWebSearch\bar\1.bin\MWSOESTB.DLL
i:\program files\MyWebSearch\bar\2.bin\F3BKGERR.JPG
i:\program files\MyWebSearch\bar\2.bin\F3CJPEG.DLL
i:\program files\MyWebSearch\bar\2.bin\F3DTACTL.DLL
i:\program files\MyWebSearch\bar\2.bin\F3HISTSW.DLL
i:\program files\MyWebSearch\bar\2.bin\F3HTMLMU.DLL
i:\program files\MyWebSearch\bar\2.bin\F3HTTPCT.DLL
i:\program files\MyWebSearch\bar\2.bin\F3IMSTUB.DLL
i:\program files\MyWebSearch\bar\2.bin\F3POPSWT.DLL
i:\program files\MyWebSearch\bar\2.bin\F3PSSAVR.SCR
i:\program files\MyWebSearch\bar\2.bin\F3REPROX.DLL
i:\program files\MyWebSearch\bar\2.bin\F3SCHMON.EXE
i:\program files\MyWebSearch\bar\2.bin\F3SPACER.WMV
i:\program files\MyWebSearch\bar\2.bin\F3WALLPP.DAT
i:\program files\MyWebSearch\bar\2.bin\F3WPHOOK.DLL
i:\program files\MyWebSearch\bar\2.bin\FWPBUDDY.PNG
i:\program files\MyWebSearch\bar\2.bin\M3FFXTBR.JAR
i:\program files\MyWebSearch\bar\2.bin\M3FFXTBR.MANIFEST
i:\program files\MyWebSearch\bar\2.bin\M3HIGHIN.EXE
i:\program files\MyWebSearch\bar\2.bin\M3HTML.DLL
i:\program files\MyWebSearch\bar\2.bin\M3IMPIPE.EXE
i:\program files\MyWebSearch\bar\2.bin\M3MEDINT.EXE
i:\program files\MyWebSearch\bar\2.bin\M3MSG.DLL
i:\program files\MyWebSearch\bar\2.bin\M3NTSTBR.JAR
i:\program files\MyWebSearch\bar\2.bin\M3NTSTBR.MANIFEST
i:\program files\MyWebSearch\bar\2.bin\M3OUTLCN.DLL
i:\program files\MyWebSearch\bar\2.bin\M3PLUGIN.DLL
i:\program files\MyWebSearch\bar\2.bin\M3SKIN.DLL
i:\program files\MyWebSearch\bar\2.bin\M3SKPLAY.EXE
i:\program files\MyWebSearch\bar\2.bin\M3SLSRCH.EXE
i:\program files\MyWebSearch\bar\2.bin\M3SRCHMN.EXE
i:\program files\MyWebSearch\bar\2.bin\MWSBAR.DLL
i:\program files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
i:\program files\MyWebSearch\bar\2.bin\MWSOEPLG.DLL
i:\program files\MyWebSearch\bar\2.bin\MWSOESTB.DLL
i:\program files\MyWebSearch\bar\2.bin\MWSSVC.EXE
i:\program files\MyWebSearch\bar\2.bin\NPMYWEBS.DLL
i:\program files\MyWebSearch\bar\Avatar\COMMON.F3S
i:\program files\MyWebSearch\bar\Avatar\COMMON\avatar.htm
i:\program files\MyWebSearch\bar\Avatar\COMMON\bgfadel.gif
i:\program files\MyWebSearch\bar\Avatar\COMMON\bgfader.gif
i:\program files\MyWebSearch\bar\Avatar\COMMON\common-x.css
i:\program files\MyWebSearch\bar\Avatar\COMMON\common.css
i:\program files\MyWebSearch\bar\Avatar\COMMON\cornerbl.gif
i:\program files\MyWebSearch\bar\Avatar\COMMON\cornerbr.gif
i:\program files\MyWebSearch\bar\Avatar\COMMON\ext_def.gif
i:\program files\MyWebSearch\bar\Avatar\COMMON\ext_roll.gif
i:\program files\MyWebSearch\bar\Avatar\COMMON\include.js
i:\program files\MyWebSearch\bar\Avatar\COMMON\index.htm
i:\program files\MyWebSearch\bar\Avatar\COMMON\loader.htm
i:\program files\MyWebSearch\bar\Avatar\COMMON\loading.gif
i:\program files\MyWebSearch\bar\Avatar\COMMON\logo.gif
i:\program files\MyWebSearch\bar\Avatar\COMMON\max_def.gif
i:\program files\MyWebSearch\bar\Avatar\COMMON\max_roll.gif
i:\program files\MyWebSearch\bar\Avatar\COMMON\min_def.gif
i:\program files\MyWebSearch\bar\Avatar\COMMON\min_roll.gif
i:\program files\MyWebSearch\bar\Avatar\COMMON\noflash.htm
i:\program files\MyWebSearch\bar\Avatar\COMMON\res_def.gif
i:\program files\MyWebSearch\bar\Avatar\COMMON\res_roll.gif
i:\program files\MyWebSearch\bar\Avatar\COMMON\spacer.gif
i:\program files\MyWebSearch\bar\Avatar\COMMON\spacer.swf
i:\program files\MyWebSearch\bar\Avatar\COMMON\topgrad.gif
i:\program files\MyWebSearch\bar\Avatar\COMMON\window.ico
i:\program files\MyWebSearch\bar\Cache\000416FF
i:\program files\MyWebSearch\bar\Cache\0004B33F
i:\program files\MyWebSearch\bar\Cache\0005EA67
i:\program files\MyWebSearch\bar\Cache\0006933A
i:\program files\MyWebSearch\bar\Cache\001ABB14
i:\program files\MyWebSearch\bar\Cache\00306392
i:\program files\MyWebSearch\bar\Cache\0059F8C6.bin
i:\program files\MyWebSearch\bar\Cache\0059FA1E.bin
i:\program files\MyWebSearch\bar\Cache\0059FB18.bin
i:\program files\MyWebSearch\bar\Cache\0059FBC4.bin
i:\program files\MyWebSearch\bar\Cache\0059FCAE
i:\program files\MyWebSearch\bar\Cache\00831A9F.bin
i:\program files\MyWebSearch\bar\Cache\00831B1C.bin
i:\program files\MyWebSearch\bar\Cache\00831C83.bin
i:\program files\MyWebSearch\bar\Cache\00831D4E.bin
i:\program files\MyWebSearch\bar\Cache\00831DFA.bin
i:\program files\MyWebSearch\bar\Cache\008E94FA.bin
i:\program files\MyWebSearch\bar\Cache\008E95D4.bin
i:\program files\MyWebSearch\bar\Cache\008E9651.bin
i:\program files\MyWebSearch\bar\Cache\00B3E623
i:\program files\MyWebSearch\bar\Cache\0133485E
i:\program files\MyWebSearch\bar\Cache\files.ini
i:\program files\MyWebSearch\bar\Game\CHECKERS.F3S
i:\program files\MyWebSearch\bar\Game\CHESS.F3S
i:\program files\MyWebSearch\bar\Game\REVERSI.F3S
i:\program files\MyWebSearch\bar\History\search3
i:\program files\MyWebSearch\bar\icons\CM.ICO
i:\program files\MyWebSearch\bar\icons\MFC.ICO
i:\program files\MyWebSearch\bar\icons\PSS.ICO
i:\program files\MyWebSearch\bar\icons\SMILEY.ICO
i:\program files\MyWebSearch\bar\icons\WB.ICO
i:\program files\MyWebSearch\bar\icons\ZWINKY.ICO
i:\program files\MyWebSearch\bar\Message\COMMON.F3S
i:\program files\MyWebSearch\bar\Notifier\COMMON.F3S
i:\program files\MyWebSearch\bar\Notifier\DOG.F3S
i:\program files\MyWebSearch\bar\Notifier\FISH.F3S
i:\program files\MyWebSearch\bar\Notifier\KUNGFU.F3S
i:\program files\MyWebSearch\bar\Notifier\LIFEGARD.F3S
i:\program files\MyWebSearch\bar\Notifier\MAID.F3S
i:\program files\MyWebSearch\bar\Notifier\MAILBOX.F3S
i:\program files\MyWebSearch\bar\Notifier\OPERA.F3S
i:\program files\MyWebSearch\bar\Notifier\ROBOT.F3S
i:\program files\MyWebSearch\bar\Notifier\SEDUCT.F3S
i:\program files\MyWebSearch\bar\Notifier\SURFER.F3S
i:\program files\MyWebSearch\bar\Settings\prevcfg2.htm
i:\program files\MyWebSearch\bar\Settings\s_pid.dat
i:\program files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
i:\program files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL
i:\windows\a3kebook.ini
i:\windows\akebook.ini
i:\windows\ANS2000.INI
i:\windows\jestertb.dll
i:\windows\system32\~.exe
i:\windows\system32\drivers\TDSSmqct.sys
i:\windows\system32\f3PSSavr.scr
i:\windows\system32\hiQBHRqr.ini
i:\windows\system32\hiQBHRqr.ini2
i:\windows\system32\hngrquuy.ini
i:\windows\system32\irezasos.ini
i:\windows\system32\jlbkng.dll
i:\windows\system32\jwgjjpkm.dll
i:\windows\system32\ljJabaAt.dll
i:\windows\system32\mcrh.tmp
i:\windows\system32\opnolICT.dll
i:\windows\system32\oreminop.ini
i:\windows\system32\prunnet.exe
i:\windows\system32\rqRHBQih.dll
i:\windows\system32\saguyeba.dll
i:\windows\system32\TDSSarxx.dll
i:\windows\system32\TDSScfmm.dll
i:\windows\system32\TDSSkkai.log
i:\windows\system32\TDSSlicn.dll
i:\windows\system32\TDSSmtye.dat
i:\windows\system32\TDSSnmxh.log
i:\windows\system32\TDSSotuh.dll
i:\windows\system32\TDSSsahc.dll
i:\windows\system32\TDSSvoql.dll
i:\windows\system32\TDSSxhyf.log
i:\windows\system32\tyshb36rfjdf.dll
i:\windows\system32\usayojis.ini
i:\windows\system32\vtUoMCUK.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS
-------\Legacy_MYWEBSEARCHSERVICE
-------\Service_MyWebSearchService


((((((((((((((((((((((((( Files Created from 2008-11-25 to 2008-12-25 )))))))))))))))))))))))))))))))
.

2008-12-24 23:11 . 2008-04-13 20:12 159,232 --a------ i:\windows\system32\ptpusd.dll
2008-12-24 23:11 . 2001-08-17 22:36 5,632 --a------ i:\windows\system32\ptpusb.dll
2008-12-19 22:23 . 2008-12-19 22:23 <DIR> d-------- i:\documents and settings\user\Application Data\AdwareAlert
2008-12-19 22:09 . 2008-12-19 22:09 <DIR> d-------- i:\program files\Uniblue
2008-12-19 22:09 . 2008-12-19 22:09 <DIR> d-------- i:\documents and settings\user\Application Data\Uniblue
2008-12-19 21:37 . 2008-12-19 21:37 <DIR> d-------- i:\program files\Trend Micro
2008-12-19 20:59 . 2008-12-19 21:05 1,661,900 --ahs---- i:\windows\system32\hngrquuy.tmp
2008-12-18 11:49 . 2008-12-18 11:49 <DIR> d-------- I:\VundoFix Backups
2008-12-17 21:12 . 2008-12-17 21:12 1 --a------ i:\windows\system32\edl.dat
2008-12-17 19:07 . 2008-12-17 19:07 <DIR> d-------- i:\documents and settings\Administrator
2008-12-14 11:19 . 2008-12-14 11:19 <DIR> d-------- i:\program files\iTunes
2008-12-14 11:19 . 2008-12-14 11:19 <DIR> d-------- i:\program files\iPod
2008-12-14 11:19 . 2008-12-14 11:19 <DIR> d-------- i:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-14 11:18 . 2008-12-14 11:18 <DIR> d-------- i:\program files\QuickTime
2008-12-05 17:42 . 2008-12-09 17:04 <DIR> d-------- i:\documents and settings\user\Application Data\SPORE
2008-12-05 17:42 . 2008-12-05 17:42 <DIR> dr-h----- i:\documents and settings\user\Application Data\SecuROM

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-25 18:01 --------- d-----w i:\documents and settings\user\Application Data\Tunebite
2008-12-25 17:48 85,269 --sha-w i:\windows\system32\sijoyasu.dll
2008-12-25 17:17 --------- d-----w i:\documents and settings\All Users\Application Data\Google Updater
2008-12-25 16:48 60,211 --sha-w i:\windows\system32\yupohote.dll
2008-12-24 17:06 84,102 ----a-w i:\windows\system32\ponimero.dll
2008-12-18 04:15 --------- d-----w i:\program files\Coupons
2008-12-18 04:14 --------- d-----w i:\program files\MSN Messenger
2008-12-18 04:13 --------- d-----w i:\program files\Yahoo!
2008-12-18 04:13 --------- d-----w i:\documents and settings\user\Application Data\Yahoo!
2008-12-18 04:13 --------- d-----w i:\documents and settings\All Users\Application Data\Yahoo!
2008-12-14 16:48 --------- d-----w i:\documents and settings\user\Application Data\Apple Computer
2008-12-14 16:19 --------- d-----w i:\program files\Common Files\Apple
2008-12-14 16:14 --------- d-----w i:\program files\Safari
2008-12-05 22:42 107,888 ----a-w i:\windows\system32\CmdLineExt.dll
2008-12-05 22:41 1,522 ----a-w i:\windows\system32\ealregsnapshot1.reg
2008-12-05 22:11 --------- d-----w i:\program files\Electronic Arts
2008-12-05 22:10 --------- d--h--w i:\program files\InstallShield Installation Information
2008-11-26 13:07 --------- d-----w i:\program files\DivX
2008-11-25 02:38 --------- d-----w i:\program files\Microsoft ActiveSync
2008-11-25 02:34 --------- d-----w i:\program files\Windows Media Components
2008-11-25 01:39 --------- d-----w i:\documents and settings\user\Application Data\DVD Catalyst3
2008-11-24 23:07 --------- d-----w i:\program files\DVD Catalyst
2008-11-21 13:57 --------- d-----w i:\documents and settings\LocalService\Application Data\SACore
2008-11-18 03:10 --------- d-----w i:\documents and settings\All Users\Application Data\McAfee
2008-11-18 01:27 --------- d---a-w i:\documents and settings\All Users\Application Data\TEMP
2008-11-18 01:26 --------- d-----w i:\program files\SCRABBLE
2008-11-18 01:26 --------- d-----w i:\documents and settings\user\Application Data\SpinTop
2008-11-14 02:23 --------- d-----w i:\program files\McAfee
2008-11-11 21:54 --------- d-----w i:\program files\House Beautiful
2008-11-08 19:29 --------- d-----w i:\documents and settings\user\Application Data\HP
2008-11-07 23:51 --------- d-----w i:\documents and settings\All Users\Application Data\HP Product Assistant
2008-11-07 19:23 32,000 ----a-w i:\windows\system32\drivers\usbaapl.sys
2008-10-23 12:36 286,720 ----a-w i:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w i:\windows\system32\wininet.dll
2008-10-16 19:13 202,776 ----a-w i:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w i:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w i:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w i:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w i:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w i:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w i:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w i:\windows\system32\wups.dll
2008-10-16 19:06 268,648 ----a-w i:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w i:\windows\system32\muweb.dll
2008-10-03 10:02 247,326 ----a-w i:\windows\system32\strmdll.dll
2008-09-30 21:43 1,286,152 ----a-w i:\windows\system32\msxml4.dll
2008-09-25 16:48 60,211 --sha-w i:\windows\system32\waluyelo.dll
2008-09-25 16:48 60,211 --sha-w i:\windows\system32\gomuzidi.dll
2008-09-25 16:48 33,792 --sha-w i:\windows\system32\guromome.dll
2008-07-05 15:47 0 -c--a-w i:\program files\temp01
2007-02-12 23:10 2,682,880 -c--a-w i:\documents and settings\All Users\VCREDI~3.EXE
2008-10-22 23:22 122,880 ----a-w i:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{EA756889-2338-43DB-8F07-D1CA6FB9C90D}"= "i:\program files\AOL\AIM Toolbar 5.0\aoltb.dll" [2008-03-07 1090912]

[HKEY_CLASSES_ROOT\clsid\{ea756889-2338-43db-8f07-d1ca6fb9c90d}]
[HKEY_CLASSES_ROOT\AOLTB.AOLTBSearch.1]
[HKEY_CLASSES_ROOT\TypeLib\{371A6A18-2D6A-4DF8-A4AA-61CA349B3C70}]
[HKEY_CLASSES_ROOT\AOLTB.AOLTBSearch]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54125f14-9193-4fd1-965e-7353d1ed29eb}]
2008-09-25 11:48 60211 --ahs---- i:\windows\system32\waluyelo.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="i:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"H/PC Connection Agent"="i:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"Tunebite"="i:\program files\RapidSolution\Tunebite\Tunebite.exe" [2008-04-24 6366512]
"MSMSGS"="i:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"WMPNSCFG"="i:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="i:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"HP Software Update"="i:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"mcagent_exe"="i:\program files\McAfee.com\Agent\mcagent.exe" [2008-07-11 641208]
"Adobe Reader Speed Launcher"="i:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"PWRISOVM.EXE"="i:\program files\PowerISO\PWRISOVM.EXE" [2007-08-06 200704]
"AppleSyncNotifier"="i:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"Google Desktop Search"="i:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-10-22 29744]
"QuickTime Task"="i:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="i:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"bipoyopeja"="i:\windows\system32\gomuzidi.dll" [2008-09-25 60211]
"000000af"="i:\windows\system32\sijoyasu.dll" [2008-12-25 85269]

i:\documents and settings\All Users\Start Menu\Programs\Startup\
Extender Resource Monitor.lnk - i:\windows\ehome\RMSysTry.exe [2005-10-20 18432]
HP Digital Imaging Monitor.lnk - i:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli i:\windows\system32\saguyeba.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 21:16 39792 i:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 19:12 15360 i:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-08-05 12:56 64512 i:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a--c--- 2006-01-12 14:40 155648 i:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-12-05 00:41 8523776 i:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a--c--- 2007-12-05 00:41 81920 i:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2007-07-12 03:00 132496 i:\program files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a--c--- 2007-12-05 00:41 1626112 i:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2005-12-14 20:06 577536 i:\windows\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"i:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"i:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"i:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"i:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"i:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"i:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"i:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"i:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"i:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"i:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"i:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"i:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"i:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"i:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"i:\program files\Microsoft ActiveSync\rapimgr.exe"= i:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"i:\program files\Microsoft ActiveSync\wcescomm.exe"= i:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"i:\program files\Microsoft ActiveSync\WCESMgr.exe"= i:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"i:\\Program Files\\Messenger\\msmsgs.exe"=
"i:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"i:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"i:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"i:\\Program Files\\iTunes\\iTunes.exe"=
"i:\\WINDOWS\\system32\\rundll32.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"i:\program files\McAfee\SiteAdvisor\McSACore.exe" [2008-10-03 203280]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"i:\program files\Viewpoint\Common\ViewpointService.exe" [2008-06-11 24652]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;"i:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-10-22 29744]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{61E3FE32-07B9-4563-A3E0-2DE2D620FE10}]
i:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-20 i:\windows\Tasks\AdwareAlert Scheduled Scan.job
- i:\program files\AdwareAlert\AdwareAlert.exe []

2008-12-20 i:\windows\Tasks\AdwareAlert Scheduled Scan.job
- i:\program files\AdwareAlert []

2008-12-15 i:\windows\Tasks\AppleSoftwareUpdate.job
- i:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-10-15 i:\windows\Tasks\McDefragTask.job
- i:\program files\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]

2008-09-01 i:\windows\Tasks\McQcTask.job
- i:\program files\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]
.
- - - - ORPHANS REMOVED - - - -

BHO-{4ADB39BE-39E0-41C1-8AB6-0B098B3E0E8E} - i:\windows\system32\rqRHBQih.dll
BHO-{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - i:\windows\system32\vtUoMCUK.dll
BHO-{D5BF49A2-94F1-42BD-F434-3604812C807D} - i:\windows\system32\tyshb36rfjdf.dll
Toolbar-{07B18EA9-A523-4961-B6BB-170DE4475CCA} - i:\program files\MyWebSearch\bar\2.bin\MWSBAR.DLL
WebBrowser-{07B18EA9-A523-4961-B6BB-170DE4475CCA} - i:\program files\MyWebSearch\bar\2.bin\MWSBAR.DLL
HKCU-Run-MsnMsgr - i:\program files\MSN Messenger\MsnMsgr.Exe
HKCU-Run-prunnet - i:\windows\system32\prunnet.exe
HKCU-Run-AdwareAlert - i:\program files\AdwareAlert\AdwareAlert.exe
HKLM-Run-MyWebSearch Plugin - i:\progra~1\MYWEBS~1\bar\2.bin\M3PLUGIN.DLL
HKLM-Run-My Web Search Bar Search Scope Monitor - i:\progra~1\MYWEBS~1\bar\2.bin\m3SrchMn.exe
HKLM-Run-prunnet - i:\windows\system32\prunnet.exe
SharedTaskScheduler-{D5BF49A2-94F1-42BD-F434-3604812C807D} - i:\windows\system32\tyshb36rfjdf.dll
ShellExecuteHooks-{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - i:\windows\system32\vtUoMCUK.dll
SafeBoot-mfehidk
SafeBoot-mferkdk
SafeBoot-mfetdik
SafeBoot-mfetdik.sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/def ... earch.html
uInternet Settings,ProxyOverride = *.local
IE: &AIM Search - i:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: &Search - http://edits.mywebsearch.com/toolbaredi ... p=ZJfox000
IE: &Windows Live Search - i:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Google Photos Screensa&ver - i:\windows\system32\GPhotos.scr/200
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - i:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

i:\windows\Downloaded Program Files\stg_drm.ocx - O16 -: {149E45D8-163E-4189-86FC-45022AB2B6C9}
file:///I:/Program%20Files/SCRABBLE/Images/stg_drm.ocx

i:\windows\Downloaded Program Files\CpnMgr.dll - O16 -: {549F957E-2F89-11D6-8CFE-00C04F52B225}
hxxp://coupons.smartsource.com/download/cscmv5X.cab
i:\windows\Downloaded Program Files\CpnMgr.inf

i:\windows\Downloaded Program Files\armhelper.ocx - O16 -: {CC450D71-CC90-424C-8638-1F2DBAC87A54}
file:///I:/Program%20Files/SCRABBLE/Images/armhelper.ocx
FF - ProfilePath - i:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\k6ohz4co.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/red ... 706&query={searchTerms}&invocationType=tb50fftrie7
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?inv ... rab&query=
FF - component: i:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: i:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: i:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\k6ohz4co.default\extensions\{0C7E3F01-99E9-4095-9BDC-F84724960B57}\plugins\NPCpnMgr.dll
FF - plugin: i:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: i:\program files\Mozilla Firefox\plugins\NPMyWebS.dll
FF - plugin: i:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: i:\program files\Opera\program\plugins\npdivx32.dll
FF - plugin: i:\program files\Picasa2\npPicasa2.dll
FF - plugin: i:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-25 13:11:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


i:\windows\system32\usayojis.ini 1603449 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
i:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
i:\program files\Bonjour\mDNSResponder.exe
i:\windows\ehome\ehrecvr.exe
i:\windows\ehome\ehSched.exe
i:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
i:\progra~1\McAfee\MSC\mcmscsvc.exe
i:\program files\Common Files\McAfee\MNA\McNASvc.exe
i:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
i:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
i:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
i:\windows\system32\nvsvc32.exe
i:\windows\system32\HPZipm12.exe
i:\windows\ehome\RMSvc.exe
i:\windows\system32\rundll32.exe
i:\progra~1\MI3AA1~1\rapimgr.exe
i:\windows\ehome\McrdSvc.exe
i:\program files\Windows Media Player\wmpnetwk.exe
i:\program files\HP\Digital Imaging\bin\hpqste08.exe
i:\windows\system32\dllhost.exe
i:\program files\iPod\bin\iPodService.exe
i:\program files\McAfee\MPF\MpfSrv.exe
.
**************************************************************************
.
Completion time: 2008-12-25 13:18:46 - machine was rebooted [user]
ComboFix-quarantined-files.txt 2008-12-25 18:18:43

Pre-Run: 197,526,634,496 bytes free
Post-Run: 197,708,759,040 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
i:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

470 --- E O F --- 2008-12-10 04:19:19

What next?
Thanx and Happy Holidays!
Kats
Katsklau
Active Member
 
Posts: 5
Joined: December 21st, 2008, 7:41 pm

Re: Vundo Infection

Unread postby Bv202 » December 25th, 2008, 4:17 pm

Hi Katsklau,
Merry Christmas :)

Thank you for the information about Combofix - you indeed had an infection which was preventing you to download and run Combofix.

I'm very sorry to tell this, but there is something bad you need to be aware of:

Dangerous infection
Your computer has multiple infections, including a backdoor. A backdoor gives intruders complete control of your computer, logs your keystrokes, steal personal information, etc.

This allows hackers to remotely control your computer, steal critical system information and Download and Execute files

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can attempt to clean this machine but i can't guarantee that it will be 100% secure afterwards.

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.
Bv202
Regular Member
 
Posts: 1732
Joined: May 3rd, 2008, 10:46 am
Location: Belgium (GMT +1)

Re: Vundo Infection

Unread postby Katsklau » December 25th, 2008, 11:07 pm

WOW!! OMG!! A backdoor?!! This sucks. Before I read your post I was able to turn the firewall back on and get all the updates from McAfee and Microsoft. Also, I installed Ccleaner and Spybot. They did their thing and found a bunch of junk and removed it. There was also a Rundll file called gomuzidi.dll that kept running at Startup which I disabled through the System Configuration Utility in Safe Mode. But, I had no idea there was a backdoor. If we can salvage this system I would like to try. I am posting a new HJT log. Please tell me what else we can do before reinstalling the OS all over again.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:07:19 PM, on 12/25/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
I:\WINDOWS\System32\smss.exe
I:\WINDOWS\system32\winlogon.exe
I:\WINDOWS\system32\services.exe
I:\WINDOWS\system32\lsass.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\System32\svchost.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\system32\spoolsv.exe
I:\WINDOWS\Explorer.EXE
I:\Program Files\HP\HP Software Update\HPWuSchd2.exe
I:\Program Files\McAfee.com\Agent\mcagent.exe
I:\Program Files\PowerISO\PWRISOVM.EXE
I:\Program Files\iTunes\iTunesHelper.exe
I:\WINDOWS\system32\ctfmon.exe
I:\Program Files\Microsoft ActiveSync\wcescomm.exe
I:\Program Files\Messenger\msmsgs.exe
I:\Program Files\Windows Media Player\WMPNSCFG.exe
I:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
I:\WINDOWS\ehome\RMSysTry.exe
I:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
I:\PROGRA~1\MI3AA1~1\rapimgr.exe
I:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
I:\Program Files\Bonjour\mDNSResponder.exe
I:\WINDOWS\eHome\ehRecvr.exe
I:\WINDOWS\eHome\ehSched.exe
I:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
I:\WINDOWS\System32\svchost.exe
I:\Program Files\McAfee\SiteAdvisor\McSACore.exe
I:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
i:\program files\common files\mcafee\mna\mcnasvc.exe
i:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
I:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
I:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
I:\WINDOWS\system32\nvsvc32.exe
I:\WINDOWS\system32\HPZipm12.exe
I:\WINDOWS\ehome\RMSvc.exe
I:\WINDOWS\system32\svchost.exe
I:\Program Files\Viewpoint\Common\ViewpointService.exe
I:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
I:\Program Files\iPod\bin\iPodService.exe
I:\WINDOWS\system32\dllhost.exe
I:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
I:\Program Files\McAfee\MPF\MPFSrv.exe
I:\Program Files\Mozilla Firefox\firefox.exe
I:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - I:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - I:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {54125f14-9193-4fd1-965e-7353d1ed29eb} - I:\WINDOWS\system32\waluyelo.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - I:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - i:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - i:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE I:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HP Software Update] I:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [mcagent_exe] "I:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "I:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] I:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [AppleSyncNotifier] I:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Google Desktop Search] "I:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "I:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "I:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSConfig] I:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe /auto
O4 - HKLM\..\Run: [bipoyopeja] Rundll32.exe "I:\WINDOWS\system32\gomuzidi.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] I:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "I:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [MSMSGS] "I:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] I:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] I:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Extender Resource Monitor.lnk = I:\WINDOWS\ehome\RMSysTry.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = I:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &AIM Search - i:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Search - ?p=ZJfox000
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://I:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://I:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - I:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - I:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - I:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - I:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - I:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - I:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - I:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - I:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - I:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///I:/Program%20Files/SCRABBLE/Images/stg_drm.ocx
O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) - http://coupons.smartsource.com/download/cscmv5X.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDow ... eqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 0206129562
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///I:/Program%20Files/SCRABBLE/Images/armhelper.ocx
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - i:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs: I:\WINDOWS\system32\saguyeba.dll
O23 - Service: Apple Mobile Device - Apple Inc. - I:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - I:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - I:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - I:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - I:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - I:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - I:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - I:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - i:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - I:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - i:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - I:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - I:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - I:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - I:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - I:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - I:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10505 bytes

Kats
Katsklau
Active Member
 
Posts: 5
Joined: December 21st, 2008, 7:41 pm

Re: Vundo Infection

Unread postby Bv202 » December 26th, 2008, 6:30 am

Hi again :)

COMBOFIX-Script
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code: Select all
    File::
    i:\windows\system32\hngrquuy.tmp
    i:\windows\system32\edl.dat
    i:\windows\system32\sijoyasu.dll
    i:\windows\system32\yupohote.dll
    i:\windows\system32\ponimero.dll
    i:\windows\system32\waluyelo.dll
    i:\windows\system32\gomuzidi.dll
    i:\windows\system32\guromome.dll
    i:\windows\Tasks\AdwareAlert Scheduled Scan.job
    
    Folder::
    i:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
    i:\program files\AdwareAlert
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54125f14-9193-4fd1-965e-7353d1ed29eb}]
    [-HKEY_CLASSES_ROOT\CLSID\{54125f14-9193-4fd1-965e-7353d1ed29eb}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "bipoyopeja"=-
    "000000af"=-
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00 
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=-
    
    

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Please post back the Combofix log + a new HijackThis log :)
Bv202
Regular Member
 
Posts: 1732
Joined: May 3rd, 2008, 10:46 am
Location: Belgium (GMT +1)

Re: Vundo Infection

Unread postby Bv202 » December 29th, 2008, 6:36 am

Hi

It's been 3 days since my last post. Do you still require help? If not, please tell us so we can close this thread.

If you do not reply within 2 days, this thread will get closed.
Bv202
Regular Member
 
Posts: 1732
Joined: May 3rd, 2008, 10:46 am
Location: Belgium (GMT +1)

Re: Vundo Infection

Unread postby Shaba » December 31st, 2008, 5:27 am

Due to lack of response this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 41 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware