Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Problem with Vundo.H and possibly more.

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: Problem with Vundo.H and possibly more.

Unread postby gringo_pr » May 2nd, 2009, 8:01 pm

Hello Fletch101

Yes that worked!!!!

There were some infections that showed up when we ran the Kaspersky scan the other day and a few things that MBAM has found (that I have not fixed - scan only) that I am anxious to get rid of.

C:\Documents and Settings\Jeff\.housecall6.6\Quarantine\beep.sys.bac_a03612 Infected: Backdoor.Win32.UltimateDefender.a 1
C:\Documents and Settings\Jeff\.housecall6.6\Quarantine\karna.dat.bac_a03612 Infected: Backdoor.Win32.Small.gjm 1
C:\Documents and Settings\Jeff\.housecall6.6\Quarantine\svchost.exe.bac_a03612 Infected: Trojan.Win32.Agent.akdq 1
C:\Documents and Settings\Jeff\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-6918d4c8.zip Infected: Exploit.Java.Gimsh.a 1
C:\Documents and Settings\Jeff\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-44f8f638.zip Infected: Exploit.Java.Gimsh.b 1


The first three things were in the Quarantine folder and is safe there
the last two things we cleaned up in this >poste<

the stuff in the MBAM log was cleaned at the time of the scan. But we will do these scans again to make sure all is clean now

: Malwarebytes' Anti-Malware :

    I would like you to rerun MBAM

  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


b]:Kaspersky scan:[/b]

    Please go to Kaspersky website and perform an online antivirus scan.

    • Read through the requirements and privacy statement and click on Accept button.
    • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    • When the downloads have finished, click on Settings.
    • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
        Spyware, Adware, Dialers, and other potentially dangerous programs
        Archives
        Mail databases
    • Click on My Computer under Scan.
    • Once the scan is complete, it will display the results. Click on View Scan Report.
    • You will see a list of infected items there. Click on Save Report As....
    • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
    • Please post this log in your next reply.

:information and logs:

    In your next post I need the following

      1.log from MBAM
      2.log from Kaspersky
      3.one last Hijackthis log

Gringo
User avatar
gringo_pr
Site Moderator
Site Moderator
 
Posts: 1816
Joined: March 31st, 2007, 1:35 pm
Location: puerto rico
Advertisement
Register to Remove

Re: Problem with Vundo.H and possibly more.

Unread postby Fletch101 » May 3rd, 2009, 12:07 pm

MBAM Log:
Malwarebytes' Anti-Malware 1.36
Database version: 2069
Windows 5.1.2600 Service Pack 2

5/2/2009 11:15:37 PM
mbam-log-2009-05-02 (23-15-37).txt

Scan type: Quick Scan
Objects scanned: 74702
Time elapsed: 2 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Kaspersky Log:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Sunday, May 3, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Sunday, May 03, 2009 06:54:29
Records in database: 2122830
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Files scanned: 141003
Threat name: 5
Infected objects: 5
Suspicious objects: 0
Duration of the scan: 02:26:11


File name / Threat name / Threats count
C:\Documents and Settings\Jeff\.housecall6.6\Quarantine\beep.sys.bac_a03612 Infected: Backdoor.Win32.UltimateDefender.a 1
C:\Documents and Settings\Jeff\.housecall6.6\Quarantine\karna.dat.bac_a03612 Infected: Backdoor.Win32.Small.gjm 1
C:\Documents and Settings\Jeff\.housecall6.6\Quarantine\svchost.exe.bac_a03612 Infected: Trojan.Win32.Agent.akdq 1
C:\Documents and Settings\Jeff\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-6918d4c8.zip Infected: Exploit.Java.Gimsh.a 1
C:\Documents and Settings\Jeff\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-44f8f638.zip Infected: Exploit.Java.Gimsh.b 1

The selected area was scanned.

HijackThis Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:04 AM, on 5/3/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ICQ6\ICQ.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe

--
End of file - 5236 bytes
Fletch101
Active Member
 
Posts: 12
Joined: April 27th, 2009, 10:34 pm

Re: Problem with Vundo.H and possibly more.

Unread postby gringo_pr » May 3rd, 2009, 7:15 pm

Hello Fletch101

That is being stubbern so lets try this

color=blue]:Run CFScript:[/color]

Open Notepad and copy/paste the text in the box into the window:

Code: Select all
File::
C:\Documents and Settings\Jeff\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-44f8f638.zip
C:\Documents and Settings\Jeff\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-6918d4c8.zip


Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe
Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

the rest of the logs are clean so if this works we will be done and I can give my all clean speach

let me have the combofix log please

Gringo
User avatar
gringo_pr
Site Moderator
Site Moderator
 
Posts: 1816
Joined: March 31st, 2007, 1:35 pm
Location: puerto rico

Re: Problem with Vundo.H and possibly more.

Unread postby Fletch101 » May 3rd, 2009, 8:43 pm

ComboFix 09-05-02.4 - Jeff 05/03/2009 19:36.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.661 [GMT -5:00]
Running from: c:\documents and settings\Jeff\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jeff\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated)

FILE ::
c:\documents and settings\Jeff\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-6918d4c8.zip
c:\documents and settings\Jeff\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-44f8f638.zip
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Jeff\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-6918d4c8.zip
c:\documents and settings\Jeff\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-44f8f638.zip

.
((((((((((((((((((((((((( Files Created from 2009-04-04 to 2009-05-04 )))))))))))))))))))))))))))))))
.

2009-05-02 22:40 . 2009-05-02 22:42 -------- d-----w c:\program files\GCFScape
2009-04-30 02:06 . 2009-04-30 02:06 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-29 04:40 . 2009-04-29 04:43 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-04-29 04:40 . 2009-04-29 04:40 -------- d-----w c:\program files\Avira
2009-04-29 04:40 . 2009-04-29 04:40 -------- d-----w c:\documents and settings\All Users\Application Data\Avira
2009-04-27 05:26 . 2009-04-27 05:26 -------- d-----w c:\program files\Trend Micro
2009-04-27 05:21 . 2008-10-22 01:04 102664 ----a-w c:\windows\system32\drivers\tmcomm.sys
2009-04-27 04:51 . 2009-04-27 04:51 -------- d-----w C:\VundoFix Backups
2009-04-04 20:34 . 2009-04-04 20:34 -------- d-----w c:\documents and settings\Jeff\Local Settings\Application Data\Intuit
2009-04-04 20:33 . 2009-04-04 20:33 -------- d-----w c:\program files\Common Files\AnswerWorks 5.0

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-04 00:36 . 2006-10-31 03:16 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-05-02 20:06 . 2006-10-31 03:13 295424 ----a-w c:\windows\system32\termsrv.dll
2009-04-30 04:32 . 2007-07-04 16:29 284 ----a-w c:\windows\Tasks\AppleSoftwareUpdate.job
2009-04-30 02:09 . 2006-10-31 05:44 -------- d-----w c:\program files\Java
2009-04-28 02:18 . 2007-12-01 02:00 -------- d-----w c:\program files\Steam
2009-04-28 01:50 . 2009-04-28 01:50 0 ----a-w c:\documents and settings\Jeff\ntuser.tmp
2009-04-27 02:44 . 2008-10-22 05:52 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-06 20:32 . 2008-10-22 05:52 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 20:32 . 2008-10-22 05:53 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-04 20:33 . 2006-10-31 04:53 72880 ----a-w c:\documents and settings\Jeff\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-04 20:31 . 2007-04-14 16:34 -------- d-----w c:\program files\Common Files\Intuit
2009-04-04 20:29 . 2007-04-14 16:33 -------- d-----w c:\program files\TurboTax
2009-03-19 03:35 . 2008-07-03 03:42 -------- d-----w c:\program files\ICQ6
2009-03-17 17:09 . 2009-03-17 17:09 6 ----a-w c:\windows\Fonts\wfonts.key
2009-02-09 01:01 . 2007-05-18 03:33 140216 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-02-09 01:01 . 2007-05-18 03:33 201352 ----a-w c:\windows\system32\PnkBstrB.exe
.

((((((((((((((((((((((((((((( SnapShot_2009-05-01_21.42.02 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-03 04:17 . 2009-05-03 04:17 16384 c:\windows\temp\Perflib_Perfdata_70.dat
+ 2006-10-31 03:13 . 2009-05-02 20:06 295424 c:\windows\system32\dllcache\termsrv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-30 148888]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2006-06-21 577536]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-12-05 1626112]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave7"= Echo3GWrap.dll
"Midi1"= usbmn4x4.dll
"midi2"= ma_cmidn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Quake III Arena\\quake3.exe"=
"c:\\Unreal Anthology\\UT2004\\System\\UT2004.exe"=
"c:\\Program Files\\Steam\\SteamApps\\fletch_101\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\fletch_101\\counter-strike source\\hl2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2142\\BF2142.exe"=
"c:\\Program Files\\ICQ6\\ICQ.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"c:\\Program Files\\BZFlag2.0.10\\bzfs.exe"=
"c:\\Program Files\\BZFlag2.0.10\\bzflag.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"41952:TCP"= 41952:TCP:TVersity 01
"41952:UDP"= 41952:UDP:TVersity 02
"6112:TCP"= 6112:TCP:Blizzard Downloader: 6112

R0 FGXSCSI;FGXSCSI; [x]
R3 USB44LDR;M-Audio USB MIDISPORT 4x4 Loader;c:\windows\system32\drivers\usb44ldr.sys [2007-11-14 23080]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-04-29 108289]
S2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2009-02-25 13088]
S3 echo3g;Echo3G Service;c:\windows\system32\drivers\echo3g.sys [2006-08-17 221696]
S3 USBMN4X4;M-Audio USB MidiSport 4x4;c:\windows\system32\drivers\usbmn4x4.sys [2008-01-06 22304]

.
Contents of the 'Scheduled Tasks' folder

2009-04-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: turbotax.com
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Jeff\Application Data\Mozilla\Firefox\Profiles\dtklt8bm.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-03 19:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-05-04 19:39
ComboFix-quarantined-files.txt 2009-05-04 00:39
ComboFix2.txt 2009-05-02 22:15
ComboFix3.txt 2009-05-02 20:14
ComboFix4.txt 2009-05-01 21:43
ComboFix5.txt 2009-05-04 00:34

Pre-Run: 12,761,071,616 bytes free
Post-Run: 12,884,905,984 bytes free

150 --- E O F --- 2008-07-09 08:00
Fletch101
Active Member
 
Posts: 12
Joined: April 27th, 2009, 10:34 pm

Re: Problem with Vundo.H and possibly more.

Unread postby gringo_pr » May 3rd, 2009, 10:38 pm

This is my general post for when your logs show no more signs of malware ;)- Please let me know if you still are having problems with your computer and what these problems are

:Time for some housekeeping:
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
  • Image

:remove tools:
    Let's clear out the programmes we've been using to clean up your computer, they are not suitable for general malware removal and could cause damage if used inappropriately.


    Please download OTCleanIt and save it to desktop. This tool will remove all the tools we used to clean your pc.
    • Double-click OTCleanIt.exe.
    • Click the CleanUp! button.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes, if not delete it by yourself.
    Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

:Make your Internet Explorer more secure:


:Turn On Automatic Updates:

    Turn On Automatic Updates
    1. Click Start, click Run, type sysdm.cpl, and then press ENTER.
    2. Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select the Automatic (recommended) Automatically download recommended updates for my computer and install them

    If you click this setting, click to select the day and time for scheduled updates to occur. You can schedule Automatic Updates for any time of day. Remember, your computer must be on at the scheduled time for updates to be installed. After you set this option, Windows recognizes when you are online and uses your Internet connection to find updates on the Windows Update Web site or on the Microsoft Update Web site that apply to your computer. Updates are downloaded automatically in the background, and you are not notified or interrupted during this process. An icon appears in the notification area of your taskbar when the updates are being downloaded. You can point to the icon to view the download status. To pause or to resume the download, right-click the icon, and then click Pause or Resume. When the download is completed, another message appears in the notification area so that you can review the updates that are scheduled for installation. If you choose not to install at that time, Windows starts the installation on your set schedule.

    or visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

:antispyware programs:
    you have a couple of good antispyware programs on this computer but you still can try some of these others to see if you like them also

    I would reccomend the download and installation of some or all of the following programs (all free), and the updating of them regularly:
    • WinPatrol As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.

    • Malwarebytes' Anti-Malware- Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is
      totally free but for real-time protection you will have to pay a small one-time fee.
    • Spyware Blaster - By altering your registry, this program stops harmful sites from installing things like ActiveX Controls on your machines.


Consider a custom hosts file

This custom hosts file effectively blocks a wide range of unwanted ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.

Download HostsXpert and unzip it to your computer, somewhere where you can find it.

  • Double click on HostsXpert.exe to launch the programme.
  • Check to see if top button on left hand side says Make Writable ?
    • If it does. click on it then proceed to next instruction.
    • If not, just proceed to next instruction
  • Click on the Download button (lower left hand side)
    • Click on MVPs Hosts... button.
    • Click on Replace button.
    • Press OK in the box that pops up. (HostsXpert will now download and update your Hosts file)
  • When finished.
    • Click on File Handling button.
    • Click on Make Read Only ? to secure it against infection.
  • Exit the programme.

If you use the host file you should disable the DNS Client

In XP
    DnsDisabled.bat (resets the DNS Client to Disabled) [right-click and select: Save Target As]
    To use: double-click on the downloaded file and reboot that's it ...

please read this great article by miekiemoes How to prevent Malware:
and
this great article by Tony Klein So How Did I Get Infected In First Place

Now you have followed my advice - it's time to lodge a complaint against what you have suffered.........

Malware Complaints
If you were infected .... Stand Up and be Counted.

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

Gringo
User avatar
gringo_pr
Site Moderator
Site Moderator
 
Posts: 1816
Joined: March 31st, 2007, 1:35 pm
Location: puerto rico

Re: Problem with Vundo.H and possibly more.

Unread postby Fletch101 » May 4th, 2009, 1:12 am

Gringo,

Thanks for all your help. I sent a small donation to the site to show my appreciation. I am still reading through all the information in your last post and still have yet to install everything you recommended, but I'm working on it. I have two questions for you:

1. Can I remove the termsrv.dll from my desktop?
2. I was going to post on Malware Complaints, but I'm not sure exactly which malware(s) I had. Was it Vundo.H, something else, or both?

Fletch
Fletch101
Active Member
 
Posts: 12
Joined: April 27th, 2009, 10:34 pm

Re: Problem with Vundo.H and possibly more.

Unread postby gringo_pr » May 4th, 2009, 6:03 am

hello Fletch101

Thanks for all your help. I sent a small donation to the site to show my appreciation. I am still reading through all the information in your last post and still have yet to install everything you recommended, but I'm working on it. I have two questions for you:
thank you very much

1. Can I remove the termsrv.dll from my desktop?
yes you can

.
I was going to post on Malware Complaints, but I'm not sure exactly which malware(s) I had. Was it Vundo.H, something else, or both?
vundo with W32.Tidserv

gringo
User avatar
gringo_pr
Site Moderator
Site Moderator
 
Posts: 1816
Joined: March 31st, 2007, 1:35 pm
Location: puerto rico

Re: Problem with Vundo.H and possibly more.

Unread postby Fletch101 » May 4th, 2009, 10:15 am

Great. Thanks.
Fletch101
Active Member
 
Posts: 12
Joined: April 27th, 2009, 10:34 pm

Re: Problem with Vundo.H and possibly more.

Unread postby NonSuch » May 5th, 2009, 7:41 pm

As this issue appears to be resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
User avatar
NonSuch
Administrator
Administrator
 
Posts: 27302
Joined: February 23rd, 2005, 7:08 am
Location: California
Advertisement
Register to Remove

Previous

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 28 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware