Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Trojan.Vundo.H and maybe more

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: Trojan.Vundo.H and maybe more

Unread postby SLR » July 8th, 2010, 3:16 pm

Hello Cypher,

Jotti results:

Filename: uybxfivm.sys
Status: Scan finished. 0 out of 18 scanners reported malware.
Scan taken on: Thu 8 Jul 2010 21:07:25 (CET) Permalink

Virustotal result:

File uybxfivm.sys received on 2010.07.08 19:10:45 (UTC)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED

Result: 0/41 (0%)
Regular Member
Posts: 15
Joined: July 4th, 2010, 1:28 pm
Register to Remove

Re: Trojan.Vundo.H and maybe more

Unread postby Cypher » July 8th, 2010, 3:21 pm


Scan With RKUnHooker

  • Please Download Rootkit Unhooker Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth, Files, Code Hooks. Uncheck the rest. then Click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
  • Copy the entire contents of this log in you're next reply.
  • Note: This log can be big you may need post it in separate replies.
User avatar
Posts: 14936
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: Trojan.Vundo.H and maybe more

Unread postby SLR » July 8th, 2010, 5:27 pm

Hi Cypher,

Here's the log you asked for:

RkU Version: 3.8.388.590, Type LE (SR2)
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
0xF67B5000 C:\WINDOWS\system32\DRIVERS\w29n51.sys 3211264 bytes (Intel® Corporation, Intel® Wireless LAN Driver)
0xBF088000 C:\WINDOWS\System32\ati3duag.dll 2256896 bytes (ATI Technologies Inc. , ati3duag.dll)
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2066816 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2066816 bytes
0x804D7000 RAW 2066816 bytes
0x804D7000 WMIxWDM 2066816 bytes
0xBF800000 Win32k 1851392 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1851392 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xF65FB000 C:\WINDOWS\system32\DRIVERS\HSF_DP.sys 1044480 bytes (Conexant Systems, Inc., HSF_DP driver)
0xF6B11000 C:\WINDOWS\system32\DRIVERS\ati2mtag.sys 913408 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Miniport Driver)
0xF6553000 C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys 688128 bytes (Conexant Systems, Inc., HSF_CNXT driver)
0xF729B000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xBF2AF000 C:\WINDOWS\System32\ativvaxx.dll 483328 bytes (ATI Technologies Inc. , Radeon Video Acceleration Universal Driver)
0xEE19E000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xEE13B000 C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys 405504 bytes (Symantec Corporation, Symantec Eraser Control Driver)
0xF6407000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xEE333000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xEC85B000 C:\WINDOWS\system32\DRIVERS\srv.sys 356352 bytes (Microsoft Corporation, Server driver)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xF6772000 C:\WINDOWS\system32\drivers\STAC97.sys 274432 bytes (SigmaTel, Inc., SigmaTel Audio Driver (WDM))
0xEC107000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xF64FB000 C:\WINDOWS\system32\DRIVERS\iwca.sys 249856 bytes (Intel Corporation, Intel Wireless Connection Agent)
0xBF04C000 C:\WINDOWS\System32\ati2cqag.dll 245760 bytes (ATI Technologies Inc., Central Memory Manager / Queue Server Module)
0xBF012000 C:\WINDOWS\System32\ati2dvag.dll 237568 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Display Driver)
0xEE2F9000 C:\WINDOWS\System32\Drivers\avgtdix.sys 237568 bytes (AVG Technologies CZ, s.r.o., AVG Network connection watcher)
0xEE107000 C:\WINDOWS\System32\Drivers\avgldx86.sys 212992 bytes (AVG Technologies CZ, s.r.o., AVG AVI Loader Driver)
0xF66FA000 C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys 200704 bytes (Conexant Systems, Inc., HSFHWICH WDM driver)
0xF73EC000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xEC9DA000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF726E000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xEBB98000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xEE236000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xEE283000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xEE20E000 C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys 163840 bytes (Trusteer Ltd., RapportPG)
0xEE2D3000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xF674E000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xF6AD9000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xF672B000 C:\WINDOWS\system32\drivers\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xEE261000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806D0000 ACPI_HAL 131840 bytes
0x806D0000 C:\WINDOWS\system32\hal.dll 131840 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF7366000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF739E000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xF73BD000 pcmcia.sys 122880 bytes (Microsoft Corporation, PCMCIA Bus Driver)
0xF6538000 C:\WINDOWS\system32\DRIVERS\Apfiltr.sys 110592 bytes (Alps Electric Co., Ltd., Alps Touch Pad Driver)
0xF7254000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xECED0000 C:\WINDOWS\system32\dla\tfsnudf.sys 102400 bytes (Sonic Solutions, Drive Letter Access Component)
0xECEB7000 C:\WINDOWS\system32\dla\tfsnudfa.sys 102400 bytes (Sonic Solutions, Drive Letter Access Component)
0xF7386000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xF7328000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xF64E4000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xECF11000 C:\WINDOWS\system32\dla\tfsnifs.sys 90112 bytes (Sonic Solutions, Drive Letter Access Component)
0xF733F000 drvmcdb.sys 86016 bytes (Sonic Solutions, Device Driver)
0xEC99D000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xF6AC5000 C:\WINDOWS\system32\DRIVERS\sdbus.sys 81920 bytes (Microsoft Corporation, SecureDigital Bus Driver)
0xF6AFD000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xEE38C000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF7354000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xF73DB000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xF64D3000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xF771B000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF75FB000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xF758B000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0xF6BF0000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF760B000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xECBAF000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF769B000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF759B000 C:\WINDOWS\system32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0xF751B000 cufqe.sys 57344 bytes
0xF76DB000 C:\Program Files\Trusteer\Rapport\bin\RapportKELL.sys 57344 bytes (Trusteer Ltd., RapportKE)
0xF756B000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF75DB000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xF761B000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF754B000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF763B000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF6C00000 C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys 45056 bytes (Broadcom Corporation, Broadcom Corporation NDIS 5.1 ethernet driver)
0xF76EB000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF75EB000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF753B000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF762B000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF6C20000 C:\WINDOWS\system32\drivers\drvnddm.sys 40960 bytes (Sonic Solutions, Device Driver Manager)
0xF752B000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF766B000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF765B000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF755B000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF6C10000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xF764B000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xF76AB000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xF75BB000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xF757B000 PxHelp20.sys 36864 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xEE0F7000 C:\WINDOWS\system32\dla\tfsncofs.sys 36864 bytes (Sonic Solutions, Drive Letter Access Component)
0xF76CB000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF788B000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xF78F3000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF7883000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF78DB000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xF77A3000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF7913000 C:\WINDOWS\system32\dla\tfsnboio.sys 28672 bytes (Sonic Solutions, Drive Letter Access Component)
0xF78FB000 C:\WINDOWS\System32\Drivers\avgmfx86.sys 24576 bytes (AVG Technologies CZ, s.r.o., AVG Resident Shield Minifilter Driver)
0xF789B000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF7893000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF78D3000 C:\WINDOWS\system32\drivers\ssrtln.sys 24576 bytes (Sonic Solutions, Shared Driver Component)
0xF787B000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xF779B000 uybxfivm.sys 24576 bytes (Microsoft Corporation, NWLINK2 Traffic Filter Driver)
0xF78E3000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xF78BB000 C:\WINDOWS\system32\DRIVERS\wanatw4.sys 24576 bytes (America Online, Inc., Wan Miniport (ATW))
0xF78EB000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF78C3000 C:\WINDOWS\system32\DRIVERS\omci.sys 20480 bytes (Dell Inc, OMCI Device Driver)
0xF77AB000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF78AB000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF78B3000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel(R) mini-port/call-manager driver)
0xF78A3000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF790B000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xECE97000 C:\WINDOWS\system32\DRIVERS\AegisP.sys 16384 bytes (Meetinghouse Data Communications, IEEE 802.1X Protocol Driver)
0xF64BF000 C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS 16384 bytes (Dell Inc, App Support Driver)
0xF7933000 C:\WINDOWS\system32\DRIVERS\BATTC.SYS 16384 bytes (Microsoft Corporation, Battery Class Driver)
0xF79D3000 C:\WINDOWS\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
0xF79F7000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xECE8F000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xED037000 C:\WINDOWS\system32\dla\tfsnopio.sys 16384 bytes (Sonic Solutions, Drive Letter Access Component)
0xF792B000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xF792F000 compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
0xF63EB000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xF79DB000 C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys 12288 bytes (GEAR Software Inc., CD DVD Filter)
0xF7207000 C:\WINDOWS\System32\Drivers\i2omgmt.SYS 12288 bytes (Microsoft Corporation, I2O Utility Filter)
0xECA17000 C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys 12288 bytes (Conexant, Diagnostic Interface DRIVER)
0xF79E3000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xF71FF000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xECE93000 C:\WINDOWS\system32\DRIVERS\s24trans.sys 12288 bytes (Intel Corporation, Intel WLAN Packet Driver)
0xF7AA5000 C:\WINDOWS\System32\Drivers\ASCTRM.SYS 8192 bytes (Windows (R) 2000 DDK provider, TR Manager)
0xF7A47000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF7AA7000 C:\WINDOWS\system32\DRIVERS\dsunidrv.sys 8192 bytes (Gteko Ltd., GUniDriver)
0xF7AD3000 C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys 8192 bytes
0xF7A45000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF7A1B000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF7A49000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF7A4B000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF7A3D000 C:\WINDOWS\system32\drivers\sscdbhk5.sys 8192 bytes (Sonic Solutions, Shared Driver Component)
0xF7A3F000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF7A5F000 C:\WINDOWS\system32\dla\tfsnpool.sys 8192 bytes (Sonic Solutions, Drive Letter Access Component)
0xF7A41000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF7A1D000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF7C5E000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xF7B56000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF7B9B000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF7AE3000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
0xF7B6D000 C:\WINDOWS\system32\dla\tfsndrct.sys 4096 bytes (Sonic Solutions, Drive Letter Access Component)
0xF7B6C000 C:\WINDOWS\system32\dla\tfsndres.sys 4096 bytes (Sonic Solutions, Drive Letter Access Component)
WARNING: Virus alike driver modification [uybxfivm.sys]
!-->[Hidden] C:\Documents and Settings\All Users\Application Data\avg9\Chjw\ca785a90785a7b61\47b83e51-96f9-48c2-b11e-5a8bbe8113fb
!-->[Hidden] C:\Documents and Settings\All Users\Application Data\avg9\Chjw\ca785a90785a7b61\e00be960-38a6-4a20-abf5-0405e64222d9
!-->[Hidden] C:\Documents and Settings\Tony\Application Data\Trusteer\Rapport\user\logs\koan.3968.2.log
!-->[Hidden] C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP472\A0204392.cfg
ntkrnlpa.exe+0x0006AA8A, Type: Inline - RelativeJump 0x80541A8A-->80541A91 [ntkrnlpa.exe]
ntkrnlpa.exe+0x000D9FF5, Type: Inline - RelativeJump 0x805B0FF5-->871DAAD8 [unknown_code_page]
ntkrnlpa.exe-->ObOpenObjectByName, Type: Inline - RelativeJump 0x805B0FFA-->805B0FF9 [ntkrnlpa.exe]
[1692]ZCfgSvc.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->00000000 [shimeng.dll]
[1692]ZCfgSvc.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->00000000 [shimeng.dll]
[1692]ZCfgSvc.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x0043F164-->00000000 [shimeng.dll]
[1692]ZCfgSvc.exe-->shell32.dll-->advapi32.dll-->ControlService, Type: IAT modification 0x7C9C1060-->00000000 [acgenral.dll]
[1692]ZCfgSvc.exe-->shell32.dll-->advapi32.dll-->OpenServiceW, Type: IAT modification 0x7C9C1068-->00000000 [acgenral.dll]
[1692]ZCfgSvc.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->00000000 [shimeng.dll]
[1692]ZCfgSvc.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->00000000 [shimeng.dll]
[1832]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->00000000 [shimeng.dll]
[1832]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->00000000 [shimeng.dll]
[1832]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->00000000 [shimeng.dll]
[1832]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->00000000 [shimeng.dll]
[1832]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->00000000 [shimeng.dll]
[1832]explorer.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x3D931480-->00000000 [shimeng.dll]
[1832]explorer.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71AB109C-->00000000 [shimeng.dll]
[3968]iexplore.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->00000000 [shimeng.dll]
[3968]iexplore.exe-->advapi32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x77DD1214-->00000000 [aclayers.dll]
[3968]iexplore.exe-->advapi32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x77DD105C-->00000000 [aclayers.dll]
[3968]iexplore.exe-->advapi32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x77DD11E0-->00000000 [aclayers.dll]
[3968]iexplore.exe-->gdi32.dll-->BitBlt, Type: Inline - PushRet 0x77F16F79-->00000000 [unknown_code_page]
[3968]iexplore.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->00000000 [shimeng.dll]
[3968]iexplore.exe-->gdi32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x77F11084-->00000000 [aclayers.dll]
[3968]iexplore.exe-->gdi32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x77F11078-->00000000 [aclayers.dll]
[3968]iexplore.exe-->gdi32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x77F110B8-->00000000 [aclayers.dll]
[3968]iexplore.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x0040111C-->00000000 [shimeng.dll]
[3968]iexplore.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x00401060-->00000000 [aclayers.dll]
[3968]iexplore.exe-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x004010B8-->00000000 [aclayers.dll]
[3968]iexplore.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF5-->00000000 [unknown_code_page]
[3968]iexplore.exe-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x00401078-->00000000 [aclayers.dll]
[3968]iexplore.exe-->kernel32.dll-->SetUnhandledExceptionFilter, Type: Inline - PushRet 0x7C84495D-->00000000 [unknown_code_page]
[3968]iexplore.exe-->mswsock.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71A51178-->00000000 [shimeng.dll]
[3968]iexplore.exe-->mswsock.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x71A51184-->00000000 [aclayers.dll]
[3968]iexplore.exe-->mswsock.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x71A511A0-->00000000 [aclayers.dll]
[3968]iexplore.exe-->ntdll.dll-->KiUserApcDispatcher, Type: Inline - RelativeJump 0x7C90E450-->00000000 [rooksdol.dll]
[3968]iexplore.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->00000000 [shimeng.dll]
[3968]iexplore.exe-->shell32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x7C9C13E8-->00000000 [aclayers.dll]
[3968]iexplore.exe-->shell32.dll-->kernel32.dll-->LoadLibraryExA, Type: IAT modification 0x7C9C163C-->00000000 [aclayers.dll]
[3968]iexplore.exe-->shell32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7C9C161C-->00000000 [aclayers.dll]
[3968]iexplore.exe-->shell32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x7C9C15A0-->00000000 [aclayers.dll]
[3968]iexplore.exe-->user32.dll-->DdeInitializeW, Type: Inline - PushRet 0x7E4206D7-->00000000 [unknown_code_page]
[3968]iexplore.exe-->user32.dll-->DialogBoxIndirectParamA, Type: Inline - RelativeJump 0x7E456D7D-->00000000 [ieframe.dll]
[3968]iexplore.exe-->user32.dll-->DialogBoxIndirectParamW, Type: Inline - RelativeJump 0x7E432072-->00000000 [ieframe.dll]
[3968]iexplore.exe-->user32.dll-->DialogBoxParamA, Type: Inline - RelativeJump 0x7E43B144-->00000000 [ieframe.dll]
[3968]iexplore.exe-->user32.dll-->DialogBoxParamW, Type: Inline - RelativeJump 0x7E4247AB-->00000000 [ieframe.dll]
[3968]iexplore.exe-->user32.dll-->GetClipboardData, Type: Inline - PushRet 0x7E430DBA-->00000000 [unknown_code_page]
[3968]iexplore.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->00000000 [shimeng.dll]
[3968]iexplore.exe-->user32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x7E4112F4-->00000000 [aclayers.dll]
[3968]iexplore.exe-->user32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7E411208-->00000000 [aclayers.dll]
[3968]iexplore.exe-->user32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x7E411340-->00000000 [aclayers.dll]
[3968]iexplore.exe-->user32.dll-->MessageBoxExA, Type: Inline - RelativeJump 0x7E45085C-->00000000 [ieframe.dll]
[3968]iexplore.exe-->user32.dll-->MessageBoxExW, Type: Inline - RelativeJump 0x7E450838-->00000000 [ieframe.dll]
[3968]iexplore.exe-->user32.dll-->MessageBoxIndirectA, Type: Inline - RelativeJump 0x7E43A082-->00000000 [ieframe.dll]
[3968]iexplore.exe-->user32.dll-->MessageBoxIndirectW, Type: Inline - RelativeJump 0x7E4664D5-->00000000 [ieframe.dll]
[3968]iexplore.exe-->user32.dll-->RegisterClassA, Type: Inline - PushRet 0x7E42EA5E-->00000000 [unknown_code_page]
[3968]iexplore.exe-->user32.dll-->RegisterClassExW, Type: Inline - PushRet 0x7E41AF7F-->00000000 [unknown_code_page]
[3968]iexplore.exe-->user32.dll-->RegisterClassW, Type: Inline - PushRet 0x7E41A39A-->00000000 [unknown_code_page]
[3968]iexplore.exe-->user32.dll-->TranslateMessage, Type: Inline - PushRet 0x7E418BF6-->00000000 [unknown_code_page]
[3968]iexplore.exe-->wininet.dll-->HttpAddRequestHeadersA, Type: Inline - PushRet 0x3D94632F-->00000000 [unknown_code_page]
[3968]iexplore.exe-->wininet.dll-->HttpOpenRequestA, Type: Inline - PushRet 0x3D94AA7B-->00000000 [unknown_code_page]
[3968]iexplore.exe-->wininet.dll-->HttpOpenRequestW, Type: Inline - PushRet 0x3D94C49A-->00000000 [unknown_code_page]
[3968]iexplore.exe-->wininet.dll-->HttpSendRequestA, Type: Inline - PushRet 0x3D953558-->00000000 [unknown_code_page]
[3968]iexplore.exe-->wininet.dll-->HttpSendRequestExA, Type: Inline - PushRet 0x3D9AA92E-->00000000 [unknown_code_page]
[3968]iexplore.exe-->wininet.dll-->HttpSendRequestExW, Type: Inline - PushRet 0x3D958C49-->00000000 [unknown_code_page]
[3968]iexplore.exe-->wininet.dll-->HttpSendRequestW, Type: Inline - PushRet 0x3D95FDF9-->00000000 [unknown_code_page]
[3968]iexplore.exe-->wininet.dll-->InternetCloseHandle, Type: Inline - PushRet 0x3D944261-->00000000 [unknown_code_page]
[3968]iexplore.exe-->wininet.dll-->InternetConnectA, Type: Inline - PushRet 0x3D94B0D2-->00000000 [unknown_code_page]
[3968]iexplore.exe-->wininet.dll-->InternetConnectW, Type: Inline - PushRet 0x3D94C2C0-->00000000 [unknown_code_page]
[3968]iexplore.exe-->wininet.dll-->InternetGetCookieA, Type: Inline - PushRet 0x3D9AC120-->00000000 [unknown_code_page]
[3968]iexplore.exe-->wininet.dll-->InternetGetCookieExA, Type: Inline - PushRet 0x3D963A49-->00000000 [unknown_code_page]
[3968]iexplore.exe-->wininet.dll-->InternetOpenA, Type: Inline - PushRet 0x3D953081-->00000000 [unknown_code_page]
[3968]iexplore.exe-->wininet.dll-->InternetOpenW, Type: Inline - PushRet 0x3D9536B1-->00000000 [unknown_code_page]
[3968]iexplore.exe-->wininet.dll-->InternetQueryDataAvailable, Type: Inline - PushRet 0x3D951615-->00000000 [unknown_code_page]
[3968]iexplore.exe-->wininet.dll-->InternetReadFileExA, Type: Inline - PushRet 0x3D963384-->00000000 [unknown_code_page]
[3968]iexplore.exe-->wininet.dll-->InternetSetStatusCallback, Type: Inline - PushRet 0x3D957D7B-->00000000 [unknown_code_page]
[3968]iexplore.exe-->wininet.dll-->InternetWriteFile, Type: Inline - PushRet 0x3D958D5C-->00000000 [unknown_code_page]
[3968]iexplore.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x3D931480-->00000000 [shimeng.dll]
[3968]iexplore.exe-->wininet.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x3D931484-->00000000 [aclayers.dll]
[3968]iexplore.exe-->wininet.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x3D931418-->00000000 [aclayers.dll]
[3968]iexplore.exe-->wininet.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x3D9313EC-->00000000 [aclayers.dll]
[3968]iexplore.exe-->ws2_32.dll-->connect, Type: Inline - RelativeJump 0x71AB4A07-->00000000 [unknown_code_page]
[3968]iexplore.exe-->ws2_32.dll-->getaddrinfo, Type: Inline - RelativeJump 0x71AB2A6F-->00000000 [unknown_code_page]
[3968]iexplore.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71AB109C-->00000000 [shimeng.dll]
[3968]iexplore.exe-->ws2_32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x71AB10A8-->00000000 [aclayers.dll]

Hope this helps :)
Regular Member
Posts: 15
Joined: July 4th, 2010, 1:28 pm

Re: Trojan.Vundo.H and maybe more

Unread postby Cypher » July 9th, 2010, 6:32 am

First off well done running these scans and fixes you're doing great.
Lets try this again and see if we can get it this time.
Again please disable you're AV and SpyHunter before running ComboFix.

ComboFix - CFScript
This script is for this user and computer ONLY! Using this tool incorrectly could cause problems with your operating system... preventing it from ever starting again!
You will not have Internet access when you execute ComboFix. All open windows will need to be closed!
  1. Please open Notepad and copy/paste all the text below... into the window:
    Code: Select all
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C08E33F0-EFDB-495F-8E40-01BC8B895D0F}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E8D4C50D-066A-4EB3-AB76-32D415CB10B5}]
  2. Save it to your desktop as CFScript.txt
  3. Please disable any Antivirus or Firewall you have active, as shown in this topic. Please close all open application windows.
    *Only* when the 2 items above (Step 3) have been taken care of...
  4. Drag the CFScript.txt (icon) into the ComboFix.exe icon... as seen in the image below:
    This will cause ComboFix to run again.
    Do Not use your keyboard or mouse click anywhere in the ComboFix window, as this may cause the program to stall or crash.
    Do Not touch your computer when ComboFix is running!
  5. When finished ComboFix will create a log file... you can save this file to a convenient place.
Please copy/paste the ComboFix log file in your next reply.


Malwarebytes Anti-Malware:

  • Launch the application, Check for Updates >> Perform Quick Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Check all items except items in the C:\System Volume Information folder... and click Remove Selected.
    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Logs/Information to Post in your Next Reply

  • ComboFix log.
  • Malwarebytes log.
  • Please give me an update on your computers performance.
User avatar
Posts: 14936
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: Trojan.Vundo.H and maybe more

Unread postby SLR » July 9th, 2010, 11:34 am

Hello Cypher :D

I think we've had success! I'll post the files you asked for so you can confirm

ComboFix Log:

ComboFix 10-07-08.02 - Tony 09/07/2010 15:39:21.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.365 [GMT 1:00]
Running from: c:\documents and settings\Tony\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Tony\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}


file zipped: c:\windows\system32\drivers\uybxfivm.sys

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


((((((((((((((((((((((((( Files Created from 2010-06-09 to 2010-07-09 )))))))))))))))))))))))))))))))

2010-07-07 18:16 . 2010-07-07 18:16 -------- d-----w- C:\_OTM
2010-07-07 18:11 . 2010-07-07 18:11 -------- d-----w- c:\program files\ERUNT
2010-07-06 21:52 . 2010-07-06 21:53 -------- d-----w- C:\rsit
2010-07-06 20:20 . 2010-07-06 20:49 -------- d-----w- c:\windows\system32\NtmsData
2010-07-04 17:15 . 2010-07-04 17:15 388096 ------r- c:\documents and settings\Tony\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-07-04 17:15 . 2010-07-07 18:48 -------- d-----w- c:\program files\Trend Micro
2010-07-01 15:53 . 2010-07-01 15:53 110080 ------r- c:\documents and settings\Tony\Application Data\Microsoft\Installer\{4FC9DA9D-F608-454E-8191-D7EFFDCC5726}\IconF7A21AF7.exe
2010-07-01 15:53 . 2010-07-01 15:53 110080 ------r- c:\documents and settings\Tony\Application Data\Microsoft\Installer\{4FC9DA9D-F608-454E-8191-D7EFFDCC5726}\IconD7F16134.exe
2010-07-01 15:53 . 2010-07-01 15:53 -------- d-----w- c:\program files\Enigma Software Group
2010-06-30 17:05 . 2010-06-30 17:05 71680 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-06-29 20:34 . 2010-06-29 20:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Backup
2010-06-29 20:33 . 2003-10-22 17:23 446464 ----a-w- c:\windows\system32\HHActiveX.dll
2010-06-29 10:04 . 2010-06-29 10:04 -------- d-----w- c:\documents and settings\Tony\Application Data\Malwarebytes
2010-06-29 09:06 . 2010-06-29 09:06 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2010-06-29 08:57 . 2010-06-29 08:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-06-29 08:57 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-29 08:57 . 2010-06-29 08:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-29 08:57 . 2010-06-29 08:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-29 08:57 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-29 08:30 . 2010-06-29 08:30 63488 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-06-29 08:30 . 2010-06-29 08:30 52224 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-06-29 08:30 . 2010-06-29 08:30 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-29 08:29 . 2010-06-29 08:29 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-06-28 21:35 . 2010-06-29 08:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-06-28 21:35 . 2010-06-28 21:35 -------- d-----w- c:\program files\Alwil Software
2010-06-10 07:30 . 2010-06-10 07:30 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2010-07-08 22:18 . 2005-09-06 10:35 -------- d-----w- c:\program files\Common Files\Adobe
2010-07-06 21:13 . 2008-06-06 19:17 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-07-06 21:13 . 2008-12-19 18:04 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-07-06 21:07 . 2008-06-04 06:21 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-07-06 21:06 . 2008-06-04 06:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-06 21:00 . 2005-09-01 08:45 -------- d-----w- c:\program files\Java
2010-07-03 12:57 . 2005-09-01 08:46 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-02 18:03 . 2008-06-04 00:51 -------- d-----w- c:\program files\Panda Security
2010-07-01 22:05 . 2004-08-10 11:51 8832 ----a-w- c:\windows\system32\drivers\rasacd.sys
2010-07-01 21:31 . 2009-11-17 19:07 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-06-30 21:06 . 2009-11-05 10:23 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-06-30 17:08 . 2009-11-05 10:26 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-06-07 17:07 . 2010-06-07 17:07 434176 ----a-w- c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\17053\RapportMS.dll
2010-06-07 07:27 . 2008-06-03 22:39 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-07 07:27 . 2008-03-07 18:09 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-05-04 17:20 . 2004-08-10 11:51 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2004-08-10 11:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20 . 2004-08-10 11:50 17408 ----a-w- c:\windows\system32\corpol.dll
2010-05-02 05:22 . 2004-08-10 11:51 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2004-08-10 11:50 285696 ----a-w- c:\windows\system32\atmfd.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-10-16 12:12 1119488 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]


"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-06-07 2065248]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Tony\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2009-3-24 385024]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-12 09:45 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 15:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"EnableFirewall"= 0 (0x0)

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Deskjet 9800 Series\\Toolbox\\HPWQTBX.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [03/06/2008 23:39 216200]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [03/06/2008 23:39 242896]
R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [07/06/2010 18:07 59240]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [07/06/2010 18:07 166632]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [12/03/2010 10:45 308064]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [07/06/2010 18:07 840936]
R2 SpyHunter 4 Service;SpyHunter 4 Service;c:\progra~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [18/05/2010 17:06 327064]
S2 gupdate1c9b2d5db34536c;Google Update Service (gupdate1c9b2d5db34536c);c:\program files\Google\Update\GoogleUpdate.exe [01/04/2009 15:26 133104]
S3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [27/01/2010 18:10 5248]
Contents of the 'Scheduled Tasks' folder

2010-07-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]

2010-07-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-01 14:26]

2010-07-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-01 14:26]

2010-07-08 c:\windows\Tasks\SpyHunter4.job
- c:\program files\Enigma Software Group\SpyHunter\SpyHunter4.exe [2010-05-18 16:04]
------- Supplementary Scan -------
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.dell.co.uk/myway
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI8CBC~1\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html


catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-09 15:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3781343841-3770824809-4058466095-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

@DACL=(02 0000)
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(960)
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'explorer.exe'(4820)
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
------------------------ Other Running Processes ------------------------
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Intel\Wireless\Bin\ZcfgSvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\Apoint\HidFind.exe
c:\program files\Apoint\Apntex.exe
Completion time: 2010-07-09 15:56:36 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-09 14:56
ComboFix2.txt 2010-07-08 16:42
ComboFix3.txt 2010-07-07 20:43

Pre-Run: 27,030,118,400 bytes free
Post-Run: 27,019,907,072 bytes free

- - End Of File - - B618D95FD94779FFCF59A876992F9755

Malwarebytes Log:

Malwarebytes' Anti-Malware 1.46

Database version: 4296

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

09/07/2010 16:13:06
mbam-log-2010-07-09 (16-13-06).txt

Scan type: Quick scan
Objects scanned: 139379
Time elapsed: 9 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

What do you think?

The computer is running great, scan clear, no warning windows on start up. Only Office and Reader updates are failing, but that might be some problem with the settings. I am happy (very)! :)

Regular Member
Posts: 15
Joined: July 4th, 2010, 1:28 pm

Re: Trojan.Vundo.H and maybe more

Unread postby Cypher » July 9th, 2010, 11:54 am

I think we've had success!

Looks like we found the culprit that was reloading the infection :thumbup:
Ok lets get one more scan to check for leftovers.

Please download ATF Cleaner to your desktop.

  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


Disable AVG9

  • Open AVG User Interface.
  • Double-click on the Resident Shield.
  • Un-tick the option Resident Shield active.
  • Save the changes.
  • Note: Don't forget to re-enable it after the below scan.


ESET online scannner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Hold down Control then click on the following link to open a new window to ESET online scannner
  • Then click on: Image
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  • Select the option YES, I accept the Terms of Use then click on: Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Image
  • The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Logs/Information to Post in your Next Reply

  • ESET log.
  • Please give me an update on your computers performance.
User avatar
Posts: 14936
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: Trojan.Vundo.H and maybe more

Unread postby SLR » July 9th, 2010, 2:09 pm

Hi Cypher,

Ran ATF and then scanned with ESET

Here is the results:

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudSpywareGuard2.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudSpywareGuard3.zip Win32/Bagle.gen.zip worm
C:\QooBox\Quarantine\[4]-Submit_2010-07-09_15.39.09.zip Win32/TrojanClicker.Agent.APT trojan
C:\QooBox\Quarantine\C\WINDOWS\system32\diamlgyu.ini.vir Win32/Adware.Virtumonde.NEO application
C:\QooBox\Quarantine\C\WINDOWS\system32\kdgoqjwy.ini.vir Win32/Adware.Virtumonde.NEO application
C:\QooBox\Quarantine\C\WINDOWS\system32\kypmgmsp.ini.vir Win32/Adware.Virtumonde.NEO application
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP470\A0203920.ini Win32/Adware.Virtumonde.NEO application
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP470\A0203921.ini Win32/Adware.Virtumonde.NEO application
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP470\A0203922.ini Win32/Adware.Virtumonde.NEO application

Computer seems fine - just the same as in my last post.

Thanks :)

Regular Member
Posts: 15
Joined: July 4th, 2010, 1:28 pm

Re: Trojan.Vundo.H and maybe more

Unread postby Cypher » July 9th, 2010, 2:27 pm

Most of what the ESET scan found will be dealt with when i give you final instructions.
Run this fix below to deal with the rest.
What exactly happens when you try to update Office and Abobe Reader?
Let me know in you're next reply.

Delete file/folder
Press Start->Run, copy/paste the following command into the box and press OK: Do not include the word quote:
cmd /c rd /q /s C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

A blank command window will open on your desktop, then close in a minute or two. This is normal.
User avatar
Posts: 14936
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: Trojan.Vundo.H and maybe more

Unread postby SLR » July 10th, 2010, 6:44 am

Hello Cypher,

I ran the fix you gave me, thank you.

Regarding the update problems, in the notification area on the bottom right toolbar there is a "Updates are ready for your computer, click here to install" icon. When I click it tries to install but fails.

The message is gives is
"Some Updates could not be installed.
The following updates were not installed:
Security Update for Microsoft Office Excel 2003 (KB982133)
Security Update for Microsoft Office 2003 (KB982311)"

There is also a message in the turn off icon " turn off to install important updates", but when I turn off the update icon is still there when the computer is next started, and the updates are the same ones.

With Reader, when the computer is started a notification message pops up to say an update is ready click here to install (can't remember exact words). When clicked Adobe Reader Updater opens, there is a details link on it, which goes to http://kb2.adobe.com/cps/837/cpsid_83708.html . When I click, it says installing update, then rolls back & says "Update failed. Error 1402 Could not open key: HKEY_LOCAL_MACHINE\SOFTWARE|Microsoft\Windows\CurrentVersion\Run\OptionalComponants\IMAIL . Verify that you have sufficient access to that key, or contact your support personnel." there is a details link again which goes to http://kb2.adobe.com/cps/852/cpsid_85258.html. I have gone into Reader program and to the Help menu. and clicked "Repair Adobe Reader Installation", but that fails too.

Very strange! I would uninstall Reader and reinstall, but it's working at the mo, so I worried I might not be able to reinstall at all


Regular Member
Posts: 15
Joined: July 4th, 2010, 1:28 pm

Re: Trojan.Vundo.H and maybe more

Unread postby Cypher » July 10th, 2010, 7:03 am


The problems you are still experiencing are not coming from malware as all of your latest logs have come back clean.
As this is a dedicated Malware Removal site I think those issues are best left to experts elsewhere..
Here are some excellent Tech sites (in no particular order) that may be able to help with these problems:

So as I said above your logs are clean, I hope you can resolve your other problem with the links that I provided.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Time for some housekeeping
  • Click on Start >> Run...
  • Now type in ComboFix /Uninstall into the and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.
The above procedure will reset your System Restore and clear out the backups and quarantines created during the course of this fix.



Download OTC by Old Timer and save it to your Desktop. This tool will remove all the tools we used to clean your pc.

  • Double-click OTC.exe
  • Click the CleanUp! button
  • Select Yes when the Begin cleanup Process? Prompt appears
  • If you are prompted to Reboot during the cleanup, select Yes
  • The tool will delete itself once it finishes, if not delete it by yourself

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

You can now delete any tools we used if they remain on your Desktop.

Now we needed to deal with security vulnerabilities

Install internet explorer 8

You can find information and install IE 8 from Here

Here are some free programs I recommend that could help you improve your computer's security.

Install SiteAdvisor
SiteAdvisor is a toolbar for Microsoft Internet Explorer and Mozilla Firefox which alerts you if you're about to enter a potentially dangerous website.
You can find more information and download it from Here

Install WinPatrol
As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
For more information, please visit HERE

MVPS Hosts

Install MVPS Hosts File From Here
The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to which is your local computer.
You can Find the Tutorial HERE

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector
F-secure Health Check

Visit Microsoft often to get the latest updates for your computer
You can do that HERE

Read some information HERE On how to prevent Malware

Is your pc running slow?
Read What to do if your Computer is running slowly

I would be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.

Safe surfing!
User avatar
Posts: 14936
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: Trojan.Vundo.H and maybe more

Unread postby SLR » July 10th, 2010, 9:31 am

Hello Cypher,

I am now implementing your advice to keep my machine safe in future.

I hope you know what a star you are, thank you so much for all your help and patience! I hope I don't have to post with any more problems, but I know where to come for great help and advice!!!

Thank you so much

SLR :cheers:
Regular Member
Posts: 15
Joined: July 4th, 2010, 1:28 pm

Re: Trojan.Vundo.H and maybe more

Unread postby Cypher » July 10th, 2010, 11:33 am

You're most welcome glad we could help.
Good luck and stay safe.
User avatar
Posts: 14936
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: Trojan.Vundo.H and maybe more

Unread postby Elrond » July 10th, 2010, 2:36 pm

SLR this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
User avatar
Admin/Teacher Emeritus
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem
Register to Remove


  • Similar Topics
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!

Who is online

Users browsing this forum: No registered users and 23 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware