So, I'm used to using a variety of spyware/virus removal tools for a problem... But I've got something I can't seem to shake. I've found traces of it in msconfig and regedit, but they continue re-appearing, and when I googled the anomaly's filename, nothing came up... So I'm at a loss. It's generating false anti-spyware ads left and right. Any help is appreciated; here's my HijackThis log. I had Thunderbird, GIMP, and one Firefox window running as this was run.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:29:58 PM, on 12/3/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Zune\ZuneLauncher.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
D:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
D:\PROGRA~1\MICROS~2\rapimgr.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\GIMP-2.0\bin\gimp-2.2.exe
C:\Program Files\GIMP-2.0\lib\gimp\2.0\plug-ins\script-fu.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.spiralfrog.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - D:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [Dkiwa] rundll32.exe "C:\WINDOWS\ojuxegirifad.dll",e
O4 - HKLM\..\Run: [Cpomawanubilila] rundll32.exe "C:\WINDOWS\Jhefoqaxuwibiq.dll",e
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [389acf46] rundll32.exe "C:\WINDOWS\system32\aqbufegd.dll",b
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\dlm.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [gadcom] "C:\Documents and Settings\Owner\Application Data\gadcom\gadcom.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - D:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.3.102.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll qscodh.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 7321 bytes
Hi handsom

Please tell me what spyware removal tools you have used so far.

Please download Malwarebytes Anti-Malware and install it. Follow the prompts and reboot if required.

Launch Malwarebytes either by running C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe or double-click the Malwarebytes' Anti-Malware shortcut on your Desktop.

Configuring Malwarebytes
• Click on the tab Settings.
• Make sure only these boxes are checked:
    Terminate Internet Explorer
    Automatically save and display logfile after removal
    Always scan memory objects
    Always scan registry objects
    Always scan filesystem
    Always scan extra and heuristics objects

Updating Malwarebytes
• Click on the tab Update.
• Press the button Check for Updates.
• Wait for Malwarebytes to be fully updated.

Scanning Time
• Click on the tab Scanner.
• Check Perform full scan and click on Scan.
• Wait for the scan to complete, and then click on Show Results.
• Make sure all items are checked, then click on Remove Selected.

**If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If you are asked to restart the computer, please do so immediately.

Post A Log
• A text box will pop up after the removal process is over. Post the contents of the text here.
• If no text box pops up, launch Malwarebytes, and click on the tab Logs.
• The logs will appear as mbam-log-*date-*time.txt. Select the latest one, and then click on Open.
• Post the log here.

Best Regards
Okay, sorry for the delay. I've run Malwarebytes... I've also run Avira, Spybot Search and Destroy, and CCleaner, to try and eliminate everything. I ran all but Spybot in safe mode as well, to ensure that it can really get as much as possible. (Yes, I ran these, then ran them again in safe mode; I'm being very thorough.)

At this EXACT moment in time, no warnings are popping up, but this is the second time I've gone into safe mode like this; after the first time, it seemed like it was just dormant for a few hours. I'm including my most recent logs from Malwarebytes, Avira, and HijackThis (at the advice of several resources, I renamed HijackThis.exe to something else, because Vundo has been known to detect it and hide itself; I simply renamed it back for this scan).

What I've been seeing is popup warnings from either Avira or AVG, whichever is running, telling me that I have Trojan/Vundo running in a .dll file in C:\Windows\System32. Upon reading about this, I've found that from system to system, it seems to pick about three random file names that it will be, and it simply recreates them each time they're deleted. (This is why I removed them in safe mode, and it initially seemed like I had success, but the bugger came back.) Has anyone encountered this malware in this way? I've tried VundoFix and even the vundorootkit, but it doesn't detect the thing, even though my protection and prior runs of MBAM and Spybot all agree it's Vundo.

Anyways, here are the latest logs. They appear clean, but they did last night too, and I'm still seeing some odd, unexplained spikes in CPU usage that seem to be symptomatic of the problem still existing, though there are no signs of it in Task Manager. When it spikes, the whole system is nonresponsive for about a minute, so I can't see what process is doing it, and by the time it responds, CPU/Mem usage is already back down, and all I'm left with is a line chart in the Performance tab showing a huge, inexplicable spike...

LOGS:

MalwareBytes Anti-Malware

Malwarebytes' Anti-Malware 1.30
Database version: 1455
Windows 5.1.2600 Service Pack 3

12/7/2008 7:37:00 AM
mbam-log-2008-12-07 (07-37-00).txt

Scan type: Full Scan (C:\|D:\|G:\|)
Objects scanned: 210661
Time elapsed: 2 hour(s), 35 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

--------------------------------------------------------------

Avira AntiVir Personal
Report file date: Sunday, December 07, 2008 00:32

Scanning for 1075399 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 3) [5.1.2600]
Boot mode: Save mode
Username: Owner
Computer name: ERIC

Version information:
BUILD.DAT : 8.2.0.337 16934 Bytes 11/18/2008 13:05:00
AVSCAN.EXE : 8.1.4.10 315649 Bytes 12/2/2008 14:56:00
AVSCAN.DLL : 8.1.4.0 40705 Bytes 5/26/2008 17:56:40
LUKE.DLL : 8.1.4.5 164097 Bytes 6/12/2008 22:44:19
LUKERES.DLL : 8.1.4.0 12033 Bytes 5/26/2008 17:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 14:56:00
ANTIVIR1.VDF : 7.1.0.56 411136 Bytes 11/9/2008 14:56:00
ANTIVIR2.VDF : 7.1.0.160 571392 Bytes 11/30/2008 14:56:00
ANTIVIR3.VDF : 7.1.0.195 219648 Bytes 12/5/2008 01:48:12
Engineversion : 8.2.0.42
AEVDF.DLL : 8.1.0.6 102772 Bytes 10/14/2008 20:05:56
AESCRIPT.DLL : 8.1.1.17 336251 Bytes 12/4/2008 23:07:35
AESCN.DLL : 8.1.1.5 123251 Bytes 12/2/2008 14:56:01
AERDL.DLL : 8.1.1.3 438645 Bytes 12/2/2008 14:56:01
AEPACK.DLL : 8.1.3.4 393591 Bytes 12/2/2008 14:56:01
AEOFFICE.DLL : 8.1.0.32 196987 Bytes 12/6/2008 01:48:13
AEHEUR.DLL : 8.1.0.74 1519990 Bytes 12/4/2008 23:07:30
AEHELP.DLL : 8.1.2.0 119159 Bytes 12/2/2008 14:56:01
AEGEN.DLL : 8.1.1.6 323955 Bytes 12/2/2008 14:56:00
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/14/2008 20:05:56
AECORE.DLL : 8.1.5.2 172405 Bytes 12/2/2008 14:56:00
AEBB.DLL : 8.1.0.3 53618 Bytes 10/14/2008 20:05:56
AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/9/2008 18:40:05
AVPREF.DLL : 8.0.2.0 38657 Bytes 5/16/2008 19:28:01
AVREP.DLL : 8.0.0.2 98344 Bytes 12/2/2008 14:56:00
AVREG.DLL : 8.0.0.1 33537 Bytes 5/9/2008 21:26:40
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 18:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 6/12/2008 22:27:49
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/23/2008 03:28:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 6/12/2008 22:49:40
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 22:05:10
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 6/12/2008 23:48:07
RCTEXT.DLL : 8.0.52.0 86273 Bytes 6/27/2008 23:34:37

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: delete
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:, D:, G:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: on
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium
Deviating risk categories........: +APPL,+JOKE,+SPR,

Start of the scan: Sunday, December 07, 2008 00:32

Starting search for hidden objects.
The driver could not be initialized.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'mbam.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'aawservice.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
13 processes with 13 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!
Boot sector 'G:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '53' files ).

Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\Owner\Desktop\Audiobooks zipped\0613.part2.rar
[0] Archive type: RAR
--> 0613\0613 - Orson Scott Card - Lost Boys\097 - Orson Scott Card - Lost Boys.mp3
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Documents and Settings\Owner\Desktop\Audiobooks zipped\1214.part2.rar
[0] Archive type: RAR
--> 1214\1214 - Orson Scott Card - Shadow of the Hegemon\02 - Shadow of the Hegemon_09.mp3
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Documents and Settings\Owner\Desktop\Audiobooks zipped\1215.part2.rar
[0] Archive type: RAR
--> 1215\1215 - Orson Scott Card - Shadow Puppets\04 - Shadow Puppets_03.mp3
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Documents and Settings\Owner\Desktop\Audiobooks zipped\1215.part3.rar
[0] Archive type: RAR
--> 1215\1215 - Orson Scott Card - Shadow Puppets\07 - Shadow Puppets_06.mp3
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\software\360 Stuff\Latest.Tools.Firmware.XBOX360.14th.Feb.2007-Thanks.rar
[0] Archive type: RAR
--> Latest.Tools.Firmware.XBOX360.14th.Feb.2007-Thanks\latest.tools.firmware.xbox360.r00
[1] Archive type: RAR
--> XBOX 360\xdvdfs\XDVDMulleter\mulletbeta3.nfo
[WARNING] No further files can be extracted from this archive. The archive will be closed
--> Latest.Tools.Firmware.XBOX360.14th.Feb.2007-Thanks\latest.tools.firmware.xbox360.r01
[1] Archive type: RAR
--> XBOX 360\firmware\firmware tools\HITFLASH\hitflash_birdy.rar
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\wpf.msi
[0] Archive type: OLE
--> Object
[1] Archive type: CAB (Microsoft)
--> PresentationCFFRasterizerNative_X86.dll
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\WINDOWS\system32\drivers\sptd.sys
[WARNING] The file could not be opened!
Begin scan in 'D:\' <Sata 224gb>
D:\pagefile.sys
[WARNING] The file could not be opened!
D:\IRC\Tunebite.Platinum.Edition.v4.1.0.22-TE.tar
[0] Archive type: TAR (tape archiver)
--> Tunebite.Platinum.Edition.v4.1.0.22-TE/tt41022e.zip
[1] Archive type: ZIP
--> tt41022.r03
[2] Archive type: RAR
--> te.nfo
[WARNING] No further files can be extracted from this archive. The archive will be closed
D:\IRC\Tunebite.Platinum.Edition.v4.1.0.22-TE\Tunebite.Platinum.Edition.v4.1.0.22-TE\tt41022e.zip
[0] Archive type: ZIP
--> tt41022.r03
[1] Archive type: RAR
--> te.nfo
[WARNING] No further files can be extracted from this archive. The archive will be closed
Begin scan in 'G:\'

End of the scan: Sunday, December 07, 2008 03:29
Used time: 2:57:15 Hour(s)

The scan has been done completely.

11722 Scanning directories
517696 Files were scanned
0 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
3 Files cannot be scanned
517693 Files not concerned
9311 Archives were scanned
12 Warnings
0 Notes

--------------------------------------------------------------

HijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:01:37 AM, on 12/7/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
D:\Program Files\Microsoft ActiveSync\wcescomm.exe
D:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.spiralfrog.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {D56FF923-47F7-4DC9-B84A-1987FBB3C51E} - C:\WINDOWS\system32\qoMeCrrS.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - D:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\dlm.exe /windowsstart /startifwork
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.3.102.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll awskxb.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6095 bytes

-------------------------------------------------------------

THANK YOU FOR ANY ASSISTANCE! ^_^
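The two HijackThis logs in this thread are the best evidence of what the scanners kept missing, so here is an added example (editor's code, not from the thread and not part of HijackThis or any tool named in it) that does the triage a helper would otherwise do by eye. It parses HJT-style entries and flags the persistence indicators visible above: rundll32 loading a DLL by a one-letter export (the Dkiwa / Cpomawanubilila / 389acf46 entries), an autorun living under a per-user Application Data folder (gadcom.exe), unfamiliar domains added to IE's Trusted Zone, a nameless BHO pointing at a missing file, and any AppInit_DLLs entry beyond the expected one. The sample entries are constructed excerpts copied from the 12/3 and 12/7 logs, not the full logs; the allow-list of expected AppInit DLLs (AVG 8's avgrsstx.dll) is an assumption. Diffing the O20 lines of the two logs shows the unknown AppInit DLL changed name from qscodh.dll to awskxb.dll between scans, which is why a log that "appears clean" still carries the infection.

```python
"""HijackThis log triage: added example for this thread, not part of the original
posts or of HijackThis. Sample entries are constructed excerpts of the two logs
posted above; KNOWN_APPINIT is an assumption about this machine (AVG 8 installed)."""
import re
from typing import Dict, List, Set, Tuple

# Constructed excerpt of the 12/3/2008 HijackThis log posted above.
LOG_DEC3 = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Dkiwa] rundll32.exe "C:\WINDOWS\ojuxegirifad.dll",e
O4 - HKLM\..\Run: [Cpomawanubilila] rundll32.exe "C:\WINDOWS\Jhefoqaxuwibiq.dll",e
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [389acf46] rundll32.exe "C:\WINDOWS\system32\aqbufegd.dll",b
O4 - HKCU\..\Run: [gadcom] "C:\Documents and Settings\Owner\Application Data\gadcom\gadcom.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O20 - AppInit_DLLs: avgrsstx.dll qscodh.dll
"""

# Constructed excerpt of the 12/7/2008 log, taken after the MBAM/Avira/Spybot runs.
LOG_DEC7 = r"""
O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {D56FF923-47F7-4DC9-B84A-1987FBB3C51E} - C:\WINDOWS\system32\qoMeCrrS.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O20 - AppInit_DLLs: avgrsstx.dll awskxb.dll
"""

# Assumption: the only AppInit_DLLs entry with a known owner on this box is AVG 8's.
KNOWN_APPINIT: Set[str] = {"avgrsstx.dll"}

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")
RUN_VALUE_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# rundll32 given a DLL path plus a single-letter export, e.g. rundll32.exe "C:\WINDOWS\x.dll",e
# Legitimate entries name their export (NvCpl.dll,NvStartup), so this is a cheap marker.
ONE_LETTER_EXPORT_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*[A-Za-z]\s*$', re.IGNORECASE)

Finding = Tuple[str, str, str]  # (HJT entry kind, reason, original entry body)


def parse_entries(log: str) -> List[Tuple[str, str]]:
    """Split an HJT log into (kind, body) pairs; header and process lines are skipped."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def appinit_dlls(log: str) -> List[str]:
    """DLL names listed on the O20 AppInit_DLLs line(s), in log order."""
    dlls: List[str] = []
    for kind, body in parse_entries(log):
        if kind == "O20" and body.startswith("AppInit_DLLs:"):
            dlls.extend(body.split(":", 1)[1].split())
    return dlls


def triage(log: str) -> List[Finding]:
    """Flag the entry types that carried this infection's persistence."""
    findings: List[Finding] = []
    for kind, body in parse_entries(log):
        if kind == "O4":
            m = RUN_VALUE_RE.search(body)
            cmd = m.group("cmd") if m else body
            hit = ONE_LETTER_EXPORT_RE.search(cmd)
            if hit:
                findings.append((kind, "rundll32 calls a one-letter export of " + hit.group("dll"), body))
            elif "\\Application Data\\" in cmd:
                findings.append((kind, "autorun launched from a per-user Application Data folder", body))
        elif kind == "O2" and "(no name)" in body and "(file missing)" in body:
            findings.append((kind, "nameless BHO whose DLL is gone; the CLSID still needs removing", body))
        elif kind == "O15":
            findings.append((kind, "domain added to the IE Trusted Zone", body))
        elif kind == "O20" and body.startswith("AppInit_DLLs:"):
            for dll in body.split(":", 1)[1].split():
                if dll.lower() not in KNOWN_APPINIT:
                    findings.append((kind, "unrecognised AppInit_DLLs entry " + dll, body))
    return findings


def rotated_appinit(earlier: str, later: str) -> Dict[str, Set[str]]:
    """Which unknown AppInit DLLs vanished and which appeared between two logs."""
    before = {d.lower() for d in appinit_dlls(earlier)} - KNOWN_APPINIT
    after = {d.lower() for d in appinit_dlls(later)} - KNOWN_APPINIT
    return {"gone": before - after, "new": after - before}


if __name__ == "__main__":
    for label, log in (("12/3", LOG_DEC3), ("12/7", LOG_DEC7)):
        print(f"== {label} ==")
        for kind, reason, body in triage(log):
            print(f"{kind}: {reason}\n    {body}")
    print("AppInit rotation:", rotated_appinit(LOG_DEC3, LOG_DEC7))
```

Run it on a full log by reading the file into a string and passing it to triage(); the header and "Running processes" lines are ignored because they do not match the "Oxx - " entry shape. The O20 check is the one worth keeping after the O4 entries disappear: AppInit_DLLs is loaded into every process that links user32.dll, so a single unknown name there is enough to explain both the CPU spikes and the files that come back after deletion.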
Hey handsom

Now, please download ComboFix. With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it. Save it to your Desktop.

Please disable all security programs, such as antiviruses, antispywares, and firewalls.
• Run Combo-Fix.exe and follow the prompts.
• Accept the End-User License Agreement.
• Allow the Recovery Console to be installed.
• When you see the window below, click on Yes.
• When the Recovery Console has been installed, click on Yes to start the scan.

**Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.

• Wait for the scan to be fully completed.
• If it requires a reboot, please do so.
• After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

Do not click on the ComboFix window, as it may cause it to stall.

Best Regards
Well, I ended up beating the thing. But it was an interesting run. For others who end up with Vundo, or any of its variations, there's no true one-click fixer for it. This one is manual.

Remove (uninstall) all installations of Sun Java. Disconnect your PC from the internet completely. Put in the Windows setup disc, and boot your computer with it; select 'repair' mode, and go to the system32 folder. Use the dir command to identify any files which have only the h and s properties, then delete them from this command line. **You can't do this from Windows; even in safe mode the virus WILL replicate as you delete it.**

Once you have deleted all these files (they will all have extensions of .ini, .dll, or .dll.tmp), reboot into safe mode and run CCleaner as well as a sweep with Spybot, to confirm that your machine is clean. Assuming it's clean, reboot into regular Windows, connect to the web, and download the latest version of Sun Java, update your virus protection, and be happy that you're free of this thing!