Topic: Computer Virus

teddy
Computer Virus
« on: January 18, 2009, 07:50:46 PM »
Hello

I think I have a virus on my computer and hopefully you are able to help me. For the past few weeks, my computer has been very slow. I am not able to connect to the internet through Mozilla or IE Explorer. When I used to be able to go online, I kept getting pop-ups saying that it has found Trojan Vundos, multiple times. The pop-ups also say to download anti-virus. I also keep getting pop-up windows that I have an error and to send it to Microsoft, and it doesn't look like a legitimate window. Please let me know what I should do. Thanks.

teddy
Re Virus
« Reply #1 on: January 18, 2009, 07:58:42 PM »
I am having problems with my computer.

I keep getting pop-ups telling me that I need to install a virus scanner; it usually pops up when I am on my desktop. I keep getting pop-ups followed up by AVG pop-ups to download AVG. I also get pop-ups from Symantec Virus Scanner telling me that I have 1XX Trojan.Vundo on my system and that I need to either restart now and clean it up, or restart later.

winchester73 (Administrator)
Re: Re Virus
« Reply #2 on: January 18, 2009, 09:48:37 PM »
Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Please post the contents of that file in your next reply in this thread.

The scan will take quite a while.  Go have a cup of coffee or something while MBAM is working.

BTW, I merged your two topics into this one ...  :)
Speak softly, but carry a big Winchester ... Winchester Arms Collectors Association member



teddy
Re: Computer Virus
« Reply #3 on: January 20, 2009, 04:21:42 PM »
Hi Winchester,

Thanks for the help

Here is the log

Malwarebytes' Anti-Malware 1.33
Database version: 1666
Windows 5.1.2600 Service Pack 2

20/01/2009 4:27:31 AM
mbam-log-2009-01-20 (04-27-21).txt

Scan type: Full Scan (C:\|)
Objects scanned: 94414
Time elapsed: 1 hour(s), 12 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 4
Registry Keys Infected: 20
Registry Values Infected: 7
Registry Data Items Infected: 3
Folders Infected: 6
Files Infected: 64

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\SYSTEM32\moligefa.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\SYSTEM32\kivokoyu.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\SYSTEM32\sazuviyu.dll (Trojan.Vundo.H) -> No action taken.
C:\Program Files\Mozilla Firefox\components\srff.dll (Trojan.Agent) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\xxyvvtkj (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8116f419-f467-4ec8-806b-fb43ba54577f} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{8116f419-f467-4ec8-806b-fb43ba54577f} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e3cd1788-2451-4995-ae99-93e8083575af} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{e3cd1788-2451-4995-ae99-93e8083575af} (Trojan.Vundo.H) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{e3cd1788-2451-4995-ae99-93e8083575af} (Trojan.Vundo.H) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\{5222008a-dd62-49c7-a735-7bd18ecc7350} (Rogue.VirusRemover) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\{5222008a-dd62-49c7-a735-7bd18ecc7350} (Rogue.VirusRemover) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8116f419-f467-4ec8-806b-fb43ba54577f} (Trojan.Vundo.H) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpeedRunner (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\SpeedRunner (Adware.SurfAccuracy) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\RelatedPageInstall (Adware.Mirar) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wovumewiru (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm2b9781ca (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\speedrunner (Adware.SurfAccuracy) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gadcom (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\sazuviyu.dll -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\sazuviyu.dll  -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\sazuviyu.dll -> No action taken.

Folders Infected:
C:\Program Files\InetGet2 (Trojan.Downloader) -> No action taken.
C:\Program Files\Webtools (Trojan.Agent) -> No action taken.
C:\Program Files\Mjcore (Trojan.BHO) -> No action taken.
C:\Documents and Settings\Teddy\Application Data\gadcom (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Teddy\Application Data\NI.GSCNS (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Teddy\Application Data\speedrunner (Adware.SurfAccuracy) -> No action taken.

Files Infected:
C:\WINDOWS\system32\xxyvvTkJ.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\SYSTEM32\ufmorr.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\daneteki.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\SYSTEM32\iketenad.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\feyavezi.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\SYSTEM32\izevayef.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\fezijepa.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\SYSTEM32\apejizef.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\gujanawa.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\SYSTEM32\awanajug.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\hituyake.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\SYSTEM32\ekayutih.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\jerurigo.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\SYSTEM32\ogirurej.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\liwuvepu.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\SYSTEM32\upevuwil.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\miwikira.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\SYSTEM32\arikiwim.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\nuzepema.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\SYSTEM32\amepezun.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\seyilehu.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\SYSTEM32\uheliyes.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\vutuzoto.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\SYSTEM32\otozutuv.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\vuvimuwe.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\SYSTEM32\ewumivuv.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\wafadewi.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\SYSTEM32\iwedafaw.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\wuyekopa.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\SYSTEM32\apokeyuw.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\SYSTEM32\moligefa.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\SYSTEM32\kivokoyu.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\SYSTEM32\sazuviyu.dll (Trojan.Vundo.H) -> No action taken.
C:\Program Files\Mozilla Firefox\components\srff.dll (Trojan.Agent) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ4DA.tmp (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP154\A0012912.dll (Trojan.Vundo.H) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP154\A0012913.dll (Trojan.Vundo.H) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP154\A0012914.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP154\A0012915.dll (Trojan.Vundo.H) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP154\A0012916.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\SYSTEM32\wufoyeva.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\SYSTEM32\osdxmf.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\SYSTEM32\vagamiko.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\SYSTEM32\gabowuto.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\SYSTEM32\giwasora.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\SYSTEM32\meruyuwa.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\SYSTEM32\molafabo.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\SYSTEM32\nubinufu.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\SYSTEM32\ritukera.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\SYSTEM32\fowejigo.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\SYSTEM32\bokosefu.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\SYSTEM32\zarenija.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\SYSTEM32\voduhuta.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\SYSTEM32\badeliki.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\SYSTEM32\suletifo.dll (Trojan.Vundo) -> No action taken.
C:\Documents and Settings\Teddy\Application Data\NI.GSCNS\dl.ini (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Teddy\Application Data\NI.GSCNS\settings.ini (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Teddy\Application Data\speedrunner\config.cfg (Adware.SurfAccuracy) -> No action taken.
C:\Documents and Settings\Teddy\Application Data\speedrunner\SpeedRunner.exe (Adware.SurfAccuracy) -> No action taken.
C:\WINDOWS\SYSTEM32\nepusenu.dll (Trojan.Vundo) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Microsoft\Protect\track.sys (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Microsoft\Protect\conf.sys (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\SYSTEM32\TDSScjwfuqlm.dll (Rootkit.Agent) -> No action taken.
C:\WINDOWS\SYSTEM32\TDSSrntpjkqw.log (Trojan.TDSS) -> No action taken.

Please advise on the next step

Thanks

Teddy
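
An added example (not from any post in this thread, and not MBAM's own code) that reads an MBAM 1.x log in the format pasted above and answers the three questions the helpers are asking: what was actually removed (every line in the first log ends in "No action taken", i.e. nothing was), which Windows autostart locations the Vundo DLLs were registered in (AppInit_DLLs, LSA Notification Packages, Winlogon\Notify, Browser Helper Objects, Run keys and the Explorer hooks), and which files were still mapped into a running process and so show "Delete on reboot", which is why a restart is needed before the follow-up scan. The sample log embedded in the script is a short constructed excerpt modelled on the two logs above; the bracketed process names next to each location are my own descriptions of where Windows loads it, not anything MBAM prints.

```python
"""Summarise a Malwarebytes' Anti-Malware 1.x log by persistence mechanism."""
import re
from collections import Counter, defaultdict

# Autostart points seen in the logs above, with the process that ends up
# loading a DLL registered there (my labels, not MBAM output). First match
# wins; matching is case-insensitive because MBAM prints paths in mixed case.
ASEP_PATTERNS = [
    (r"\\CurrentVersion\\Windows\\AppInit_DLLs$", "AppInit_DLLs (every process that loads user32.dll)"),
    (r"\\Control\\LSA\\Notification Packages$", "LSA Notification Packages (lsass.exe at boot)"),
    (r"\\Winlogon\\Notify\\", "Winlogon Notify (winlogon.exe)"),
    (r"\\Explorer\\Browser Helper Objects\\", "Browser Helper Object (iexplore.exe, explorer.exe)"),
    (r"\\Explorer\\ShellExecuteHooks\\", "ShellExecuteHook (explorer.exe)"),
    (r"\\Explorer\\SharedTaskScheduler\\", "SharedTaskScheduler (explorer.exe)"),
    (r"\\ShellServiceObjectDelayLoad\\", "ShellServiceObjectDelayLoad (explorer.exe)"),
    (r"\\CurrentVersion\\Run\\", "Run key (at logon)"),
]

# "Memory Modules Infected:" opens a section; "<target> (<Detection>) -> <action>."
# is one finding. Registry data items carry an extra "Data: <dll> -> " segment.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):\s*$")
ITEM_RE = re.compile(r"^(?P<target>.+?) \((?P<detection>[^()]+)\) -> (?P<rest>.+?)\.?\s*$")


def parse_mbam_log(text):
    """Return one dict per finding: section, target, detection, data, action."""
    items, section = [], None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = ITEM_RE.match(line)
        if not m or section is None:
            continue
        parts = [p.strip() for p in m.group("rest").split(" -> ")]
        has_data = len(parts) > 1 and parts[0].startswith("Data: ")
        items.append({
            "section": section,
            "target": m.group("target").strip(),
            "detection": m.group("detection"),
            "data": parts[0][len("Data: "):] if has_data else None,
            "action": parts[-1],
        })
    return items


def classify(target):
    """Map a registry path to the autostart point it abuses; files get their own bucket."""
    for pattern, label in ASEP_PATTERNS:
        if re.search(pattern, target, re.IGNORECASE):
            return label
    return "Other registry trace" if target.upper().startswith("HKEY_") else "File / folder"


def summarize(items):
    by_action = Counter(i["action"] for i in items)
    by_asep = defaultdict(list)
    for i in items:
        label = classify(i["target"])
        if label not in ("File / folder", "Other registry trace"):
            # For data items the DLL path is the interesting part; for keys, the leaf name.
            by_asep[label].append(i["data"] or i["target"].rsplit("\\", 1)[-1])
    # "Delete on reboot" = the file is still mapped into a running process.
    pending = sorted({(i["data"] or i["target"]).lower()
                      for i in items if i["action"] == "Delete on reboot"})
    return {"by_action": dict(by_action), "by_asep": dict(by_asep), "pending_reboot": pending}


def report(text):
    """Human-readable summary of one log."""
    s = summarize(parse_mbam_log(text))
    out = ["Actions: " + ", ".join(f"{k}: {v}" for k, v in sorted(s["by_action"].items()))]
    if s["by_action"].get("No action taken"):
        out.append("  'No action taken' means nothing was removed: re-scan and click Remove Selected.")
    out.append("Persistence points in use:")
    out.extend(f"  {label}: {', '.join(hits)}" for label, hits in sorted(s["by_asep"].items()))
    if s["pending_reboot"]:
        out.append("Still loaded in a running process, removed only after a reboot:")
        out.extend("  " + p for p in s["pending_reboot"])
    return "\n".join(out)


# Constructed excerpt modelled on the logs in this thread (not a real log).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.33
Database version: 1671

Memory Modules Infected: 2
Registry Data Items Infected: 2

Memory Modules Infected:
C:\WINDOWS\SYSTEM32\sasoresi.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Program Files\Mozilla Firefox\components\srff.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\xxyvvtkj (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wovumewiru (Trojan.Vundo.H) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\sasoresi.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\sasoresi.dll  -> Delete on reboot.
"""

if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it on a saved log with `report(open("mbam-log.txt").read())`. The two "Data:" lines in the sample show why a single DLL (sasoresi.dll here) needs a reboot to go away: it is loaded into lsass.exe through LSA Notification Packages and into every user32-linked process through AppInit_DLLs, so no user-mode scanner can unlink it while the machine is up.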

R-C
Re: Computer Virus
« Reply #4 on: January 20, 2009, 05:47:24 PM »
Teddy, it is saying "No action taken". Did you follow the directions given to you by winchester73?

In his directions you need to follow these steps:
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.

Be sure to then post the log.
registered Linux user:476595
May inspiration fill your heart and hands, run down your legs onto your feet and cause Spontaneous Dancing! :dance:

winchester73 (Administrator)
Re: Computer Virus
« Reply #5 on: January 20, 2009, 06:16:20 PM »
Run the updater within MBAM ... database 1671 is the current one as I type this.  Then scan again, same as before ... FULL scan, not quick.

"Select all" at the end of the scan, and have MBAM do its magic.


teddy
Re: Computer Virus
« Reply #6 on: January 20, 2009, 07:20:01 PM »
OK, here is the log. The scan was done with the newest update (1671).

Malwarebytes' Anti-Malware 1.33
Database version: 1671
Windows 5.1.2600 Service Pack 2

20/01/2009 3:11:13 PM
mbam-log-2009-01-20 (15-11-13).txt

Scan type: Full Scan (C:\|)
Objects scanned: 95894
Time elapsed: 1 hour(s), 2 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 8
Registry Keys Infected: 23
Registry Values Infected: 8
Registry Data Items Infected: 5
Folders Infected: 6
Files Infected: 56

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\SYSTEM32\lezimazo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\yetisono.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\SYSTEM32\wikobilo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\sasoresi.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\rilihoki.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\ufmorr.dll (Trojan.Vundo) -> Delete on reboot.
c:\WINDOWS\SYSTEM32\motewona.dll (Trojan.Vundo) -> Delete on reboot.
C:\Program Files\Mozilla Firefox\components\srff.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\xxyvvtkj (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8116f419-f467-4ec8-806b-fb43ba54577f} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8116f419-f467-4ec8-806b-fb43ba54577f} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e3cd1788-2451-4995-ae99-93e8083575af} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{e3cd1788-2451-4995-ae99-93e8083575af} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{e3cd1788-2451-4995-ae99-93e8083575af} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8116f419-f467-4ec8-806b-fb43ba54577f} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\{5222008a-dd62-49c7-a735-7bd18ecc7350} (Rogue.VirusRemover) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\{5222008a-dd62-49c7-a735-7bd18ecc7350} (Rogue.VirusRemover) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpeedRunner (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\SpeedRunner (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\RelatedPageInstall (Adware.Mirar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\28a4b256 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wovumewiru (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm2b9781ca (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\speedrunner (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gadcom (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\wikobilo.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\wikobilo.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\sasoresi.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\sasoresi.dll  -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\sasoresi.dll -> Delete on reboot.

Folders Infected:
C:\Program Files\InetGet2 (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Webtools (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Mjcore (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Teddy\Application Data\gadcom (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Teddy\Application Data\NI.GSCNS (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Teddy\Application Data\speedrunner (Adware.SurfAccuracy) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\xxyvvTkJ.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ufmorr.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\hufebido.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\odibefuh.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\lezimazo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\ozamizel.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\vesugupo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\opugusev.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\wegahuwe.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ewuhagew.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\makezimu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\SYSTEM32\wikobilo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\yetisono.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\sasoresi.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\rilihoki.dll (Trojan.Vundo) -> Delete on reboot.
c:\WINDOWS\SYSTEM32\motewona.dll (Trojan.Vundo) -> Delete on reboot.
C:\Program Files\Mozilla Firefox\components\srff.dll (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ5D1.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ5D5.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ5D9.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ5DF.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ5E1.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ5E3.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ5E6.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ5EE.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ62C.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP154\A0012946.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP154\A0012950.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP154\A0012952.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP154\A0012953.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP154\A0012954.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\dijumimo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\nopasopa.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\jegthn.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\vagamiko.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\vagetedo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\doralewi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\giyafufu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\fubupetu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\razepoyo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\whormt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\wilonozi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\hapisiha.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\lazagewa.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\zavubeve.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Teddy\Application Data\NI.GSCNS\dl.ini (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Teddy\Application Data\NI.GSCNS\settings.ini (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Teddy\Application Data\speedrunner\config.cfg (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
C:\Documents and Settings\Teddy\Application Data\speedrunner\SpeedRunner.exe (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\zodezaru.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\vatoteju.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\nepusenu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Microsoft\Protect\track.sys (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Microsoft\Protect\conf.sys (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\TDSScjwfuqlm.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\TDSSrntpjkqw.log (Trojan.TDSS) -> Quarantined and deleted successfully.

winchester73 (Administrator)
Re: Computer Virus
« Reply #7 on: January 20, 2009, 07:43:52 PM »
First, please reboot your computer.  After your computer has restarted, run MBAM once again so we can see if something has re-generated.  Only paste a MBAM log if something is found.

Then, please download and install HijackThis© from one of the following locations: 
Installing and Scanning with HijackThis©
  • At the download prompt from one of the above locations, choose "Save"
  • Navigate to the saved file and double-click the installer, HJTsetup.exe
  • By default, HijackThis© will be installed on your computer at C:\Program Files\Trend Micro\HijackThis, making an entry in the Start menu and also providing a Desktop shortcut
  • When the installation is complete, double-click the HijackThis© icon on your Desktop
  • Select "Do a system scan and save the Logfile"
  • When the scan is completed, Notepad will launch with the log. Please UNcheck Word Wrap in Notepad (Click Format > UNcheck Word Wrap)
  • Do not fix anything that you see in the log. (Scanning will not make any changes to your computer.  Most of what is found is harmless or even required.)
  • Copy/Paste the log here.  (Select Edit > Select All > Edit Copy)

teddy
Re: Computer Virus
« Reply #8 on: January 20, 2009, 09:12:10 PM »
OK, here is the log from HijackThis.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:09:44 PM, on 20/01/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Winamp Search Class - {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2CCD9125-146E-42E1-9B7E-D1C9F8CDB7BC} - C:\WINDOWS\system32\wvUnKBts.dll (file missing)
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.6.26.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: (no name) - {B87874DC-4E44-471B-9AB9-8F5807CA1CD2} - C:\WINDOWS\system32\urqQkkHx.dll (file missing)
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Twain] C:\Documents and Settings\Teddy\Application Data\Twain\Twain.exe
O4 - HKUS\S-1-5-20\..\Run: [wovumewiru] Rundll32.exe "C:\WINDOWS\system32\makezimu.dll",s (User 'NETWORK SERVICE')
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.6.26.dll/206 (file missing)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: c:\windows\system32\dijineho.dll c:\windows\system32\nuwusiwu.dll c:\windows\system32\wujogovo.dll c:\windows\system32\fekojihi.dll C:\WINDOWS\system32\zujasema.dll c:\windows\system32\tehesoti.dll   
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 9610 bytes

Offline winchester73

  • Administrator
  • Hero Member
  • *****
  • Posts: 5125
  • Half a bubble off plumb
Re: Computer Virus
« Reply #9 on: January 21, 2009, 12:35:29 PM »
Please go here:  http://www.virustotal.com/

In the "Upload a File" box, please copy/paste this:  C:\Documents and Settings\Teddy\Application Data\Twain\Twain.exe

Then press "Send File", and let us know what the result is.

Next, let's do this ...

Run HJT again, and use your mouse to checkmark the box next to the following items (and these items ONLY):

O2 - BHO: (no name) - {2CCD9125-146E-42E1-9B7E-D1C9F8CDB7BC} - C:\WINDOWS\system32\wvUnKBts.dll (file missing)
O2 - BHO: (no name) - {B87874DC-4E44-471B-9AB9-8F5807CA1CD2} - C:\WINDOWS\system32\urqQkkHx.dll (file missing)

Press "Fix Checked", and then close HJT.


The presence of these two items means we'll have to pull out a special tool:

O4 - HKUS\S-1-5-20\..\Run: [wovumewiru] Rundll32.exe "C:\WINDOWS\system32\makezimu.dll",s (User 'NETWORK SERVICE')

O20 - AppInit_DLLs: c:\windows\system32\dijineho.dll c:\windows\system32\nuwusiwu.dll c:\windows\system32\wujogovo.dll c:\windows\system32\fekojihi.dll C:\WINDOWS\system32\zujasema.dll c:\windows\system32\tehesoti.dll   


Please follow these instructions carefully.

Download ComboFix (created by sUBs) from one of the following locations:

Link 1
Link 2
Link 3

!!! IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications. If not disabled, these programs will likely interfere with the cleanup process. This can usually be accomplished by a right-click on the icon in the System Tray.
  • Double-click ComboFix.exe on your desktop and follow the prompts.
  • As part of the process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal. The Recovery Console will allow you to start up the computer in a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    Please note: If the Microsoft Windows Recovery Console is already installed on the computer, ComboFix will continue the malware removal procedures.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

  • After the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click "Yes" to continue scanning for malware.
  • When finished, a log will be produced. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.


This procedure can take some time, so please be patient.  While ComboFix is running, do not touch your computer at all.
Speak softly, but carry a big Winchester ... Winchester Arms Collectors Association member
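The items winchester73 singles out above follow a pattern that can be checked mechanically: O2 BHO entries whose DLL is "(file missing)", an O4 Run key that loads a DLL through Rundll32 under another account's hive, an O4 entry launching an executable from a user's Application Data folder (the one sent to VirusTotal), and a non-empty O20 AppInit_DLLs list of consonant-vowel names. The script below is an added example, not HijackThis code and not the helper's own method: it parses HJT-style lines and flags exactly those patterns. The sample log is constructed from lines already posted in this thread, and the consonant-vowel name heuristic is derived from the names in this log, not a general rule.

```python
import re
from dataclasses import dataclass

# Constructed sample: a handful of the HijackThis lines posted earlier in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2CCD9125-146E-42E1-9B7E-D1C9F8CDB7BC} - C:\WINDOWS\system32\wvUnKBts.dll (file missing)
O2 - BHO: (no name) - {B87874DC-4E44-471B-9AB9-8F5807CA1CD2} - C:\WINDOWS\system32\urqQkkHx.dll (file missing)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKCU\..\Run: [Twain] C:\Documents and Settings\Teddy\Application Data\Twain\Twain.exe
O4 - HKUS\S-1-5-20\..\Run: [wovumewiru] Rundll32.exe "C:\WINDOWS\system32\makezimu.dll",s (User 'NETWORK SERVICE')
O20 - AppInit_DLLs: c:\windows\system32\dijineho.dll c:\windows\system32\nuwusiwu.dll c:\windows\system32\wujogovo.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Consonant-vowel alternation of 8+ letters: the naming pattern shared by every
# unknown DLL in this thread's log (a heuristic taken from this log, not a general rule).
CV_NAME = re.compile(r"^(?:[bcdfghjklmnpqrstvwxyz][aeiou]){4,}$")
# A Windows path ending in .dll, stopping at whitespace or a quote.
DLL_PATH = re.compile(r"[A-Za-z]:\\[^\s\"]+\.dll", re.IGNORECASE)


@dataclass
class Finding:
    section: str   # HJT section tag, e.g. "O2", "O4", "O20"
    reason: str    # why triage flagged the entry
    line: str      # the raw log line


def looks_random(path: str) -> bool:
    """True when the file's base name follows the consonant-vowel pattern."""
    base = path.replace("/", "\\").rsplit("\\", 1)[-1]
    stem = base.rsplit(".", 1)[0].lower()
    return bool(CV_NAME.match(stem))


def triage_hjt(log_text: str) -> list[Finding]:
    """Walk HJT lines and return the entries worth a closer look."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = re.match(r"^(O\d+|R\d|F\d)\s+-\s+(.*)$", line)
        if not m:
            continue
        section, body = m.groups()

        if section == "O2" and body.endswith("(file missing)"):
            # Orphaned BHO: the registry entry remains but its DLL is gone.
            findings.append(Finding(section, "BHO whose DLL is missing (orphaned entry)", line))

        elif section == "O4":
            if re.search(r"\brundll32(\.exe)?\b", body, re.IGNORECASE) and DLL_PATH.search(body):
                reason = "Run key loads a DLL through Rundll32"
                if "(User '" in body:
                    reason += " under another account's hive"
                findings.append(Finding(section, reason, line))
            elif re.search(r"\\Application Data\\", body, re.IGNORECASE):
                findings.append(Finding(section, "Run key launches an executable from a user profile directory", line))

        elif section == "O20" and body.lower().startswith("appinit_dlls:"):
            # AppInit_DLLs is normally empty; anything listed is loaded into every GUI process.
            for dll in DLL_PATH.findall(body):
                tag = "random-looking name" if looks_random(dll) else "present"
                findings.append(Finding(section, f"AppInit_DLLs entry ({tag}): {dll}", line))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the constructed sample it reports seven entries: the two orphaned BHOs, the Rundll32 Run key under the NETWORK SERVICE hive, the Twain.exe entry in Application Data, and the three AppInit_DLLs names. Everything else (the Acrobat BHO, igfxtray, Bonjour) passes through untouched, which is the point: a triage pass should narrow the log to what a human then verifies, for example by submitting the flagged file to VirusTotal as the helper asks.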