Computer Support Forum

Vundo problem, possibly worse?

Question: Vundo problem, possibly worse?

So earlier today, my laptop started acting up. My windows updates were disabled, and my desktop changed to a black screen with red letters saying my laptop was infected, with a bunch of extra text. So I ran MBAM and it detected 23 items. Most were removed and I haven't had that black screen occur again. But every time I've run it after that, 3 files always come up:

Trojan Vundo.H - Registry Value (under Other category: Value wuradoreva)
Trojan Vundo.H - Registry Key
Trojan Vundo.H - Registry Key

Every time I run MBAM, these 3 always appear. Even after I've clicked "removed selected."

On top of that, I've also had a problem with google redirecting. :/

Here's the DDS log:

DDS (Ver_09-06-26.01) - NTFSx86
Run by Zach McManus at 19:43:50.26 on Wed 07/08/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_02
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.314 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\SYSTEM32\Rpcnet.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
svchost
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Zach McManus\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.aol.com/?src=aim
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
uURLSearchHooks: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aim search\AOLSearch.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
mURLSearchHooks: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aim search\AOLSearch.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aim search\AOLSearch.dll
BHO: {6c0f7b02-110e-4d4d-b3de-f3d28f8c6815} - c:\windows\system32\jolefayu.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {DE9C389F-3316-41A7-809B-AA305ED9D922} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [AdobeUpdater] "c:\program files\common files\adobe\updater5\AdobeUpdater.exe"
uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [nah_Shell] c:\documents and settings\zach mcmanus\nah_hijm.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [realteks] "c:\documents and settings\zach mcmanus\application data\google\afuya1119762.exe" 2
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [wuradoreva] Rundll32.exe "c:\windows\system32\tukideka.dll",s
StartupFolder: c:\docume~1\zachmc~1\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\documents and settings\zach mcmanus\start menu\programs\startup\ppqupd32.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: &AIM Toolbar Search - c:\documents and settings\all users\application data\aim toolbar\ietoolbar\resources\en-us\local\search.html
IE: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
DPF: {700EF03F-A472-4D26-8ACB-300F4D04FD96} - hxxp://www.lojackforlaptops.com/ctmweb/testoc.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: mpbabu.dll,c:\windows\system32\yesakuno.dll c:\windows\system32\suvuwutu.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Notification Packages = scecli c:\windows\system32\yesakuno.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\zachmc~1\applic~1\mozilla\firefox\profiles\yr8dt2gu.default\
FF - prefs.js: browser.startup.homepage - espn.com
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?invocationType=bu10aiminstabie7&sredir=2706&query=
FF - plugin: c:\documents and settings\zach mcmanus\application data\mozilla\firefox\profiles\yr8dt2gu.default\extensions\[email protected]\platform\winnt_x86-msvc\plugins\npmnqmp071301000019.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\picasa2\npPicasa2.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: browser.sessionstore.resume_from_crash - false

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-1-3 214024]
R2 BCMWLNPF;Broadcom Netgroup Packet Filter;c:\windows\system32\drivers\BCMWLNPF.SYS [2007-6-6 33664]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-1-3 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-1-3 144704]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-2-3 24652]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-4-2 38496]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-1-3 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-1-3 79880]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-1-3 35272]
R3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-1-3 34216]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-1-3 40552]
R3 ssrangdr;ssrangdr;c:\windows\system32\drivers\ssrangdr.sys [2008-11-11 2560]
RUnknown jrrb;jrrb; [x]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.sys [?]
S2 ssrang_supportdotcom;Support.com Controller Service;c:\program files\supportdotcom\rang\ssrangsv.exe [2008-12-10 965960]
S3 EraserUtilDrv10821;EraserUtilDrv10821;\??\c:\program files\common files\symantec shared\eengine\eraserutildrv10821.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilDrv10821.sys [?]

=============== Created Last 30 ================

2009-07-08 16:37 93 a------- c:\windows\system32\SKYNETdskslreb.dat
2009-06-30 13:41 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-06-30 13:41 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-06-30 13:41 <DIR> --d----- c:\program files\iPod
2009-06-30 13:40 <DIR> --d----- c:\program files\iTunes
2009-06-28 21:31 13,160 a------- c:\windows\system32\Upgrd.exe
2009-06-28 20:07 <DIR> --dsh--- c:\documents and settings\zach mcmanus\PrivacIE
2009-06-28 20:03 <DIR> --dsh--- c:\documents and settings\zach mcmanus\IETldCache
2009-06-28 20:00 <DIR> --d----- c:\windows\ie8updates
2009-06-28 19:58 <DIR> -cd-h--- c:\windows\ie8
2009-06-28 19:56 102,912 -------- c:\windows\system32\dllcache\iecompat.dll
2009-06-28 19:56 1,985,024 -------- c:\windows\system32\dllcache\iertutil.dll
2009-06-28 19:56 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-06-28 19:56 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-06-28 19:56 11,064,832 -------- c:\windows\system32\dllcache\ieframe.dll
2009-06-26 22:45 18,944 a------- c:\windows\system32\SKYNETmfgpwfmo.dll
2009-06-26 22:44 136,660 a------- c:\windows\system32\SKYNETrdylksru.dat
2009-06-26 22:44 68,608 a------- c:\windows\system32\drivers\SKYNETxepttiqx.sys
2009-06-26 22:44 43,520 -------- c:\windows\system32\SKYNETnmsspdux.dll

==================== Find3M ====================

2009-07-08 18:22 17,408 a------- c:\windows\system32\rpcnetp.dll
2009-07-08 18:22 56,680 a------- c:\windows\system32\Rpcnet.dll
2009-07-08 18:21 17,408 a------- c:\windows\system32\rpcnetp.exe
2009-07-08 16:39 5,642 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-07-08 12:37 56,680 a------- c:\windows\system32\rpcnet.exe
2009-05-13 00:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-13 00:15 5,936,128 -------- c:\windows\system32\dllcache\mshtml.dll
2009-05-13 00:15 915,456 -------- c:\windows\system32\dllcache\wininet.dll
2009-05-07 10:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 10:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-04-30 16:22 1,207,808 -------- c:\windows\system32\dllcache\urlmon.dll
2009-04-30 16:22 25,600 -------- c:\windows\system32\dllcache\jsproxy.dll
2009-04-30 16:22 385,536 -------- c:\windows\system32\dllcache\iedkcs32.dll
2009-04-30 06:21 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-28 23:46 1,499,136 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-04-17 07:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-17 07:26 1,847,168 -------- c:\windows\system32\dllcache\win32k.sys
2009-04-15 09:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-15 09:51 585,216 -------- c:\windows\system32\dllcache\rpcrt4.dll
2007-10-01 21:44 52 a------- c:\docume~1\zachmc~1\applic~1\wklnhst.dat
2009-01-01 02:46 51,200 a--sh--- c:\windows\system32\biyedepu.exe

============= FINISH: 19:45:55.31 ===============

Any help would be appreciated.
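As an added illustration (not code from the thread, from DDS, or from Malwarebytes), here is a small triage script over the load-point lines quoted from the DDS "Pseudo HJT Report" above. It flags the things a helper looks at first in a log like this: orphaned "No File" entries, BHOs registered with no name, a populated AppInit_DLLs value, LSA notification packages beyond the default scecli, and file or value names that match a consonant-vowel gibberish pattern. The gibberish regex is an assumed heuristic, not a published signature, so its hits are leads for review, not verdicts.

```python
"""Triage of DDS 'Pseudo HJT Report' load-point lines (defender-side heuristics)."""
import re
from typing import Dict, List

# Sample lines copied from the DDS log posted above (Pseudo HJT Report section).
SAMPLE_HJT = r"""
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: {6c0f7b02-110e-4d4d-b3de-f3d28f8c6815} - c:\windows\system32\jolefayu.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [wuradoreva] Rundll32.exe "c:\windows\system32\tukideka.dll",s
AppInit_DLLs: mpbabu.dll,c:\windows\system32\yesakuno.dll c:\windows\system32\suvuwutu.dll
LSA: Notification Packages = scecli c:\windows\system32\yesakuno.dll
"""

# "<kind>: <rest>", e.g. "mRun: [...]", "BHO: ...", "AppInit_DLLs: ...".
LOADPOINT_RE = re.compile(r"^([A-Za-z_]{2,}):\s*(.*)$")
# A drive-rooted path ending in .dll/.exe/.sys; non-greedy so it stops at the first extension.
PATH_RE = re.compile(r"[a-z]:\\.+?\.(?:dll|exe|sys)\b", re.IGNORECASE)
RUN_NAME_RE = re.compile(r"^\[([^\]]+)\]")
# Assumed heuristic: 3-5 consonant-vowel pairs and nothing else ("tukideka", "wuradoreva"),
# which does not match ordinary component names such as "ctfmon" or "GoogleToolbar".
GIBBERISH_RE = re.compile(r"^(?:[bcdfghjklmnpqrstvwxyz][aeiou]){3,5}$")


def looks_generated(name: str) -> bool:
    """True when a file or value name (extension ignored) fits the gibberish pattern."""
    stem = name.lower().rsplit(".", 1)[0]
    return GIBBERISH_RE.match(stem) is not None


def triage_hjt(text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious trait found on each load-point line."""
    findings: List[Dict[str, str]] = []

    def flag(kind: str, line: str, reason: str) -> None:
        findings.append({"kind": kind, "line": line, "reason": reason})

    for raw in text.splitlines():
        line = raw.strip()
        m = LOADPOINT_RE.match(line)
        if not m:
            continue
        kind, rest = m.group(1), m.group(2)

        if rest.endswith("No File"):
            flag(kind, line, "orphaned registration: the referenced file is gone")
        if kind == "BHO" and rest.startswith("{"):
            flag(kind, line, "BHO registered without a descriptive name")
        if kind == "AppInit_DLLs" and rest:
            flag(kind, line, "AppInit_DLLs populated: each listed DLL is loaded into every process that uses user32")
        if kind == "LSA" and "Notification Packages" in rest:
            extras = [t for t in rest.split("=", 1)[1].split() if t.lower() != "scecli"]
            if extras:
                flag(kind, line, "LSA notification package beyond the default scecli: " + ", ".join(extras))
        if kind in ("uRun", "mRun"):
            n = RUN_NAME_RE.match(rest)
            if n and looks_generated(n.group(1)):
                flag(kind, line, f"run value name '{n.group(1)}' looks machine-generated")

        # File names: drive-rooted paths everywhere, plus bare names in AppInit_DLLs.
        paths = PATH_RE.findall(rest)
        if kind == "AppInit_DLLs":
            paths += [t for t in re.split(r"[,\s]+", rest) if t and ":\\" not in t]
        for p in paths:
            base = p.rsplit("\\", 1)[-1]
            if looks_generated(base):
                flag(kind, line, f"file name '{base}' looks machine-generated")
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT):
        print(f"[{f['kind']}] {f['reason']}\n    {f['line']}")
```

On the sample above this reports eleven findings and leaves the ctfmon and Google Toolbar lines alone; the same patterns in the full log (the Notify, SSODL and StartupFolder lines, and the hidden executables in the file listings) still need a human read.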


Answer: Vundo problem, possibly worse?

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. Please visit HERE if you don't know how. Please re-enable them after performing all steps given.

Please download ComboFix by sUBs from HERE or HERE or HERE and save it to your Desktop. During the download, rename Combofix to Combo-Fix as follows: It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows: Tools -> Options -> Main tab. Set to "Always ask me where to Save the files".

After that, double-click and run Combo-Fix. Let it finish its job and post the log here. If ComboFix asks you to install the Recovery Console, please do so; it will be in your best interest.

Note: DON'T do anything with your computer while ComboFix is running. Let ComboFix finish its job.

4 more replies
Relevance 64.37%

I've tried running VundoFix and VirtumundoBeGone and the VundoFix will find files and say it's removed them, but then when I reboot they're back, and VirtumundoBeGone doesn't find anything.

I've followed all the steps in the sticky thread and here are the logs.
 

Answer: Vundo problem and possibly more

here is the rest of the log files
 

11 more replies
Relevance 62.32%

I'm not entirely sure where I should be posting this problem, but I'll try my best to be as informative about the problem as I can... I appreciate all the help that anyone can give...

Basically put, I woke up and noticed that there were the two programs I mentioned in the topic title opened up, and I know no one had been using my computer while I was sleeping. I didn't really think anything of it, thinking that maybe for some unknown reason I opened those before heading to bed (I was up late last night playing GTA IV on my PC, so anything is possible lol). But I noticed with some usage afterward that those 2 programs are popping up fairly regularly. Sometimes they pop up only every few minutes, but sometimes immediately after I close it. I've never had anything even remotely similar to a problem like this, so I haven't a clue what to do.

I'm running XP Pro SP3 with ALL of the latest updates, I do all my interwebbing on Firefox, I have safety programs like Sygate Personal Firewall Pro, Avast Antivirus, Spybot Search and Destroy, and Spyware Doctor, AND Lavasoft Ad-aware... I haven't made any recent changes to my PC other than the fact that I downloaded Spyware Doctor a couple days ago because it seemed to get rid of the Vundo P (or Virtumonde) spyware/trojan problem that's been haunting me for a few days prior. The problem now may be entirely related to Vundo P, I'm not 100% sure.

Actually, as dumb as this may sound, I just rescanned my P... Read more

Answer: Two unrelated programs keep popping up (possibly a Vundo P problem?)

Let's get one more scan and log. Perhaps disabling Spybot for this will be better.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a USB stick or CD and then copy it to the infected machine.
On the Scanner tab:
Make sure the "Perform Quick Scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button. The scan will begin an... Read more

5 more replies
Relevance 61.91%

This is not my system, it is a co-worker of my mother's who thought that I might be able to fix his problem. He said that things got bad after he opened something through a link from a friend on Facebook. After researching, I figured it's the Koobface worm.

His system is an HP Pavilion dv7 Notebook PC, running Windows Vista Ultimate with Service Pack 2. It is also a 64-bit system. I saw that in the top post, GMER is for 32-bit systems. Furthermore, when I opened GMER just to see, it automatically scanned, stopped and asked for a full scan. When I click no, I can only touch the Services, Registry, Files, and ADS boxes. I cannot access Threads or anything above, etc. So I didn't bother.

The computer will not start up normally: it reaches the log-in screen then goes to a blue error screen, where it restarts and gives the option of starting in Safe Mode. It does start in Safe Mode, however attempts to run McAfee (the antivirus he had on here before it seems) have not worked. I have been using Safe Mode with Networking.

I first used Microsoft's Malicious Software Removal Tool. It removed one infected file, and did nothing else to help.

I went to install Avast! Anti-virus as it is what I use mostly. Once installed, there was a side-by-side configuration error, which when I looked into it, dealt with Microsoft Visual C++. I tried to install Redistributable of Visual C++ but it had problems with running Windows Install in Safe Mode. I eventually edited the Registry (with help... Read more

More replies
Relevance 61.91%

Hey there! I brought this issue down on myself entirely, because while searching for a copy of a book for college (recent publication) I hit what looked like some dodgy sites. In my own stupidity and determination I kept at it though, and am paying the consequences now. I received some amazing help here before with adware on my last laptop, and having done many of the scans I used that time (roguekiller, JRT, Mbar etc.) I am still looking at a crazy amount of pop-ups and redirects. Any help with the issue would be very much appreciated, although understandably I deserve no sympathy for my own stupidity. All the same, if anyone knows what direction to move next on this it would really help me out of a hole. DDS isn't working on this OS (8.1) so I have Malwarebytes and FRST preliminary scan logs to start.

Regards,
Declan.

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 23/02/2015
Scan Time: 15:38:42
Logfile:
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2015.02.23.04
Rootkit Database: v2015.02.22.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 8.1
CPU: x64
File System: NTFS
User: declang

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 345328
Time Elapsed: 40 min, 0 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No m... Read more

Answer: Some serious adware and possibly worse

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 23-02-2015
Ran by declang (administrator) on DECLAN on 24-02-2015 19:17:01
Running from C:\Users\declang\Downloads
Loaded Profiles: declang & (Available profiles: declang)
Platform: Windows 8.1 Connected (X64) OS Language: English (United Kingdom)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\Windows\System32\atiesrxx.exe
(Advanced Micro Devices, Inc.) C:\Windows\SysWOW64\tbaseprovisioning.exe
(Advanced Micro Devices, Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
(Windows (R) Win 7 DDK provider) C:\Program Files (x86)\Bluetooth Suite\AdminService.exe
(Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe
(Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe
() C:\Program Files (x86)\DTS, Inc\DTS Studio Sound\dts_apo_service.exe
(Microsoft Corporation) C:\Windows\System32\dasHost.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDService.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Progr... Read more

21 more replies
Relevance 61.09%

Hello,

I've used this forum as a resource before, and now I have a pretty crazy problem and I have no idea how to resolve it.

I was reading financial articles online, when suddenly the entire computer shutdown unexpectedly. Upon start-up, the screen showed a warning that recommended a system restore, so I went ahead and did it.

Once I re-started, I noticed that I couldn't access anything through the search engine, Google. Once I realized that every other site worked fine, I did some research and discovered that it was likely the result of a virus.

However, I tried searching for "TDSSserve.sys" which is normally associated with this problem, and found nothing.

To make matters worse - My Trend Micro is spazzing out like crazy. In the last 7 hours, I've received over 80,000 "web threats" from some ( http://) x-web.in /(followed by several random alpha, numbers)...I had to turn off my router to stop these threats from racking up.

Thank goodness Trend Micro blocked every single attempt so far!!

Any idea what's attacking my computer? I can't access Google and this x-web.in thing keeps attempting to penetrate.

Please help!

Note: I'm running Windows 7 on an HP G-62 model.

Answer: Google Virus And Possibly Worse

Hello and welcome to TSF.

We want all our members to perform the steps outlined in the link given below, before posting for assistance. There's a sticky at the top of this forum, and
Quote:
Having problems with spyware and pop-ups? First Steps
a link at the top of each page.

Please follow our pre-posting process outlined below.

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help - Tech Support Forum

After running through all the steps, you shall have a proper set of logs. Please post them in a new topic, as this one shall be closed.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.

Please note that the Virus/Trojan/Spyware Help forum is extremely busy, and it may take a while to receive a reply.

1 more replies
Relevance 61.09%

Hi,
I'm new here and am currently trying to fix an infection of some sort. This morning I turned on the computer and there was some strange pop-up I had not seen before, something about illegal porn, which I know is false. Anyway I immediately downloaded an anti virus (bitdefender) and did a scan. It found a trojan.vundo.dzk virus and said it was now gone but windows explorer is still acting wonky. Whenever I try to access 'PC' or 'My Network Places' the window opens for a second and promptly closes and restarts windows explorer. I have a feeling the vundo virus is lingering because it is being removed every time the computer starts up.

This is a brand-new computer less than 2 months old and it is already a hassle... sigh

Here is my Hijack this log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:56:03 PM, on 2/26/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\Windows\system32\WerCon.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\rundll32.exe
C:\Win... Read more

Answer: Solved: Problem possibly with Vundo virus, explorer.exe restarts on app start

15 more replies
Relevance 60.68%

This is getting worse and more intense. I can't load any drivers, and when I go to check them it shows that they are functioning properly and up to date. And almost 1/2 my info in the system reads '0' in size. What's that all about? And I can't get anything to recognize my McAfee, or a win32 document.
But now I have been wondering what could have happened to these few items....

(Task Manager)
Description
A problem caused this program to stop interacting with Windows.

Problem signature
Problem Event Name: AppHangB1
Application Name: taskmgr.exe
Application Version: 6.0.6001.18000
Application Timestamp: 47918e94
Hang Signature: 81c8
Hang Type: 0
OS Version: 6.0.6001.2.1.0.768.2
Locale ID: 1033
Additional Hang Signature 1: 53f72d3f4124441cca0680ecd89a6848
Additional Hang Signature 2: db5a
Additional Hang Signature 3: 73b8e1bcf743f8e60d79d67d469cdb63
Additional Hang Signature 4: 81c8
Additional Hang Signature 5: 53f72d3f4124441cca0680ecd89a6848
Additional Hang Signature 6: db5a
Additional Hang Signature 7: 73b8e1bcf743f8e60d79d67d469cdb63

Extra information about the problem
Bucket ID: 342139870

(Genuine Windows Error)
"An unauthorized change was made to your license."
To keep your system stable, you must go online and validate that your software is genuine:
- Validate Online
- Close

Windows 6.0.6001 Service Pack 1

4/14/2009 4:19:13 PM
mbam-log-2009-04-14 (16-19-13).txt

Scan type: Quick Scan
Objects scanned: 69262
Time ... Read more

Answer: I am experiencing trojan difficulties, or possibly worse!

I also forgot to mention (not sure how I could forget) but I also wanted to make sure I mentioned that I had another Trojan about a week and a half ago that I thought McAfee deleted but apparently it didn't, and I also started experiencing media difficulties first.

Quote:

"Well, first thing was, I couldn't get Office Live Update to install. And then the next problem (1 day later): I was trying to get some songs off my friend's iPod and it wouldn't let me. So I went to see if there were any updates, and there were, so I made sure they were compatible and I installed them. And then it still wouldn't work, so I just went to the internet and downloaded some. While doing so I installed a flash player and Codec Pack - All In 1, because my Winamp and Windows Media Player wouldn't play some of them. And so forth. Now I have two .NET Frameworks 3.5 and programs hang, stop, and shut down unexpectedly. But just so you know, my son's dad was on the comp off and on for 3 days, and only God knows what he downloaded; he thinks he knows his stuff. And although this isn't all, I hope this will help you understand.
I am worried about a Trojan downloader or virus (last week I had one get blocked by McAfee).
I also haven't been able to locate drivers or completely uninstall things or open half of my files. Oh, and I have limited administrative access and I am the main user. To anyone that reads this, I am hoping you might be able to help me; any and all suggestions are welcome."

... Read more

1 more replies
Relevance 59.45%

I'm new to this site, and I read through this topic seeing gringo_pr helping ecmwin7 with his issue and was very impressed with how he went about it.
 
My grandmother asked me to help her with her computer, said it was running slow, popups everywhere, the usual signs of adware infection, so I told her I'd take a look at it. I started to uninstall some toolbars including KnowTheBible, and a few others, before I found DefaultTab. I looked up what this was and found this site, and I felt overwhelmed because I don't know what to do.
 
I feel comfortable using computers, and I feel like I'm above average when using them, but I'm also very safe and keep my own laptop clean at all times, almost never run into issues. I feel helpless with the amount of junk that is on her computer, and I really would appreciate having some help.
 
I already started uninstalling stuff, but I don't want to go any further on my own. I don't want to make it any worse or more difficult to clean. If someone could assist me I'd greatly appreciate the help and thank you so much for giving me some of your time to assist me, it would mean so much to me.
 
I'm going to need help cleaning the toolbars, adware, malware, viruses, trojans, etc, from her computer, but I'll also need help after cleaning it on how to protect her computer from something like this in the future. She doesn't know how to use a computer safely, she has grandchildren that like to get on and mess around, etc. All I know w... Read more

Answer:DefaultTab, MyWebSearch, KnowTheBible toolbar, possibly more adware or worse

Hello Britain,

Welcome to Bleeping Computer. My name is fireman4it and I will be helping you with your malware problem.

Please take note of some guidelines for this fix:
Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools.
If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
In the upper right hand corner of the topic you will see a button called Follow This Topic. I suggest you click it and select Immediate E-Mail notification and click on Follow This Topic. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.
Finally, please reply using the Post button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.

I will be analyzing your log. I will get back to you with instructions.

1. Download AdwCleaner
Double click on AdwCleaner.exe to run the tool.
***Note: Windows Vista and Windows 7 users: Right click in the adwCleaner.exe and select Click the Delete button.
A logfile will automatically open after the scan has finished.
Please post the content of t... Read more


Hello and thanks for your time and help in advance... My wife was on Facebook on my school laptop and got hit with a Trojan complex. I am fairly computer savvy and ran the laptop in safe mode and ran Malwarebytes; it found and removed 8 things. I have the original log and will post it. When I restarted in normal mode, I reinstalled Symantec Endpoint Protection and the active scan quarantined a trojan. Also, as requested, I will attach the dds.txt and attach.zip logs from dds.scr. I also have a HijackThis log that I will attach if you need that as well. Once I had run Malwarebytes in safe mode, I also installed and ran Spybot S&D, unhide.exe (all my shortcuts from the desktop were made hidden, and all shortcuts within folders on the start menu are still gone, unlike the desktop shortcuts after running unhide.exe... it also fixed right clicking on the desktop and choosing "next desktop background"). Also, right clicking on My Computer and clicking "Manage" says the file is not found! I am not sure what else is screwed up but was hoping the logs and a fine computer savvy buddy can help... I will give as much info below and hope that it will be all you need; if not, please ask:

Initial virus attack description: multiple popup message boxes opened and said something like "Warning! Hard disk failure, fix now..." I immediately shut down the computer and rebooted to safe mode and ran the above programs. I believe that the Symantec Endpoint Protection... Read more

Answer:Trojan erased my start menu shortcuts and possibly worse

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/427787 <<< CLICK THIS LINK

If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lo... Read more


I tried everything in my power to get rid of this virus. This is the third time I've been infected with this virus. Any help will be appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 3:55:09 PM, on 5/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\brsvc01a.exe
C:\WINNT\System32\brss01a.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\system32\CTsvcCDA.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.... Read more

Answer:Vundo Getting Worse

Welcome to the BleepingComputer HijackThis Logs and Analysis forum

Download KillBox, unzip/extract it to your desktop.
http://download.bleepingcomputer.com/spyware/KillBox.zip
Start up Killbox and place a check in 'Delete on Reboot'.
In the 'Full path of file to delete' box, copy and paste:
C:\WINNT\svhost.exe
Then press the red button with the white cross. It will then provide a window for you to confirm the delete. Next it will ask if you now wish to reboot; select YES. Allow it to reboot. If it doesn't reboot automatically, reboot manually.

****************************

Viewpoint Manager is considered as foistware instead of malware since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546
You are well advised to remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present:
Viewpoint
Viewpoint Manager
Viewpoint Media Player
Then restart your pc.

****************************

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the "Scan for Vundo" button.
Once it's done scanning, click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files; click "YES".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will... Read more


Hi, I am in need of some help as this rootkit I have gotten has infected both of my Acer laptops. One Acer is a 4 G running Windows 7; the other is 6 months older, an Acer 3 G running Windows 7. When the first laptop started acting up, I couldn't fix it & my husband bought me a brand new one to replace it. Believe it or not, the new 4 G Acer got infected from my Webroot Internet Security CD! That's the only way I can figure it got in the new one. I sent my 3 G Acer to a PC guy to have Windows 7 reinstalled, as I had no disk from factory to do so. While it was out being repaired, I started my new laptop, removed McAfee which came with the PC, and tried to install Webroot Internet Security from a CD. I wondered if it was possible for the infection to be on the CD (as it had been in the old PC) and asked my PC guy this. He assured me that Webroot and other software companies have fail safes on their programs for this. Needless to say, he was WRONG. My 4 G Acer is now showing the same symptoms. Every time I boot my PC my file sharing and network discovery settings have changed! I have to manually go and change them back to no file sharing. Whatever infection I have is taking ownership of my files; a lot of files are becoming ACCESS DENIED. I tried researching all the symptoms, and so far it seems to be a bad rootkit, maybe a kernel rootkit. My symptoms resemble the terror rootkit or Vundo? From what I've read this infection is so bad it actually creates a clone on you... Read more


PLEASE Help Me!
I contracted the Trojan.Vundo virus and have tried to use procedures in this forum and others to remove it. I have not been successful. I have tried VundoFix, VirtumundoBeGone, Ad-Aware, Spybot, and Spy Sweeper. I have gone into Safe Mode before running and installing these. Spybot said that it cleaned the virus, but I am still getting the Symantec AntiVirus Notification window that I still have the Trojan.Vundo virus. Symantec recognizes it, but cannot quarantine or clean it. The virus file location is C:\WINDOWS\system32\vtsqp.dll. I have been using Symantec for several years with no problems, but now it does not automatically load.

On top of all that, by running Ad-Aware and Spybot, I have rendered other desktop icons unusable.

Please help me! I thought I could fix this, but obviously not. I appreciate some expert help. I can follow instructions - I promise. Thanks in advance.

Here is my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:32:45 PM, on 1/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
D:\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\C... Read more

Answer:Can't remove Trojan.Vundo, now I've made it worse, HJT log included

bump
Update - My desktop is back in business. I deleted the downloaded VundoFix, VirtumundoBeGone and Spy Sweeper. I removed and reinstalled Symantec. It found a few things and cleaned two of them. Still running slow and still getting picked up by Symantec. 2 could not be cleaned or quarantined.
- trojan.vundo
- w32.trats!inf

Happy to post new HJT log. I appreciate a response! Thank you in advance

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:50:10 PM, on 1/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
D:\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Sony\Giga Pocket\shwserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\nipalsm.exe
C:\Program Files\Sony\VAIO Media... Read more


Hi everyone,
My bottom fan on my PC was being very loud, so I opened up my case and unplugged the power supply, and flicked off the power switch on the back. I unscrewed the bottom fan and dusted it a little bit, and then I put it back together how it was before.

The part that I unscrewed also contained my hard drive, and now that it is reseated I cannot boot.


At first I got an error when booting:
Loading operating system . . .
disk boot failure, insert system disk and press enter.

THEN, I tried making sure everything was connected well and tight, and now I am not getting anything displayed on my screen.

Apologies for the lack of knowledge and thanks for the help.

Jeremy
 

Answer:Boot problem, getting worse and worse

It is possible that when you removed the fan and hard drive, you plugged the hard drive's SATA cable into a different SATA port on the motherboard. Get into the BIOS, and make sure that the hard drive is being detected properly.
 


Hi,

Computer was infected by opening a mail attachment. It is Windows XP Professional, SP2. At that point, Symantec Endpoint was installed, but the license had expired and it was not updated for some time. Part of the infection/manifestations was removed by Symantec (tray balloon saying that the computer was infected). After restart, regular Vundo symptoms - black background with flashing script. Kaspersky 6.0 was deployed, fixing some of the issues, but chkdisk.dll and similar remained. Kaspersky is partly disabled/malfunctioning, Internet is inaccessible (network works). Malwarebytes' Anti-Malware fixed a lot, but still there is the registry line with userinit.exe that is present in every Malwarebytes scan. VundoFix hasn't found anything. I am very certain that there is still something left, besides the registry key; Kaspersky is still malfunctioning and Internet not accessible.

Here is the DDS log:

DDS (Ver_09-03-16.01) - NTFSx86
Run by Administrator at 10:07:58.07 on Tue 04/28/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.599 [GMT 2:00]

AV: Kaspersky Anti-Virus *On-access scanning enabled* (Outdated)
AV: Symantec Endpoint Protection *On-access scanning disabled* (Outdated)
FW: Kaspersky Anti-Virus *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.e... Read more

Answer:Vundo and possibly something else

Just an update:
with newest virus definitions, Kaspersky found one virus in user's Temp folder:

Trojan-Dropper.Win32.Wlord.qx

After it was deleted and computer restarted, Kaspersky found nothing else. Problems with Kaspersky and Internet still exist.

Best regards,
BrG


First and foremost, I would not let my pc get this infected. This is my sister-in-law's pc. I ran AVG anti-virus, Spybot, Adaware 2007 and tried to run SAS. They all detected the CWS and Vundo and quite a few other trojan downloaders and dialers. The bad part is that neither program I got to run (all but SAS) either would not delete it or it would reappear after a reboot. Also I could not get CWShredder or VundoFix to run. I can get SAS started but it gives me a blue screen of death during the memory scan every time I run it. I cannot get HijackThis to run at all, but I did get DSS to run. I am unaware of how up to date AVG, Spybot and Adaware are but SAS is fully updated. I know I am supposed to uninstall all P2P programs but that is part of my problem as well. I cannot get them to uninstall. Thanks in advance.

DSS main log

Deckard's System Scanner v20071014.68
Run by ANDY on 2008-07-17 22:25:58
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.

-- Last 1 Restore Point(s) --
1: 2008-07-18 02:26:01 UTC - RP1 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 511 MiB (512 MiB recommended).

-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-07-17 22:27:59
Plat... Read more

Answer:Cws, Vundo And Possibly Many More

Hello, and welcome to the forum. My name is Simon V., and I'll be glad to help you with your computer problems.

Please download and install CCleaner.
Open CCleaner. On the Windows tab, leave the default options alone.
On the Applications tab, check (tick) all the boxes except Saved Form Information. This will remove all your saved passwords if you leave this box checked.
Click on the Run Cleaner button at the bottom right hand corner.
When the cleaner has completed, click Tools in the Left Pane.
Verify that Uninstall is highlighted in color, or click on it. In the lower right, click Save to Text File. Pull down the arrow at the top of the Save dialog and choose Desktop as the location. You can leave the filename as install.txt. Click Save, then exit CCleaner.
__________________
Please visit this webpage for download links, and instructions for running ComboFix - http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once installed, you should see a blue screen prompt that says -
The Recovery Console was successfully installed.
Please continue as follows -
Close/Disable all anti-virus and anti-malware programs so they do not in... Read more


My friend asked me to fix his computer, and I've pretty much never seen something in such bad shape. It is running Windows XP Home SP2.

I can't boot into Windows normally. After logging in, Windows just hangs. I have tried manually starting explorer.exe via the Task Manager, but that doesn't do anything either. When I boot into Safe Mode, the same thing happens, but I am able to start explorer.exe from the Task Manager.

I also get the attached error whenever I try to do a lot of things system related (i.e. access the control panel, change system settings):
In the title it says rundll32.exe - Application Error
In the message it says "The application failed to initialize properly (0xc0000005). Click on OK to terminate the application."

I've done some research on this, and a lot of the forums I read all lead me to the Vundo virus. Upon further research I found this is one of the hardest viruses to remove.

I have tried to take the initial 5 steps posted as a sticky in this forum, however I was unable to do several of them:

1. I cannot access the Add/Remove Programs. When I click on it I get the above mentioned rundll32.exe error.

2. Internet Explorer goes to a blank page every time I try to start the scan.

3. I successfully installed SpywareBlaster and loaded the restricted sites through IE-SPYAD.

4. I can't run Windows Update because I'm in Safe Mode and the service is not started.

5. Posted below is my HijackThis log.

Logfile of Trend Micr... Read more

Answer:Can't do much of anything... possibly Vundo?

OK after waiting a while I was able to boot regularly into XP. However, I had to start explorer.exe via the Task Manager. I ran HijackThis and below are the results.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:59:07 PM, on 8/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdiserv.exe
C:\WINDOWS\system32\lxdicoms.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\stacsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointServi... Read more


I have used Spybot S&D, Malwarebytes, McAfee and AVG, and they have all found up to 18 instances of Vundo and some other random spyware (forgot the names). My main problem is Vundo. They always say they have fixed the problems by deleting or cleaning the files, but when another scan is done the files are found again.

DDS (Ver_09-01-18.01) - NTFSx86
Run by Chuck1 at 10:57:16.82 on Mon 01/19/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1492 [GMT -5:00]
============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\CTHELPER.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\GIGABYTE\Common\GNConfig.exe
svchost.exe
C:\Program Files... Read more

Answer:Vundo and possibly others

Hello Chuck Lynch and welcome to Bleeping Computer,

1. Please download GooredFix and save it to your Desktop.
Select "2. Fix Goored" by typing 2 and pressing Enter. Make sure all instances of Firefox are closed at this point. Type y at the prompt and press Enter again. A log will open; please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

2. Please read this tutorial (http://www.bleepingcomputer.com/combofix/how-to-use-combofix) carefully to download ComboFix from one of the locations specified, and save it to your Desktop.
Double click the ComboFix icon to run it.
If ComboFix asks you to install the Recovery Console, please do so.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.
Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.
Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. If you have any questions along the way, STOP and ask them before proce... Read more


I had multiple infections from a web page which happened on the 5th - the sagipsul.com pop-ups, frmwrk32.exe, real-av.org pop-ups, Virtumonde, Vundo, Malware.Trace and god knows what else. I tried Search and Destroy, Super Anti-spyware and Malwarebytes, which finally did the best job in getting rid of most of the problems. But there's a couple remaining problems that won't go away. Malware.Trace and Vundo were found again by Malwarebytes. On Firefox, I'm still getting pop-ups from hxxp://70.38.98.32/red.php?lid=... and hxxp://82.98.235.113/dot.gif/?ver=... Occasionally an ad page will manage to load, but mostly they are failed blank pages. It keeps turning off the option in Firefox to block pop-ups. Malware.Trace and Vundo were found again by Malwarebytes. I use Adblock Plus on Firefox and also have Protowall IP blocker, so I can see when my computer tries sending packets to those IPs. Here's my DDS log...

DDS (Version 1.1.0) - NTFSx86
Run by Amy at 16:01:40.32 on Fri 01/09/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_03
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1090 [GMT -8:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WIN... Read more

Answer:Vundo and possibly others

Hello Amy79 and welcome to Bleeping Computer,

1. Please download GooredFix and save it to your Desktop.
Select "2. Fix Goored" by typing 2 and pressing Enter. Make sure all instances of Firefox are closed at this point. Type y at the prompt and press Enter again. A log will open; please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

2. Please download ComboFix from one of the locations below, and save it to your Desktop.
Link
Link
Link
Double click the ComboFix icon to run it.
If ComboFix asks you to install the Recovery Console, please do so.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.
Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.
Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder


Hi, I was wondering if someone can help me with this problem? The other day I started getting random pop-ups and so I did my usual thing: run Ad-Aware, run HijackThis, rooting through my windows/system32 folder to try to see if there were any weird-looking .exe or .dll files that are sitting in there. What I usually do is just run a check against anything I don't recognize through Google to see if it's legit or something weird. This time around, I got a bunch of seemingly randomly named files that don't show up on Google at all, but are always marked as "DLL Running" in HijackThis. HijackThis doesn't seem to do much to the file and I have been using Dr Delete to get rid of it (if I just try to delete it regularly, Windows tells me that some application is using the file so I can't delete it). I thought I got rid of the problem and that was two days ago? I'm still getting pop-ups. If I don't touch it usually, I'll get a pop-up every hour or so, and that's it? The most annoying thing though, is that I can't leave my computer on standby because it seems that whenever a pop-up decides to go up, my computer will just go out of Sleep Mode just to accommodate said annoying pop-up. Since then I've done more research on it and I think it's Vundo, and VundoFix seems to do stuff for it but never gets rid of the problem. It targets some of the files that I can see in system32, but not all of them, so I am wondering if there is ... Read more

Answer:Pop-ups, Possibly Vundo?

Try this: Download and scan with SUPERAntiSpyware Free for Home Users
* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
* When done, select "Scan for Harmful Software".
* There are three scanning options. Choose "Perform Complete Scan" and click "Next".
* When done, a Scan Summary will appear with potentially harmful items that were detected. Click "OK".
* Make sure they all have a checkmark next to them and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* Click Preferences and then click the statistics/logs tab.
* Click the dated log and press View log. A text file will appear so you can see the results.
* Select close to exit the program.
* Scan in SAFE MODE

Question: Possibly Vundo?

I've been assigned to fix a computer for a friend, and so far, I've narrowed down a list of problems. I brought it home to continue, but now none of the mice I use will register. Then there's the other problems.

It's split into 3 accounts, 2 have these problems-
Can't drag/drop/cut/paste/delete icons or folders.
Background and taskbar vanishes on startup. (Solved with starting a new explorer.exe)
No internet
hijackthis can't run
Runs very slowly.

I recall dealing with something similar before, I think it was Vundo, but I'm not too sure. Can anyone help me with this?

Answer:Possibly Vundo?

We recommend that you read this article: "IMPORTANT - 5 Step Process: Read This Before Posting For Malware Removal Help"; follow the instructions very carefully; then, post all the requested logs and information, as instructed, in the HiJackThis Log Help Forum.
(Simply, click on the coloured links to be re-directed.)

Please ensure that you create a new thread in the HiJackThis Log Help Forum; not back here in this one.

When carrying out The 5 Steps, if you cannot complete any of them for whatever reason, just continue on with the next one until they are all completed.
However, it is extremely important to make mention of the fact that you could not complete any of the steps in your post to the HJT Help Forum, where an Analyst will assist you with other workarounds.

Once done, please be patient, as the Security Team Analysts are usually very busy; one of them will answer your request as soon as they can.

After your system has been verified as clean, if you are still experiencing those problems come back here and we will assist you further.

Question: Possibly Vundo

I've been working to fix and update a machine for a friend, and it's having some serious problems. Killed a bunch of malware on it with Avast and Malwarebytes but there's still something lurking on the system. Windows Firewall doesn't start as long as the system is logged onto the internet, it can't connect to Windows Update or Windows Defender update, and it periodically has trouble with online email. It also redirects just about every Google or Bing search to another website, usually some scam about finding a new job or virus fixes. Svchost.exe also climbs through the roof on memory, typically 50-150K, and I have to disable that manually to get the system to restart most of the time. Thanks for the help.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:28:36 AM, on 7/1/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17023)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Hewlett-Packard\HP Soft... Read more

Answer: Possibly Vundo

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together.
Do not run any other tool until instructed to do so!
Please do not attach logs or put them in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.
In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.
Note** If you are having problems posting the complete log into this thread upload them here http://www.rapidshare.com/ and post the links in this thread.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
In order for me to see the status of the infection I will need a new set of logs to start with.
Please print out or make a copy in Notepad of any instructions given, as sometimes it is ... Read more

3 more replies
Question: Possibly Vundo?

Ran all of your "run me first" programs except Panda, the reason being that every time I open Windows Explorer I get bombarded with viruses and redirects. Most are caught by Norton AntiVirus, some are not. The ones I've noticed are Vundo, Downloader, DriveCleaner.
I was able to run Spybot in safe mode. CounterSpy and CCleaner I had to run in normal boot mode.
Also when I try to run the Firefox browser, Windows Explorer opens with various windows for virus or spyware removal tools.

Answer: Possibly Vundo?

other logs
 

31 more replies

Here's my nasty time consumer
Regular pop-ups with McAfee, mostly Vundo. Today started the occasional newwin32. Some I was able to quarantine, others I couldn't. Ran many online scans.

Activescan results

Incident Status Location

Adware:adware/securityerror Not disinfected C:\Documents and Settings\Curt\Favorites\Antivirus Test Online.url
Potentially unwanted tool:Application/MyWay Not disinfected C:\Config.Msi\11b6709.rbf
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Curt\Desktop\SmitfraudFix\SmitfraudFix\Proce... Read more

Answer: Vundo and possibly others

Here are a few pop-ups McAfee found recently

lo1[1]
ddcyy.dll
awvvs.dll
awtss.dll
brskncys.dll
jkhhf.dll - common recurring
The above were recognized as Vundo.

exploit.bmp trojan
XG9.exe

Some other incidents popped up as a malformed archive trojan.

17 more replies
Question: Possibly vundo?

Hello everyone, I'm new to these forums and this is my first post. [I did read the rules before posting btw.] My problem first started, I believe, when I was just browsing the internet. I didn't have Avast or any kind of anti-virus software, first mistake. A pop-up appeared in Firefox and it froze everything. I tried to exit it after a while and then Firefox asked if I wanted to save my session, as if it was trying to exit. I had not even pressed the exit button yet and then all of a sudden, poof, the program ended. Then my Notepad asked if I wanted to save it, before I could do anything, same thing. My computer turned off automatically. Restarted it back up, things were going noticeably slower and now when I try to put my laptop on standby it stalls on "Preparing to Standby". I used Malwarebytes and it found nothing. I downloaded the full pro version of Avast and it found a couple of trojans and some Vundo. Moved it to the chest and deleted, restarted the computer and still can't use standby. Used VundoFix but it found nothing. So please help me out here, I am far from a techie/computer expert so I'm afraid I need some guidance.

Here's my HijackThis Logfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:06:21 PM, on 4/2/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system... Read more

Answer: Possibly vundo?

6 more replies

I'm getting pop-ups and spyware alerts similar to what I remember from when I had the Vundo virus earlier in the year... Here's an HJT log; does this look like I'm right? I'm thinking it's the mllmn.dll and ddaya.dll files that are the bad guys.
Thanks in advance.

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Lospo\Desktop\HijackThis Trojan Remover\HijackThis.exe

O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\mllmn.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {CE70731D-F28D-4D81-9D61-C8EE60378401} - C:\WINDOWS\sys... Read more

Answer: An HJT log, possibly Vundo again

10 more replies

This is my friend's computer and there's quite a few infections on it. AVG Free picked up about 26 trojan infections about seven minutes after starting the scan. So far there's no more from what I've scanned. Ad-Aware picked up a couple of spyware infections as well.

But I think there's a Vundo infection too; there's the red X as the C: drive icon as well as the thousands of tmp files in the root of C: and the My Documents folder. It also has the thousands of randomly named .dll files. There are also two icons on the desktop named "Help and Support Center" and "Windows Update" which lead to a URL for Storage Protector.

There's a third icon that says "Internet Security Suite" that leads to:

Code:
http://ad.outerinfoads.com/reficon?bid=4047&pid=1600&oid=5&fid=99001281
I'm not sure if the above URL has to do with Vundo, though.

Anyway it would be great if you guys could help me with removing Vundo. Last time I did it with my other friend's computer I got rid of it successfully but did it quite carelessly without a HJT pro's help. I know the infection and could probably get rid of it myself with ComboFix or VundoFix but I'd rather not do it without your guys' direction. Thanks.

On another note, is there a better free anti-virus than AVG? Should I replace AVG with another one or is it fine?

Now for the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:18:30 PM, on 2/24/2008
Platform: Windo... Read more

More replies

I discovered one day while browsing that suddenly I'm getting tons of pop-up windows out of the blue so I check my pop-up blocker. It's intact and seems to be functioning, so after checking all my firewalls and anti-virus I discover (to my absolute horror, mind you) that my husband has for some strange and unknown reason disconnected my computer from our network and decided to connect it directly to the cable and go on a browsing spree...unprotected.../bangsheadondesk...repeatedly.

Since then I've run McAfee, Windows OneCare & Defender; discovering in the process that whatever virus it is continuously disables those defenses as well as automatic updates. Did some more digging and uninstalled all of those in favor of Kaspersky Internet Security 8.0, which has been very helpful in identifying that I seem to have more than one virus; i.e. Vundo, Virtumonde, MS Juan, Win32.generic, and a host of others. (Yay me! /sigh) As per a post I read here while searching for help, I've installed and run HJT and Malwarebytes, and ComboFix is installed for when it's needed. Per the prep guide before posting I've also run the DDS tool and have the logs to post below this.

I mostly use this computer for my writing, research, web browsing and mmorpgs I play (WoW, FFXI) but this is driving me insane, any and all help with cleaning this mess up would be greatly appreciated. Games I can always reinstall and update but research and my novels are a different matter, can't afford to lose ... Read more

Answer: Infected with Vundo, possibly others

Please download ComboFix from Here or Here to your Desktop.
**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
If you are using Firefox, make sure that your download settings are as follows:
Tools->Options->Main tab
Set to "Always ask me where to Save the files".
During the download, rename Combofix to Combo-Fix as follows:

It is important you rename Combofix during the download, but not after.
Please do not rename Combofix to other names, but only to the one indicated.
Close any open browsers.
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------
Close any open browsers.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
Please do not attempt to re-connect your machine back to the Internet until Combofix has compl... Read more

9 more replies

(This is a repost as I was instructed, though dds will not function. A DOS window pops up and says exactly this, and does nothing: "'dds.cmd' is not recognized as an internal or external command, operable program or batch file. C:\WINDOWS\system32>" I have simply copied and pasted my old post with the original HijackThis report. I need some help before this thing shuts my system down, which I fear is quite possible.)
My computer has been running slowly for a few months now, bogging way down when I run any program, and I'm sure it's some kind of malware. I can't get rid of it with any program: Spybot, Ad-Aware, Malwarebytes, AVG, Doctorweb, Superantispyware, etc. So whatever.
Now I recently got this "Your computer is infected! Windows has detected spyware infection..." little [email protected] pop-up, with a little red X in my clicklaunch buttons. I know it's some kind of trojan, and I can't get rid of it! I'm sure there's tons wrong with my system, but this one just has to go. I know it's associated with brastia.exe, but I've got to find a way to get rid of it all and make sure it stays gone!
This is where I need help. Can someone please have a look at my HijackThis report? I've used the auto-analyzer on HijackThis.de, but it doesn't recognize everything, and I'd like to get rid of the years of neglected problems and be sure it's done right. And can anyone suggest a program specifically known to remove brastia.exe and associated files?
P.S. I thi... Read more

Answer: Possibly vundo, with little red X and pop-up window

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. Please visit HERE if you don't know how. Please re-enable them back after performing all steps given.
Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.
Link 1
Link 2
Link 3
Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
If ComboFix asks you to install Recovery Console, please do so. It will be in your best interest.
When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply.
Note: DON'T do anything with your computer while ComboFix is running. Let ComboFix finish its job.

67 more replies

Ok. I have had this virus on my computer for some time now and I can't seem to get rid of it. I have downloaded many tools and removal programs but none have seemed to work. The file where the virus is can't be deleted for some reason. I believe it's some kind of adware because pop-ups constantly interfere with my net surfing. Can anyone please help me?????

Answer: Trojan Vundo B possibly? Need Help!!!!

Hello and welcome to TSF.

Please follow our 5 Step process outlined here:

http://www.techsupportforum.com/secu...oval-help.html

After running through all the steps, please post the requested logs.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.

1 more replies

I have done many scans on many programs (AdAware, AVG Free 8.0, ClamWin AntiVirus) and most have said that I have Vundo. I also did a scan with VundoFix but it did not find anything. I also did VirtumundoBeGone and it said that there was nothing either. I know that I still have an infection because I keep getting pop-ups about a Registry Cleaner and etc. on IE even though I am on Mozilla Firefox (which is also my default browser).
Here are the requested logs:
Deckard's System Scanner v20071014.68
Run by Administrator on 2008-08-03 21:15:22
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- System Restore --------------------------------------------------------------
Successfully created a Deckard's System Scanner Restore Point.
-- Last 5 Restore Point(s) --
12: 2008-08-04 02:16:47 UTC - RP360 - Deckard's System Scanner Restore Point
11: 2008-08-03 19:54:42 UTC - RP359 - Installed iTunes
10: 2008-08-02 23:00:27 UTC - RP358 - Installed Ad-Aware
9: 2008-08-01 17:09:47 UTC - RP357 - Installed AVG Free 8.0
8: 2008-07-31 20:29:21 UTC - RP356 - Restore Operation
-- First Restore Point --
1: 2008-07-31 18:32:10 UTC - RP349 - Removed MapleStory.
Backed up registry hives.
Performed disk cleanup.
Percentage of Memory in Use: 86% (more than 75%).
Total Physical Memory: 128 MiB (512 MiB recommended).
-- HijackThis (run as Administrator.exe) ---------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:24:19 PM, on 8/... Read more

Answer: Vundo Infection Or Possibly Something Else

Hello fofomazuzu,
Please download Malwarebytes' Anti-Malware from Here or Here
Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and Paste the entire Malwarebytes' Anti-Malware report in your next reply along with a fresh DSS Main.txt log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately. If you encounter this message:
"c:\program files\malwarebytes' Anti-Malware\mbamext.dll Unable to register the dll/ocx: RegSvr32 failed with exit code 0x5"
Click on ignore mbamext.dll

10 more replies

Have been trying to fix this on my own for about 3 days. Have got rid of some problems but still have a few. Spybot can't remove the virtumonde.dll even when you let it run at restart. I have Ad-Aware SE and cannot get Ad-Aware 2007 or the Stinger program to download and work; I get an error message saying "not a valid win32 application" when trying to install them. I am getting several pop-ups and hangups in most applications. Also get the "connect to the internet or work offline" box when starting the computer, occasional warning messages about being redirected to another site while just sitting still on one site, HouseCall for example while scanning. HouseCall also found and removed several problems but did not find Virtumonde. Here is a HJT log. Thanks in advance, and will wait for your reply.
EDIT -- Had to come back with a new HJT log as I had a previous version of HJT and after I downloaded and ran the new one, Norton popped up saying I had a Vundo infection as well. Something keeps stealing the focus from IE but nothing pops up half the time, just acts like you clicked outside of the IE page and you have to click it again. So something is definitely working in the background. Here's the latest HJT log. Again, thank you.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:45:14 AM, on 2/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\... Read more

Answer: Virtumonde.dll, Vundo And Possibly More

Welcome to the BleepingComputer HijackThis Logs and Analysis forum 94z28inok
My name is Richie and I'll be helping you to fix your problems.
The current formatting of your log makes it difficult to read/evaluate.
Open 'Notepad', click on 'Format' at the top, then uncheck 'Word Wrap' if it's checked.
If you have previously downloaded ComboFix, please delete that version now.
Warning
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is intended by its creator to be used under the guidance and supervision of an expert, NOT for private use.
Now download Combofix by sUBs and save to your desktop.
Alternative Combofix download link HERE.
Note It is important that it is saved directly to your desktop
Do not run it just yet.
Now please go here and follow the instructions to install the Recovery Console:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Now close any open browsers.
Double click on Combofix.exe and follow the prompts. When it's finished it will produce a log. Post the entire contents of C:\ComboFix.txt into your next reply.
Note Do not mouseclick combofix's window or do anything else on your pc while it's running. That may cause the program to freeze/hang. Do NOT post the ComboFix-quarantined-files.txt unless I ask.
Note In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and redownload Combofix again.
Some scanner... Read more

5 more replies

Machine is a HP Compaq dc5100
Intel(R)
Pentium(R) 4 CPU 2.80GHz
2.79 GHz, 1.99 GB of RAM

Windows XP Pro Service Pack 3.

Boots into windows fine..

But I get pop-ups in Internet Explorer telling me that the PC is infected.. these are not from the current anti-virus program which is AVG..
It appears on the screen that it is scanning the files to search for the virus..
Also when I click on a link most of the time it doesn't bring me to the desired location but to another site..

I ran Spybot Search & Destroy which said it has removed various trojans but it seems to keep coming back..

Utorrent was installed on the machine but has been uninstalled and if any content was downloaded it has been deleted.

In msconfig there are a few entries I don't recognise; these are listed below:

pularewi - rundll32.exe"C:\WINDOWS\system32\pularewi.dll",b

janufini - Rundll32.exe"c:\windows\system32\janufini.dll",a

wokufime - rundll32.exe"C:\WINDOWS\system32\wokufime.dll",s

-----------------------------------------------------------------------
So all in all..
-Lots of pop ups
-Misleading links (directed to another site)
-AVG errors cant seem to deal with the trojan .. just finds it over and over again
- Entries in startup I don't recognise.

-----------------------------------------------------------------------
Currently installed protection is AVG Free 8.5 and Spybot Search & Destroy

below is the log request and the further... Read more

Answer: Vundo.GU Trojan & possibly others

Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

While Spybot's TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent tools from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your logs are clean.
Open Spybot Search & Destroy.
In the Mode menu click "Advanced mode" if not already selected.
Choose "Yes" at the Warning prompt.
Expand the "Tools" menu.
Click "Resident".
Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
If TeaTimer gives you a warning that changes were made, click the "Allow Cha... Read more

2 more replies

I started getting virus/malware notices from AVG8.0 last week. I've tried all of the tools below, and all had a similar result. The virus would be found and removed, but would come back usually within 30 minutes. Sometimes it would come back after a reboot, sometimes it would come back after browsing (this site and hotmail) for a few minutes. Sometimes consecutive scans would not find the virus, then trying another tool would find it.

I've tried:
-----------
AVG 8.0
AVG 9.0
Adaware
MalwareBytes (Free Version)
VundoFix
SpywareBlaster
PC Tools Internet Security (Currently on 15-day Trial)

I also tried to boot into safe mode, but Windows crashes (blue screen) before the Windows splash screen loads. I tried with and without networking. I've had different combinations of the programs listed above installed simultaneously, but for the past 24 hours I've had only PC Tools and MalwareBytes installed. I've run both of these programs in Full Scan mode several times.

The identified malware has varied. I've seen numerous randomly named .dll's. I've seen Trojan Horse Generic15.ACRY (or something close to that). I've seen umonde\c. I've seen Vundo, Vundo.H, Vundo.II and others. Most recently I saw RegistryDefender.

Logs are attached below. I will really appreciate any help resolving this. Please let me know what additional information you need.

Thanks in advance.
DDS (Ver_09-10-26.01) - NTFSx86
Run by Aimee at 17:30:05.50 on Mon 11/02/2009
Internet Explorer: 8.0.6... Read more

Answer: Infected w/ Vundo and possibly others

Hello and welcome to Bleeping Computer
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.
If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.
Thanks and again sorry for the delay.
We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll... Read more

11 more replies

I am having an issue with some sort of pop-up malware. I've come across a couple of posts that list some of the files that keep popping up as potential files associated with the Vundo virus. I downloaded a Vundo fix program but it does not seem to help. I can clean the issue up, but as soon as I reboot it starts all over again.
I have used multiple scanning and cleaning tools and nothing seems to work. I also seem to have something that is using up a lot of my processor's availability; it may be one and the same issue. I have Security Task Manager which has shown that TMListen is one of the processor hogs. According to the listing in Security Task Manager it is part of my anti-virus program but when I quarantine the TMListen my processor issues improve dramatically. If you need any further information please let me know.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:55:19 PM, on 3/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Progra... Read more

Answer: Infected With Ad Pop-up Possibly Vundo

Hello jlegnosky,
Welcome to Bleeping Computer
I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with the fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
You can re-enable TeaTimer once your system is clean.
This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.
1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Thanks,
tea

15 more replies

This virus was caught by AVG, and I want to believe that Spybot S&D stopped the registry changes, but I'm not sure. Using AVG and Avira hasn't gotten rid of it, despite moving it "to the virus vault".

Here are my DDS logs. I attempted to run RootRepeal, but after 8 tries so far, I haven't gotten a report. The computer freezes up almost entirely, with movements of the mouse suddenly being registered all at once every 10 minutes or so. The longest I've gone with it running is 90 minutes and that ended with the Bluescreen.

So far, the virus hasn't seemed to affect functionality, other than throwing up a few new windows full of ads in Firefox. This, of course, makes me suspicious that it's simply doing things that I can't see and I don't want my passwords or anything heading down to anyone else. I've refrained from logging in to most things, especially my online banking.

Any help would be much appreciated. Thanks!

EDIT TO ADD: I ran AVG one more time, just to make sure it was still there. At the exact same moment, AVG and Avira popped up about "C:\WINDOWS\system32\kewowupa.exe". Avira says "TR/Crypt.ZPACK.Gen Trojan" and AVG says "Generic14.AZYX".

DDS (Ver_09-07-30.01) - NTFSx86
Run by Crash at 23:49:35.09 on Sat 09/19/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_03
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1384 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access s... Read more

Answer: Infected by Vundo and possibly more

Hello and welcome to Bleeping Computer
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.
If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.
Thanks and again sorry for the delay.
We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll... Read more

2 more replies

I'm pretty sure that's the problem. I run VundoFix and delete what it finds, but it keeps coming back! And I don't even want to think about how many other problems there must be on there. Please help!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:33:56 PM, on 7/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TDispVol.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ltmoh\L...

Answer: Solved: Possibly Vundo


I have run Malwarebytes, a-squared, and SuperAntiSpyware with no luck fully removing the infection. I had the Comodo firewall but removed it recently, and wouldn't you know it, I got infected.

Any help is greatly appreciated
DDS (Ver_09-10-13.01) - NTFSx86
Run by Alex at 18:32:05.48 on Wed 10/14/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1200 [GMT -4:00]

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
D:\WINDOWS\system32\svchost.exe -k netsvcs
D:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
D:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
D:\WINDOWS\system32\spoolsv.exe
svchost.exe
D:\Program Files\a-squared Free\a2service.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\McAf...

Answer: Vundo infection ... possibly others as well

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.

Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif

Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll...


Yep, I downloaded a nice little DJ program off PB which had a bunch of nasties when I ran the installer. I had the red 'x', the random file names popping up in my tray as "corrupt, plz use chkdsk utility." Also, it redirects me to random sites, I get random ad popups, and I am denied access to certain sites (including this one) unless I go behind a proxy, which I am currently doing. Here are my RSIT output logs, with 'log' first and 'info' second. Thanks guys. (PS: I always check out my files before I dl them, this one had no issues reported on the bay, so I was surprised to say the least)

Logfile of random's system information tool 1.04 (written by random/random)
Run by Ty at 2008-12-04 14:19:10
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 4 GB (16%) free of 27 GB
Total RAM: 1006 MB (66% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:19:15 PM, on 12/4/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSsystem32spoolsv.exe
C:WINDOWSExplorer.EXE
C:WINDOWSsystem32ctfmon.exe
C:Program FilesInternet Exploreriexplore.exe
C:Documents and SettingsTyDesktopRSIT.exe
C:Program FilesTrend MicroHijackThisTy.exe

R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://google.com
R1 - HKCUSoftwareMicr...

Answer: Trojan - Vundo, possibly more

Hi MBA_Ty,

Welcome to BC HijackThis forum and sorry for the delay. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.

Your log(s) show that you are using so called peer-to-peer or file-sharing programs (in your case Azureus, LimeWire, BitTorrent, eMule). These programs allow users to share files between each other, as the name(s) suggest. In today's world cyber crime has come to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

Removal Instructions

Note: The logs are all missing the \ separator and are not readable. Let's try this:

When the first log opens go to the Format menu and make sure Wordwrap is Unchecked.
Go to Edit -> Select All.....Edit -> Copy
Then log into this thread by using the Add Reply a...


I have what seems to be a persistent malware/rootkit infection on my PC which is running Windows XP. When I initially contracted it, both Avast! and MalwareBytes detected several files infected with what they classified as rootkit infections. Currently Avast! does not detect any remaining infections, but a scan by MalwareBytes consistently reports the following two infections: "Trojan.Vundo", classified as "Registry Value" and located at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Iopefohesu", and "Disabled.SecurityCenter", classified as "Registry Data" and located at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify". MalwareBytes then states that it needs to reboot the computer in order to remove these infections, but after it does so, those infections are still present when I run the same scan again. Additionally, my computer has now begun to exhibit a sharp decline in processing speed within 5 to 15 minutes after reboot, rendering it essentially inoperable. I have frequently had to manually restart the computer due to this issue while attempting to run scans and/or access this site. I have read and followed the instructions detailed here, although I have been interrupted during this process by the performance and rebooting issues I describe above, and attempted to restart the process from scratch a couple of times before realizing that I wasn't likely to get all the way through it without having to stop and reboot. Be...

Answer: Infected by Vundo(?), possibly more

Hello and Welcome to Bleepingcomputer

Please note we are very busy, so if I don't hear from you within 5 days the topic will be closed. If you have since resolved your issues I would appreciate if you would let me know so I can close this topic.

Please download ComboFix from one of these locations:
Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed, click on Yes, to continue scanning for malware.

When finished, it wi...


Not sure how to handle this problem, it's causing multiple pop-ups and even causing random BSOD. I tried Ad-Aware and Spybot S&D, but both seem to freeze up during the process, and won't work in safe mode. Tried Malwarebytes and it cleaned up a few problems but the VUNDO.H seems to keep coming back. I'm sure I have other problems as well. Please, I need an expert opinion, any help would be appreciated thanks!

Included is a HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:39:12 AM, on 12/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Google\Com...

Answer: VUNDO.H infection/possibly others!

texjim

Please download Combofix and save to your desktop:
Note: It is important that it is saved directly to your desktop.

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log. Post the contents of the C:\ComboFix.txt into your next reply.

Note: Do not mouseclick combofix's window whilst it's running. That may cause the program to freeze/hang.


DDS (Ver_09-05-14.01) - NTFSx86
Run by Derek at 15:44:57.31 on Mon 05/25/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2167 [GMT -7:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k eapsvcs
svchost.exe
C:\WINDOWS\System32\svchost.exe -k dot3svc
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\WINDOWS\vsnp2std.exe
C:\Program ...

Answer: Virus Help! Possibly Vundo?

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.

Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

-----------------------------------------------------------

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif

Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, ...


This is my first post so I'll try to keep it short. I've managed to get Vundo through a bad .exe off the internet and based on what I've read about Vundo on other posts on this website, this may be a new strand. I've noticed the BHO it installs and the 5 letter random named dll it puts in the system32 folder (McAfee catches that). When it came first, my scanner pulled Vundo up as css[#], that being the filename with a random number inside. I found a couple of these which were in my Temporary Internet Files folder. Then it downloaded several other trojans or harmful files. Included was an a.exe, which I wasn't sure what it was as my log doesn't show it but file manager showed it, a b.exe which downloaded as two files, one being named 17pholmes1188.exe, listed as generic downloader.k in my WINDOWS folder, and 17pholmes[1].cmt, in my T.I.F. folder. Then a Backdoor-CVT was downloaded as win.exe and win[1].exe. My virusscanner soon deleted all of those but the css[#] which I'm having problems with. The reason I listed new strand was because it seems that the css file copies two copies of svchost.exe that's used by Windows into the WINDOWS/Fonts folder and runs different modules from them. In addition, they for some reason downloaded tons of folders with cracks in them for no reason into the font folder and I'm thinking each one contains the source trojan. On the svchost.exe's, they also open up communication with a remote host which stops onc...

Answer: Help With Vundo! Possibly New Strand

Ok, I tried both tools and they said Vundo didn't exist. I need help now removing the css file, wvuttu.dll which infected system.ini and possibly explorer.exe, the svchost.exe in the fonts folder, and also the wvuttu BHO. When I logged on today, my virusscan once again deleted 3 downloaders, generic and BEC. My resident won't let me disable the wvuttu.dll or the corrupted svchost.exe as I had blacklisted them and need to know how to change that. Something also jammed up my Windows search and my notepad also. I've listed a Spybot SD log and Resident log below and could someone check it out and tell me how to kill this thing once and for all?

Spybot SD Log
--- Search result list ---
--- System information ---
Windows XP (Build: 2600) Service Pack 2 / .NETFramework / 1.1: Microsoft .NET Framework 1.1 Hotfix (KB928366) / .NETFramework / 1.1: Microsoft .NET Framework 1.1 Service Pack 1 (KB867460) / Internet Explorer 6 / SP0: Windows XP Hotfix - KB834707 / Microsoft .NET Framework 2.0: This Security Update is for Microsoft .NET Framework 2.0. \nIf you later install a more recent service pack, this Security Update will be uninstalled automatically. \nFor more information, visit http://support.microsoft.com/kb/917283 / Microsoft .NET Framework 2.0: This Security Update is for Microsoft .NET Framework 2.0. \nIf you later install a more recent service pack, this Security Update will be uninstalled automatically. \nFor more information, visit http://suppor...


I've been getting various virus/trojan warnings since yesterday, though I did turn the machine off after I started getting them until I had a chance to work on it today. AVG, Spybot, Ad-Aware, etc. all keep finding problems, but they keep coming back, especially after rebooting.
DDS (Ver_09-01-19.01) - NTFSx86
Run by dan at 11:20:59.43 on Sun 01/25/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2179 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ASUS\Drive Xpert\SteelVine.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS ...

Answer: Vundo trojan, possibly others

Please download Malwarebytes' Anti-Malware from HERE or HERE
Note: If you already have Malwarebytes' Anti-Malware, just run and update it. Then do a "Perform Full Scan".

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Full Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy & Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

NEXT

Please download RSIT by random/random and save it to your Desktop.
Double click on RSIT.exe to run RSIT
Before you click "Continue", make sure you change the List files/folders created or modified in the last 3 months
Click Continue at the disclaimer screen.
Once it has finished, two lo...


I was surfing the net and all of a sudden McAfee started giving me several virus alerts, letting me know that it had deleted files related to Vundo. I was immediately suspicious and downloaded the Vundofix tool (as well as doing a scan using McAfee), however no further Vundo errors were found.

I rebooted and sure enough, Windows security center said updates were turned off (and it wouldn't let me turn them on), and when I tried out the browser, I started getting popup advertisements from anti-spyware outfits (phoney no doubt). The adverts are random new browser instances on a fairly regular basis.

I ran McAfee and Vundofix again with no luck.

I followed the instructions on this forum to create DDS.txt and ATTACH.zip (which I am including). GMER.exe output is also included.

Here is DDS.txt
================
DDS (Ver_09-02-01.01) - NTFSx86
Run by phantom at 20:50:34.07 on Sat 02/14/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1363 [GMT -8:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile De...

Answer: Possibly Vundo virus, but maybe not

Hi izfredx,

Step 1

Please disable McAfee Antivirus temporarily as it may interfere with the fixes. Remember to re-enable it back before posting back the logs.

Please navigate to the system tray on the bottom right hand corner and look for a sign.

Right click on the icon and select Exit.

A popup will warn that protection will now be disabled. Click on Yes to disable the Antivirus guard.

Step 2

Please visit this page to download and run Combofix - http://www.bleepingcomputer.com/comb...o-use-combofix

Save it to your desktop.
Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. You will see the following message if Microsoft Windows Recovery Console is not installed.

With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures....


This is my friend's computer and there's quite a few infections on it. AVG Free picked up about 26 trojan infections about seven minutes after starting the scan. So far there's no more from what I've scanned. Ad-Aware picked up a couple of spyware infections as well.

But I think there's a Vundo infection too; there's the red X as the C: drive icon as well as the thousands of tmp files in the root of the C: and the My Documents folder. It also has the thousands of randomly named .dll files. There are also two icons on the desktop named "Help and Support Center" and "Windows Update" which lead to a url for Storage Protector. There's a third icon that says "Internet Security Suite" that leads to:
http://ad.outerinfoads.com/reficon?bid=4047&pid=1600&oid=5&fid=99001281
I'm not sure if the above URL has to do with Vundo, though.

Anyway it would be great if you guys could help me with removing Vundo. Last time I did it with my other friend's computer I got rid of it successfully but I did it quite carelessly without a HJT pro's help. I know the infection and could probably get rid of it myself with the Combofix or the Vundofix but I'd rather not do it without your guys' direction. Thanks. On another note, is there a better free anti-virus than AVG? Should I replace AVG with another one or is it fine?

Now for the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:18:30 PM, on 2/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Inte...

Answer: Vundo Infection + Possibly Others

Hello akiratheoni,

Welcome to the Bleeping Computer Malware Removal Forum, sorry for the delay in responding, but the amount of people posting with infected computers is through the roof and we sometimes can't get to logs as fast as we would like to. If you have not resolved this issue and still need assistance, post a new HJT log as your system may have changed since your original post.


Here are the extent of my problems, in the order they appeared:
1a. I discover I cannot view the Task Manager Running Processes Window.
1b. Firefox crashes repeatedly
2. Google search redirects to advertising page
3. Avira Antivir (Free Version) will not update. Scan detects no problems
4. Malwarebytese will not update. Scan detects no problems
5. Spyware S&D updates. Scan detects no problems.
6. I post HiJack this log to bleepingcomputer. Am instructed to run DDS and re-post.
7. DDS will not run. I uninstall Firefox
8. Windows Defender updates, scan detects no problems.
9. Ad-Aware Updates, scan detects 3 Trojans. Trojans removed.
10. Computer re-started.
11. Problems persist (Antivirus will not update, DDS will not run, Malwarebytes will not update)
12. I discover that regedit will not open.

Note: HiJack this will run, and I can post if necessary.

Answer: Can't run DDS, myriad other problems, possibly a Vundo?

Problem solved with ComboFix


The past week and a half I've been working nearly non-stop to fix virus issues on this computer and I'm hoping that I have them all off, but my startup takes forever and the system is slow at times. The biggest problem I faced was removing the Vundo Trojan. I'm hoping I got the last of it this weekend, but now I'm worried there may be something else. Every time that I boot up my computer, just after windows has loaded and the desktop displays, I get an error message saying that the file "C:\WINDOWS\system32\pmklk.exe" cannot be found, and it appears to be needed for some program upon startup. I've researched the specific file, and it appears to have a virus background, but cannot seem to figure out which one. Below is my HijackThis log file.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:27:05 PM, on 1/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared&...

Answer: Remnants Of Trojan.vundo? Possibly Others

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you.

Please download ComboFix and save it to your desktop.
Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


For the last five weeks I've been dealing with redirections and new window spawns from google and other search engines, and now my browser is being sent directly to some third party search engine. I'm leery of typing any information on the computer that is sensitive. I've run malwarebytes, norton, ad-aware and some other AV programs to no avail.
DDS (Ver_09-01-07.01) - NTFSx86
Run by Paul at 18:44:15.78 on Wed 01/14/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3582.3049 [GMT -8:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated)
FW: Norton Internet Security *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Norton Internet Security\...

Answer: Infected with vundo and possibly rootkit

Hello Paul918 and welcome to Bleeping Computer,

1. Please download GooredFix and save it to your Desktop.
Select "2. Fix Goored" by typing 2 and pressing Enter. Make sure all instances of Firefox are closed at this point.
Type y at the prompt and press Enter again.
A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

2. Please read this tutorial (http://www.bleepingcomputer.com/combofix/how-to-use-combofix) carefully to download ComboFix from one of the locations specified, and save it to your Desktop.
Double click the ComboFix icon to run it.
If ComboFix asks you to install the Recovery Console, please do so.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.
Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.
Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. If you have any questions along the way, STOP and ask them before proceedin...


Alright. So a couple nights ago I was writing a paper for a class, and I left my internet browser up while I took a shower. I had three tabs up, one was Gmail, the other two were Peer Essay websites. I was using them for writing ideas NOT for plagiarism! lol. Anyways, back to the point. When I came back, somehow Antivirus 360 had downloaded itself, and was scanning and just doing all sorts of weird things. I then had to run a virus check with my software, and a Spybot Search and Destroy scan. I had hoped it would resolve the problem. But every time I get it back down to just Vundo, it seems to recover everything else. I have the EZ Trust Antivirus program, and it has detected Vundo upon startup of my PC. But no matter how many times I run any virus scan I have tried so far (Norton, McAfee, and EZ Trust), regardless of whether my internet is connected or not, it doesn't fix the problem. It's slowing down my computer, starting popups in Firefox and Internet Explorer, installing random icons on my desktop, and significantly slowing down applications such as iTunes. Posted below is my HijackThis log and any help you can offer me is GREATLY appreciated. Thank you.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:49:04 PM, on 2/13/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system...


Hi all,

I've been fighting with this pesky problem for about 2 weeks. I first noticed the popups when using Internet Explorer. The popups were for "Winfixer." Since about a week ago, my Internet Explorer doesn't work at all. I am unable to connect to any webpage. Right now, I'm using Firefox, which seems to be working fine (no popups even). I use Spysweeper and Norton 360. Norton has picked up trojan.vundo and vundo.b -- but doesn't seem to do anything with them. I also downloaded and ran the vundo fix, and it found nothing. I'm also getting an error message when booting up that says, "Error loading C:\Windows\system32\rujgptbx.dll - The specified module could not be found." The computer is also running quite sluggish, but I guess that's to be expected when there are viruses infecting the computer, eh?

I did all the steps in the READ & RUN ME FIRST and Vista Cleaning procedure files, with pretty much no problems except for the fact that I could not update virus definitions automatically. I had to resort to manually installing them except for Malwarebytes; I could not find anywhere to download just the definitions. I was wondering if that had something to do with my IE being disabled?

Anyhow, I've attached the logs. Any help is MUCH appreciated. Thanks.
 

Answer:Vundo Trojan... and possibly some others? Help needed please!

...and here's the last one:
 


Getting popups in Internet Explorer alerting me to download virus scanners and spyware detection software. Here are the logs from DSS:

Deckard's System Scanner v20071014.68
Run by James Ison-Stierer on 2008-05-16 12:40:02
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 2 Restore Point(s) --
2: 2008-05-16 11:40:18 UTC - RP2 - Deckard's System Scanner Restore Point
1: 2008-05-16 11:04:20 UTC - RP1 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as James Ison-Stierer.exe) ----------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:41:41, on 16/05/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C...

Answer:Possibly Infected With Vundo Virus

Hello Vinchenzison and welcome to BC. Let's see what we can find. Please follow the steps below in order:

Before running a new scan let's clean out the temporary folders. Download ATF Cleaner to your Desktop.
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
If you use Firefox browser, do this also:
Click Firefox at the top and choose Select All from the list.
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
Click Opera at the top and choose Select All from the list.
Close ALL Internet browsers (very important).
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Now download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
Close ALL OTHER PROGRAMS.
Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
In the Drivers section click on Non-Microsoft.
Under Additional Scans click the checkboxes in front of the following items to select them:
Reg - BotCheck
File - Additional Folder Scans
Do ...


My computer is infected with some kind of browser hijacker which does the following: (1) clicking on a Google search result takes me to an ad site, not to the appropriate link; (2) new instances of Internet Explorer keep popping up, usually with an audio ad, sometimes with a web page; (3) attempts to install anti-spyware programs either fail completely, or the programs will not open.

Windows Defender and the Windows Malicious Software Removal Tool do not detect it.

Here is the DDS log:
DDS (Ver_09-03-16.01) - NTFSx86
Run by sup026 at 10:09:36.74 on Fri 03/20/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.544 [GMT -7:00]
============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\PMService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\ePOAgent\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32...

Answer:Browser Hijacker, possibly Vundo

Hello stevepremo,

Sorry about the delay. If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you. Please do this:
1. Download HijackThis here: http://www.trendsecure.com/portal/en-US/th.../hijackthis.php
2. Click 'Do a System Scan and Save log'. The HJT log will open in Notepad.

Thanks,
tea


Hello,

Thank you very much for any help in removing this idiotic virus from my comp. I am having a lot of problems because of a stupid Vundo virus on my computer. My comp may also have a BHO Trojan, but I'm not certain.

I've scanned my computer so many times with Spybot Search and Destroy, MalwareBytes, Ad-Aware, AVG 8.5, CCleaner, McAfee, etc. Those programs got rid of most of the virus. Every time I've scanned since, they all come back negative for any viruses/spyware, yet I'm still having issues with some programs.

These are the programs that are still acting weird because of Vundo/BHO:

1) Internet Explorer 8 -- It does work, but I can't access Hotmail at all. Also, javascript isn't working. I've uninstalled and re-installed Java to no avail. Also, on the MSN.com front page, the Hotmail box on the left keeps telling me to "enable javascript," but it is.
(Note: Hotmail still works on Firefox -- just not IE8.)

2) AOL Instant Messenger: Opens for one second, then closes. I've uninstalled AIM, re-installed it -- nothing works. Can't use program at all.

3) Windows Media Player: Won't open at all.

4) Windows Vista Sidebar: Doesn't work right; none of the gadgets show up.

5) Windows Defender: Won't open up at startup. Whenever I start Windows, this message will always pop up about Windows Defender:

"Application failed to initialize: 0x800106ba. A problem caused this program's service to stop. To start the service, restart your computer or... Read more

Answer:Still infected with Vundo (possibly BHO Trojan too)...

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results, click no to the Optional_Sca...


Ok, Simple fact there is something on my computer. . .annoying me!
Windows Defender picks it up, but can't do anything.
McAfee picks it up but "cannot completely remove virus"

In my running background apps (processes) I'm finding things like:
a.exe
b.exe
f.exe
fcvgzkts.exe
vytkpwvm.exe
distnoted.exe

As soon as I close most/all of these running processes, the popping up for a fake "anti-virus" trick stops. . .

How can I permanently remove things like this? Usually I would format, but I can't be bothered burning 6 DVDs for the system disks and I currently have no back up for my data. . .

Thanks

Rich
 


Hi

Recently had my hard drive go down and in the process of repairing it I didn't get adequate protection on it in time. Sorted out the relevant installations last week only to discover a host of virus/spyware/adware already onboard. I have a subscription for McAfee Total Protection which I have scanned my system with, along with SpyBot and ZoneAlarm. The most notably consistent infection is SpyBot's discovery of "DeepDive" and "Virtumonde" with every scan, which of course it attempts to delete to no avail. ZoneAlarm informs me that it blocks "Intop.info" when I launch IE for the first time after any restart.

Also worth noting: My wife noticed that she had her "hotmail" and "ebay" accounts hijacked about 10 days ago. The villain had blocked her out of both accounts and was selling iMacs through her eBay. Since then her eBay account has been cancelled by her and her Hotmail was wiped clean and started again (ie: all of the old saved, sent or received files were gone). Not sure if this is related to the problem I'm having now, suspect it might be the case. Anyway please find Kaspersky, then DSS "main" and "extra" logs below:

Thanks for any help you can give me.
jakenbrock

***************************************
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, June 16, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database la...

Answer:Infected With Vundo/virtumonde... And Possibly Others

Hello jakenbrock,

We will run ComboFix. You should NOT use ComboFix unless you have been instructed to do so by a Malware Removal Expert. It is intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

You need to disable your McAfee Antivirus and Spybot TeaTimer before running ComboFix, as they will prevent it from running.

To disable Spybot's TeaTimer:
Run Spybot-S&D
Go to the Mode menu, and make sure "Advanced Mode" is selected
On the left hand side, choose Tools -> Resident
Uncheck "Resident TeaTimer" and OK any prompts

To disable McAfee VirusScan:
Please navigate to the system tray on the bottom right hand corner and look for a sign.
Right-click it -> choose "Exit."
A popup will warn that protection will now be disabled. Click on "Yes" to disable the Antivirus guard.
You successfully disabled the McAfee Guard.

Please visit this webpage for instructions for downloading and running ComboFix: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
To work properly, you must install ComboFix on the Desktop. When following the instructions install the Windows XP Recovery Console if you are using XP. <== IMPORTANT
If you have SP3 installed, SP2 or even SP1 package will work. It is a simple procedure that will only take a few moments of your ...


Hi

I am a new member with limited technical knowledge. My teenage son's laptop has become infected with malware which I have failed to eradicate. He has an IBM R51e Thinkpad with a Celeron 1.5 GHz processor and 704 MB RAM. Running XP Pro SP2. AVG antivirus/ZoneAlarm firewall/Spybot S&D/Windows Defender installed and updated and used.

History so far
1. AVG showed Virus Lop and Trojan Ircbot.DQC in vault. Spybot scan showed Virtumonde.dll trojan
2. I deleted the files in the AVG vault
3. I installed and ran CCleaner, fixing Registry issues and deleting all Temp file issues
4. I installed and ran Vundofix
5. I scanned with Microsoft onecare.live and found Vundo still present
6. I installed Vundobegone and ran in safe mode
7. I scanned again with AVG and onecare.live. AVG showed Trojan BHO.DMH in the vault, and onecare.live showed I still had Vundo infection.
8. I installed HijackThis, and the copy log follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:42:11, on 10/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEn...

Answer:Vundo/virtumonde Infection (and Possibly Others)

Hello there and welcome to Bleeping Computer's security forum.

My name is David, I will be helping you with your log today.

It is a good idea to print off these instructions. There is a possibility some of the instructions will need to be carried out where internet access is not available. It is important that you complete the instructions in the right order, and that you don't miss out any steps.

At the moment there does not seem to be an active Vundo infection, which is of course a good sign. We'll clean up the leftovers in your HJT log, then run a scan to pick up any other infected files.

Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:
O2 - BHO: (no name) - {00FDD2CD-1F6D-427C-B183-7606B3C85A23} - (no file)
O2 - BHO: (no name) - {060BB0AB-4B09-4C51-9ECB-9580A6D08D7F} - (no file)
O2 - BHO: (no name) - {3E2FF924-561F-4D8E-BB42-20A58F0A5211} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {F8943363-B2F4-42BA-8442...

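The O2 entries in the reply above show the two things a triager separates: registrations that HijackThis reports as "(no file)", which are leftover CLSIDs with no DLL behind them, and live entries that point at an unnamed DLL under the Windows directory, which is how Vundo/Virtumonde registers its Browser Helper Object. The script below is an added example and not code from the thread or from HijackThis: it parses the O2 lines of an HJT log, de-duplicates repeated CLSIDs, and sorts them into orphaned, suspicious and benign, listing the registry keys to inspect for each suspicious one. The sample log is constructed for the example; its four "(no file)" CLSIDs are copied from the reply above, the rujgptbx.dll filename is the one another poster in this thread saw in a Windows startup error, and that entry's CLSID and the Adobe line (standing in for a normal, named BHO) are invented.

```python
"""Triage the O2 (Browser Helper Object) lines of a HijackThis log.

Added example for this thread, not code from HijackThis or the forum.
Assumes HJT 2.x line format:
    O2 - BHO: <name> - {CLSID} - <dll path or "(no file)">
The sample log below is constructed (see the lead-in for what is copied
from the thread and what is invented).
"""
import re

O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*?)\s*$"
)
VOWELS = set("aeiou")

# Where a BHO registration lives. Ticking an O2 line and clicking
# "Fix checked" in HijackThis removes the entry under the first key.
BHO_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_KEY = r"HKCR\CLSID"

# Constructed sample: the "(no file)" CLSIDs are from the reply above,
# rujgptbx.dll is from another post in the thread, its CLSID is invented.
SAMPLE_HJT = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {00FDD2CD-1F6D-427C-B183-7606B3C85A23} - (no file)
O2 - BHO: (no name) - {060BB0AB-4B09-4C51-9ECB-9580A6D08D7F} - (no file)
O2 - BHO: (no name) - {3E2FF924-561F-4D8E-BB42-20A58F0A5211} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {D1C2A3B4-5E6F-4A7B-8C9D-0E1F2A3B4C5D} - C:\WINDOWS\system32\rujgptbx.dll
O4 - HKLM\..\Run: [ctfmon] C:\WINDOWS\system32\ctfmon.exe
"""


def looks_random(stem):
    """Crude test for the machine-generated DLL names Vundo variants use
    (e.g. rujgptbx): 7+ lowercase letters with almost no vowels, or a long
    run of consonants. A heuristic, so it is one signal among several."""
    if not (stem.isalpha() and stem.islower() and len(stem) >= 7):
        return False
    vowel_ratio = sum(c in VOWELS for c in stem) / len(stem)
    longest_run = max(len(run) for run in re.split("[aeiou]", stem))
    return vowel_ratio <= 0.2 or longest_run >= 4


def registry_keys_for(clsid):
    """Registry keys to inspect (or delete) for one BHO CLSID."""
    return [f"{BHO_KEY}\\{clsid}", f"{CLSID_KEY}\\{clsid}\\InprocServer32"]


def triage_hjt(log_text):
    """Split O2 lines into orphaned CLSIDs, suspicious live BHOs and benign ones."""
    orphaned, suspicious, benign = [], [], []
    seen = set()
    for line in log_text.splitlines():
        m = O2_RE.match(line.strip())
        if not m:
            continue  # only O2 lines are handled here
        clsid = m["clsid"].upper()
        if clsid in seen:
            continue  # HJT can repeat a line; count each CLSID once
        seen.add(clsid)
        name, path = m["name"], m["path"]
        if path == "(no file)":
            orphaned.append(clsid)  # registration left behind, DLL gone
            continue
        reasons = []
        if name == "(no name)":
            reasons.append("unnamed BHO")
        if re.match(r"(?i)^[a-z]:\\windows\\", path):
            reasons.append("DLL lives under the Windows directory")
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if looks_random(stem):
            reasons.append(f"random-looking filename '{stem}'")
        entry = {"clsid": clsid, "name": name, "path": path, "reasons": reasons}
        if reasons:
            entry["keys"] = registry_keys_for(clsid)
            suspicious.append(entry)
        else:
            benign.append(entry)
    return {"orphaned": orphaned, "suspicious": suspicious, "benign": benign}


if __name__ == "__main__":
    result = triage_hjt(SAMPLE_HJT)
    print("orphaned (fix in HJT, no DLL left to remove):")
    for clsid in result["orphaned"]:
        print("  ", clsid)
    print("suspicious live BHOs:")
    for e in result["suspicious"]:
        print("  ", e["clsid"], e["path"], "|", "; ".join(e["reasons"]))
        for key in e["keys"]:
            print("      check:", key)
```

Orphaned entries are safe to fix in HijackThis because nothing is loaded from them; a suspicious live entry is the one to treat as an active infection, and the DLL it names should be quarantined before the registration is removed, since Vundo variants re-register themselves while the DLL is still loaded in Explorer or Internet Explorer.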

Link to my other topic that I did not respond to: http://www.bleepingcomputer.com/forums/ind...p;#entry1055917

Here is the DDS log.

DDS (Ver_09-01-07.01) - NTFSx86
Run by ping at 21:59:22.07 on Thu 01/08/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_10
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1421 [GMT -5:00]

AV: Norton AntiVirus *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton AntiVirus\Engine\16.2.0.7\ccSvcHst.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Norton AntiVirus\Engine\16.2.0.7\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Seag...

Answer:possibly infected with trojan.vundo

Welcome to the BleepingComputer Forums. Since it has been a few days since you scanned your computer with HijackThis, we will need a new HijackThis log.

If you have not already downloaded Random's System Information Tool (RSIT), please download Random's System Information Tool (RSIT) by random/random which includes a HijackThis log and save it to your desktop. If you have RSIT already on your computer, please run it again.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Please post the contents of log.txt.

Thank you for your patience.

Please see Preparation Guide for use before posting about your potential Malware problem. If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped.

Please post your HijackThis log as a reply to this thread and not as an attachment. I am always leery of opening attachments so I always request that HijackThis logs are to be posted as a reply to the thread. I do not think that you are attaching anything scary but others may do so.

While we are working on your HijackThis log, please:
Reply to this thread; do not start another!
Do not make any changes on your computer during the cleaning process or download/add programs on your computer unless instructed to do so.
Do not run any other tool until instruc...


Hi, I had / have Vundo. I ran MBAM 3 times and it seems to have cleaned the computer pretty well. I don't have any symptoms anymore (was very slow to load webpages etc.) but I want to be sure the machine is clean. MalwareBytes seems to have come up clean on the third run. I also ran HJT after running MalwareBytes. I do not know how to read the HJT Log, so I'm wondering if it's clean? Here are the logs:

MBAM RUN 1:
Malwarebytes' Anti-Malware 1.38
Database version: 2353
Windows 5.1.2600 Service Pack 3

6/29/2009 5:45:03 PM
mbam-log-2009-06-29 (17-45-03).txt

Scan type: Quick Scan
Objects scanned: 222873
Time elapsed: 46 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Troja...

Answer:Vundo infection, possibly cleaned?

Hello and welcome to Bleeping Computer.

My name is Syler, I will be helping you to solve your Malware issues. Whilst I am helping you, I would be grateful if you would note the following:
Please do not run other tools or scans unless I ask you to and follow all the steps I give you, in order.
Copy and paste all logs requested in your reply. Do not attach them unless asked to.
If you don't know or understand something, please don't hesitate to say or ask before you proceed with my instructions.
Please continue to work with me, until I tell you your machine appears to be clean. Absence of symptoms does not mean that everything is clear.
If I do not hear back from you within 5 days of my last post, then this topic will be closed.

Please do a scan with Kaspersky Online Scanner
Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
Click on the Accept button and install any components it needs.
The program will install and then begin downloading the latest definition files.
After the files have been downloaded, on the left side of the page in the Scan section select My Computer.
This will start the program and scan your system.
The scan will take a while, so be patient and let it run.
Once the scan is complete, click on View scan report.
Now, click on the Save Report as button.
Save the file to your desktop.
Copy and paste that information in your next post.

Next

Download random's system infor...

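The post above shows three MBAM runs and asks whether a clean third run means the machine is clean. The check a practitioner wants before accepting that is whether anything removed in one run was reported again in the next: a detection that keeps coming back after "Quarantined and deleted successfully" points to a persistence mechanism that recreates it, which is what several posters in this thread describe. The script below is an added example and not part of the thread or of Malwarebytes: it parses the "<Category> Infected:" sections of an MBAM 1.x log, counts detections per family, and reports items present in two consecutive runs. Both logs are constructed; the three Adware.MyWebSearch keys are taken from the post above, while the Winlogon\Notify key and the rujgptbx.dll file (a location Vundo variants use, named after the DLL another poster in this thread reported) are invented for the example.

```python
"""Compare detections across consecutive Malwarebytes (MBAM) scan logs.

Added example for this thread, not code from Malwarebytes or the forum.
Assumes the MBAM 1.x log layout the post shows: a summary block, then
"<Category> Infected:" sections whose lines read
    <item> (<Family>) -> <action>.
Both logs below are constructed (see the lead-in).
"""
import re
from collections import Counter

SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Infected:$")
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")

# Constructed: a Winlogon\Notify entry, one of the locations Vundo variants
# use to get their DLL loaded, named after the DLL another poster reported.
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rujgptbx"

RUN1 = r"""Malwarebytes' Anti-Malware 1.38
Database version: 2353
Windows 5.1.2600 Service Pack 3

Scan type: Quick Scan
Objects scanned: 222873

Memory Processes Infected: 0
Registry Keys Infected: 4
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rujgptbx (Trojan.Vundo) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\rujgptbx.dll (Trojan.Vundo) -> Delete on reboot.
"""

RUN2 = r"""Malwarebytes' Anti-Malware 1.38
Database version: 2353

Registry Keys Infected: 1
Files Infected: 0

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rujgptbx (Trojan.Vundo) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""


def parse_mbam(text):
    """Return {section: [(item, family, action), ...]} for one MBAM log."""
    results, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header["section"]
            results.setdefault(section, [])
            continue
        if section is None or line.startswith("(No malicious items"):
            continue  # summary block, blank line, or an empty section
        item = ITEM_RE.match(line)
        if item:
            results[section].append((item["item"], item["family"], item["action"]))
    return results


def families(parsed):
    """Count detections per malware family across all sections."""
    return Counter(family for items in parsed.values() for _, family, _ in items)


def _index(parsed):
    # Registry and file paths are case-insensitive on Windows, so key on lower().
    return {(section, item.lower()): (item, family)
            for section, items in parsed.items() for item, family, _ in items}


def persistent(earlier, later):
    """Items reported in both runs: removed once, then back on the next scan.

    Returns (item, family, section) tuples, using the later run's spelling."""
    a, b = _index(earlier), _index(later)
    return sorted(b[key] + (key[0],) for key in a.keys() & b.keys())


if __name__ == "__main__":
    run1, run2 = parse_mbam(RUN1), parse_mbam(RUN2)
    print("run 1 families:", dict(families(run1)))
    print("run 2 families:", dict(families(run2)))
    for item, family, section in persistent(run1, run2):
        print(f"came back ({section}, {family}): {item}")
```

In the constructed runs the MyWebSearch keys and the DLL stay gone, but the Winlogon\Notify key is reported again on the second scan: that is the pattern to treat as an unfinished removal, and the reason the helpers in this thread ask for the registry-level tools (ComboFix, OTScanIt) rather than accepting a clean MBAM summary.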

I think I might be infected with the aforementioned viruses, after reading some of the "symptoms", for want of a better term, in other threads. I occasionally get pop-ups to sites like www.myflicks.com, and "registry cleaner".

I have a small icon in the bottom right which is a red shield with a white border, and a white cross on it. When hovered over, a yellow information box in bad grammar tells me "Spyware infected has detected !". Every 5 minutes or so, a larger yellow box appears telling me there's something wrong with my registry and I need to download a registry cleaner of some sort. I get a similar alert when I left or right click the icon.

I've tried all the methods on the preparation guide to rid myself of whatever this is, but nothing has removed it. I sought out the file - ipmon.exe and tried to delete it and its component (ipmontr.DLL) but ipmon.exe is already in use and can't be deleted, and the DLL file just respawns. As in, for every one I delete, another is created.

Edit: If this helps, also.. Here is my HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 21:11:24, on 28/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files...

Answer:Possibly; Vundo, Winfix, Virtumode

One or more of the identified infections is a backdoor trojan. This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

However, if you do not have the resources to reinstall your computer and would like me to attempt to clean it, I will be happy to do so.

Should you have any questions, please feel free to ask.
Please let us know what you have decided to do in your next post.


Hi there again! This time a friend's computer has exploded into malware goodness. She complained of getting Antivirus XP, so I offered to run the standard suite of scans on it to ensure removal of the baddies. Unfortunately, after running SUPERAntiSpyware, the computer now refuses to boot into Windows, Safe Mode or Normal Mode. She's on the verge of going for a format/reinstall or running recovery console, System File Checker, or chkdsk.

So, ideas on why it would now refuse to boot or what to do about it?
 

Answer:Antivirus XP 2008 and possibly Vundo

OS: Windows XP Professional SP2

An update. I have discovered that Windows actually boots all or most of its processes, except explorer.exe. If I use CTRL+ALT+DEL to open Task Manager and try to run explorer.exe, Windows claims that it cannot find or recognize explorer.exe. However, I can open things such as Opera by browsing for it and running it, I have verified the existence of explorer.exe, but it will not run.

Thoughts on this recent development and the already existing problems?
 


Hi, Happy New Year to all those at bleepingcomputer.com. I found this website which looks very useful and would like help with ridding my PC of malware. So far I have run Lavasoft's Ad-Aware, CCleaner, AVG Free, Spybot S&D, none of which seemed to help whatsoever. Then I tried Microsoft Malware removal tool Dec08 and Malwarebytes which seem to have removed some if not all. Having done this, it seems to have stopped the pop up ads although various programs seem to want to run at start up. Anyway, I have posted below a HijackThis log and wondered if someone could kindly check this for any other funny business. Many thanks.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:33:54, on 31/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\StartupMonitor.exe
C:\Program Files\O2\bin\sprtcmd.exe
C:...

Answer:Infected with Virtumonde and Vundo and possibly others

Welcome to BC

Sorry for the delay.

Since its been more than a week, i need a fresh Hijackthis log. Thanks


About a week ago I started my computer and I had no icons and no wallpaper and a program popped up called Security Tool. Since then I have downloaded McAfee, Malwarebytes, StopZilla, SuperAntiSpyware. I have not seen Security Tool anymore but I know I am still infected because every time I run SuperAntiSpyware it finds a file called Adware.Vundo/Variant-[Fixed] and the last person I spoke with said I have a Rootkit Infection:

Path: c:\windows\temp\mcmsc_xgduyg3lpyeteao
Status: Allocation size mismatch (API: 4096, Raw: 0)
Path: c:\windows\temp\mcmsc_6cmxj0sdkwgnl1a
Status: Allocation size mismatch (API: 4096, Raw: 0)

I really want to get this thing off my computer for good. Also hasn't happened for a couple days but before whenever I would do a scan my computer would shut itself down instantly.

DDS (Ver_09-10-13.01) - NTFSx86
Run by Computer at 2:10:54.10 on Sun 10/18/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.96 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.e...

Answer:Rootkit Infection, possibly Vundo

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll...


My McAfee virus scan keeps popping up with alerts for Vundo trojan and backdoor-CVT virus, but cannot delete or quarantine them. Also I have seen many people post on here that their monitor goes fuzzy and then shuts off when running virus scans and most people are writing it off to hardware problems, but I do not believe that's the case. I believe it has to do directly with one of the viruses, because I have a brand new computer and brand new monitor and it still happens. Please help, the HijackThis log is posted below, thanks

Logfile of HijackThis v1.99.1
Scan saved at 11:16:25 PM, on 11/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Progra...

Answer:Need Help Vundo,Backdoor-cvt Viruses and possibly more


Last Friday I was downloading some video using bittorrent. My Avira antivirus told me it detected a virus. I deleted both the torrent tracker and the video and ran an antivirus scan. I got some hits that Avira told me were Vundo, virtumonde, and Downloader/gen, or something to that effect. Despite the virus scan I still got popup windows. Also on startup my computer hangs for about 1 to 2 minutes where I cannot access the start bar, but I can run anything on my desktop.

I ran the XP cleaning procedure. After running SuperAntispyware, my internet stopped working. I repaired the internet connection as instructed, ran the rest of the scans. I no longer am getting popup windows, but when I click on a link in a google search I am redirected to a different page. My computer also still hangs on start up.

I have attached all the logs as requested. Thank you for your help.
 

Answer: Virtumonde/Vundo possibly other problems

Use windows explorer to find and delete:
c:\Program Files\Mozilla Firefox\extensions\{8E81D5E5-FF01-45DD-A910-3177465F2181}\chrome\content\overlay.xul

You did not attach these logs:
SAS
MBAM
ComboFix
 


Had the famous Vundo virus which I removed on my own, or at least did the best that I could. I was unaware that there were heroes such as yourselves that would take the time to help out people like us. My Antivirus/Malware scanner always finds something new on each scan. Firefox is recently freezing up on startup, which it never did. System is often freezing, which never happened either. I've noticed an increase in the CPU usage of the csrss.exe process when Firefox starts up. The Firewall is enabled on my connection, yet disabled on the router. Wasn't sure what would be the best setup for the firewall.

DDS (Ver_09-03-16.01) - NTFSx86
Run by Attaboy at 19:35:10.85 on 29/04/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1535.610 [GMT -4:00]
============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ASTSRV.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOW...

Answer: Old removal of Vundo possibly still lurking

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif

Double click on the DDS icon, allow it to run. A small box will open, with an explanation about the tool. No input is needed, the scan is running. Notepad will open with the results, click no to the Optional_Sca...


A day or two ago, my computer started giving me messages that my Symantec auto-detect was disabled, and then a message that the svchost general host process for win32 had stopped. After those messages would appear, another box would appear telling me there was a DCOM error and my computer needed to restart. After several reboots, the error and restart messages disappeared, but my Symantec was still being disabled and Internet Explorer ads started appearing. While searching Google for an answer to my problem I noticed that my links were redirected to ad sites. Also at one point an error message for Prunnet.exe appeared telling me it stopped unexpectedly.

I installed eTrust antivirus as well as AdAware and scanned my computer with both, and both came up with several files infected with Vundo. After these programs quarantined/deleted the infected files, nothing had changed. Next I tried the Vundofix program from Symantec which said it found and removed Vundo but the problems persisted. My last attempts at removal have been the Malwarebytes program which also found and removed several files, and the fixVundo program from secured2k as recommended from bleepingcomputer.com although it found nothing.

From that point on my computer has taken a very long time to startup after I enter my password. After it loads, trying to open the internet or almost any other program besides browsing folders will cause the program to load slowly and immediately not respond or not open at all. Ever...

Answer: Infected with Vundo / Prunnet / Possibly More

I am no longer in need of assistance for this virus problem because, needing to use this computer for tasks specific to a timetable, I upgraded from Windows XP to Windows Vista and cleared my hard drive. Thank you for all that you volunteers do at BleepingComputer; even though you didn't help me specifically, I appreciate your services.

Consider my problem fixed.


Hey, I've been trying to get rid of this trojan.vundo.h for a week or so now and it just keeps coming back, and now I think I've got more problems. I've read over a few forums here and would love the help, thanks. Here's my dds.

Brian

DDS (Ver_09-03-16.01) - NTFSx86
Run by Brian Doyle at 16:28:08.35 on Mon 05/04/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.658 [GMT -4:00]

AV: Coreguard Antivirus 2009 *On-access scanning enabled* (Outdated)
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
FW: Norton Internet Worm Protection *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AskBarDis\bar...

Answer: Infected with Trojan.vundo.h and possibly others

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif

Double click on the DDS icon, allow it to run. A small box will open, with an explanation about the tool. No input is needed, the scan is running. Notepad will open with the results, click no to the Optional_Sca...


A couple days ago I seem to have become infected; AVG detected vundo virus.a and it said it was put into the vault, which I then deleted. It seems it must be still there, as I am getting pop ups and redirects in both browsers; also my internet is incredibly slow. I scanned again with AVG and no vundo is found, however a couple different viruses were.

Can anyone help me? I borrowed my father-in-law's computer; I don't want to give it back with viruses.
Running Windows Vista, toshiba laptop 2gb ram, firefox and/or internet explorer.

Thank you in advance
 

Answer: Possibly Vundo virus infection


Hi to all those smarter than me haha

My computer has been infected with something (JS/Agent.1366 I think, but I first thought Vundo). I am getting a pop up pointing to an anti-virus site as discussed in one of the other BC posts: http://www.bleepingcomputer.com/forums/t/183166/avira-detected-trojan/

I ran a scan with Avira AntiVir which was useless, then installed and ran SpyBot which directed me to Vundo, so I researched it and ran a VundoFix which found nothing. I then went through the BC post above. I have uninstalled the ViewPoint Media Player, removed all the old Java apps and installed the new version 11, and then ran Hijack This, and ComboFix. Any assistance in what my next steps should be is greatly appreciated. I have posted the log files from both below (note there are a lot of apps installed that I don't use, as I use this as a typewriter and to surf the web, so if you'd like me to uninstall anything, I'm more than glad to).

Thanks in advance to any and everyone that can help.
R.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:24:25 PM, on 12/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir Pe...

Answer: JS/Agent.1366 or possibly Vundo

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below a staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.com
DDS.scr
DDS.pif

Double click on the DDS icon, allow it to run. A small box will open, with an explanation about the tool. No input is needed, the scan is running. Notepad will open with the results, click no to the Optional_Scan. Follow the instructions that pop up for posting the results. Close the program window, and delete the program from your desktop.

Please note: You may have to disable ...


Hello.

A few days ago I was infected with the Vundo Trojan. I am not quite sure how I got it but it definitely is there. Yesterday my mom received an email from Time Warner saying that a computer from our IP address sent out spam emails. None of us did it so obviously it was a virus. I have run 1 full scan and 2 quick scans with Malwarebytes, but it seems to be to no avail. The scans always turn up with "Trojan.Vundo" files. The computer is currently disconnected from the internet and I am posting this from my desktop downstairs. Please help!

Symptoms:
- The first symptom I received was many ads for bogus antispyware programs popping up in Internet Explorer even though I was using Firefox. Malwarebytes seems to have gotten rid of these popups so this isn't really a problem anymore.
- My Symantec antivirus firewall and Windows firewall were both disabled along with Symantec virus protection and Windows virus protection. I have only been able to enable the Windows firewall after using Malwarebytes.
- Every time I turn on my computer an application error message comes up that states:
The instruction at "0x00656b8f" referenced memory at "0x0000000c". The memory could not be "read".
Click on OK to terminate the program
Click on CANCEL to debug the program
It usually takes a couple clicks on the OK button before it goes away.
- After my desktop loads another message comes up saying:
Generic Host Process for Win32 Services encountered a proble...

Answer: Help I am infected with the Vundo trojan and quite possibly others

Hello.

Unfortunately you have the file infector Virut infection. The only way to proceed is to Format the whole computer and start over.

Virut File Infector Warning

Your system is infected with a polymorphic file infector called Virut and also has IRC bot functionality. Virut is capable of infecting all the machine's executable files (.exe) and screensaver files (.scr) and also web pages (.html and .htm). However, the problem is that the virus has a number of bugs in its code, and as a result, it may misinfect a proportion of executable files and therefore, the files are corrupted beyond repair. In addition, when it infects, sometimes it will destroy the file it tries to latch onto. For these reasons, you really can't truly fix Virut. You will need to reinstall and format the operating system on this machine. As of now, security experts suggest that a clean Reformat is the only way to clean the infection and it is the only way to return the machine to its normal working state.

Backup all your documents and important items (personal data, work documents, pictures etc.) only. DO NOT backup any executable files (software) and screensavers (*.scr) or any web pages (*.html or *.htm). It attempts to infect any accessed .exe or .scr or .html/.htm files by appending itself to the executable.

Also, try to avoid backing up compressed files (zip/cab/rar) that have .exe or .scr files inside them. Virut can penetrate and infect .exe files inside compressed files t...


Hello

Recently I found out that this computer was infected by some malware that made random advertising pop ups to show up whenever I browsed the internet. Also, I noticed that the Automatic Updates in the Windows Security Center has been turned off and I can't seem to turn it on again, even if I tried in the control panel to do so.

I ran malwarebytes and got rid of about 50 threats, including some vundo ones, and was finally able to turn on the automatic updates after a reboot.

I suspect that it was zango that gave me these problems, so I uninstalled it. But I don't know if vundo is officially gone yet, or if there might be other problems.

That's about all I can think of right now. Thanks for giving me the opportunity to come here and I really appreciate it!

-------------------------------------------------------------------------------------------
DDS (Version 1.1.0) - NTFSx86
Run by Owner at 17:53:06.90 on Mon 01/05/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.473 [GMT -8:00]

AV: AVG 7.5.552 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft...

Answer: Vundo Infection and Possibly other Problems

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you with your log.

I apologize for the delay in response. We get overwhelmed with logs at times, but we are trying our best to keep up. If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following so I can have a look at the current condition of your machine.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.

Download and Run DDS
If you already have a copy of DDS, there is no need to download a new one.
Download DDS by sUBs from any of the links below: DDS.com, DDS.scr, DDS.pif
Double click its icon to run it. If you are using Windows Vista, right click it and select "Run as Administrator".
When the scan is finished, two logs will open. Post DDS.txt directly into your reply. Attach Attach.txt.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.
Please download GMER.zip to your desktop from any of the links below: LINK1, LINK2
Right click on GMER.zip and select "Extract All".
Close all other open programs as there is a slight chance your computer will crash.
Double click GMER.exe. Your security programs may detect GMER's driver trying to load. Allow it.
You may see a warning saying "GMER has detected rootkit ...


Alright, so I noticed my system was running like crap and started getting random popups and my autoupdates shut off on their own. Also, had the fake mspywareremover09 popup in the bottom, which was what really tipped me off that I had a problem. I ran Spybot S&D, AVG, and the actual Microsoft Malware Remover and they came up with these infections:
Virtumonde.sci - 1 entry
Smitfraud-C - 1 entry
Virtumonde - 4 entries
Virtumonde.generic - 2 entries
Attempted to fix them through Spybot, said it fixed it, then upon restart came up with the same report. So I ran AVG, found 1 instance of Vundo, attempted to fix it, to no avail. Ran the Virtumonde Remover, didn't come up with any entries. My Windows Autoupdates turned themselves off now, and I can't turn them back on. The infection seems to get worse, then better, then worse again.

So, I'm turning to you guys; I'm providing my HijackThis log for you to peruse to see if you can find any way to fix this bunch of crap that suddenly popped up on my system. Thanks!

--------------------------------------------------------------------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:59:25 PM, on 1/27/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WIN...

Answer: Vundo, Smitfraud-C, and possibly other infection

Just a quick update: Ran Ad-Aware, it picked up the virus Virtumonde as well, said it fixed it, and did nothing. There were a few "unknown" files found as well, which required a restart. Still did nothing. Also ran Symantec's Vundo removal tool and it found nothing.

Guessing the dll is hidden somewhere and attached to my winlogon.exe file, but so far nothing is picking it up that might be able to fix it.

Please help!


Received a laptop to work on - infected with multiple spyware/adware/malware/trojans - including Nebular and Vundo, which showed up in the initial Symantec scan.

I used every removal tool I could find and followed all the instructions on the "Preparation Guide for use before posting a HijackThis Log" guide (although I couldn't get either of the third party firewall programs to work). Things seem better but with all the work it took to get this far, I want to be sure I'm not missing anything.

Thanks in advance!

-----
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:39:52 PM, on 02/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32...

Answer: Possibly Vundo/mezzia/dialer - Help!

Hello jhall,

Welcome to Bleeping Computer

Sorry about the delay. If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you.

Thanks,
tea


Couple days ago I had received errors about c:/windows/system32 files and my AVG had reported that I had received the Vundo trojan. I ran MBAM and Ad-aware and it seemed to have fixed the problem. Then earlier today I had received the same errors about c:/windows/system32 files and AVG reported again that I had the Vundo trojan as well as Trojan Horse Generic13.ARAM and worm/generic_r.FA. I scanned with MBAM and Ad-aware. MBAM didn't detect any malware, but Ad-aware did. It detected win32 as critical malware, but was unable to remove it. In response to the Vundo trojan problem, I had run Vundo fix and virtumundobegone but both didn't detect anything. Please Help!

DDS (Ver_09-05-14.01) - NTFSx86
Run by J at 18:50:43.70 on Mon 05/18/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.220 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\1136004165\ee\AOLSoftware.exe
C:\Program Files\Java\jre1.6.0_07\bin...

Answer: Infected with Win32, Vundo and possibly others

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif

Double click on the DDS icon, allow it to run. A small box will open, with an explanation about the tool. No input is needed, the scan is running. Notepad will open with the results. Foll...


Hi Y'all

Been working on this computer for almost a week now but haven't won the battle.

The user had a Vundo infection. I ran Vundo fix, and VirtuMundo Be Gone, and finally booted it up with a linux livecd to delete all the files manually, after which both VundoFix and VBG found nothing. All clear, right? Of course not. The user still gets popups from Clicksor.net and related crap. I have Comodo Firewall installed, along with Avast home edition and AdAware free edition.

At this point it's a tossup between fixing the dang thing and reinstalling windows (which would be quite a pain because of all the proprietary software installed). Any help will be incredibly appreciated.

(Note: I tried removing the O2 entries with no name and no file, along with the trusted zone websites {O15} but this didn't solve the problem. I restored them because outlook started flipping out but it turned out to be an unrelated issue.)

Please see HijackThis and RootkitRevealer logs below:
 

Answer: Deep infection - possibly Vundo

This link is your friend: http://forums.majorgeeks.com/showthread.php?t=35407
 


Hey,
I am sorry for my previous post where I did not share my DDS or GMER logs. I am having problems with a browser hijacker on my search engines that takes me to the searchclick8 site. I can't get the full URL because I have K9 Web Protection, which will not allow me to go to the page. I also think that there may be a Vundo package on my computer as well because the basic Norton security scan seems to be picking up on that. Here are my Prevx scan results (I just copied and pasted the ones that returned a threat):

[B] c:\windows\system32\kemezuho.dll
[B] (ACTIVE) c:\windows\system32\bolowima.dll
[B] (ACTIVE) c:\windows\system32\wekilila.dll
[B] c:\documents and settings\dan\temporary internet files\content.ie5\qvfmm43i\load[1].php
[B] (ACTIVE) c:\windows\system32\zufeyibi.dll
[BN] (ACTIVE) c:\windows\system32\wurigizu.dll

Previously observed:
c:\windows\system32\boruyani.dll.tmp
[B] c:\windows\system32\lotutove.dll
[BP] c:\windows\system32\vozipizo.dll
[B] c:\windows\system32\jejuvoto.dll
[B] c:\windows\system32\jujofuja.dll
[B] c:\windows\system32\libopeke.dll
[B] (ACTIVE) c:\windows\system32\nukijafu.dll
[BP] (ACTIVE) c:\windows\system32\sazemaye.dll
[BP] c:\windows\system32\doyodige.dll.tmp
[BP] c:\windows\system32\mevabiri.dll.tmp
[BN] c:\windows\system32\lolanayo.dll
[B] c:\system volume information\_restore{92ec12a7-009b-4d77-899d-ff91068a8284}\rp197\a0023644.dll
[BN] c:\system volume information\_restore{92ec12a7-009b-4d77-899d-ff...

Answer: searchclick8 hijacker and possibly vundo

Hello, and Welcome to TSF.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper at this forum.

---------------------------------------------------------------------------------------------

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Place combofix.exe on your Desktop
Disable your AntiVirus and AntiSpyware applications,...


Hello all,

I am posting this DDS report in the hope that someone can analyze this and help pinpoint my problem. About four weeks ago I had my first and rather vicious virus infection, and since then have been trying to get my computer clean. I have been using SAS, Malwarebytes, AVG free edition, Bit Defender, and Avira free edition. For the last week my scans have been coming back clean, but last night my AVG started reporting that two files were infected, but none of my other scanners were picking them up. AVG says it cannot quarantine for some reason, and I am not sure if I can just delete them or not. It says the files are application extensions and deleting them can harm the computer. They are:
C:\windows\ixejesazuku.dll
C:\windows\okoqijiw.dll
The message from AVG says they are infected by Trojan Horse Vundo.DP
After running a full batch of scans again and finding nothing, I found posts on this site dealing with Vundo viruses and ran Vundo Fix and Virtumundo in safe mode and found nothing. Below is my DDS report. Thanks in advance for any help you might be able to give.
DDS (Ver_09-01-18.01) - NTFSx86
Run by Owner at 20:54:52.42 on Tue 01/20/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.501 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)
AV: McAfee Virus...

Answer: still possibly infected by trojan vundo

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you with your log.

I apologize for the delay in response. We get overwhelmed with logs at times, but we are trying our best to keep up. If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following so I can have a look at the current condition of your machine.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.

Please take note of some guidelines for this fix:
Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part...

20 more replies

I'm having several problems. I've tried everything I know how to do but now need professional help.
1. When starting the computer and logging in, only my wallpaper is displayed. I have to press Ctrl+Alt+Delete, then end explorer.exe and run it again for the icons and start bar to appear.
2. Google keeps getting redirected whenever I click a link. I scanned with spyware and virus scanners. Nothing.
3. I scanned with SuperAntiSpyware, and it got rid of lots of viruses/trojans. The little fake antivirus bubble in the system tray is now gone.

I'm hoping someone can help me. Suggest any good program. Thank you. Here's my HijackThis log file.
 

Answer:Vundo Possibly, explorer.exe problems.

Whenever I open My Documents, for example, around 20 or so popups from AVG Free appear telling me that threats have been blocked. And whenever I try to go to Control Panel, the icon on the Start menu brings up My Documents.
The file tree is also always shown on the left instead of the file options.
Anyone have any ideas?

HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:31:16 PM, on 11/23/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.ex... Read more

1 more replies

Hey, I've been having some major problems lately. It started with a warning that I had Vundo, which I've encountered before, so I went and used VundoFix to try and remove it. It detected a Vundo file and successfully removed it, however, more problems seem to be appearing which I'm assuming the Vundo brought in:

My internet works, but something's literally censoring it. Google searches won't load, neither will Yahoo or Myspace or Facebook. However, all my out of the way, smaller sites seem to work, which leads me to believe the virus has blacklisted a few key websites somehow?

I've gotten alerts from Avira that CC/Agent.CZ was detected, and also TR/Crypt.ULPM.Gen. These are all after the VundoFix, and I ran it once again later and it never detected anything.

Here's my hijackthis log file, please help me out, I'm totally open to suggestions which'll improve my performance and especially remove this virus! :)



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:18:20 PM, on 7/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Fil... Read more

Answer:Problems: Possibly Vundo/Something it brought with it?

Please help! I haven't had any luck removing it so far :(

2 more replies

A couple of days ago I received errors about c:/windows/system32 files, and my AVG reported that I had received the Vundo trojan.
I ran MBAM and Ad-Aware and it seemed to have fixed the problem.

Then earlier today I received the same errors about c:/windows/system32 files, and AVG reported again that I had the Vundo trojan as well as Trojan Horse Generic13.ARAM and worm/generic_r.FA.
I scanned with MBAM and Ad-Aware.
MBAM didn't detect any malware, but Ad-Aware did. It detected win32 as critical malware, but was unable to remove it.
In response to the Vundo trojan problem, I ran VundoFix and VirtumundoBeGone, but neither detected anything.

Please Help!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:37:02 PM, on 5/19/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\1136004165\ee\AOLSoftware.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Mozilla Fire... Read more

Answer:Infected with Win32, Vundo and possibly others

bump
 

1 more replies

I'm fixing a customer's PC (originally it had no AV protection; the customer tried to install Panda Titanium 2004 after the fact to fix it, but the program did not install correctly. I used an uninstaller to get rid of it, but there are a few remnants). When brought in, it would boot to the desktop background (no desktop icons or taskbar), but the mouse cursor was fine. I used Task Manager to start the desktop, which would only work for 5-10 seconds before disappearing again.

I eventually ran SmitfraudFix, ComboFix, ATF-Cleaner, Ad-Aware, Spybot, and VundoFix; it did find and get rid of Smitfraud.C as well as Vundo. After that the desktop icons and taskbar appear, but the CPU runs at 100% for about 5 minutes upon booting (the PC is locked up during this), and then runs normally after that. I was getting a pop-up pointing to http://srv.clsubring.net......... . I found and deleted this folder, C:\Program Files\ISM2, and the pop-ups have seemed to stop... for now.

I had installed the NOD32 trial, ran it, and it did find and delete about 5 problems. The customer preferred Norton AV, so I had to remove NOD and install Norton AV 2007, which at this point will not start (I'm assuming because of lurking viruses). There are still problems and I could use some help. Thanks.

Here are the logs for HijackThis, the BitDefender online scan, and Panda's online scanner. Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:10:57 PM, on 10/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE... Read more

Answer:Vundo And Smitfraud.c Infection-possibly More

Disregard...I figured it out.

1 more replies

Hello everyone,
I have been helping someone with a problem where they have a couple of computers which have been showing traces of vundo. The major symptom was a huge number of "msile.exe" processes filling up the task manager. AVG recognizes this (and several random DLL files) as vundo, and is able to remove the threat, but it keeps coming back. I tried vundofix.exe and virtumundobegone.exe and both come up clean.

For now, I have recommended that they use process explorer to suspend the msile process so that it can't generate copies of itself.

The problem is that I can't find ANY information online about msile.exe, so I'm wondering if it's very new.

Another problem is that google thinks I want to search for sm!le.exe. I am purposefully not spelling that word in this topic so that anyone else searching google can search -sm!le and find this result.

Yet another problem is that VundoFix just immediately says "nothing found", but it doesn't appear to scan any files. I suspect this is because the machines are Windows 2000. It does seem to scan and come up clean on a neighbouring XP machine, but on the 2000 it doesn't even list the files it's scanning.

What I'm hoping for is any info anyone might have about this executable. The other thing I was hoping to find out was the functionality of virtumundobegone - I'm wondering if I can manually execute the tasks that it does since it doesn't appear to wo... Read more

Answer:Anyone seen msile.exe (possibly related to vundo)?

Just saw this - looks like it has recently been listed:
http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=77965

Perhaps this is just very new?
 

2 more replies

It started with annoying pop-ups and error messages saying my computer has several fatal errors, after which I was directed to rogue anti-virus software pages. I did a full scan with my Norton antivirus and fixed the problems listed. My computer started running slow, junk advertisements were still popping up, and I could not access certain webpages. So I rebooted my computer, and at start-up an error message came up: "windows failed to initialize userinit.exe properly (0xc0000005). Click on OK to terminate the application." This happened twice. After clicking OK, the desktop loads with no icons nor taskbar. Pressing Ctrl-Alt-Del came up with another error: "This feature has been disabled by the administrator." I wanted to try System Restore; however, I could not go further than one day, which was when I started getting those pop-ups!

Things I have tried (in safe mode):
Malwarebytes' Anti-Malware
SuperAntiSpyware
Spybot Search & Destroy (free version)
VundoFix.exe
FixVundo (from Symantec)

After running Malwarebytes' Anti-Malware, I was able to start Windows in normal mode (with icons and all). But the system was very slow. So I ran it again and it was still picking up threats. I then followed the instructions found here: http://ezinearticles.com/?Remove-Vundo-and...&id=1255229 The final VundoFix scan step did not pick up any threats. So I restarted my computer in normal mode. Again, I got a blank screen (my desktop background was initially set to none). This time, Ctrl-Alt-Del worked.... Read more

Answer:Trojan.vundo That Cant Seem To Be Removed, And Possibly Other Problems. Please Help!

This infection will require further investigation. Before that can be done, you will need to create and post a HijackThis log.

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log" and complete all the steps. There are instructions for downloading and running Deckard's System Scanner (DSS), which will create a HijackThis log for you, or automatically download and install the most current version of HijackThis if it's not already installed on your computer.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day. Start a new topic, give it a relevant title, and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used, and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate it if you post a link to your log back here so we know that you're getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before... Read more

2 more replies

Hello, All:

I find myself in a predicament and in need of experienced assistance. Any and all help/commentary is appreciated.

I am running Windows XP Media Center Edition (SP2). I use IE 6.0.2900.2108.

While visiting a site (virual paradox), I began receiving trojan warnings from McAfee. It looked like McAfee had handled everything.

Upon further surfing, however, and particularly when using a search engine (Yahoo!, Google, etc.), another Internet Explorer window would open. Sometimes several would open. These were ads for various sites (reditty, AV sites, etc.). Initially, I could not close the newly opened browser windows (had to minimize, right-click, or use Program Manager to close).

Here are the steps I have taken to try to remove the problems:
1. VundoFix: I have run this several times and it has found nothing.
2. AIMFix: I can't remember what it found first; the current log shows nothing.
3. BeagleFix: found nothing.
4. Ad-Aware 2007: found registry issues and cookies; said it had fixed them.
5. Spybot Search & Destroy: found registry issues and suspicious .dlls.
The .dlls that Spybot could not fix were eqcaldhn.dll, jkhlg.dll, and sdinapol.dll. I was able to directly delete eqcaldhn.dll and sdinapol.dll, but these were in Startup, so now I'm in selective startup.

I repeated the above steps after disabling System Restore and running in Windows Safe Mode, with the same results. Then I added VirtumundoBeGone to the mix (still in safe mode) and it found further registry changes. After th... Read more

Answer:Popups Won't Stop Possibly Vundo/virtumonde

Hello and welcome to Bleeping Computer. My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you. If for any reason you do not understand an instruction or are just unsure, then please do not guess; simply post back with your questions/concerns and we will go through it again. Please do not start another thread or topic; I will assist you at this thread until we solve your problems. Lastly, the fix may take several attempts and my replies may take some time, but I will stick with it if you do the same.

Sorry for the delay in replying; the forum is very busy. If you still need help, please post a fresh HijackThis log and an Uninstall List (instructions forthcoming).

Step # 1: Rename HijackThis
Rename HijackThis.exe to Scanner.exe by doing the following:
Navigate to here: C:\Program Files\Trend Micro\HijackThis
Right-click on HijackThis.exe.
From the pull-down menu, choose "Rename".
Rename HijackThis.exe to Scanner.exe.
Open HijackThis.
Run HijackThis (do a system scan and save a log file).
Post the fresh HijackThis log.

Step # 2: Download and Run CCleaner
Download CCleaner from here to clean temp files from your computer. Double click on the ccsetup.exe file to start the installation of the program. Select your language and click OK, then Next. Read the license agreement and click I Agree. Click Next to use the default instal... Read more

3 more replies

I keep having the Antivirus 2009 "warning/scanner" pop-up almost every time I start a web browser or go to a different web page. I have run Spybot S&D numerous times and it keeps finding the same infected files, but it doesn't seem to be fixing them like I instruct it to. I have also run Malwarebytes' Anti-Malware with the same results as S&D. I've read forums and removal instructions on this virus, but I can't seem to locate any files that they describe, and I'm not that computer savvy to just start deleting files. If someone could please help me, it would be greatly appreciated. Below is the DDS report and attachment; I hope I'm doing everything right.
DDS (Ver_09-01-18.01) - FAT32x86
Run by user1 at 14:51:27.09 on Wed 01/21/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1270.548 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
AV: iolo AntiVirus *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Supp... Read more

Answer:Antivirus 2009, possibly 2008, and vundo

Hi. If you still need help with this, do the following:

Download and install Trend Micro HijackThis.
* Once installed, open HijackThis by clicking Start > Programs > HijackThis and click the button labeled Do a system scan only.
* Click the scan button in the lower left hand corner of the interface and HijackThis will quickly scan your system.
* Once the scan is complete, the scan button will now read Save log. Click this button to save the log file to your PC. Once you select where you would like to save the file, it will open in your system's default text editor. Typically this application is Notepad. Post the log here.

12 more replies

******************************************************************************************************************************************************
HELLO...

1) When I click on any search result from any search engine (Google, Bing, etc.) I get redirected to some generic search engine.

2) Explorer won't close when I click the "red X" the first time, but will close the second time I click it.

3) Windows Defender will not stay open. When I try, a window pops open for a brief second then closes immediately.

4) Neither McAfee nor MalwareBytes found anything, but the last time Defender ran it found the Vundo virus.

5) I followed your Preparation Guide to download and run the programs as instructed, but was unable to generate some of the logs as described.

6) Defogger ran fine (text in body below).

7) DDS ran but did not generate the 2 files as described, but rather only 1 file was created which was mostly ASCII characters (I had to divide it into 2 parts for upload, which I will attach in 2 separate posts directly after this one).

8) GMER ran for about 12 hours then crashed. I ran it a second time for about 4 hours then it crashed again. I ran it a third time for about 1 hour then it crashed once more. I did save what data I saw it report on the first 2 attempts before it crashed the third time (file attached below).

9) Windows alerted me of the crash when logging back on (text in body below).

That's all I know to tell you. I sure hope you can ... Read more

Answer:Infected with Redirect Virus... Possibly Vundo???

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together:
Do not run any other tool until instructed to do so!
Please do not attach logs or put them in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having, as these can help also.
Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic button and select Immediate Notification and click on Proceed; this will help you to get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with. Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger: Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
The application window will appear. Click the Disable button to disable your CD emulation drivers. Click Yes to continue. A 'Finished!' message will ap... Read more

25 more replies

It started with annoying pop-ups and error messages saying my computer has several fatal errors, after which I was directed to rogue anti-virus software pages. I did a full scan with my Norton antivirus and fixed the problems listed. My computer started running slow, junk advertisements were still popping up, and I could not access certain webpages. So I rebooted my computer, and at start-up an error message came up: "windows failed to initialize userinit.exe properly (0xc0000005). Click on OK to terminate the application." This happened twice. After clicking OK, the desktop loads with no icons nor taskbar. Pressing Ctrl-Alt-Del came up with another error: "This feature has been disabled by the administrator." I wanted to try System Restore; however, I could not go further than one day, which was when I started getting those pop-ups!

Things I have tried (in safe mode):
Malwarebytes' Anti-Malware
SuperAntiSpyware
Spybot Search & Destroy (free version)
VundoFix.exe
FixVundo (from Symantec)

After running Malwarebytes' Anti-Malware, I was able to start Windows in normal mode (with icons and all). But the system was very slow. So I ran it again and it was still picking up threats. I then followed the instructions found here: http://ezinearticles.com/?Remove-Vundo-and...&id=1255229 The final VundoFix scan step did not pick up any threats. So I restarted my computer in normal mode. Again, I got a blank screen (my desktop background was initially set to none). This time, there was the start ... Read more

Answer:Trojan.vundo That Cant Seem To Be Removedand Possibly Other Viruses

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you.

Run HijackThis again, click Scan, and put a checkmark next to each of the lines listed below. Then close all other windows (you should only see HijackThis on your Desktop) and click the Fix Checked button.

O2 - BHO: (no name) - {33369880-3935-49B3-B932-BF271E847389} - C:\WINDOWS\system32\pmnnLBrR.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {A4D7CE9D-30E3-41DD-BCE0-73106933D3E3} - (no file)
O2 - BHO: (no name) - {A9E65CF2-46D7-4A2C-98AD-394294F9EA0D} - (no file)
O2 - BHO: (no name) - {BCA83B3B-5D57-431E-9C04-F5A7AC4AF4D7} - (no file)
O2 - BHO: (no name) - {D106F7BD-17B7-47A9-A874-F7261E6CCCAE} - (no file)
O2 - BHO: (no name) - {F12E5485-2DB6-4909-A421-5FF91AD47CC8} - (no file)

==============

You are running an older version of Java. This can be a security risk, so let's get you the latest version.

Upgrading Java:
Download the latest version of Java Runtime Environment (JRE) 6 Update 6.
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement."
Click on Continue.
Click on the link to download Windows Offline Installation (jre-6u6-windows-i586-p.exe) and save it to your desktop. Do NOT use the... Read more

29 more replies
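The answer above asks the poster to fix seven O2 lines by hand. As an added example (not part of the thread, not HijackThis's own code), the script below parses O2 lines from a HijackThis log and sorts them into three buckets: orphaned registrations whose DLL is gone ("(no file)" or "(file missing)"), unnamed BHOs still loading from System32 (Vundo's usual placement), and named entries with a file present that need a look before anything is touched. The sample log is constructed: the seven orphan lines are the ones quoted in the answer, "Example Toolbar Helper" is a made-up benign entry for contrast, and the last O2 line, with its CLSID and `hypothet.dll`, is hypothetical. The two registry locations are where Internet Explorer's BHO registrations live.

```python
"""Triage O2 (Browser Helper Object) lines from a HijackThis log."""
import ntpath
import re

O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<target>.*)$"
)

# The two registry places an O2 entry lives: IE's BHO list, and the CLSID
# key that maps the GUID to the DLL path.
BHO_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_KEY = r"HKCR\CLSID"

# Constructed log excerpt. The seven "(no name)" orphan lines are the ones quoted
# in the answer above; "Example Toolbar Helper" is a made-up benign BHO for
# contrast; the last O2 line imitates a live Vundo-style entry (hypothetical
# CLSID and file name, not a real sample).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: Example Toolbar Helper - {11111111-2222-4333-8444-555555555555} - C:\Program Files\Example\helper.dll
O2 - BHO: (no name) - {33369880-3935-49B3-B932-BF271E847389} - C:\WINDOWS\system32\pmnnLBrR.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {A4D7CE9D-30E3-41DD-BCE0-73106933D3E3} - (no file)
O2 - BHO: (no name) - {A9E65CF2-46D7-4A2C-98AD-394294F9EA0D} - (no file)
O2 - BHO: (no name) - {BCA83B3B-5D57-431E-9C04-F5A7AC4AF4D7} - (no file)
O2 - BHO: (no name) - {D106F7BD-17B7-47A9-A874-F7261E6CCCAE} - (no file)
O2 - BHO: (no name) - {F12E5485-2DB6-4909-A421-5FF91AD47CC8} - (no file)
O2 - BHO: (no name) - {DEADBEEF-0000-4000-8000-000000000001} - C:\WINDOWS\system32\hypothet.dll
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

MISSING_SUFFIX = "(file missing)"


def parse_o2(text):
    """Return one dict per O2 line: name, CLSID, DLL path (None if none), missing flag."""
    entries = []
    for line in text.splitlines():
        m = O2_RE.match(line.strip())
        if not m:
            continue  # not an O2 line (header, O4, ...)
        target = m.group("target").strip()
        if target == "(no file)":
            path, missing = None, True
        elif target.endswith(MISSING_SUFFIX):
            path, missing = target[: -len(MISSING_SUFFIX)].strip(), True
        else:
            path, missing = target, False
        entries.append({
            "name": m.group("name"),
            "clsid": m.group("clsid").upper(),
            "path": path,
            "missing": missing,
        })
    return entries


def triage(entries):
    """Attach a verdict to each parsed O2 entry."""
    out = []
    for e in entries:
        in_system32 = bool(e["path"]) and ntpath.dirname(e["path"]).lower() == r"c:\windows\system32"
        if e["missing"]:
            verdict = "orphan"      # registration left behind after the DLL was removed
        elif e["name"] == "(no name)" and in_system32:
            verdict = "suspicious"  # unnamed BHO still loading from System32
        else:
            verdict = "review"      # named, file present: verify the DLL before touching it
        out.append({**e, "verdict": verdict})
    return out


def bho_registry_keys(clsid):
    """The two registry keys behind an O2 entry, for manual verification or cleanup."""
    guid = "{" + clsid.strip("{}").upper() + "}"
    return [BHO_KEY + "\\" + guid, CLSID_KEY + "\\" + guid]


if __name__ == "__main__":
    for e in triage(parse_o2(SAMPLE_LOG)):
        print(f"{e['verdict']:10} {e['clsid']}  {e['name']}  {e['path']}")
        for key in bho_registry_keys(e["clsid"]):
            print("           ", key)
```

Orphans are the safe case: the registry points at a DLL that no longer exists, so fixing the line only removes dead registrations. A "suspicious" hit is where the cleanup actually matters, and the DLL should be copied off (for hashing or submission) before the registration is removed, because Vundo-era variants re-registered themselves under a fresh CLSID and filename once the old one was deleted.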

Hello, All:

I find myself in a predicament and in need of experienced assistance. Any and all help/commentary is appreciated.

I am running Windows XP Media Center Edition (SP2). I use IE 6.0.2900.2108

While visiting a site (virual paradox), I began receiving trojan warnings from McAfee. It looked like McAfee had handled everything.

Upon further surfing, however, and particularly when using a search engine (Yahoo!, Google, etc.), another Internet Explorer window would open. Sometimes several would open. These were ads for various sites (reditty, av sites, etc.). Initially, I could not close the newly opened browser windows (had to minimize, right-click, or use Program Mgr to close).

Here are the steps I have taken to try to remove the problems:
1. VundoFix --I have run this several times and it has found nothing
2. AIMFix--I can't remember what it found first. the current log shows nothing
3. BeagleFix-found nothing
4. AdAware 2007 - found registry issues and cookies--said it had fixed them
5. Spybot-Search & Destroy--found registry issues and suspicious .dlls
The .dlls that Spybot could not fix were eqcaldhn.dll, jkhlg.dll, and sdinapol.dll.
I was able to directly delete eqcaldhn.dll and sdinapol.dll--but these were in Startup, so now I'm in selective startup

I repeated the above steps after disabling System Restore and running in Windows Safe Mode with the same results.

Then I added VirtumundoBeGone to the mix (still in safe mode)... Read more

Answer:Ie Popups Won't Stop--possibly Vundo/virtumonde?

Hello, please download HijackThis from here: http://www.bleepingcomputer.com/files/hijackthis.php and post it into the appropriate forum, and make a new topic that sounds like a nasty virus. Also download SUPERAntiSpyware and tell me what it detects. And please DO NOT delete any more .dlls until you say what they are; I will approve them... Also go here: http://java.com/en/download/index.jsp and update your Java. Thanks.

4 more replies

Recently I have managed to get something on my computer that is causing a lot of high latency to some servers and other peers, e.g. through Hamachi. The pings to these places time out or have heavy spikes around 2/3 of the time. Internet Explorer sometimes redirects to those 'your computer has spyware' sites, while Firefox runs perfectly fine without lag.

I think it may be spyware, as I've recently seen a file called popcinfo.dat and from a Google search it seems to be spyware. I have recently formatted with a fresh install of Windows, but kept all my files intact as I didn't have time to back up my files, and the problem still persists, so it may be a problem with something not in the Windows directory? Currently running Windows XP; attached is my HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:55:44 PM, on 31/05/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\D-Link\DSL-200\dslstat.exe
C:\Program Files\D-Link\DSL-200\dslagent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\s... Read more

More replies

Hi, I hope someone can help me out,

My boyfriend had uninstalled AVG as it was out of date (?) and was unable to reinstall it, he tried another program on Saturday, restarted PC and then went out......

Since Sunday I have had problems accessing websites such as hotmail, myspace, facebook and ebay. I then re-installed AVG free but AVG didn't pick up any viruses however I then installed windows defender and spyware doctor (sd).

SD found several and quarantined them; I have a snapshot of this screen if it's required.

It seems I may have been infected with the Vundo trojan. When I had a look in temp internet files there were literally hundreds of random files all in blue (does that mean anything?). I deleted them... (before finding this forum).

spyware doctor (sd) has quarantined about 6 named threats (150 items) , but I'm not sure if they have been removed or not. The sd history lists hundreds of things (since yesterday) some with yellow triangles stating infection was detected, some say infection cleaned etc


I discovered later that if I set MySpace as my home page I could access the sites in IE.

Everything is running really slow and I was advised elsewhere on the forum to check in here.



I have followed steps 1-5 and all have been completed successfully.

The only antivirus I left on the system was Spyware Doctor, as it was the one that had picked up the threats; I usually prefer to use AVG Free.

I removed / uninstalled firefox although it is my pr... Read more

Answer:Problems accessing some websites.. Vundo possibly?

P.S. I should add I won't be able to carry out any tasks or tests on my PC on Friday or Saturday, so if you haven't time to look at my log before then I'll be back Sunday :)

2 more replies
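Two posts in this thread list (the "something's literally censoring it" post where Google, Yahoo, MySpace and Facebook will not load while smaller sites do, and the one just above where Hotmail, MySpace, Facebook and eBay became unreachable) describe the same symptom: a handful of well-known sites fail while the rest of the web works. Neither post identifies the mechanism, but the first thing a responder would check is the hosts file, since a single line there silently blocks or redirects one name without affecting anything else. The script below is an added example, not from the thread or any of the tools it mentions: it parses a hosts file the way the resolver does and reports every watched name it finds, distinguishing a loopback or 0.0.0.0 mapping (site simply fails) from a mapping to some other address (site is redirected). The sample hosts file is constructed, the 192.0.2.x / 198.51.100.x addresses are documentation ranges, and the default Windows path is assumed.

```python
"""Check a Windows hosts file for entries that block or redirect well-known sites."""
import ipaddress
from pathlib import Path

# Default location on Windows (assumed; pass another path if yours differs).
WINDOWS_HOSTS = Path(r"C:\Windows\System32\drivers\etc\hosts")

# Names the posts could not reach. A clean hosts file carries only localhost,
# so any entry for these is abnormal whatever address it points at.
WATCHED = {
    "google.com", "www.google.com", "search.yahoo.com", "www.yahoo.com",
    "www.facebook.com", "www.myspace.com", "www.hotmail.com", "www.ebay.com",
}

# Constructed sample. 192.0.2.x and 198.51.100.x are RFC 5737 documentation
# ranges, standing in for whatever server the redirect really pointed at.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.0.2.10      www.google.com google.com
198.51.100.7    search.yahoo.com   # trailing comment
127.0.0.1       www.hotmail.com
0.0.0.0         ads.example
"""


def parse_hosts(text):
    """Return (ip, hostname, line_no) for every name mapped in a hosts file.

    Mirrors the resolver's own rules: '#' starts a comment, fields are
    whitespace-separated, and one address may carry several names.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address; the resolver skips it too
        for name in fields[1:]:
            entries.append((ip, name.lower(), line_no))
    return entries


def classify(ip):
    """Loopback or 0.0.0.0 makes the site fail silently; any other address redirects it."""
    return "blocked" if ip.is_loopback or ip.is_unspecified else "redirected"


def suspicious_entries(text, watched=WATCHED):
    """Every watched name present in the hosts file, with line number and effect."""
    return [
        {"line": line_no, "host": name, "ip": str(ip), "effect": classify(ip)}
        for ip, name, line_no in parse_hosts(text)
        if name in watched
    ]


def check_hosts_file(path=WINDOWS_HOSTS):
    """Run the check against a real hosts file; [] if the file does not exist."""
    path = Path(path)
    if not path.is_file():
        return []
    return suspicious_entries(path.read_text(encoding="utf-8", errors="replace"))


if __name__ == "__main__":
    for hit in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {hit['line']}: {hit['host']} -> {hit['ip']} ({hit['effect']})")
```

A hit here explains the symptom on its own and the line can simply be deleted (after noting the address it pointed at). An empty result does not clear the machine: the same "only certain sites fail" picture can come from a changed DNS server, an IE proxy setting, a Winsock LSP, or a BHO rewriting pages, which is why the responders in these threads keep asking for a full HijackThis log rather than stopping at one check.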