
Unable to remove pesky vundo - Please Help!



#1 doctorrick123 (New Member, 2 posts)
Posted 12 March 2007 - 04:01 AM

I have been infected with Vundo, and I can't seem to get rid of it. Initially, I tried the usual removal methods, "Spybot Search and Destroy", "Ad-Aware SE" and so on... I have also tried using a couple of different versions of a program called "vundofix.exe" - one was a standalone program that seemed to detect the presence of Vundo, the other "vundofix" was used in conjunction with "HijackThis" (and standalone mode). In following those procedures, every time I reboot, the Vundo entries seem to come back in "HijackThis". In addition, the Spybot Search and Destroy "TeaTimer" program is also asking for permission to allow 1 or 2 registry entries to be written (upon logging in), which of course I don't allow.

Also a little more information: I'm on XP SP1 (fully patched and updated). I'm not able to upgrade to SP2 because Digidesign's Protools 6.1.1 is not compatible. I have to stay on this version, because this is the last version supported by my Protools hardware.

If someone could take a look at my "HijackThis" log and point me in the right direction, I would greatly appreciate it.

Thanks, :)

Logfile of HijackThis v1.99.1
Scan saved at 5:29:56 AM, on 3/12/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\lesh family\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1173632695765
O17 - HKLM\System\CCS\Services\Tcpip\..\{045C282D-2DEA-43FE-9A2E-218CFE3B316C}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{3899D75C-CBFB-4A77-B1DD-EA36B158ED2D}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{045C282D-2DEA-43FE-9A2E-218CFE3B316C}: NameServer = 192.168.0.1
O17 - HKLM\System\CS3\Services\Tcpip\..\{045C282D-2DEA-43FE-9A2E-218CFE3B316C}: NameServer = 192.168.0.1
O20 - Winlogon Notify: gebca - C:\WINDOWS\
O20 - Winlogon Notify: opnnmji - C:\WINDOWS\
O20 - Winlogon Notify: vtuurqq - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O20 - Winlogon Notify: winzms32 - C:\WINDOWS\
O21 - SSODL: teMXUpvXWPojAPUY - {A082BF66-0A28-15CC-EC83-CDAC99D76285} - (no file)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Unknown owner - -C:\Program Files\Digidesign\Drivers\MMERefresh.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - -C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
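
A worked check for the log above, added by the editor and not part of the original post or of HijackThis/VundoFix: the script parses HijackThis 1.99.1 lines and flags the kinds of entries this thread turns on. O20 Winlogon Notify DLLs are loaded by winlogon.exe at boot, before any user shell, which is why Vundo entries that are only removed from the registry come back on the next reboot while the DLL is still on disk; an O21 SSODL entry with (no file) is an orphaned loader key; an O23 "file missing" is cross-checked against the running-process list, because the McAfee Framework line in this log is reported missing while FrameworkService.exe is plainly running; and an O17 NameServer outside RFC 1918 is the DNS-hijack check. SAMPLE_LOG is an excerpt of the first post's log plus one constructed O17 line (all-zero interface GUID, TEST-NET-3 address 203.0.113.5) so the resolver rule has something to fire on; the allowlist of stock XP Notify subkeys is the editor's and should be verified against a clean machine.

```python
"""Triage a HijackThis 1.99.1 log for the persistence entries seen in this thread.

Editor's example, not HijackThis or VundoFix logic. SAMPLE_LOG is an excerpt of
the log in the first post plus ONE constructed line: the O17 entry with the
all-zero interface GUID and the TEST-NET-3 address 203.0.113.5.
"""
import ipaddress
import re
from collections import namedtuple

Finding = namedtuple("Finding", "section name verdict note")

# Stock Winlogon\Notify subkeys on XP (editor's list, verify on a clean box).
# None of them appear in the posted log, so HijackThis seems to hide them itself.
XP_DEFAULT_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon",
}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HJT_LINE = re.compile(r"^(O\d+) - (.*)$")

SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Documents and Settings\lesh family\Desktop\HijackThis.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{045C282D-2DEA-43FE-9A2E-218CFE3B316C}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 203.0.113.5
O20 - Winlogon Notify: gebca - C:\WINDOWS\
O20 - Winlogon Notify: opnnmji - C:\WINDOWS\
O20 - Winlogon Notify: vtuurqq - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O20 - Winlogon Notify: winzms32 - C:\WINDOWS\
O21 - SSODL: teMXUpvXWPojAPUY - {A082BF66-0A28-15CC-EC83-CDAC99D76285} - (no file)
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - -C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
"""


def parse_log(text):
    """Return (running process paths, [(section, body), ...]) from HijackThis output."""
    procs, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
        elif HJT_LINE.match(line):
            in_procs = False
            entries.append(HJT_LINE.match(line).groups())
        elif in_procs and line:
            procs.append(line)
    return procs, entries


def label(body):
    """'Winlogon Notify: gebca - C:\\WINDOWS\\' -> 'gebca' (same shape for SSODL lines)."""
    return body.split(":", 1)[1].split(" - ")[0].strip()


def triage(text):
    """Apply the four checks and return a list of Finding tuples, in log order."""
    procs, entries = parse_log(text)
    running = {p.rsplit("\\", 1)[-1].lower() for p in procs}
    out = []
    for section, body in entries:
        if section == "O20" and label(body).lower() not in XP_DEFAULT_NOTIFY:
            out.append(Finding(section, label(body), "suspect",
                "non-default Winlogon Notify DLL, loaded by winlogon.exe at boot; "
                "delete the DLL on disk, not just the key, or it re-registers"))
        elif section == "O21" and body.endswith("(no file)"):
            out.append(Finding(section, label(body), "suspect",
                "ShellServiceObjectDelayLoad CLSID with no COM server: orphaned loader key"))
        elif section == "O23" and "(file missing)" in body:
            m = re.search(r"\(([^)]+)\)", body)          # short service name
            svc = m.group(1) if m else "?"
            m = re.search(r"([^\\]+\.exe)", body, re.IGNORECASE)
            exe = m.group(1).lower() if m else ""
            if exe in running:
                out.append(Finding(section, svc, "benign",
                    f"'file missing' but {exe} is running: HijackThis 1.99.1 chokes on a "
                    "quoted ImagePath with arguments (note the stray quote in the line)"))
            else:
                out.append(Finding(section, svc, "suspect",
                    f"binary {exe or '?'} not on disk: orphaned or hidden service"))
        elif section == "O17":
            for addr in body.rsplit("=", 1)[1].split(","):
                addr = addr.strip()
                if addr and not any(ipaddress.ip_address(addr) in n for n in RFC1918):
                    out.append(Finding(section, addr, "suspect",
                        "NameServer outside RFC 1918: compare with the DHCP-assigned resolver"))
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{f.verdict:<8}{f.name:<18}{f.note}")
```

"suspect" means look, not malware: IDriverT is InstallShield's normal driver-install service, and a Notify name that is not on the allowlist can belong to legitimate software (WgaLogon, which this log also shows, is on the list). The point of the cross-check is that VundoFix later reports C:\WINDOWS\System32\gebca.dll, matching the first O20 name: the file, not the key, is what has to go.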



#2 Markka (Advanced Member, Banned, 784 posts)
Posted 12 March 2007 - 01:01 PM

Hi and welcome to the forums. :) I'm Markka and I will be helping you with your malware issues. I will check your HijackThis log. Right now I'm an MRU Undergrad, so everything that I post to you must be checked by the teachers of Malware Removal University. Please be patient. :)

#3 Markka (Advanced Member, Banned, 784 posts)
Posted 12 March 2007 - 01:44 PM

First you need to disable TeaTimer

1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
5) Restart your computer.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

You should delete previous vundofix version(s).


Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Go to Start -> My Computer -> C: drive (Local Disk).
-> Find the button named "Create a new folder" (on the left).
-> Click the "Create a new folder" button and name the folder HjT.
-> Now move HijackThis from the desktop to the folder you just made.
-> HijackThis should now be located at C:\hjt\HijackThis.exe

Open HijackThis, Click Do a system scan only, checkmark these and press fix checked:

O20 - Winlogon Notify: gebca - C:\WINDOWS\
O20 - Winlogon Notify: opnnmji - C:\WINDOWS\
O20 - Winlogon Notify: vtuurqq - C:\WINDOWS\
O20 - Winlogon Notify: winzms32 - C:\WINDOWS\
O21 - SSODL: teMXUpvXWPojAPUY - {A082BF66-0A28-15CC-EC83-CDAC99D76285} - (no file)


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please download ATF-cleaner and save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

    If you use Firefox browser:

  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser:

  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
  • Install AVG Anti-Spyware by double clicking the installer.
  • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update successful message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT: Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Post:
- a fresh HijackThis log
- Contents of C:\vundofix.txt
- AVG's log

#4 doctorrick123 (New Member, 2 posts)
Posted 14 March 2007 - 05:50 AM

Thanks for the reply. I had already proceeded part way down the recovery path by disabling the "TeaTimer" and getting the latest vundofix.exe. I ran through the process; here are the scans:

Thanks again for your help, I really appreciate it. :)

Doctorrick


Logfile of HijackThis v1.99.1
Scan saved at 7:47:23 AM, on 3/14/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\hjt\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1173632695765
O17 - HKLM\System\CCS\Services\Tcpip\..\{045C282D-2DEA-43FE-9A2E-218CFE3B316C}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{3899D75C-CBFB-4A77-B1DD-EA36B158ED2D}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{045C282D-2DEA-43FE-9A2E-218CFE3B316C}: NameServer = 192.168.0.1
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Unknown owner - -C:\Program Files\Digidesign\Drivers\MMERefresh.exe (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe


VundoFix V6.3.15

Checking Java version...

Sun Java not detected
Scan started at 3:47:56 AM 3/12/2007

Listing files found while scanning....

C:\WINDOWS\System32\gebca.dll

Beginning removal...

Performing Repairs to the registry.
Done!

VundoFix V6.3.15

Checking Java version...

Sun Java not detected
Scan started at 4:18:37 AM 3/12/2007

Listing files found while scanning....

C:\WINDOWS\System32\gebca.dll

VundoFix V6.3.15

Checking Java version...

Sun Java not detected
Scan started at 4:54:40 AM 3/12/2007

Listing files found while scanning....

C:\WINDOWS\System32\gebca.dll

Beginning removal...

Performing Repairs to the registry.
Done!

VundoFix V6.3.15

Checking Java version...

Sun Java not detected
Scan started at 5:21:27 AM 3/12/2007

Listing files found while scanning....

No infected files were found.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 7:21:28 AM 3/14/2007

+ Scan result:



HKLM\SOFTWARE\Classes\CLSID\{755bbd1a-aa59-456c-afeb-b4c42c4dcb6f} -> Adware.Generic : Cleaned with backup (quarantined).
C:\WINDOWS\system32\s?curity\w?nlogon.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\WINDOWS\system32\tkwmdxwq.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ycoeqcrt.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\WINDOWS\system32\drvnuk.dll -> Trojan.Agent.qt : Cleaned with backup (quarantined).
C:\WINDOWS\TGVzaCBGYW1pbHk\n3pWuF13sqYDvJ4.vbs -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\wintit.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\kernels88.exe -> Worm.Banwarum.f : Cleaned with backup (quarantined).


::Report end

#5 Markka (Advanced Member, Banned, 784 posts)
Posted 14 March 2007 - 01:07 PM

Go to control panel -> add/remove programs -> delete these: (if found)
Oin
OuterInfo,
Yazzle by Oin
Purityscan by Oin
Snowballwars by Oin
Zolero
Tizzletalk
MediaTickets
Cowabanga



Please download this program and run it.
If you need instructions for oiuninstaller.exe, they are here.


Delete these folders: (if found)
C:\WINDOWS\system32\s?curity <- The "?" will be some random character
C:\WINDOWS\TGVzaCBGYW1pbHk



Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
You need to use Internet Explorer when you run a scan with Kaspersky online scanner!

Please run an online scanner with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:

    o Scan using the following Anti-Virus database:

    + Extended (If available otherwise Standard)

    o Scan Options:

    + Scan Archives
    + Scan Mail Bases

  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Please download SmitfraudFix (by S!Ri)

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlog...processutil.htm

NOTE: Do not run any other options from SmitfraudFix until I tell you to do so!

Post:
- a fresh HijackThis log
- Contents of the Report.txt
- Kaspersky's log
- contents of C:\rapport.txt

Edit. Added instructions for SmitFraudFix

Edited by Mr_JAk3, 14 March 2007 - 02:10 PM.
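
Two of the paths in the AVG report in post #4, including the "s?curity" folder the reply above tells the poster to delete, are obfuscated in ways a quick eyeball misses, so here is a small check added by the editor (not AVG's, SDFix's or the thread's code). It looks at each path component for non-ASCII look-alikes of system names and for unpadded base64 that decodes to readable text. The page renders the look-alike characters as "?", so the sample below substitutes U+00E9 and U+00EF (an assumption); the rest of the report lines are copied from post #4.

```python
"""Spot look-alike and encoded names in the paths of an anti-spyware report.

Editor's example, not AVG's, SDFix's or the thread's code. AVG_REPORT copies the
scan report from post #4; the page shows the odd characters in s?curity and
w?nlogon.exe as '?', so U+00E9 and U+00EF are used as stand-ins (an assumption).
"""
import base64
import binascii
import re
import unicodedata

# Names worth imitating (editor's list; extend with whatever lives in %SystemRoot%).
SYSTEM_NAMES = {"winlogon.exe", "security", "services.exe", "lsass.exe",
                "svchost.exe", "smss.exe", "csrss.exe", "explorer.exe", "system32"}

AVG_REPORT = r"""HKLM\SOFTWARE\Classes\CLSID\{755bbd1a-aa59-456c-afeb-b4c42c4dcb6f} -> Adware.Generic : Cleaned with backup (quarantined).
C:\WINDOWS\system32\sécurity\wïnlogon.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\WINDOWS\system32\tkwmdxwq.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ycoeqcrt.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\WINDOWS\system32\drvnuk.dll -> Trojan.Agent.qt : Cleaned with backup (quarantined).
C:\WINDOWS\TGVzaCBGYW1pbHk\n3pWuF13sqYDvJ4.vbs -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\wintit.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\kernels88.exe -> Worm.Banwarum.f : Cleaned with backup (quarantined).
"""


def fold_ascii(s):
    """Strip diacritics and compatibility forms: 'wïnlogon.exe' -> 'winlogon.exe'."""
    return unicodedata.normalize("NFKD", s).encode("ascii", "ignore").decode()


def decodes_as_text(part):
    """Return the plaintext if `part` is unpadded base64 of printable ASCII, else None."""
    if not re.fullmatch(r"[A-Za-z0-9+/]{8,}", part):
        return None
    try:
        text = base64.b64decode(part + "=" * (-len(part) % 4), validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if len(text) >= 4 and text.isprintable() else None


def classify(part):
    """Return (kind, detail) for an obfuscated path component, or None if it looks plain."""
    if not part.isascii():
        folded = fold_ascii(part).lower()
        if folded in SYSTEM_NAMES:
            return "homoglyph", f"{part!r} folds to {folded}"
        return "non-ascii", f"{part!r} is non-ASCII (TR39 confusables are not folded here)"
    decoded = decodes_as_text(part)
    if decoded:
        return "base64", f"{part} decodes to {decoded!r}"
    return None


def scan_report(text):
    """Return [(path, kind, detail)] for every file path in the report with an odd component."""
    hits = []
    for line in text.splitlines():
        if " -> " not in line or line[1:3] != ":\\":   # only file paths, not registry keys
            continue
        path = line.split(" -> ", 1)[0]
        for part in path.split("\\"):
            verdict = classify(part)
            if verdict:
                hits.append((path, *verdict))
    return hits


if __name__ == "__main__":
    for path, kind, detail in scan_report(AVG_REPORT):
        print(f"{kind:<10}{path}\n          {detail}")
```

On this thread's data the base64 rule turns C:\WINDOWS\TGVzaCBGYW1pbHk into "Lesh Family", the account name visible in the HijackThis process list (C:\Documents and Settings\lesh family\...), which suggests the folder name was derived from the victim's user name rather than picked at random. The accent folding only catches Latin letters with diacritics; Cyrillic or other confusables (Unicode TR39) survive NFKD, which is why any non-ASCII component is reported even when it does not fold to a known name.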


#6 little eagle (spyware hawk, Visiting Fellow, 8,968 posts, Interests: spyware)
Posted 31 March 2007 - 09:48 AM

Because no reply was made, this topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:
http://forums.tomcoy...showtopic=31418

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php

Also follow the recommendations in Tony Klein's article
So how did I get infected in the first place?
