
Believe I Have Variant Of Vundo


42 replies to this topic

#1 russmcs

  • Members
  • 27 posts

Posted 14 January 2008 - 02:27 AM

Have run FixVundo and VundoFix. VundoFix acts as if it deletes it, but vturp.dll still shows up. VundoFix has also caused me to be unable to start msconfig from the "Run" box. I have to manually go to msconfig and start from the icon.

I have done everything in the "preparation guide".

Adaware found virtumonde, removed it, and did not see it again after reboot.
Spybot sees virtumonde, removes it, and it finds it again after every reboot.

Housecall found items, and removed them

Here is my HiJackThis Log - any help greatly appreciated

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:15:23 AM, on 1/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F3 - REG:win.ini: load=C:\WINDOWS\system32\vturp.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h30155.www3.hp.com/ediags/dd/instal...nosticsxp2k.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase4009.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.adobe.com/pub/shockwave/...ash/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: LXCGCustomerConnect - Unknown owner - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\LXCGserv.exe (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 5512 bytes
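Three things in the log above are what a responder would key on, and they are easy to check mechanically: processes and autoruns whose file name has a space before the extension ("qttask .exe", "jusched .exe", "ctfmon .exe" next to their legitimate twins), the F3 win.ini load= hook that starts vturp.exe, and, as a low-priority note, services whose binary is gone. The script below is an added example, not part of the thread and not a HijackThis feature; the sample lines are constructed from the log above and the rules are this editor's assumptions about what to flag.

```python
"""Triage heuristics for a HijackThis log.

Added example; not part of the thread and not a HijackThis feature. The
sample lines are constructed from the log above; the rules are this
editor's assumptions about what a responder keys on in a Vundo case.
"""
import re
from typing import List, Tuple

Finding = Tuple[str, str, str]  # (severity, reason, offending log line)

# Constructed sample: a handful of lines taken from the log above.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\WINDOWS\system32\ctfmon .exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F3 - REG:win.ini: load=C:\WINDOWS\system32\vturp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
"""

# "qttask .exe": whitespace between base name and extension. A file with
# this name sits next to the real qttask.exe and shows up as a second,
# near-identical process.
SPACE_BEFORE_EXT = re.compile(r"\S\s+\.(exe|dll|com|scr)$", re.IGNORECASE)
# First path-like token ending in an executable extension (for O4 lines).
PATH_RE = re.compile(r"(.*?\.(?:exe|dll|com|scr|bat|cmd))\b", re.IGNORECASE)
ENTRY_RE = re.compile(r"^[A-Z]\d+ - ")  # R0, F3, O4, O23 ...


def impostor_name(path: str) -> bool:
    """True if the last path component has whitespace before its extension."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].strip()
    return bool(SPACE_BEFORE_EXT.search(name))


def o4_target(line: str) -> str:
    """Executable referenced by an O4 autorun line, quoted or bare."""
    body = line.split("]", 1)[1].strip().lstrip('"')
    m = PATH_RE.match(body)
    return m.group(1) if m else body


def triage(log_text: str) -> List[Finding]:
    """Walk the log once and return findings in log order."""
    findings: List[Finding] = []
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes"):
            section = "processes"
            continue
        if ENTRY_RE.match(line):
            section = "entries"
        if section == "processes":
            if impostor_name(line):
                findings.append(("high", "running process with whitespace before its extension", line))
            continue
        if line.startswith(("F2 - ", "F3 - ")):
            # win.ini load=/run= is a legacy autostart; an empty value is
            # normal, a path (here vturp.exe) is not.
            m = re.search(r"\b(load|run)=(\S.*)$", line, re.IGNORECASE)
            if m:
                findings.append(("high", f"win.ini {m.group(1).lower()}= hook starts {m.group(2)}", line))
        elif line.startswith("O4 - "):
            if impostor_name(o4_target(line)):
                findings.append(("high", "autorun entry points at an impostor executable", line))
        elif line.startswith("O23 - ") and "(file missing)" in line:
            findings.append(("low", "service registered for a binary that is gone", line))
    return findings


if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_LOG):
        print(f"[{severity}] {reason}\n    {line}")
```

Run against the constructed sample it reports five high findings (the three impostor processes, the win.ini load= hook, and the HKLM Run entry that launches the impostor) and one low one. The whitespace rule is deliberately narrow: it matches the naming trick visible in this log and nothing else, so a clean log produces no noise.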


#2 russmcs
  • Topic Starter

  • Members
  • 27 posts

Posted 20 January 2008 - 10:58 PM

Now I have lost the ability to run msconfig from the run menu, have spent $25 on spy sweeper, and have lost all of my desktop icons. Any help would be greatly appreciated.

#3 OldTimer

    Malware Expert

  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 20 January 2008 - 11:00 PM

Hello russmcs. Let's see what else is hiding in there.

Download WinPFind35u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind35u on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the WinPFind35u folder and double-click on WinPFind35U.exe to start the program.
  • In the Drivers section click on Non-Microsoft.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • Reg - BotCheck
      Reg - Disabled MS Config Items
      Reg - Session Manager Settings
      Reg - Software Policy Settings
      File - Additional Folder Scans
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in.

If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts or attach it as a file.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#4 russmcs
  • Topic Starter

  • Members
  • 27 posts

Posted 20 January 2008 - 11:32 PM

Had to break the txt file into 2 parts. Even it was too big. Lotta junk going on here.

Edited by OldTimer, 21 January 2008 - 10:58 PM.


#5 russmcs
  • Topic Starter

  • Members
  • 27 posts

Posted 20 January 2008 - 11:33 PM

Here is the 2nd part of the log.

[Files/Folders - Modified Within 30 days]
boot.ini -> %SystemDrive%\boot.ini -> [Ver = | Size = 211 bytes | Modified Date = 1/20/2008 9:30:07 PM | Attr = RHS]
Config.Msi -> %SystemDrive%\Config.Msi -> [Folder | Modified Date = 1/20/2008 10:15:01 PM | Attr = H ]
Documents and Settings -> %SystemDrive%\Documents and Settings -> [Folder | Modified Date = 1/12/2008 4:26:19 PM | Attr = ]
Downloads -> %SystemDrive%\Downloads -> [Folder | Modified Date = 1/20/2008 4:34:40 PM | Attr = ]
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [Ver = | Size = 1005113344 bytes | Modified Date = 1/20/2008 9:57:17 PM | Attr = HS]
posFE.tmp -> %SystemDrive%\posFE.tmp -> [Ver = | Size = 7033 bytes | Modified Date = 1/20/2008 9:58:56 PM | Attr = ]
posFF.tmp -> %SystemDrive%\posFF.tmp -> [Ver = | Size = 14033 bytes | Modified Date = 1/20/2008 9:58:56 PM | Attr = ]
Program Files -> %ProgramFiles% -> [Folder | Modified Date = 1/20/2008 10:01:11 PM | Attr = ]
RECYCLER -> %SystemDrive%\RECYCLER -> [Folder | Modified Date = 1/12/2008 6:05:11 PM | Attr = HS]
System Volume Information -> %SystemDrive%\System Volume Information -> [Folder | Modified Date = 1/20/2008 9:46:14 PM | Attr = HS]
Temp -> %SystemDrive%\Temp -> [Folder | Modified Date = 1/20/2008 5:07:29 PM | Attr = ]
VundoFix Backups -> %SystemDrive%\VundoFix Backups -> [Folder | Modified Date = 1/20/2008 4:38:12 PM | Attr = ]
WINDOWS -> %SystemRoot% -> [Folder | Modified Date = 1/20/2008 9:58:20 PM | Attr = ]
etc -> %System32%\drivers\etc -> [Folder | Modified Date = 1/20/2008 2:53:22 PM | Attr = ]
hosts -> %System32%\drivers\etc\hosts -> [Ver = | Size = 222979 bytes | Modified Date = 1/19/2008 9:38:09 PM | Attr = R ]
hosts.20080113-111154.backup -> %System32%\drivers\etc\hosts.20080113-111154.backup -> [Ver = | Size = 734 bytes | Modified Date = 1/12/2008 8:46:16 PM | Attr = ]
tmsshf.bin -> %System32%\drivers\etc\tmsshf.bin -> [Ver = | Size = 220289 bytes | Modified Date = 1/20/2008 2:54:08 PM | Attr = ]
MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf -> %System32%\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf -> [Ver = | Size = 0 bytes | Modified Date = 1/2/2008 4:02:57 PM | Attr = H ]
Msft_Kernel_motccgpfl_01005.Wdf -> %System32%\drivers\Msft_Kernel_motccgpfl_01005.Wdf -> [Ver = | Size = 0 bytes | Modified Date = 1/2/2008 4:03:00 PM | Attr = H ]
Msft_Kernel_motccgp_01005.Wdf -> %System32%\drivers\Msft_Kernel_motccgp_01005.Wdf -> [Ver = | Size = 0 bytes | Modified Date = 1/2/2008 4:02:59 PM | Attr = H ]
Msft_Kernel_motmodem_01005.Wdf -> %System32%\drivers\Msft_Kernel_motmodem_01005.Wdf -> [Ver = | Size = 0 bytes | Modified Date = 1/2/2008 4:03:09 PM | Attr = H ]
Msft_Kernel_motport_01005.Wdf -> %System32%\drivers\Msft_Kernel_motport_01005.Wdf -> [Ver = | Size = 0 bytes | Modified Date = 1/2/2008 4:03:15 PM | Attr = H ]
SSFS0BB9.sys -> %System32%\drivers\SSFS0BB9.sys -> Webroot Software Inc (www.webroot.com) [Ver = 3.5.6.114 | Size = 20336 bytes | Modified Date = 1/4/2008 8:34:34 PM | Attr = ]
sshrmd.sys -> %System32%\drivers\sshrmd.sys -> Webroot Software Inc (www.webroot.com) [Ver = 3.5.6.114 | Size = 21872 bytes | Modified Date = 1/4/2008 8:34:34 PM | Attr = ]
ssidrv.sys -> %System32%\drivers\ssidrv.sys -> Webroot Software Inc (www.webroot.com) [Ver = 3.5.6.114 | Size = 163696 bytes | Modified Date = 1/4/2008 8:34:34 PM | Attr = ]
sskbfd.sys -> %System32%\drivers\sskbfd.sys -> Webroot Software Inc (www.webroot.com) [Ver = 3.5.6.114 | Size = 23920 bytes | Modified Date = 1/4/2008 8:34:36 PM | Attr = ]
CatRoot -> %System32%\CatRoot -> [Folder | Modified Date = 1/7/2008 11:40:09 AM | Attr = ]
CatRoot2 -> %System32%\CatRoot2 -> [Folder | Modified Date = 1/20/2008 9:56:22 PM | Attr = ]
dllcache -> %System32%\dllcache -> [Folder | Modified Date = 1/20/2008 9:57:49 PM | Attr = ]
drivers -> %System32%\drivers -> [Folder | Modified Date = 1/20/2008 3:28:37 PM | Attr = ]
DRVSTORE -> %System32%\DRVSTORE -> [Folder | Modified Date = 1/2/2008 4:56:10 PM | Attr = ]
FNTCACHE.DAT -> %System32%\FNTCACHE.DAT -> [Ver = | Size = 200936 bytes | Modified Date = 1/20/2008 4:45:27 PM | Attr = ]
lcqbssvi.ini -> %System32%\lcqbssvi.ini -> [Ver = | Size = 1043552 bytes | Modified Date = 1/8/2008 8:34:18 PM | Attr = HS]
lsdelete.exe -> %System32%\lsdelete.exe -> [Ver = | Size = 12632 bytes | Modified Date = 1/12/2008 4:21:44 PM | Attr = ]
Macromed -> %System32%\Macromed -> [Folder | Modified Date = 12/30/2007 9:17:32 PM | Attr = ]
mcrh.tmp -> %System32%\mcrh.tmp -> [Ver = | Size = 143 bytes | Modified Date = 1/19/2008 10:43:48 AM | Attr = ]
prutv.ini -> %System32%\prutv.ini -> [Ver = | Size = 1130 bytes | Modified Date = 1/20/2008 10:20:53 PM | Attr = HS]
prutv.ini2 -> %System32%\prutv.ini2 -> [Ver = | Size = 1130 bytes | Modified Date = 1/20/2008 10:19:32 PM | Attr = HS]
pyqtwoxl.dll -> %System32%\pyqtwoxl.dll -> [Ver = | Size = 163904 bytes | Modified Date = 1/19/2008 10:40:44 AM | Attr = ]
pyqtwoxl.dllbox -> %System32%\pyqtwoxl.dllbox -> [Ver = | Size = 22162 bytes | Modified Date = 1/20/2008 10:20:49 PM | Attr = HS]
Restore -> %System32%\Restore -> [Folder | Modified Date = 1/20/2008 9:46:14 PM | Attr = ]
ssiefr.EXE -> %System32%\ssiefr.EXE -> Webroot Software Inc (www.webroot.com) [Ver = 3.5.6.114 | Size = 16240 bytes | Modified Date = 1/4/2008 8:34:34 PM | Attr = ]
tkivrqvy.ini -> %System32%\tkivrqvy.ini -> [Ver = | Size = 1054962 bytes | Modified Date = 1/9/2008 3:12:10 AM | Attr = HS]
tmp.reg -> %System32%\tmp.reg -> [Ver = | Size = 2176 bytes | Modified Date = 1/12/2008 8:46:19 PM | Attr = ]
vturp.dll -> %System32%\vturp.dll -> [Ver = | Size = 328192 bytes | Modified Date = 1/20/2008 6:32:47 PM | Attr = ]
vturp.exe -> %System32%\vturp.exe -> [Ver = | Size = 331776 bytes | Modified Date = 1/20/2008 9:57:49 PM | Attr = ]
windows -> %System32%\windows -> [Ver = | Size = 7168 bytes | Modified Date = 1/20/2008 10:18:29 PM | Attr = ]
wkfdwjjt.dll -> %System32%\wkfdwjjt.dll -> [Ver = | Size = 79936 bytes | Modified Date = 1/9/2008 12:18:17 AM | Attr = ]
wpa.dbl -> %System32%\wpa.dbl -> [Ver = | Size = 1158 bytes | Modified Date = 1/20/2008 4:26:39 PM | Attr = ]
WRLogonNtf.dll -> %System32%\WRLogonNtf.dll -> Webroot Software, Inc. [Ver = 3,5,6,114 | Size = 219504 bytes | Modified Date = 1/4/2008 8:34:36 PM | Attr = ]
wrlzma.dll -> %System32%\wrlzma.dll -> [Ver = | Size = 26480 bytes | Modified Date = 1/4/2008 8:34:36 PM | Attr = ]
$hf_mig$ -> %SystemRoot%\$hf_mig$ -> [Folder | Modified Date = 1/8/2008 11:52:35 PM | Attr = H ]
assembly -> %SystemRoot%\assembly -> [Folder | Modified Date = 1/20/2008 12:46:34 PM | Attr = R S]
bootstat.dat -> %SystemRoot%\bootstat.dat -> [Ver = | Size = 2048 bytes | Modified Date = 1/20/2008 9:57:19 PM | Attr = S]
cookies.ini -> %SystemRoot%\cookies.ini -> [Ver = | Size = 1858 bytes | Modified Date = 1/12/2008 11:34:21 PM | Attr = ]
Debug -> %SystemRoot%\Debug -> [Folder | Modified Date = 1/20/2008 4:14:23 PM | Attr = ]
Downloaded Program Files -> %SystemRoot%\Downloaded Program Files -> [Folder | Modified Date = 1/20/2008 4:24:16 PM | Attr = ]
Fonts -> %SystemRoot%\Fonts -> [Folder | Modified Date = 1/20/2008 12:46:19 PM | Attr = R S]
Help -> %SystemRoot%\Help -> [Folder | Modified Date = 1/1/2008 12:07:23 AM | Attr = ]
inf -> %SystemRoot%\inf -> [Folder | Modified Date = 1/20/2008 9:33:45 PM | Attr = H ]
Installer -> %SystemRoot%\Installer -> [Folder | Modified Date = 1/20/2008 10:15:01 PM | Attr = HS]
Minidump -> %SystemRoot%\Minidump -> [Folder | Modified Date = 1/20/2008 4:14:23 PM | Attr = ]
ODBC.INI -> %SystemRoot%\ODBC.INI -> [Ver = | Size = 376 bytes | Modified Date = 12/31/2007 1:36:57 PM | Attr = ]
PIF -> %SystemRoot%\PIF -> [Folder | Modified Date = 1/14/2008 11:07:48 PM | Attr = H ]
Prefetch -> %SystemRoot%\Prefetch -> [Folder | Modified Date = 1/20/2008 10:19:06 PM | Attr = ]
pss -> %SystemRoot%\pss -> [Folder | Modified Date = 1/11/2008 12:48:04 PM | Attr = ]
QTFont.qfn -> %SystemRoot%\QTFont.qfn -> [Ver = | Size = 54156 bytes | Modified Date = 1/15/2008 12:21:20 AM | Attr = H ]
randseed.rnd -> %SystemRoot%\randseed.rnd -> [Ver = | Size = 512 bytes | Modified Date = 1/12/2008 6:41:43 PM | Attr = ]
SHELLNEW -> %SystemRoot%\SHELLNEW -> [Folder | Modified Date = 1/20/2008 12:46:00 PM | Attr = ]
SoftwareDistribution -> %SystemRoot%\SoftwareDistribution -> [Folder | Modified Date = 1/13/2008 2:29:13 AM | Attr = ]
system -> %SystemRoot%\system -> [Folder | Modified Date = 12/31/2007 1:29:10 PM | Attr = ]
SYSTEM.INI -> %SystemRoot%\SYSTEM.INI -> [Ver = | Size = 227 bytes | Modified Date = 1/20/2008 9:30:07 PM | Attr = ]
system32 -> %System32% -> [Folder | Modified Date = 1/20/2008 10:18:29 PM | Attr = ]
Tasks -> %SystemRoot%\Tasks -> [Folder | Modified Date = 1/19/2008 9:33:35 PM | Attr = ]
Temp -> %SystemRoot%\Temp -> [Folder | Modified Date = 1/20/2008 9:58:17 PM | Attr = ]
twain_32 -> %SystemRoot%\twain_32 -> [Folder | Modified Date = 1/7/2008 11:32:53 AM | Attr = ]
win.ini -> %SystemRoot%\win.ini -> [Ver = | Size = 594 bytes | Modified Date = 1/20/2008 9:30:07 PM | Attr = ]
WININIT.INI -> %SystemRoot%\WININIT.INI -> [Ver = | Size = 362 bytes | Modified Date = 1/13/2008 2:10:13 PM | Attr = ]
WRSetup.dll -> %SystemRoot%\WRSetup.dll -> Webroot Software, Inc. [Ver = 5,5,7,124 | Size = 1526640 bytes | Modified Date = 1/4/2008 8:56:58 PM | Attr = ]
SA.DAT -> %SystemRoot%\tasks\SA.DAT -> [Ver = | Size = 6 bytes | Modified Date = 1/20/2008 9:57:56 PM | Attr = H ]
wrSpySweeperTrialSweep.job -> %SystemRoot%\tasks\wrSpySweeperTrialSweep.job -> [Ver = | Size = 1572 bytes | Modified Date = 1/19/2008 9:33:36 PM | Attr = ]
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
BVRP Software -> %AllUsersAppData%\BVRP Software -> [Folder | Modified Date = 1/20/2008 10:01:12 PM | Attr = ]
ezsid.dat -> %AllUsersAppData%\ezsid.dat -> [Ver = | Size = 32 bytes | Modified Date = 1/7/2008 11:35:41 AM | Attr = ]
Lavasoft -> %AllUsersAppData%\Lavasoft -> [Folder | Modified Date = 1/12/2008 4:22:08 PM | Attr = ]
LogiShrd -> %AllUsersAppData%\LogiShrd -> [Folder | Modified Date = 1/7/2008 11:35:28 AM | Attr = ]
Logitech -> %AllUsersAppData%\Logitech -> [Folder | Modified Date = 1/7/2008 11:35:20 AM | Attr = ]
Microsoft -> %AllUsersAppData%\Microsoft -> [Folder | Modified Date = 1/20/2008 10:00:49 PM | Attr = ]
Skype -> %AllUsersAppData%\Skype -> [Folder | Modified Date = 1/7/2008 11:31:30 AM | Attr = ]
Spybot - Search & Destroy -> %AllUsersAppData%\Spybot - Search & Destroy -> [Folder | Modified Date = 1/13/2008 11:12:11 AM | Attr = ]
TEMP -> %AllUsersAppData%\TEMP -> [Folder | Modified Date = 1/17/2008 4:16:58 PM | Attr = ]
@Alternate Data Stream - 118 bytes -> %AllUsersAppData%\TEMP:0E799D7F
@Alternate Data Stream - 112 bytes -> %AllUsersAppData%\TEMP:5A823589
Webroot -> %AllUsersAppData%\Webroot -> [Folder | Modified Date = 1/19/2008 9:33:23 PM | Attr = ]
Windows Genuine Advantage -> %AllUsersAppData%\Windows Genuine Advantage -> [Folder | Modified Date = 1/13/2008 2:31:17 AM | Attr = ]
DivX -> %UserAppData%\DivX -> [Folder | Modified Date = 12/23/2007 10:19:46 AM | Attr = ]
ESTsoft -> %UserAppData%\ESTsoft -> [Folder | Modified Date = 1/12/2008 7:06:24 PM | Attr = ]
LimeWire -> %UserAppData%\LimeWire -> [Folder | Modified Date = 1/5/2008 12:05:31 PM | Attr = ]
Macromedia -> %UserAppData%\Macromedia -> [Folder | Modified Date = 12/30/2007 9:12:19 PM | Attr = ]
Skype -> %UserAppData%\Skype -> [Folder | Modified Date = 1/9/2008 3:08:58 AM | Attr = ]
skypePM -> %UserAppData%\skypePM -> [Folder | Modified Date = 1/8/2008 4:05:42 PM | Attr = ]
uTorrent -> %UserAppData%\uTorrent -> [Folder | Modified Date = 1/4/2008 12:40:12 PM | Attr = ]
Webroot -> %UserAppData%\Webroot -> [Folder | Modified Date = 1/19/2008 9:33:23 PM | Attr = ]
Yahoo! -> %UserAppData%\Yahoo! -> [Folder | Modified Date = 1/16/2008 12:57:33 PM | Attr = ]
BVRP Software -> %LocalAppData%\BVRP Software -> [Folder | Modified Date = 1/2/2008 11:47:58 PM | Attr = ]
DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini -> %LocalAppData%\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini -> [Ver = | Size = 5632 bytes | Modified Date = 1/1/2008 1:34:08 AM | Attr = ]
GDIPFONTCACHEV1.DAT -> %LocalAppData%\GDIPFONTCACHEV1.DAT -> [Ver = | Size = 32680 bytes | Modified Date = 1/20/2008 4:22:33 PM | Attr = ]
IconCache.db -> %LocalAppData%\IconCache.db -> [Ver = | Size = 4315590 bytes | Modified Date = 1/13/2008 1:27:31 PM | Attr = H ]
Microsoft -> %LocalAppData%\Microsoft -> [Folder | Modified Date = 1/20/2008 12:46:25 PM | Attr = ]
Downloads -> %UserDocuments%\Downloads -> [Folder | Modified Date = 12/31/2007 12:36:53 PM | Attr = ]
My Pictures -> %UserDocuments%\My Pictures -> [Folder | Modified Date = 1/7/2008 11:37:52 AM | Attr = R ]
My Videos -> %UserDocuments%\My Videos -> [Folder | Modified Date = 12/23/2007 10:19:04 AM | Attr = R ]
pos212.tmp -> %UserDocuments%\pos212.tmp -> [Ver = | Size = 8033 bytes | Modified Date = 1/20/2008 9:59:20 PM | Attr = ]
pos213.tmp -> %UserDocuments%\pos213.tmp -> [Ver = | Size = 11033 bytes | Modified Date = 1/20/2008 9:59:20 PM | Attr = ]
pos404.tmp -> %UserDocuments%\pos404.tmp -> [Ver = | Size = 13033 bytes | Modified Date = 1/20/2008 9:59:37 PM | Attr = ]
pos405.tmp -> %UserDocuments%\pos405.tmp -> [Ver = | Size = 13033 bytes | Modified Date = 1/20/2008 9:59:37 PM | Attr = ]
Ad-Aware 2007.lnk -> %AllUsersDesktop%\Ad-Aware 2007.lnk -> [Ver = | Size = 1798 bytes | Modified Date = 1/12/2008 4:19:23 PM | Attr = ]
DivX Player.lnk -> %AllUsersDesktop%\DivX Player.lnk -> [Ver = | Size = 803 bytes | Modified Date = 12/23/2007 10:19:14 AM | Attr = ]
Logitech QuickCam.lnk -> %AllUsersDesktop%\Logitech QuickCam.lnk -> [Ver = | Size = 1789 bytes | Modified Date = 1/7/2008 11:38:05 AM | Attr = ]
Motorola Phone Tools.lnk -> %AllUsersDesktop%\Motorola Phone Tools.lnk -> [Ver = | Size = 1685 bytes | Modified Date = 1/2/2008 11:44:18 PM | Attr = ]
Skype.lnk -> %AllUsersDesktop%\Skype.lnk -> [Ver = | Size = 2257 bytes | Modified Date = 1/8/2008 5:58:20 PM | Attr = ]
Spy Sweeper.lnk -> %AllUsersDesktop%\Spy Sweeper.lnk -> [Ver = | Size = 1649 bytes | Modified Date = 1/19/2008 11:34:39 PM | Attr = ]
Thumbs.db -> %AllUsersDesktop%\Thumbs.db -> [Ver = | Size = 6144 bytes | Modified Date = 1/12/2008 6:48:59 PM | Attr = HS]
@Alternate Data Stream - 0 bytes -> %AllUsersDesktop%\Thumbs.db:encryptable
CCleaner.lnk -> %UserDesktop%\CCleaner.lnk -> [Ver = | Size = 1556 bytes | Modified Date = 1/20/2008 4:10:42 PM | Attr = ]
Help and Support Center.lnk -> %UserDesktop%\Help and Support Center.lnk -> [Ver = | Size = 1942 bytes | Modified Date = 1/20/2008 9:58:40 PM | Attr = ]
HijackThis.lnk -> %UserDesktop%\HijackThis.lnk -> [Ver = | Size = 1742 bytes | Modified Date = 1/14/2008 1:15:13 AM | Attr = ]
Music.lnk -> %UserDesktop%\Music.lnk -> [Ver = | Size = 1189 bytes | Modified Date = 1/1/2008 1:12:55 AM | Attr = ]
Spybot - Search & Destroy.lnk -> %UserDesktop%\Spybot - Search & Destroy.lnk -> [Ver = | Size = 941 bytes | Modified Date = 1/13/2008 11:07:13 AM | Attr = ]
Thumbs.db -> %UserDesktop%\Thumbs.db -> [Ver = | Size = 6144 bytes | Modified Date = 1/20/2008 5:10:26 PM | Attr = HS]
@Alternate Data Stream - 0 bytes -> %UserDesktop%\Thumbs.db:encryptable
VundoFix.exe -> %UserDesktop%\VundoFix.exe -> Atribune.org [Ver = 6.07.0007 | Size = 132608 bytes | Modified Date = 1/4/2008 12:25:52 PM | Attr = ]
@Alternate Data Stream - 26 bytes -> %UserDesktop%\VundoFix.exe:Zone.Identifier
Windows Update.lnk -> %UserDesktop%\Windows Update.lnk -> [Ver = | Size = 1936 bytes | Modified Date = 1/20/2008 9:58:47 PM | Attr = ]
WinPFind35u -> %UserDesktop%\WinPFind35u -> [Folder | Modified Date = 1/20/2008 10:18:10 PM | Attr = ]
WinPFind35u.exe -> %UserDesktop%\WinPFind35u.exe -> [Ver = | Size = 476936 bytes | Modified Date = 1/20/2008 10:17:52 PM | Attr = ]
@Alternate Data Stream - 26 bytes -> %UserDesktop%\WinPFind35u.exe:Zone.Identifier
Cisco Systems -> %CommonProgramFiles%\Cisco Systems -> [Folder | Modified Date = 12/31/2007 12:42:07 PM | Attr = ]
Logishrd -> %CommonProgramFiles%\Logishrd -> [Folder | Modified Date = 1/7/2008 11:36:58 AM | Attr = ]
Microsoft Shared -> %CommonProgramFiles%\Microsoft Shared -> [Folder | Modified Date = 1/20/2008 12:46:25 PM | Attr = ]
Motorola Shared -> %CommonProgramFiles%\Motorola Shared -> [Folder | Modified Date = 1/2/2008 4:01:36 PM | Attr = ]
Network Associates -> %CommonProgramFiles%\Network Associates -> [Folder | Modified Date = 1/13/2008 2:00:13 AM | Attr = ]
Scanner -> %CommonProgramFiles%\Scanner -> [Folder | Modified Date = 12/31/2007 1:21:57 PM | Attr = ]
Skype -> %CommonProgramFiles%\Skype -> [Folder | Modified Date = 1/7/2008 11:31:26 AM | Attr = ]
System -> %CommonProgramFiles%\System -> [Folder | Modified Date = 1/20/2008 12:46:19 PM | Attr = ]
Wise Installation Wizard -> %CommonProgramFiles%\Wise Installation Wizard -> [Folder | Modified Date = 1/12/2008 4:18:01 PM | Attr = ]
qmgr0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat -> [Ver = | Size = 4617 bytes | Modified Date = 1/20/2008 9:33:39 PM | Attr = ]
qmgr1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat -> [Ver = | Size = 4232 bytes | Modified Date = 1/20/2008 9:33:39 PM | Attr = ]
data.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\DATA\data.dat -> [Ver = | Size = 3804 bytes | Modified Date = 12/31/2007 1:57:59 PM | Attr = ]
opa11.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\DATA\opa11.dat -> [Ver = | Size = 8282 bytes | Modified Date = 11/26/2007 9:25:43 AM | Attr = ]
CalMRU.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Works\CalMRU.dat -> [Ver = | Size = 780 bytes | Modified Date = 3/21/2006 1:21:44 PM | Attr = ]
wkcalcat.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Works\wkcalcat.dat -> [Ver = | Size = 16384 bytes | Modified Date = 12/25/2005 5:57:03 PM | Attr = ]

< End of report >

Edited by OldTimer, 21 January 2008 - 10:59 PM.
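The listing above carries the whole Vundo footprint in %System32%: executables with no version resource and no publisher (vturp.dll, vturp.exe, pyqtwoxl.dll, wkfdwjjt.dll), random-looking names, companion files that share a stem (pyqtwoxl.dll/.dllbox, prutv.ini/.ini2, vturp.dll/.exe), hidden+system .ini files, and non-empty alternate data streams with hex names on the All Users TEMP folder, while the Webroot and Lavasoft files around them carry version strings or ordinary names. The scorer below is an added example, not part of the thread and not a WinPFind feature; it parses lines copied from the report above (marked as a constructed sample) and the weights are this editor's assumptions, chosen so that the files the helper removes in the next post score 2 or more and the neighbours do not.

```python
"""Score a WinPFind-style file listing for Vundo-pattern drops.

Added example; not part of the thread and not a WinPFind feature. The
sample lines are copied from the report above; the scoring rules and
weights are this editor's assumptions.
"""
import os
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample: file, folder and stream lines from the report above.
SAMPLE_REPORT = r"""
Restore -> %System32%\Restore -> [Folder | Modified Date = 1/20/2008 9:46:14 PM | Attr = ]
ssidrv.sys -> %System32%\drivers\ssidrv.sys -> Webroot Software Inc (www.webroot.com) [Ver = 3.5.6.114 | Size = 163696 bytes | Modified Date = 1/4/2008 8:34:34 PM | Attr = ]
FNTCACHE.DAT -> %System32%\FNTCACHE.DAT -> [Ver = | Size = 200936 bytes | Modified Date = 1/20/2008 4:45:27 PM | Attr = ]
lcqbssvi.ini -> %System32%\lcqbssvi.ini -> [Ver = | Size = 1043552 bytes | Modified Date = 1/8/2008 8:34:18 PM | Attr = HS]
lsdelete.exe -> %System32%\lsdelete.exe -> [Ver = | Size = 12632 bytes | Modified Date = 1/12/2008 4:21:44 PM | Attr = ]
prutv.ini -> %System32%\prutv.ini -> [Ver = | Size = 1130 bytes | Modified Date = 1/20/2008 10:20:53 PM | Attr = HS]
prutv.ini2 -> %System32%\prutv.ini2 -> [Ver = | Size = 1130 bytes | Modified Date = 1/20/2008 10:19:32 PM | Attr = HS]
pyqtwoxl.dll -> %System32%\pyqtwoxl.dll -> [Ver = | Size = 163904 bytes | Modified Date = 1/19/2008 10:40:44 AM | Attr = ]
pyqtwoxl.dllbox -> %System32%\pyqtwoxl.dllbox -> [Ver = | Size = 22162 bytes | Modified Date = 1/20/2008 10:20:49 PM | Attr = HS]
vturp.dll -> %System32%\vturp.dll -> [Ver = | Size = 328192 bytes | Modified Date = 1/20/2008 6:32:47 PM | Attr = ]
vturp.exe -> %System32%\vturp.exe -> [Ver = | Size = 331776 bytes | Modified Date = 1/20/2008 9:57:49 PM | Attr = ]
wkfdwjjt.dll -> %System32%\wkfdwjjt.dll -> [Ver = | Size = 79936 bytes | Modified Date = 1/9/2008 12:18:17 AM | Attr = ]
WRLogonNtf.dll -> %System32%\WRLogonNtf.dll -> Webroot Software, Inc. [Ver = 3,5,6,114 | Size = 219504 bytes | Modified Date = 1/4/2008 8:34:36 PM | Attr = ]
@Alternate Data Stream - 118 bytes -> %AllUsersAppData%\TEMP:0E799D7F
@Alternate Data Stream - 0 bytes -> %AllUsersDesktop%\Thumbs.db:encryptable
@Alternate Data Stream - 26 bytes -> %UserDesktop%\VundoFix.exe:Zone.Identifier
"""

# name -> path -> [publisher] [Ver = x | Size = n bytes | Modified Date = d | Attr = a]
FILE_RE = re.compile(
    r"^(?P<name>[^>]+?) -> (?P<path>[^>]+?) -> (?P<pub>[^\[]*)\[Ver = (?P<ver>[^|]*)\| "
    r"Size = (?P<size>\d+) bytes \| Modified Date = [^|]*\| Attr = (?P<attr>[^\]]*)\]$"
)
ADS_RE = re.compile(r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<target>.+)$")
EXEC_EXT = {".exe", ".dll", ".sys"}
VOWELS = set("aeiou")
# Streams Windows or a browser writes itself: mark-of-the-web, EFS flag on Thumbs.db.
BENIGN_STREAMS = {"zone.identifier", "encryptable"}


def looks_random(stem: str) -> bool:
    """Assumption: 5-8 letters with at most one vowel reads as machine-generated."""
    s = stem.lower()
    return 5 <= len(s) <= 8 and s.isalpha() and sum(c in VOWELS for c in s) <= 1


def parse(report: str) -> Tuple[List[Dict[str, str]], List[Tuple[int, str]]]:
    """Split a report into file records and (size, target) stream entries; folders are skipped."""
    files: List[Dict[str, str]] = []
    streams: List[Tuple[int, str]] = []
    for raw in report.splitlines():
        line = raw.strip()
        m = FILE_RE.match(line)
        if m:
            files.append({k: v.strip() for k, v in m.groupdict().items()})
            continue
        m = ADS_RE.match(line)
        if m:
            streams.append((int(m.group("size")), m.group("target")))
    return files, streams


def _unsigned(f: Dict[str, str]) -> bool:
    return not f["pub"] and not f["ver"]


def score_files(files: List[Dict[str, str]]) -> List[Tuple[str, int, List[str]]]:
    """Return (name, score, reasons) for every file; a score of 2 or more is worth a look."""
    groups: Dict[Tuple[str, str], List[Dict[str, str]]] = defaultdict(list)
    for f in files:
        folder = f["path"].rsplit("\\", 1)[0]
        groups[(folder, os.path.splitext(f["name"])[0].lower())].append(f)
    scored = []
    for f in files:
        stem, ext = os.path.splitext(f["name"])
        stem, ext = stem.lower(), ext.lower()
        folder = f["path"].rsplit("\\", 1)[0]
        score, reasons = 0, []
        if _unsigned(f):
            if ext in EXEC_EXT:
                score += 1
                reasons.append("executable with no version resource or publisher")
            if looks_random(stem):
                score += 1
                reasons.append("random-looking file name")
            if "H" in f["attr"] and "S" in f["attr"]:
                score += 1
                reasons.append("hidden+system attributes")
        group = groups[(folder, stem)]
        if len(group) > 1 and all(_unsigned(g) for g in group):
            score += 2  # the .dll/.dllbox, .ini/.ini2, .dll/.exe pairs weigh most
            reasons.append("companion file(s) sharing the stem: "
                           + ", ".join(g["name"] for g in group if g is not f))
        scored.append((f["name"], score, reasons))
    return scored


def suspicious_streams(streams: List[Tuple[int, str]]) -> List[str]:
    """Non-empty streams whose name is not one Windows or a browser writes itself."""
    return [target for size, target in streams
            if size > 0 and target.rsplit(":", 1)[-1].lower() not in BENIGN_STREAMS]


def triage(report: str, threshold: int = 2) -> Dict[str, list]:
    files, streams = parse(report)
    flagged = [(n, s, r) for n, s, r in score_files(files) if s >= threshold]
    return {"files": flagged, "streams": suspicious_streams(streams)}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for name, score, reasons in result["files"]:
        print(f"{score}  {name}: {'; '.join(reasons)}")
    for target in result["streams"]:
        print(f"ADS  {target}")
```

On the constructed sample the eight files the helper later deletes from %System32% score 2 to 4 and the Webroot drivers, lsdelete.exe and FNTCACHE.DAT score 0 or 1, and the only stream reported is TEMP:0E799D7F. The name heuristic is weak on its own (sshrmd.sys has no vowels either) which is why it only counts when the file also lacks a publisher and version string.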


#6 OldTimer

    Malware Expert

  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 21 January 2008 - 01:14 AM

Hi russmcs. Yeah, that looks a bit messy. Let's see if we can clean it up a bit. Start by printing these directions so they will be available when we boot into Safe Mode.


1. Open Notepad and copy/paste the text in the codebox below into the new document:

[Kill Explorer]
[Unregister Dlls]
[Win32 Services - Non-Microsoft Only]
YY -> (DomainService) DomainService [Win32_Own | Disabled | Stopped] -> %System32%\rxlyxxxg.exe
[Registry - Non-Microsoft Only]
< ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
YN -> {00DC0058-A87E-4D19-9C26-F1AAC98AD4D7} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. []
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
YY -> pyqtwoxl -> %System32%\pyqtwoxl.dll
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YY -> {7eb6b686-caf4-41e5-977f-1d55fc222651} [HKEY_LOCAL_MACHINE] -> %System32%\micwvwhq.dll [Reg Error: Value  does not exist or could not be read.]
YY -> {A95B2816-1D7E-4561-A202-68C0DE02353A} [HKEY_LOCAL_MACHINE] -> %System32%\pyqtwoxl.dll [Reg Error: Value  does not exist or could not be read.]
YY -> {BE8C29EB-A154-4DC3-8908-7A697363890D} [HKEY_LOCAL_MACHINE] -> %System32%\vturp.dll [Reg Error: Value  does not exist or could not be read.]
[Registry - Additional Scans - Non-Microsoft Only]
< BotCheck > -> 
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\system32\rxlyxxxg.exe -> C:\WINDOWS\system32\rxl
< Disabled MSConfig Registry Items [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\
YY -> c0bb96d6 hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> %System32%\pkualfgo.DLL
YY -> Load hkey=HKCU key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows -> %System32%\vturp.exe
[Files/Folders - Created Within 30 days]
YY -> lcqbssvi.ini -> %System32%\lcqbssvi.ini
YY -> mcrh.tmp -> %System32%\mcrh.tmp
YY -> prutv.ini -> %System32%\prutv.ini
YY -> prutv.ini2 -> %System32%\prutv.ini2
YY -> pyqtwoxl.dll -> %System32%\pyqtwoxl.dll
YY -> pyqtwoxl.dllbox -> %System32%\pyqtwoxl.dllbox
YY -> tkivrqvy.ini -> %System32%\tkivrqvy.ini
YY -> tmp.reg -> %System32%\tmp.reg
YY -> vturp.dll -> %System32%\vturp.dll
YY -> vturp.exe -> %System32%\vturp.exe
YY -> wkfdwjjt.dll -> %System32%\wkfdwjjt.dll
YY -> wrlzma.dll -> %System32%\wrlzma.dll
[Files/Folders - Modified Within 30 days]
YY -> tmsshf.bin -> %System32%\drivers\etc\tmsshf.bin
YY -> mcrh.tmp -> %System32%\mcrh.tmp
YY -> prutv.ini -> %System32%\prutv.ini
YY -> prutv.ini2 -> %System32%\prutv.ini2
YY -> pyqtwoxl.dll -> %System32%\pyqtwoxl.dll
YY -> pyqtwoxl.dllbox -> %System32%\pyqtwoxl.dllbox
YY -> tkivrqvy.ini -> %System32%\tkivrqvy.ini
YY -> tmp.reg -> %System32%\tmp.reg
YY -> vturp.dll -> %System32%\vturp.dll
YY -> vturp.exe -> %System32%\vturp.exe
YY -> wkfdwjjt.dll -> %System32%\wkfdwjjt.dll
YY -> wrlzma.dll -> %System32%\wrlzma.dll
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
YY -> @Alternate Data Stream - 118 bytes -> %AllUsersAppData%\TEMP:0E799D7F
YY -> @Alternate Data Stream - 112 bytes -> %AllUsersAppData%\TEMP:5A823589
YY -> qmgr0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
YY -> qmgr1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
[Extra Files]
c:\*.tmp
%UserProfile%\My Documents\*.tmp
c:\windows\temp\*.tmp
[Empty Temp Folders]
[Start Explorer]

Save the document to your desktop as wpf35fix.txt and close Notepad.


2. Download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
3. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
c:\windows\system32\pyqtwoxl.dll
c:\windows\system32\micwvwhq.dll
c:\windows\system32\vturp.dll
c:\windows\system32\pkualfgo.DLL
c:\windows\system32\lcqbssvi.ini
c:\windows\system32\mcrh.tmp
c:\windows\system32\prutv.ini
c:\windows\system32\prutv.ini2
c:\windows\system32\pyqtwoxl.dllbox
c:\windows\system32\tkivrqvy.ini
c:\windows\system32\tmp.reg
c:\windows\system32\vturp.exe
c:\windows\system32\wkfdwjjt.dll
c:\windows\system32\wrlzma.dll
c:\windows\system32\drivers\etc\tmsshf.bin
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pyqtwoxl
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7eb6b686-caf4-41e5-977f-1d55fc222651}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BE8C29EB-A154-4DC3-8908-7A697363890D}

registry values to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks | {00DC0058-A87E-4D19-9C26-F1AAC98AD4D7}

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


4. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon, which will open a new window titled "View/edit script".
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done.
  • Now click on the Green Light to begin execution of the script.
  • Answer "Yes" twice when prompted.
5. The Avenger will automatically do the following:
  • It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt.
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
6. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh WinPFind35u log by using Add/Reply.

7. Start in Safe Mode using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded, begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
8. Once in Safe Mode, start WinPFind35U. Open the wpf35.txt file you created earlier with Notepad, copy/paste the information from the file into the pane where it says "Paste fix here", and then click the Run Fix button.

The fix should only take a very short time. Your desktop will disappear and then reappear when the fix is complete; this is normal. You might be asked to reboot if any of the files could not be moved during the fix. If so, choose No at this time.

9. Run a new WinPFind35u scan with the following options:

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the WinPFind3u folder and double-click on WinPFind35U.exe to start the program.
  • In the Driver Services section click on Non-Microsoft.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • Reg - BotCheck
    • File - Additional Folder Scans
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete, Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is, then click on it to uncheck it.
10. Reboot normally and post the following back here:
  • the new WinPFind35U report
  • the Avenger report (c:\Avenger.txt)
  • the latest .log file from the WinPFind35u/MovedFiles folder (it will be a .log file and have a date_time name in the format mmddyyyy_hhmmss.log)
I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#7 russmcs

russmcs
  • Topic Starter
  • Members
  • 27 posts

Posted 21 January 2008 - 01:48 AM

I have tried to run Avenger with the script provided 3 times.

1st time when asked "are you sure you want to execute the commands in the selected script" I clicked "yes" and the program shut down...nothing happened.

2nd attempt was exactly the same as the first.

3rd attempt I clicked "Yes" to the above prompt. The icons disappeared for a few moments, then came back in a slightly different order...but that's it. No reboot, no logfile (although I do have an "Avenger" folder @ c:\avenger).

Am I supposed to reboot myself at this point?

#8 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts

Posted 21 January 2008 - 01:56 AM

Hi russmcs. Try it from Safe Mode.

Cheers.

OT

#9 russmcs

russmcs
  • Topic Starter
  • Members
  • 27 posts

Posted 21 January 2008 - 02:59 AM

Ran Avenger in Safe Mode. It rebooted to Normal Mode, a command box opened, and it ran the script. A few errors popped up that files were missing.

Rebooted to Safe Mode, opened WinPFind35U, added the txt file as instructed. It ran for a minute, then became non-responsive. No icons showing. Rebooted again to obtain the WinPFind35U log in Safe Mode; it kept becoming non-responsive. Rebooted to Normal Mode, and have a new log.

Avenger log:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\kcsfbyht

*******************

Script file located at: \??\C:\WINDOWS\system32\idjaerpk.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File c:\windows\system32\pyqtwoxl.dll deleted successfully.


File c:\windows\system32\micwvwhq.dll not found!
Deletion of file c:\windows\system32\micwvwhq.dll failed!

Could not process line:
c:\windows\system32\micwvwhq.dll
Status: 0xc0000034



File c:\windows\system32\pyqtwoxl.dll not found!
Deletion of file c:\windows\system32\pyqtwoxl.dll failed!

Could not process line:
c:\windows\system32\pyqtwoxl.dll
Status: 0xc0000034

File c:\windows\system32\vturp.dll deleted successfully.


File c:\windows\system32\pkualfgo.DLL not found!
Deletion of file c:\windows\system32\pkualfgo.DLL failed!

Could not process line:
c:\windows\system32\pkualfgo.DLL
Status: 0xc0000034

File c:\windows\system32\lcqbssvi.ini deleted successfully.
File c:\windows\system32\mcrh.tmp deleted successfully.
File c:\windows\system32\prutv.ini deleted successfully.
File c:\windows\system32\prutv.ini2 deleted successfully.
File c:\windows\system32\pyqtwoxl.dllbox deleted successfully.
File c:\windows\system32\tkivrqvy.ini deleted successfully.
File c:\windows\system32\tmp.reg deleted successfully.
File c:\windows\system32\vturp.exe deleted successfully.
File c:\windows\system32\wkfdwjjt.dll deleted successfully.
File c:\windows\system32\wrlzma.dll deleted successfully.
File c:\windows\system32\drivers\etc\tmsshf.bin deleted successfully.
File C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat deleted successfully.
File C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pyqtwoxl deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7eb6b686-caf4-41e5-977f-1d55fc222651} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A} deleted successfully.


Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BE8C29EB-A154-4DC3-8908-7A697363890D} not found!
Deletion of registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BE8C29EB-A154-4DC3-8908-7A697363890D} failed!
Status: 0xc0000034

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks|{00DC0058-A87E-4D19-9C26-F1AAC98AD4D7} deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Here is the WinPFind35U log.

You asked about other issues...possibly related.

I have 2 icons on the desktop that both point to a storageprotector website. One is "help" and the other is "windows update". Both look like MS icons.
There is a red "X" over my C: drive that looks like the "delete" icon in the Explorer toolbar.
I have lost the ability to run msconfig from the Run menu. I have to manually go to it and double-click.

Edited by OldTimer, 21 January 2008 - 11:00 PM.
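The Avenger log above reports each action as "deleted successfully", or as "failed!" followed by a "Status:" line carrying an NTSTATUS code (0xc0000034 is STATUS_OBJECT_NAME_NOT_FOUND, which is why the "not found" entries carry it). When reviewing a log like this it helps to tally successes and failures automatically, and to check the script that was run for duplicate targets, since a path listed twice (as pyqtwoxl.dll was in the script above) will always show one success followed by one "not found" failure. The parser below is an added example written for this thread; it is not part of The Avenger or WinPFind35u, and the log and script excerpts it carries are constructed from the entries posted above, not the full files.

```python
import re
from collections import Counter

# Standard Windows NTSTATUS values that commonly appear on failed deletions.
NTSTATUS_NAMES = {
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC0000043: "STATUS_SHARING_VIOLATION",
}

_DELETED_RE = re.compile(r"^(File|Registry key|Registry value) (.+) deleted successfully\.$")
_FAILED_RE = re.compile(r"^Deletion of (file|registry key|registry value) (.+) failed!$")
_STATUS_RE = re.compile(r"^Status: (0x[0-9a-fA-F]+)$")


def parse_avenger_log(text):
    """Return {'deleted': [(kind, target)], 'failed': [(kind, target, code, name)]}.

    A 'Status:' line is attached to the most recent failed action that has
    not yet received one; successes never carry a status line.
    """
    deleted, failed = [], []
    pending = None  # last failed action still waiting for its Status: line
    for raw in text.splitlines():
        line = raw.strip()
        m = _DELETED_RE.match(line)
        if m:
            deleted.append((m.group(1).lower(), m.group(2)))
            continue
        m = _FAILED_RE.match(line)
        if m:
            pending = [m.group(1), m.group(2), None, "no status reported"]
            failed.append(pending)
            continue
        m = _STATUS_RE.match(line)
        if m and pending is not None:
            code = int(m.group(1), 16)
            pending[2] = code
            pending[3] = NTSTATUS_NAMES.get(code, "unknown NTSTATUS")
            pending = None
    return {"deleted": deleted, "failed": [tuple(f) for f in failed]}


def duplicate_script_entries(script_text):
    """Return targets listed more than once in an Avenger script, keyed by section.

    Section headers are lines ending in 'to delete:'; comparison is
    case-insensitive because Windows paths and registry keys are.
    """
    section, counts = None, {}
    for raw in script_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().endswith("to delete:"):
            section = line[:-1].lower()
            counts.setdefault(section, Counter())
            continue
        if section is not None:
            counts[section][line.lower()] += 1
    return {sec: sorted(t for t, n in c.items() if n > 1)
            for sec, c in counts.items() if any(n > 1 for n in c.values())}


# Constructed excerpt in the shape of the log posted in this thread.
SAMPLE_LOG = r"""
Beginning to process script file:

File c:\windows\system32\pyqtwoxl.dll deleted successfully.

File c:\windows\system32\micwvwhq.dll not found!
Deletion of file c:\windows\system32\micwvwhq.dll failed!

Could not process line:
c:\windows\system32\micwvwhq.dll
Status: 0xc0000034

File c:\windows\system32\vturp.dll deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pyqtwoxl deleted successfully.

Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BE8C29EB-A154-4DC3-8908-7A697363890D} not found!
Deletion of registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BE8C29EB-A154-4DC3-8908-7A697363890D} failed!
Status: 0xc0000034

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks|{00DC0058-A87E-4D19-9C26-F1AAC98AD4D7} deleted successfully.

Completed script processing.
"""

# Constructed excerpt of the script that was run, keeping the duplicated entry.
SAMPLE_SCRIPT = r"""
Files to delete:
c:\windows\system32\pyqtwoxl.dll
c:\windows\system32\micwvwhq.dll
c:\windows\system32\pyqtwoxl.dll
c:\windows\system32\vturp.dll

registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pyqtwoxl
"""

if __name__ == "__main__":
    result = parse_avenger_log(SAMPLE_LOG)
    print(f"deleted: {len(result['deleted'])}, failed: {len(result['failed'])}")
    for kind, target, code, name in result["failed"]:
        print(f"  {kind} {target}: {code:#010x} {name}")
    print("duplicates:", duplicate_script_entries(SAMPLE_SCRIPT))
```

Run it against a real C:\avenger.txt by reading the file into `parse_avenger_log`; a failure with a status other than STATUS_OBJECT_NAME_NOT_FOUND (an access-denied or sharing-violation code, for instance) is the one worth a second look, because it means the target was present but could not be removed.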


#10 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts

Posted 21 January 2008 - 03:09 PM

Hi russmcs. Yup, you have the bad one. This variant of Vundo infects many legitimate files and applications. Start organizing your installation CDs, because it is almost certain that some of the applications will need to be reinstalled.

Let's see if we can knock this thing around a bit.

Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


I will review the information when it comes in.

Cheers.

OT

#11 russmcs

russmcs
  • Topic Starter
  • Members
  • 27 posts

Posted 21 January 2008 - 04:47 PM

I seem to be stalled deleting temp files. It has deleted about 40-50 temp files and stalled. Should I close and restart ComboFix, or what? Spysweeper in the Task Manager ("spysweeper.exe") will not close under any circumstances.

BTW, I'm typing all this on my laptop so as not to interfere with running processes on the PC.

#12 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts

Posted 21 January 2008 - 08:21 PM

Hi russmcs. Yeah, there's a bug in the temp delete routine. Go ahead and stop it manually (just click the 'X' in the upper right-hand corner and it should stop). Then delete that download and the WinPFind35u folder and download the latest version.

Download WinPFind35u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind35u on your desktop.

Then, start the new WinPFind35u and run the fix again.

Cheers.

OT

#13 russmcs

russmcs
  • Topic Starter
  • Members
  • 27 posts

Posted 21 January 2008 - 10:38 PM

Ran the WinPFind35U.exe fix from Safe Mode. It completed, requested a reboot, then booted normally. Here is the log.

#14 russmcs

russmcs
  • Topic Starter
  • Members
  • 27 posts

Posted 21 January 2008 - 10:41 PM

I'm out of upload size, and it is entirely too huge to copy/paste. Is there another way for me to get the log to you? Or can previous attachments be deleted?

#15 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts

Posted 21 January 2008 - 11:02 PM

Hi russmcs. I deleted the previous 2 attachments and took a bunch of lines out of the posted report that just showed all the .tmp files.

You should be able to attach your latest log now.

Cheers.

OT