
Vundo Infection - Please Help!


  • This topic is locked
3 replies to this topic

#1 monkee007

monkee007

  • Members
  • 1 posts

Posted 28 January 2008 - 10:29 AM

Hi, I've got an infection on a computer that is resulting in numerous pop-ups when Mozilla is opened. Can anyone offer any assistance? I've tried numerous fixes to no avail. Here is the most recent HijackThis log I've run (and thanks!):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:04:37 PM, on 1/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\System32\basfipm.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\jre1.5.0_09\bin\jucheck.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\room4\LOCALS~1\Temp\Temporary Directory 1 for HiJackThis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uky.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
N3 - Netscape 7: # Mozilla User Preferences
// This is a generated file!

user_pref("browser.activation.checkedNNFlag", true);
user_pref("browser.bookmarks.added_static_root", true);
user_pref("browser.history.last_page_visited", "http://www.uky.edu/");
user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src");
user_pref("browser.startup.homepage", "http://www.uky.edu");
user_pref("browser.startup.homepage_override.mstone", "rv:1.0.2");
user_pref("browser.toolbars.showbutton.AimPT", false);
user_pref("intl.charsetmenu.browser.cache", "ISO-8859-1");
user_pref("prefs.converted-to-utf8", true);
user_pref("timebomb.first_launch_time", "1096062161546000");
user_pref("browser.helperApps.neverAsk.openFile", "application%2Fx-java-jnlp-file");
(C:\Documents and Settings\ROOM4\Application Data\Mozilla\Profiles\default\ka7l8wfp.slt\prefs.js)
N3 - Netscape 7: # Mozilla User Preferences
// This is a generated file!

user_pref("browser.activation.checkedNNFlag", true);
user_pref("browser.bookmarks.added_static_root", true);
user_pref("browser.history.last_page_visited", "http://www.uky.edu/");
user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src");
user_pref("browser.startup.homepage", "http://www.uky.edu");
user_pref("browser.startup.homepage_override.mstone", "rv:1.0.2");
user_pref("browser.toolbars.showbutton.AimPT", false);
user_pref("intl.charsetmenu.browser.cache", "ISO-8859-1");
user_pref("prefs.converted-to-utf8", true);
user_pref("timebomb.first_launch_time", "1096062161546000");
user_pref("browser.helperApps.neverAsk.openFile", "application%2Fx-java-jnlp-file");
(C:\Documents and Settings\ROOM4\Application Data\Mozilla\Profiles\default\ka7l8wfp.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: (no name) - {C900F3A4-DAE6-4DBF-A5AE-56723C033F77} - C:\WINDOWS\system32\cdfvie.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [A00F33A8EA.exe] C:\DOCUME~1\room4\LOCALS~1\Temp\_A00F33A8EA.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{65EA419B-142D-4593-A79F-2624CB7C9FAA}: NameServer = 128.163.3.10,128.163.1.6
O17 - HKLM\System\CS1\Services\Tcpip\..\{65EA419B-142D-4593-A79F-2624CB7C9FAA}: NameServer = 128.163.3.10,128.163.1.6
O20 - Winlogon Notify: __c0018D8 - C:\WINDOWS\system32\__c0018D8.dat (file missing)
O20 - Winlogon Notify: __c002103C - C:\WINDOWS\system32\__c002103C.dat (file missing)
O20 - Winlogon Notify: __c00257A - C:\WINDOWS\system32\__c00257A.dat (file missing)
O20 - Winlogon Notify: __c0026425 - C:\WINDOWS\system32\__c0026425.dat (file missing)
O20 - Winlogon Notify: __c002D884 - C:\WINDOWS\system32\__c002D884.dat (file missing)
O20 - Winlogon Notify: __c0037033 - C:\WINDOWS\system32\__c0037033.dat (file missing)
O20 - Winlogon Notify: __c003DB74 - C:\WINDOWS\system32\__c003DB74.dat (file missing)
O20 - Winlogon Notify: __c0050986 - C:\WINDOWS\system32\__c0050986.dat (file missing)
O20 - Winlogon Notify: __c0054DD5 - C:\WINDOWS\system32\__c0054DD5.dat (file missing)
O20 - Winlogon Notify: __c00596C4 - C:\WINDOWS\system32\__c00596C4.dat (file missing)
O20 - Winlogon Notify: __c007342C - C:\WINDOWS\system32\__c007342C.dat (file missing)
O20 - Winlogon Notify: __c007E741 - C:\WINDOWS\system32\__c007E741.dat (file missing)
O20 - Winlogon Notify: __c007E888 - C:\WINDOWS\system32\__c007E888.dat (file missing)
O20 - Winlogon Notify: __c0081677 - C:\WINDOWS\system32\__c0081677.dat (file missing)
O20 - Winlogon Notify: __c00853A4 - C:\WINDOWS\system32\__c00853A4.dat (file missing)
O20 - Winlogon Notify: __c0090BC4 - C:\WINDOWS\system32\__c0090BC4.dat (file missing)
O20 - Winlogon Notify: __c0094601 - C:\WINDOWS\system32\__c0094601.dat (file missing)
O20 - Winlogon Notify: __c00AEE40 - C:\WINDOWS\system32\__c00AEE40.dat (file missing)
O20 - Winlogon Notify: __c00AF644 - C:\WINDOWS\system32\__c00AF644.dat (file missing)
O20 - Winlogon Notify: __c00B00D4 - C:\WINDOWS\system32\__c00B00D4.dat (file missing)
O20 - Winlogon Notify: __c00C0900 - C:\WINDOWS\system32\__c00C0900.dat (file missing)
O20 - Winlogon Notify: __c00C0FC7 - C:\WINDOWS\system32\__c00C0FC7.dat
O20 - Winlogon Notify: __c00C3676 - C:\WINDOWS\system32\__c00C3676.dat (file missing)
O20 - Winlogon Notify: __c00C6132 - C:\WINDOWS\system32\__c00C6132.dat (file missing)
O20 - Winlogon Notify: __c00D44A4 - C:\WINDOWS\system32\__c00D44A4.dat (file missing)
O20 - Winlogon Notify: __c00D51DA - C:\WINDOWS\system32\__c00D51DA.dat (file missing)
O20 - Winlogon Notify: __c00DF132 - C:\WINDOWS\system32\__c00DF132.dat (file missing)
O20 - Winlogon Notify: __c00E33C4 - C:\WINDOWS\system32\__c00E33C4.dat (file missing)
O20 - Winlogon Notify: __c00E6996 - C:\WINDOWS\system32\__c00E6996.dat (file missing)
O20 - Winlogon Notify: __c00F66B2 - C:\WINDOWS\system32\__c00F66B2.dat (file missing)
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/room4/LOCALS~1/Temp/msohtml1/02/clip_image002.jpg
O24 - Desktop Component 1: (no name) - file:///C:/DOCUME~1/room4/LOCALS~1/Temp/msohtml1/03/clip_image002.jpg

--
End of file - 10458 bytes
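A small triage helper, added here as an illustration and not part of the thread or of any BleepingComputer or HijackThis tool, that parses HijackThis-format lines and flags the three patterns a helper would look at first in the log above: O20 Winlogon Notify hooks loading __c00*.dat files from system32, an O4 Run entry launching from a Temp directory, and an unnamed O2 BHO in system32. The heuristics and the sample lines are constructed; a match is a reason to investigate an entry, not proof by itself.

```python
import re

# Constructed sample: a handful of lines in HijackThis v2 format, modelled on
# the kinds of entries visible in the log above (not a copy of the full log).
SAMPLE_LOG = """\
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.5.0_09\\bin\\ssv.dll
O2 - BHO: (no name) - {C900F3A4-DAE6-4DBF-A5AE-56723C033F77} - C:\\WINDOWS\\system32\\cdfvie.dll
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - HKCU\\..\\Run: [A00F33A8EA.exe] C:\\DOCUME~1\\room4\\LOCALS~1\\Temp\\_A00F33A8EA.exe
O20 - Winlogon Notify: __c0018D8 - C:\\WINDOWS\\system32\\__c0018D8.dat (file missing)
O20 - Winlogon Notify: __c00C0FC7 - C:\\WINDOWS\\system32\\__c00C0FC7.dat
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\\Program Files\\McAfee\\VirusScan Enterprise\\mcshield.exe
"""

# Every HijackThis "O" entry is "<section> - <body>"; other lines are ignored.
LINE_RE = re.compile(r"^(O\d+) - (.*)$")


def parse_hjt(text):
    """Yield (section, body) tuples for the O-section lines of a HijackThis log."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def flag_entry(section, body):
    """Return a reason string if the entry matches an assumed suspicious pattern, else None."""
    # Winlogon Notify hook whose DLL is a __c00xxxxx.dat in system32 (the O20 pattern above)
    if section == "O20" and re.search(r"\\system32\\__c00[0-9A-F]+\.dat", body, re.I):
        return "Winlogon Notify hook loading a .dat from system32"
    # Run key that starts a program out of a Temp directory
    if section == "O4" and re.search(r"\\Temp\\", body, re.I):
        return "Run key launching an executable from a Temp directory"
    # Browser Helper Object with no name, loaded from system32
    if section == "O2" and "(no name)" in body and re.search(r"\\system32\\", body, re.I):
        return "unnamed BHO loaded from system32"
    return None


def triage(text):
    """Return [(section, body, reason)] for every flagged entry, in log order."""
    return [(s, b, r) for s, b in parse_hjt(text) if (r := flag_entry(s, b))]


if __name__ == "__main__":
    for section, body, reason in triage(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {body}")
```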



#2 silver

silver

  • Members
  • 480 posts
  • Location:GMT+7

Posted 08 February 2008 - 02:06 AM

Hi monkee007,

I'm sorry it's taken so long for you to get a response. If you still need help, please do as follows:

Download Deckard's System Scanner (DSS) to your Desktop (right-click the link, select Save Target As..., select your Desktop and press Save)
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open: main.txt <- this one will be maximized, and extra.txt <- this one will be minimized
  • Make sure Format->Word Wrap is unchecked
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your reply
Once complete, please post both DSS logs, you won't need to produce a new HijackThis log as DSS produces one for you.
Teacher at Malware Removal University | ASAP & UNITE Member

#3 silver

silver

  • Members
  • 480 posts
  • Location:GMT+7

Posted 11 February 2008 - 08:17 PM

Do you still need help with your machine?

If the instructions are unclear or something isn't working, please let me know before proceeding.
Teacher at Malware Removal University | ASAP & UNITE Member

#4 silver

silver

  • Members
  • 480 posts
  • Location:GMT+7

Posted 14 February 2008 - 07:47 PM

Due to lack of response, this thread will now be closed.

If you are the topic starter and would like this topic reopened, please PM a staff member with a link to this thread and we will reopen it for you. Anyone else who needs assistance should begin a new topic.
Teacher at Malware Removal University | ASAP & UNITE Member
