Adware Vundo Variant


8 replies to this topic

#1 sparkey

sparkey

  • Members
  • 9 posts

Posted 21 August 2008 - 08:42 AM

hello

I have a fairly old PC with Windows XP that is infected with about 100 or more viruses and adware. I have installed SUPERAntiSpyware, which quarantined some of them; I also installed Spyware Terminator, which didn't pick up on much but came across some unknown threats.
I have also installed Avira free antivirus, which has also quarantined some of the infections.

I tried VundoFix, which crashed on the scan, and I am sure it put a virus on my PC as well. I also tried SmitFraud, but it hasn't seemed to have helped much.

I am unsure of how to proceed with this; my next step is to install a firewall. I also tried to update via Windows Update, but for some reason it wouldn't let me install the updates.

I get various messages such as low memory space, programs crashing especially protection software, also sometimes the taskbar vanishes and things freezing up.

I have luckily been able to scan in safe mode though.

The viruses are Adware Vundo Variant Installer
trojan downloader
trojan vundo
tmp25.tmp
and various others


Can anyone help?


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 52,069 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 21 August 2008 - 08:48 AM

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#3 sparkey

sparkey
  • Topic Starter

  • Members
  • 9 posts

Posted 21 August 2008 - 01:27 PM

hello

I did what was suggested with Malwarebytes Anti-Malware; here are the results of the log.

Malwarebytes' Anti-Malware 1.25
Database version: 1076
Windows 5.1.2600

6:31:33 PM 8/21/2008
mbam-log-08-21-2008 (18-31-19).txt

Scan type: Full Scan (A:\|C:\|D:\|)
Objects scanned: 38936
Time elapsed: 9 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\cookies.ini (Malware.Trace) -> No action taken.
C:\WINDOWS\pskt.ini (Trojan.Vundo) -> No action taken.
C:\WINDOWS\BM346f27d7.xml (Trojan.Vundo) -> No action taken.
C:\WINDOWS\BM346f27d7.txt (Trojan.Vundo) -> No action taken.

hope this helps.

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 52,069 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 21 August 2008 - 01:33 PM

Your MBAM log shows "No action taken". This usually occurs if you forget to click "Remove Selected" and instead just click "Save Logfile". Please review these instructions (scroll down), rescan again (Quick Scan) in normal mode and check all items found for removal. Don't forget to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. After performing a new scan, click the Logs tab and copy/paste the contents of the new report in your next reply.
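The check quietman7 applies by eye above, as an added example (not code from Malwarebytes or BleepingComputer): a small parser for the MBAM 1.x log format quoted in this thread that lists every finding whose status is anything other than "Quarantined and deleted successfully". The embedded sample log is constructed from entries seen in the thread.

```python
"""Triage parser for Malwarebytes' Anti-Malware 1.x text logs.

Added example for this thread. It reads the detail sections of an MBAM log
("<item> (<threat>) -> <status>.") and reports every finding that was
detected but not removed, the condition behind a "No action taken" log.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Section headings exactly as MBAM 1.x writes them (followed by ':').
SECTIONS = (
    "Memory Processes Infected",
    "Memory Modules Infected",
    "Registry Keys Infected",
    "Registry Values Infected",
    "Registry Data Items Infected",
    "Folders Infected",
    "Files Infected",
)

# "<item> (<threat name>) -> <status>."  The trailing period is dropped so
# statuses compare cleanly.
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<status>.+?)\.?$")

# The only status in the thread that means the item was actually dealt with;
# anything else (e.g. "No action taken") is reported as still pending.
REMOVED_STATUS = "Quarantined and deleted successfully"


@dataclass
class Finding:
    section: str
    item: str
    threat: str
    status: str

    @property
    def removed(self) -> bool:
        return self.status == REMOVED_STATUS


def parse_mbam_log(text: str) -> List[Finding]:
    """Return one Finding per detection line in the detail sections."""
    findings: List[Finding] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # A detail section starts with the bare heading; the summary lines at
        # the top ("Registry Keys Infected: 4") end in a count, not a colon.
        if line.endswith(":") and line[:-1] in SECTIONS:
            section = line[:-1]
            continue
        if section is None or line.startswith("(No malicious items detected)"):
            continue
        m = ENTRY_RE.match(line)
        if m:
            findings.append(Finding(section, m["item"], m["threat"], m["status"]))
    return findings


def summarise(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per status, e.g. {'No action taken': 2, ...}."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.status] = counts.get(f.status, 0) + 1
    return counts


def pending_removal(findings: List[Finding]) -> List[Finding]:
    """Findings the scan reported but did not remove; empty means all were handled."""
    return [f for f in findings if not f.removed]


# Constructed sample in the MBAM 1.25 layout, mixing the two statuses seen
# in the thread so the triage has something to flag.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.25
Database version: 1076
Windows 5.1.2600

Scan type: Full Scan (A:\|C:\|D:\|)
Registry Keys Infected: 2
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\cookies.ini (Malware.Trace) -> No action taken.
C:\WINDOWS\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    print("status counts:", summarise(found))
    for f in pending_removal(found):
        print(f"PENDING [{f.section}] {f.item} ({f.threat}) -> {f.status}")
```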

#5 sparkey

sparkey
  • Topic Starter

  • Members
  • 9 posts

Posted 21 August 2008 - 01:44 PM

hi

Oh, sorry, I posted the wrong log. Here it is:

Malwarebytes' Anti-Malware 1.25
Database version: 1076
Windows 5.1.2600

6:31:52 PM 8/21/2008
mbam-log-08-21-2008 (18-31-52).txt

Scan type: Full Scan (A:\|C:\|D:\|)
Objects scanned: 38936
Time elapsed: 9 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM346f27d7.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM346f27d7.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

#6 sparkey

sparkey
  • Topic Starter

  • Members
  • 9 posts

Posted 21 August 2008 - 01:45 PM

I still have viruses though, but I'm not sure what else I can do.

#7 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 52,069 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 21 August 2008 - 02:03 PM

i still have viruses though

What program is alerting you to them?
Did the program provide a specific file name associated with this malware threat and if so, where is it located (full file path) at on your system?

Rescan again with MBAM (Quick Scan) in normal mode and check all items found for removal. Don't forget to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

#8 sparkey

sparkey
  • Topic Starter

  • Members
  • 9 posts

Posted 23 August 2008 - 06:03 AM

SUPERAntiSpyware alerted me to them, and also Avira AntiVir. You asked for the full path; this is tricky as I have so many viruses, so I have put the Avira log here for you to see.

Avira AntiVir Personal
Report file date: Thursday, August 21, 2008 11:27

Scanning for 1369550 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (plain) [5.1.2600]
Boot mode: Save mode
Username: alistair
Computer name: ALISTAIR-T6AV3W


Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: All files
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Thursday, August 21, 2008 11:27

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'Explorer.EXE' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
10 processes with 10 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan the registry.
C:\WINDOWS\system32\qiutoeyy.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '492243a7.qua'!

The registry was scanned ( '43' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\rapport.txt
[DETECTION] Is the TR/Qhost.AA Trojan
[NOTE] The file was moved to '491d43a5.qua'!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\WINDOWS\hosts
[DETECTION] Is the TR/Qhost.AA Trojan
[NOTE] The file was moved to '492043b6.qua'!
C:\WINDOWS\system32\ivdocqov.exe
[DETECTION] Is the TR/VB.NLA Trojan
[NOTE] The file was moved to '4911441d.qua'!
C:\WINDOWS\system32\cehmpcpr.exe
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '49154429.qua'!
C:\WINDOWS\system32\xjkyvcrd.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4918442f.qua'!
C:\WINDOWS\system32\lyflbl.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4913443f.qua'!
C:\WINDOWS\system32\drivers\hosts
[DETECTION] Is the TR/Qhost.AA Trojan
[NOTE] The file was moved to '4920443d.qua'!
C:\WINDOWS\system\del.exe
[DETECTION] Is the TR/Crypt.FKM.Gen Trojan
[NOTE] The file was moved to '49194506.qua'!
C:\WINDOWS\system\delnew.exe
[DETECTION] Is the TR/Agent.ZZZ.7552 Trojan
[NOTE] The file was moved to '49194507.qua'!
C:\WINDOWS\system\run.exe
[DETECTION] Contains HEUR/Crypted suspicious code
[NOTE] The file was moved to '491b4518.qua'!
C:\WINDOWS\system\nadlocop .exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '49114506.qua'!
C:\Documents and Settings\alistair\Desktop\rapport1.txt
[DETECTION] Is the TR/Qhost.AA Trojan
[NOTE] The file was moved to '491d46fe.qua'!
C:\System Volume Information\_restore{792A55B5-C07B-4E74-A5B3-82E36CA07A18}\RP31\A0024800.EXE
[0] Archive type: RSRC
--> Object
[DETECTION] Is the TR/Vundo.DWK Trojan
[NOTE] The file was moved to '48dd4728.qua'!
C:\System Volume Information\_restore{792A55B5-C07B-4E74-A5B3-82E36CA07A18}\RP31\A0024805.EXE
[0] Archive type: RSRC
--> Object
[DETECTION] Is the TR/Vundo.DWK Trojan
[NOTE] The file was moved to '48dd472d.qua'!
C:\System Volume Information\_restore{792A55B5-C07B-4E74-A5B3-82E36CA07A18}\RP31\A0024808.EXE
[0] Archive type: RSRC
--> Object
[DETECTION] Is the TR/Vundo.DWK Trojan
[NOTE] The file was moved to '48dd4732.qua'!
C:\System Volume Information\_restore{792A55B5-C07B-4E74-A5B3-82E36CA07A18}\RP31\A0024809.EXE
[0] Archive type: RSRC
--> Object
[DETECTION] Is the TR/Vundo.DWK Trojan
[NOTE] The file was moved to '48dd4736.qua'!
C:\System Volume Information\_restore{792A55B5-C07B-4E74-A5B3-82E36CA07A18}\RP31\A0024810.EXE
[0] Archive type: RSRC
--> Object
[DETECTION] Is the TR/Vundo.DWK Trojan
[NOTE] The file was moved to '48dd473a.qua'!
C:\System Volume Information\_restore{792A55B5-C07B-4E74-A5B3-82E36CA07A18}\RP31\A0024823.EXE
[0] Archive type: RSRC
--> Object
[DETECTION] Is the TR/Vundo.DWK Trojan
[NOTE] The file was moved to '48dd4740.qua'!
C:\System Volume Information\_restore{792A55B5-C07B-4E74-A5B3-82E36CA07A18}\RP31\A0024824.EXE
[0] Archive type: RSRC
--> Object
[DETECTION] Is the TR/Vundo.DWK Trojan
[NOTE] The file was moved to '48dd4744.qua'!
C:\System Volume Information\_restore{792A55B5-C07B-4E74-A5B3-82E36CA07A18}\RP31\A0024827.EXE
[0] Archive type: RSRC
--> Object
[DETECTION] Is the TR/Vundo.DWK Trojan
[NOTE] The file was moved to '48dd4748.qua'!
C:\System Volume Information\_restore{792A55B5-C07B-4E74-A5B3-82E36CA07A18}\RP32\A0024895.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48dd4752.qua'!
C:\System Volume Information\_restore{792A55B5-C07B-4E74-A5B3-82E36CA07A18}\RP33\A0024916.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48dd4754.qua'!
C:\System Volume Information\_restore{792A55B5-C07B-4E74-A5B3-82E36CA07A18}\RP34\A0024934.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48dd4756.qua'!
C:\System Volume Information\_restore{792A55B5-C07B-4E74-A5B3-82E36CA07A18}\RP34\A0024942.exe
[DETECTION] Is the TR/Agent.3076.1 Trojan
[NOTE] The file was moved to '48dd4757.qua'!
C:\System Volume Information\_restore{792A55B5-C07B-4E74-A5B3-82E36CA07A18}\RP35\A0025042.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48dd4760.qua'!
C:\System Volume Information\_restore{792A55B5-C07B-4E74-A5B3-82E36CA07A18}\RP36\A0025055.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48dd4762.qua'!
C:\System Volume Information\_restore{792A55B5-C07B-4E74-A5B3-82E36CA07A18}\RP37\A0027069.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48dd4799.qua'!
C:\System Volume Information\_restore{792A55B5-C07B-4E74-A5B3-82E36CA07A18}\RP40\A0029740.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48dd47bb.qua'!
C:\System Volume Information\_restore{792A55B5-C07B-4E74-A5B3-82E36CA07A18}\RP41\A0029765.exe
[DETECTION] Is the TR/Agent.3076.1 Trojan
[NOTE] The file was moved to '48dd47bf.qua'!
C:\System Volume Information\_restore{792A55B5-C07B-4E74-A5B3-82E36CA07A18}\RP41\A0029798.old
[0] Archive type: RSRC
--> Object
[DETECTION] Is the TR/Vundo.DWK Trojan
[NOTE] The file was moved to '48dd47c7.qua'!
C:\System Volume Information\_restore{792A55B5-C07B-4E74-A5B3-82E36CA07A18}\RP42\A0030896.DLL
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '48dd47ca.qua'!
C:\System Volume Information\_restore{792A55B5-C07B-4E74-A5B3-82E36CA07A18}\RP42\A0029806.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '482697db.qua'!
C:\System Volume Information\_restore{792A55B5-C07B-4E74-A5B3-82E36CA07A18}\RP42\A0029807.dll
[DETECTION] Is the TR/Obfuscated.auw Trojan
[NOTE] The file was moved to '48dd47cb.qua'!
C:\System Volume Information\_restore{792A55B5-C07B-4E74-A5B3-82E36CA07A18}\RP42\A0029809.old
[0] Archive type: RSRC
--> Object
[DETECTION] Is the TR/Vundo.DWK Trojan
[NOTE] The file was moved to '48dd47cc.qua'!
C:\System Volume Information\_restore{792A55B5-C07B-4E74-A5B3-82E36CA07A18}\RP42\A0030897.DLL
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '48dd47ce.qua'!
C:\System Volume Information\_restore{792A55B5-C07B-4E74-A5B3-82E36CA07A18}\RP42\A0030898.exe
[DETECTION] Is the TR/Vundo.DWK Trojan
[NOTE] The file was moved to '48dd47d0.qua'!
C:\System Volume Information\_restore{792A55B5-C07B-4E74-A5B3-82E36CA07A18}\RP42\A0030884.DLL
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '48dd47d8.qua'!
C:\System Volume Information\_restore{792A55B5-C07B-4E74-A5B3-82E36CA07A18}\RP42\A0030885.DLL
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '48dd47d9.qua'!
C:\System Volume Information\_restore{792A55B5-C07B-4E74-A5B3-82E36CA07A18}\RP42\A0030886.DLL
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '482697ca.qua'!
C:\System Volume Information\_restore{792A55B5-C07B-4E74-A5B3-82E36CA07A18}\RP42\A0030887.DLL
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '48dd47db.qua'!
C:\System Volume Information\_restore{792A55B5-C07B-4E74-A5B3-82E36CA07A18}\RP42\A0030888.DLL
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '48dd47da.qua'!
C:\System Volume Information\_restore{792A55B5-C07B-4E74-A5B3-82E36CA07A18}\RP42\A0030889.DLL
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '482697cb.qua'!
C:\System Volume Information\_restore{792A55B5-C07B-4E74-A5B3-82E36CA07A18}\RP42\A0030890.DLL
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '482697cc.qua'!
C:\System Volume Information\_restore{792A55B5-C07B-4E74-A5B3-82E36CA07A18}\RP42\A0030891.DLL
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '48dd47dd.qua'!
C:\System Volume Information\_restore{792A55B5-C07B-4E74-A5B3-82E36CA07A18}\RP42\A0030892.DLL
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '482697ce.qua'!
C:\System Volume Information\_restore{792A55B5-C07B-4E74-A5B3-82E36CA07A18}\RP42\A0030893.DLL
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '48dd47dc.qua'!
C:\System Volume Information\_restore{792A55B5-C07B-4E74-A5B3-82E36CA07A18}\RP42\A0030894.DLL
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '482697cd.qua'!
C:\System Volume Information\_restore{792A55B5-C07B-4E74-A5B3-82E36CA07A18}\RP42\A0030895.DLL
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '48dd47de.qua'!
C:\System Volume Information\_restore{792A55B5-C07B-4E74-A5B3-82E36CA07A18}\RP42\A0030902.EXE
[DETECTION] Is the TR/Vundo.DWK Trojan
[NOTE] The file was moved to '48dd47df.qua'!
C:\System Volume Information\_restore{792A55B5-C07B-4E74-A5B3-82E36CA07A18}\RP42\A0030903.exe
[DETECTION] Is the TR/Drop.Agent.dgo.221 Trojan
[NOTE] The file was moved to '482697f0.qua'!
C:\System Volume Information\_restore{792A55B5-C07B-4E74-A5B3-82E36CA07A18}\RP42\A0030904.EXE
[DETECTION] Contains recognition pattern of the WORM/SdBot.30720.26 worm
[NOTE] The file was moved to '482697cf.qua'!
C:\System Volume Information\_restore{792A55B5-C07B-4E74-A5B3-82E36CA07A18}\RP42\A0030920.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48dd47e1.qua'!
C:\System Volume Information\_restore{792A55B5-C07B-4E74-A5B3-82E36CA07A18}\RP42\A0030921.exe
[DETECTION] Is the TR/VB.NLA Trojan
[NOTE] The file was moved to '48dd47e0.qua'!
C:\System Volume Information\_restore{792A55B5-C07B-4E74-A5B3-82E36CA07A18}\RP42\A0030922.exe
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '482697f1.qua'!
C:\System Volume Information\_restore{792A55B5-C07B-4E74-A5B3-82E36CA07A18}\RP42\A0030923.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48dd47e2.qua'!
C:\System Volume Information\_restore{792A55B5-C07B-4E74-A5B3-82E36CA07A18}\RP42\A0030924.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '482697f2.qua'!
C:\System Volume Information\_restore{792A55B5-C07B-4E74-A5B3-82E36CA07A18}\RP42\A0030925.exe
[DETECTION] Is the TR/Crypt.FKM.Gen Trojan
[NOTE] The file was moved to '48dd47e3.qua'!
C:\System Volume Information\_restore{792A55B5-C07B-4E74-A5B3-82E36CA07A18}\RP42\A0030926.exe
[DETECTION] Is the TR/Agent.ZZZ.7552 Trojan
[NOTE] The file was moved to '482697f4.qua'!
C:\System Volume Information\_restore{792A55B5-C07B-4E74-A5B3-82E36CA07A18}\RP42\A0030927.exe
[DETECTION] Contains HEUR/Crypted suspicious code
[NOTE] The file was moved to '48dd47e5.qua'!
C:\System Volume Information\_restore{792A55B5-C07B-4E74-A5B3-82E36CA07A18}\RP42\A0030928.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '482697f6.qua'!
C:\VundoFix Backups\khfdawx.dll.bad
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4913481d.qua'!
C:\VundoFix Backups\ljjjihe.dll.bad
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4917481f.qua'!
C:\VundoFix Backups\pmnmkkh.dll.bad
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '491b4822.qua'!
C:\VundoFix Backups\ssqqqnl.dll.bad
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '491e4829.qua'!
C:\Recycled\Dc1.exe
[DETECTION] Is the TR/Agent.3076.1 Trojan
[NOTE] The file was moved to '48de4849.qua'!


End of the scan: Thursday, August 21, 2008 11:48
Used time: 21:37 Minute(s)

The scan has been done completely.

815 Scanning directories
33706 Files were scanned
64 viruses and/or unwanted programs were found
2 Files were classified as suspicious:
0 files were deleted
0 files were repaired
66 files were moved to quarantine
0 files were renamed
1 Files cannot be scanned
33639 Files not concerned
349 Archives were scanned
1 Warnings
66 Notes

As you can see there are quite a few. They are quarantined at the moment, but I would like to remove them and am not sure how.

I have also attached a SUPERAntiSpyware log.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/21/2008 at 02:55 AM

Application Version : 4.15.1000

Core Rules Database Version : 3469
Trace Rules Database Version: 1460

Scan type : Complete Scan
Total Scan Time : 00:39:22

Memory items scanned : 159
Memory threats detected : 3
Registry items scanned : 2852
Registry threats detected : 30
File items scanned : 6655
File threats detected : 133

C:\SYSTEM VOLUME INFORMATION\_RESTORE{792A55B5-C07B-4E74-A5B3-82E36CA07A18}\RP40\A0029750.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{792A55B5-C07B-4E74-A5B3-82E36CA07A18}\RP40\A0029752.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{792A55B5-C07B-4E74-A5B3-82E36CA07A18}\RP41\A0029761.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{792A55B5-C07B-4E74-A5B3-82E36CA07A18}\RP41\A0029762.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{792A55B5-C07B-4E74-A5B3-82E36CA07A18}\RP41\A0029764.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{792A55B5-C07B-4E74-A5B3-82E36CA07A18}\RP41\A0029772.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{792A55B5-C07B-4E74-A5B3-82E36CA07A18}\RP41\A0029773.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{792A55B5-C07B-4E74-A5B3-82E36CA07A18}\RP41\A0029775.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{792A55B5-C07B-4E74-A5B3-82E36CA07A18}\RP41\A0029787.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{792A55B5-C07B-4E74-A5B3-82E36CA07A18}\RP41\A0029788.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{792A55B5-C07B-4E74-A5B3-82E36CA07A18}\RP41\A0029791.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{792A55B5-C07B-4E74-A5B3-82E36CA07A18}\RP42\A0029816.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{792A55B5-C07B-4E74-A5B3-82E36CA07A18}\RP42\A0029828.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{792A55B5-C07B-4E74-A5B3-82E36CA07A18}\RP42\A0030828.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{792A55B5-C07B-4E74-A5B3-82E36CA07A18}\RP42\A0030853.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{792A55B5-C07B-4E74-A5B3-82E36CA07A18}\RP42\A0030856.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{792A55B5-C07B-4E74-A5B3-82E36CA07A18}\RP42\A0030869.EXE
C:\WINDOWS\Prefetch\NADLOCOP.EXE-0A13412F.pf
C:\WINDOWS\Prefetch\EFECB.EXE-187834EA.pf

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{514A5C49-0C7D-42c3-A71B-38864A269B7A}
HKCR\CLSID\{514A5C49-0C7D-42C3-A71B-38864A269B7A}
HKCR\CLSID\{514A5C49-0C7D-42C3-A71B-38864A269B7A}\InprocServer32
HKCR\CLSID\{514A5C49-0C7D-42C3-A71B-38864A269B7A}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\PMXSVMRY.DLL
HKLM\Software\Classes\CLSID\{5AAF23D8-4489-43D8-A064-319D1254ABCA}
HKCR\CLSID\{5AAF23D8-4489-43D8-A064-319D1254ABCA}
HKCR\CLSID\{5AAF23D8-4489-43D8-A064-319D1254ABCA}\InprocServer32
HKCR\CLSID\{5AAF23D8-4489-43D8-A064-319D1254ABCA}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5AAF23D8-4489-43D8-A064-319D1254ABCA}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{5AAF23D8-4489-43D8-A064-319D1254ABCA}
HKCR\CLSID\{514A5C49-0C7D-42C3-A71B-38864A269B7A}
HKCR\CLSID\{5AAF23D8-4489-43D8-A064-319D1254ABCA}

Adware.Vundo-Variant
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DA9BF989-3E7B-44C7-8763-374267EA1A1E}
HKCR\CLSID\{DA9BF989-3E7B-44C7-8763-374267EA1A1E}
HKCR\CLSID\{DA9BF989-3E7B-44C7-8763-374267EA1A1E}\InprocServer32
HKCR\CLSID\{DA9BF989-3E7B-44C7-8763-374267EA1A1E}\InprocServer32#ThreadingModel

Trojan.Downloader-SVSHost
HKLM\System\ControlSet001\Services\k7h08c9m4w4
C:\WINDOWS\SYSTEM32\SVSHOST.EXE
HKLM\System\ControlSet001\Enum\Root\LEGACY_k7h08c9m4w4
HKLM\System\ControlSet002\Services\k7h08c9m4w4
HKLM\System\ControlSet002\Enum\Root\LEGACY_k7h08c9m4w4
HKLM\System\CurrentControlSet\Services\k7h08c9m4w4
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_k7h08c9m4w4
C:\WINDOWS\Prefetch\SVSHOST.EXE-2DCA3CE2.pf

Adware.Tracking Cookie
C:\Documents and Settings\alistair\Cookies\alistair@doubleclick[1].txt
C:\Documents and Settings\alistair\Cookies\alistair@chitika[1].txt
C:\Documents and Settings\alistair\Cookies\alistair@84815040[2].txt
C:\Documents and Settings\alistair\Cookies\alistair@server.iad.liveperson[1].txt
C:\Documents and Settings\alistair\Cookies\alistair@adlegend[2].txt
C:\Documents and Settings\alistair\Cookies\alistair@2o7[1].txt
C:\Documents and Settings\alistair\Cookies\alistair@questionmarket[2].txt
C:\Documents and Settings\alistair\Cookies\alistair@statcounter[2].txt
C:\Documents and Settings\alistair\Cookies\alistair@clickbank[2].txt
C:\Documents and Settings\alistair\Cookies\alistair@mediaplex[1].txt
C:\Documents and Settings\alistair\Cookies\alistair@82.98.235[1].txt
C:\Documents and Settings\alistair\Cookies\alistair@1061504103[2].txt
C:\Documents and Settings\alistair\Cookies\alistair@ads.techguy[2].txt

Adware.Vundo Variant/Rel
HKLM\SOFTWARE\Microsoft\aoprndtws
HKLM\SOFTWARE\Microsoft\RemoveRP
HKU\S-1-5-21-527237240-1606980848-839522115-1003\Software\Microsoft\rdfa
C:\WINDOWS\SYSTEM32\MCRH.TMP

Adware.Helper
C:\WINDOWS\SYSTEM\HELPER.EXE
C:\WINDOWS\Prefetch\HELPER.EXE-3ABE3DF0.pf

Adware.Vundo-Variant/PolyMorph-A
C:\SYSTEM VOLUME INFORMATION\_RESTORE{792A55B5-C07B-4E74-A5B3-82E36CA07A18}\RP42\A0029817.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{792A55B5-C07B-4E74-A5B3-82E36CA07A18}\RP42\A0029818.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{792A55B5-C07B-4E74-A5B3-82E36CA07A18}\RP42\A0029819.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{792A55B5-C07B-4E74-A5B3-82E36CA07A18}\RP42\A0029820.DLL


hope this all helps!
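A small triage helper, added here as an example (it is not code from the thread, from SUPERAntiSpyware or from BleepingComputer), that parses a scan log in the layout posted in this thread and separates inert restore-point copies and prefetch traces from live files and registry persistence points (Browser Helper Object, ShellExecuteHooks and service keys). The path patterns it keys on and the embedded sample log are constructed assumptions.

```python
"""Triage a SUPERAntiSpyware-style scan log (added example, not the tool's or thread's code)."""
import re
# Heuristics keyed on the path shapes such logs contain (assumption: these prefixes).
RESTORE_RE = re.compile(r"\\SYSTEM VOLUME INFORMATION\\_RESTORE", re.I)
PREFETCH_RE = re.compile(r"\\WINDOWS\\PREFETCH\\.+\.pf$", re.I)
REGISTRY_RE = re.compile(r"^(HKLM|HKCU|HKCR|HKU)\\", re.I)
PERSISTENCE_RE = re.compile(
    r"Browser Helper Objects|ShellExecuteHooks|\\Services\\|\\CurrentVersion\\Run", re.I)

def classify(entry):
    """Return restore_point, prefetch, persistence, registry or live_file for one entry."""
    entry = entry.strip()
    if entry.startswith("[load]"):   # scanner's note that the image was found loaded in memory
        entry = entry[len("[load]"):].strip()
    if RESTORE_RE.search(entry):
        return "restore_point"       # inert unless the restore point is applied
    if PREFETCH_RE.search(entry):
        return "prefetch"            # execution trace: evidence, not an active component
    if REGISTRY_RE.match(entry):
        return "persistence" if PERSISTENCE_RE.search(entry) else "registry"
    return "live_file"

def parse_log(text):
    """Map category -> {class -> [entries]}; a blank line ends a category block."""
    report, category = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            category = None
            continue
        if category is None:         # first non-blank line after a gap names the category
            category = line
            continue
        report.setdefault(category, {}).setdefault(classify(line), []).append(line)
    return report

def live_items(report):
    """Entries that are not inert copies or traces: what a responder should chase first."""
    return {cat: [e for cls in ("persistence", "registry", "live_file") for e in classes.get(cls, [])]
            for cat, classes in report.items()}
# Constructed sample in the same layout as the thread's log; GUID and CLSID are placeholders.
SAMPLE_LOG = """Trojan.Downloader-SVSHost
HKLM\\System\\CurrentControlSet\\Services\\k7h08c9m4w4
C:\\WINDOWS\\SYSTEM32\\SVSHOST.EXE
C:\\WINDOWS\\Prefetch\\SVSHOST.EXE-2DCA3CE2.pf

Adware.Vundo-Variant/PolyMorph-A
C:\\SYSTEM VOLUME INFORMATION\\_RESTORE{GUID}\\RP42\\A0029817.DLL
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\{CLSID}
"""
```

Running `live_items(parse_log(SAMPLE_LOG))` leaves one service key, one executable and one BHO registration to act on, while the restore-point copy and the prefetch file are reported separately as evidence.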

#9 quietman7
Bleepin' Janitor, Global Moderator

Posted 23 August 2008 - 06:31 AM

Please download ATF Cleaner by Atribune (alternate download link) and save it to your desktop. DO NOT use it yet.
Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under the "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure the "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use the Firefox browser, click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use the Opera browser, click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
Rescan with MBAM (Quick Scan) in normal mode and check all items found for removal. Don't forget to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.