
Vundo Variant and/or BHO that can't be removed


  • This topic is locked
2 replies to this topic

#1 weberh


  • Members
  • 2 posts

Posted 30 December 2008 - 01:31 PM

My kids downloaded something evil, and all of a sudden Google searches redirect to different sites. Tried the following tools:

AVG
Spybot Search and Destroy
HiJackThis
MalwareBytes AntiMalware
SuperAntiSpyware
etc.

They stopped the redirection, etc., but none of them can delete c:\windows\system32\capesnp.dll or the BHO registry entries associated with it. I cannot edit, delete, or change the permissions or owners on the registry entries or the file regardless of what account I try it from, safe mode, etc.

(O2 - BHO: (no name) - {ADFAD570-A648-46FC-8ADE-0E608F352212} - C:\WINDOWS\system32\capesnp.dll)

Please help!

Thanks,

Hans

DDS.txt log
-------------


DDS (Version 1.1.0) - NTFSx86
Run by Daddy at 12:17:52.87 on Tue 12/30/2008
Internet Explorer: 7.0.5730.11

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.cs.unc.edu/~weberh
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.dellnet.com
uInternet Connection Wizard,ShellNext = hxxp://us.mcafee.com/root/landingpages/cd.asp?affid=105-01&lpname=vsotrial90&dtag=5TFV731&cid=7685&appurl=http%3A%2F%2Fus%2Emcafee%2Ecom%2Fapps%2FAppCommon%2Fupdreg%2Easp%3Fapp%3Dhttp%253A%252F%252Fus%252Emcafee%252Ecom%252Fapps%252Fvso%252Fen%252Dus%252Fredir%252Easp%253Faffid%253D105%252D01%2526installtype%253Dforce%2526dtag%253D5TFV731%2526lpname%253Dvsotrial90%2526langid%253D1%2526systempopup%253Dtrue
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar5.dll
BHO: {adfad570-a648-46fc-8ade-0e608f352212} - c:\windows\system32\capesnp.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar5.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [Auto EPSON Stylus C84 Series on WEBER3] c:\windows\system32\spool\drivers\w32x86\3\e_s4i2d1.exe /p38 "auto epson stylus c84 series on weber3" /o17 "\\weber3\EPSONC84" /M "Stylus C84"
mRun: [VirtualDrive] c:\program files\farstone\virtualdrive\vdtask.exe /AutoRestore
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4\OpwareSE4.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
dRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\daddy\applic~1\mozilla\firefox\profiles\gf4hzlnb.default\
FF - plugin: c:\program files\google\google updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa2.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\java\j2re1.4.2_11\bin\NPJava11.dll
FF - plugin: c:\program files\java\j2re1.4.2_11\bin\NPJava12.dll
FF - plugin: c:\program files\java\j2re1.4.2_11\bin\NPJava13.dll
FF - plugin: c:\program files\java\j2re1.4.2_11\bin\NPJava14.dll
FF - plugin: c:\program files\java\j2re1.4.2_11\bin\NPJava32.dll
FF - plugin: c:\program files\java\j2re1.4.2_11\bin\NPJPI142_11.dll
FF - plugin: c:\program files\java\j2re1.4.2_11\bin\NPOJI610.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2008-12-30 11:51 24,576 a------- c:\windows\system32\VundoFixSVC.exe
2008-12-30 11:27 <DIR> --d----- C:\VundoFix Backups
2008-12-29 23:48 <DIR> --d----- c:\program files\Lavasoft
2008-12-29 22:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2008-12-29 22:58 <DIR> --d----- c:\program files\SUPERAntiSpyware
2008-12-29 22:57 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-12-29 22:33 <DIR> --d----- c:\program files\Unlocker
2008-12-29 15:11 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-29 15:11 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-29 15:11 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-29 15:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-29 15:06 <DIR> --d----- c:\program files\FileASSASSIN
2008-12-29 14:07 <DIR> a-dshr-- C:\cmdcons
2008-12-29 14:05 161,792 a------- c:\windows\SWREG.exe
2008-12-29 14:05 98,816 a------- c:\windows\sed.exe
2008-12-29 13:23 <DIR> --d----- c:\program files\Trend Micro
2008-12-28 23:11 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-12-28 23:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-12-26 02:26 200,819 a------- c:\windows\system32\nvapps.xml
2008-12-26 02:26 453,152 a------- c:\windows\system32\NVUNINST.EXE
2008-12-26 02:25 <DIR> --d----- C:\NVIDIA
2008-12-26 01:59 107,888 a------- c:\windows\system32\CmdLineExt.dll
2008-12-26 01:53 <DIR> --d----- C:\ProgramData
2008-12-26 01:53 1,534 a------- c:\windows\system32\ealregsnapshot1.reg
2008-12-19 05:44 95,744 a------- c:\windows\system32\capesnp.dll
2008-12-12 15:11 1,970,176 a------- c:\windows\system32\d3dx9.dll
2008-12-12 15:11 679,936 a------- c:\windows\system32\D3DX81ab.dll
2008-12-10 14:40 3,549,552 a------- c:\temp\procexp.exe
2008-12-07 00:34 644,400 a------- c:\windows\system32\mscomct2.ocx
2008-12-07 00:34 200,704 a------- c:\windows\system32\threed32.ocx
2008-12-07 00:34 <DIR> --d----- c:\program files\FontPage
2008-12-06 21:17 <DIR> --d----- c:\windows\system32\IOSUBSYS

==================== Find3M ====================

2008-12-13 01:40 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll
2008-11-23 07:00 3,025,194 a------- c:\windows\system32\PokeMon The Wastelands.scr
2008-11-17 15:04 2,306,113 a------- c:\windows\system32\GPhotos.scr
2008-10-24 06:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 07:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-16 08:11 70,656 a------- c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 08:11 13,824 a------- c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 11:34 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-15 02:06 633,632 a------- c:\windows\system32\dllcache\iexplore.exe
2008-10-15 02:04 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2008-10-03 05:02 247,326 a------- c:\windows\system32\strmdll.dll
2008-10-03 05:02 247,326 a------- c:\windows\system32\dllcache\strmdll.dll
2008-10-01 20:09 78,739 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2004-07-02 21:31 63,592 a------- c:\docume~1\daddy\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 12:18:45.28 ===============


#2 weberh

  • Topic Starter

  • Members
  • 2 posts

Posted 03 January 2009 - 04:48 AM

Problem solved.


I built a BartPE CD, booted from that, and then used regedit to load the portions of the hive that I needed to modify. Worked like a charm. I still don't understand how the registry entries were set up so that I could not edit the owner, permissions, etc., regardless of what I tried, but at least I was able to get rid of the entries.

I could probably have deleted capesnp.dll while I was running under the BartPE CD as well, but I had already deleted them by running a DOS boot CD with NTFS4DOS on it.

Thank you for the ideas in various posts, and good luck to everyone who is still waging their battles against malware.
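The two posts above describe the same situation from both ends: a BHO registered under a CLSID with no friendly name, pointing at a DLL in system32, whose registry key refuses every permission or ownership change from the live system, and a fix that works by booting a rescue environment and loading the offline hive into regedit. The script below is an added example, not code from this thread or from any of the tools named in it. It does the triage half of that procedure from PowerShell: it loads the offline SOFTWARE hive under a temporary key, walks the Browser Helper Objects list, resolves each CLSID to its name and InprocServer32 DLL (the same two fields the "O2 - BHO" line shows), checks whether the DLL exists and is signed on the offline volume, and reports the owner and any Deny ACEs on each BHO key, which is what blocks editing from a running system. The offline volume letter, hive path and mount name are assumed values; the script only reports and changes nothing.

```powershell
<#
Added example, not code from the thread or from any tool it names.
Assumptions: the infected Windows installation is mounted offline at $OfflineRoot
(from a WinPE/BartPE-style rescue boot, as the original poster did) and the caller
is an administrator in that environment. All paths and $MountName are assumed.
Report-only: nothing in the hive is modified.
#>
param(
    [string]$OfflineRoot = 'D:',                                  # assumed offline Windows volume
    [string]$HivePath    = 'D:\Windows\System32\config\software',  # assumed SOFTWARE hive on that volume
    [string]$MountName   = 'OfflineSW'                             # assumed temporary key name under HKLM
)

$mountKey = "HKLM\$MountName"
& reg.exe load $mountKey $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg.exe load failed for $HivePath" }

try {
    $bhoRoot   = "HKLM:\$MountName\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
    $clsidRoot = "HKLM:\$MountName\Classes\CLSID"

    $report = foreach ($entry in Get-ChildItem -Path $bhoRoot -ErrorAction Stop) {
        $clsid    = $entry.PSChildName
        $clsidKey = Join-Path $clsidRoot $clsid

        # Friendly name and in-process server DLL: the two fields an "O2 - BHO" log line shows.
        $name   = (Get-ItemProperty -Path $clsidKey -ErrorAction SilentlyContinue).'(default)'
        $server = (Get-ItemProperty -Path (Join-Path $clsidKey 'InprocServer32') -ErrorAction SilentlyContinue).'(default)'

        # Map the recorded path (C:\WINDOWS\...) onto the offline volume so the file can be examined.
        $dll = $null; $exists = $false; $sigStatus = 'n/a'
        if ($server) {
            $dll    = ($server.Trim('"') -replace '^[A-Za-z]:', $OfflineRoot)
            $exists = Test-Path -LiteralPath $dll
            if ($exists) { $sigStatus = (Get-AuthenticodeSignature -FilePath $dll).Status }
        }

        # ACL on the BHO key itself: a Deny ACE or an unexpected owner is what stops an
        # administrator on the live system from editing or deleting the entry.
        $acl  = Get-Acl -Path $entry.PSPath
        $deny = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })

        $flags = @()
        if (-not $name)                  { $flags += 'no friendly name' }
        if (-not $server)                { $flags += 'no InprocServer32' }
        elseif (-not $exists)            { $flags += 'DLL missing on disk' }
        elseif ($sigStatus -ne 'Valid')  { $flags += "signature $sigStatus" }
        if ($deny.Count -gt 0)           { $flags += "$($deny.Count) Deny ACE(s)" }

        [pscustomobject]@{
            CLSID = $clsid
            Name  = if ($name) { $name } else { '(no name)' }
            DLL   = $server
            Owner = $acl.Owner
            Flags = ($flags -join '; ')
        }
    }

    # Entries with the most flags first: an unnamed BHO with an unsigned DLL and Deny ACEs tops the list.
    $report | Sort-Object { $_.Flags.Length } -Descending | Format-Table -AutoSize
}
finally {
    # PowerShell keeps registry handles open until they are collected; release them or the unload fails.
    [System.GC]::Collect()
    & reg.exe unload $mountKey | Out-Null
}
```

Run it from the rescue environment after mounting the infected volume, adjusting the three parameters to the real drive letter and hive path. Loading the hive offline is what makes the ACLs inspectable and, if needed, changeable: the owner and Deny entries stored in the hive are just data to the rescue system's administrator, which is why the approach in the post above succeeded where in-place edits from the infected installation did not.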

#3 boopme


    To Insanity and Beyond


  • Global Moderator
  • 73,404 posts
  • Gender:Male
  • Location:NJ USA

Posted 03 January 2009 - 07:50 PM

Thanks for telling us your fix.
