Virtumonde/Trojan.Vundo/Malware.Trace


  • This topic is locked
2 replies to this topic

#1 PavorNocturnus

PavorNocturnus

  • Members
  • 1 posts
  • OFFLINE
  • Local time:04:55 AM

Posted 03 January 2009 - 07:10 AM

Hello, I'm infected with trojan.vundo and malware.trace, which is causing very random popups only when I'm online. The original infection was about 3 days ago. I used Ad-Aware and AVG then, which got rid of what seemed to be all of the infection at the time. Popups continued; I rescanned with both again and neither found anything. I found Malwarebytes' Anti-Malware online, which finds 2 files any time I run it and removes them, but they always return. Malwarebytes is the only program that actually finds anything right now. Ad-Aware and AVG don't detect anything when I scan with them. I have scanned with all 3 in safe mode as well.


DDS (Version 1.1.0) - NTFSx86
Run by Cody at 2:46:50.46 on Sat 01/03/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_02
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1481 [GMT -8:00]

AV: AVG Anti-Virus *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS.3\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS.3\System32\svchost.exe -k netsvcs
C:\WINDOWS.3\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS.3\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS.3\System32\CTsvcCDA.exe
C:\WINDOWS.3\system32\nvsvc32.exe
C:\WINDOWS.3\SYSTEM32\USRmlnkA.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS.3\system32\CTHELPER.EXE
C:\WINDOWS.3\SYSTEM32\USRshutA.exe
C:\WINDOWS.3\SYSTEM32\USRmlnkA.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS.3\System32\MsPMSPSv.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
c:\WINDOWS.3\system32\ZuneBusEnum.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS.3\system32\RUNDLL32.EXE
C:\Program Files\Zune\ZuneLauncher.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\WINDOWS.3\system32\ctfmon.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS.3\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Cody.YOUR-PCWPUJ7QJP\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: {65d09062-07f9-4cc8-1594-b342f4030f63}: {36f0304f-243b-4951-8cc4-9f7026090d56} - c:\windows.3\system32\patkds.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [RemoteCenter] c:\program files\creative\mediasource\remotecontrol\RCMan.EXE
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows.3\system32\ctfmon.exe
mRun: [USRpdA] c:\windows.3\system32\usrmlnka.exe runservices \device\3cpipe-USRpdA
mRun: [CTSysVol] c:\program files\creative\sbaudigy2zs\surround mixer\CTSysVol.exe /r
mRun: [CTDVDDET] c:\program files\creative\sbaudigy2zs\dvdaudio\CTDVDDET.EXE
mRun: [CTHelper] CTHELPER.EXE
mRun: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
mRun: [SBDrvDet] c:\program files\creative\sb drive det\SBDrvDet.exe /r
mRun: [UpdReg] c:\windows.3\UpdReg.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows.3\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_02\bin\jusched.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware 2007\Ad-Watch2007.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [IMJPMIG8.1] "c:\windows.3\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows.3\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows.3\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows.3\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows.3\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
StartupFolder: c:\docume~1\cody~1.you\startm~1\programs\startup\deskto~1.lnk - c:\program files\vghd\vghd.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
Trusted Zone: aol.com\free
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: WB - c:\program files\alienguise\fastload.dll
AppInit_DLLs: wbsys.dll patkds.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows.3\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 c:\windows.3\system32\efcAqrOf

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\cody~1.you\applic~1\mozilla\firefox\profiles\c1blm3g3.default\
FF - prefs.js: browser.startup.homepage - hxxp://profile.myspace.com/index.cfm?fuseaction=user.viewprofile&friendid=30332793
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npWebLaunch.dll

============= SERVICES / DRIVERS ===============

R0 875raid;875raid;c:\windows.3\system32\drivers\875raid.sys [2003-7-2 274816]
R0 AvgRkx86;avgrkx86.sys;c:\windows.3\system32\drivers\avgrkx86.sys [2009-1-1 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows.3\system32\drivers\avgldx86.sys [2009-1-1 324872]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows.3\system32\drivers\avgmfx86.sys [2009-1-1 27656]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows.3\system32\drivers\avgtdix.sys [2009-1-1 107272]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R4 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-1-1 903960]
R4 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-1 298264]
S0 zffh;zffh;c:\windows.3\system32\drivers\gwgpmxw.sys --> c:\windows.3\system32\drivers\gwgpmxw.sys [?]
S0 zmvqtxm;zmvqtxm;c:\windows.3\system32\drivers\vhpslnv.sys --> c:\windows.3\system32\drivers\vhpslnv.sys [?]
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;c:\windows.3\system32\drivers\NSDriver.sys [2008-4-29 15648]
S3 bkn50USB;Belkin 54Mbps Wireless USB Network Adapter;c:\windows.3\system32\drivers\rt2500usb.sys [2008-4-16 140416]
S3 XDva037;XDva037;\??\c:\windows.3\system32\xdva037.sys --> c:\windows.3\system32\XDva037.sys [?]

=============== Created Last 30 ================

2009-01-02 07:45 578,560 ac------ c:\windows.3\system32\dllcache\user32.dll
2009-01-02 07:15 <DIR> --d----- c:\windows.3\ERUNT
2009-01-02 07:14 7,680 a--sh--- c:\windows.3\Thumbs.db
2009-01-01 02:57 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-01-01 02:02 107,272 a------- c:\windows.3\system32\drivers\avgtdix.sys
2009-01-01 02:02 12,552 a------- c:\windows.3\system32\drivers\avgrkx86.sys
2009-01-01 02:02 10,520 a------- c:\windows.3\system32\avgrsstx.dll
2009-01-01 02:02 <DIR> --d----- c:\windows.3\system32\drivers\Avg
2009-01-01 02:02 324,872 a------- c:\windows.3\system32\drivers\avgldx86.sys
2009-01-01 02:02 <DIR> --d----- c:\program files\AVG
2009-01-01 02:02 <DIR> --d----- c:\docume~1\alluse~1.3\applic~1\avg8
2009-01-01 00:36 0 a------- C:\ntuser.dat
2008-12-31 10:18 <DIR> --d----- c:\docume~1\cody~1.you\applic~1\Malwarebytes
2008-12-31 10:18 15,504 a------- c:\windows.3\system32\drivers\mbam.sys
2008-12-31 10:18 38,496 a------- c:\windows.3\system32\drivers\mbamswissarmy.sys
2008-12-31 10:18 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-31 10:18 <DIR> --d----- c:\docume~1\alluse~1.3\applic~1\Malwarebytes
2008-12-31 05:13 40,448 a------- c:\windows.3\system32\k9261108.exe
2008-12-31 05:05 130,560 a------- c:\windows.3\system32\patkds.dll
2008-12-31 05:05 130,560 a------- c:\windows.3\system32\atialmlk.dll

==================== Find3M ====================

2008-12-31 11:44 90,112 a------- c:\windows.3\DUMP6031.tmp
2008-12-03 01:53 152,904 a------- c:\windows.3\system32\vghd.scr
2008-11-10 12:23 243,840 a------- c:\windows.3\system32\ZuneWlanCfgSvc.exe
2008-11-10 12:23 60,032 a------- c:\windows.3\system32\ZuneBusEnum.exe
2008-11-10 12:09 73,728 a------- c:\windows.3\system32\ZuneUsbTransport.dll
2008-11-10 12:09 18,944 a------- c:\windows.3\system32\ZuneTcp2Udp.dll
2008-11-10 12:09 57,344 a------- c:\windows.3\system32\ZuneRegUtil.dll
2008-11-10 12:09 12,800 a------- c:\windows.3\system32\ZunePTDNS.dll
2008-11-10 12:09 310,272 a------- c:\windows.3\system32\ZuneNetProxy.dll
2008-11-10 12:09 145,920 a------- c:\windows.3\system32\ZuneMTPZ.dll
2008-10-23 04:36 286,720 a------- c:\windows.3\system32\gdi32.dll
2008-10-15 17:00 666,112 a------- c:\windows.3\system32\wininet.dll
2008-09-12 15:48 217 a------- c:\program files\INSTALL.LOG

============= FINISH: 2:47:20.29 ===============
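The DDS log above is what a helper reads for persistence points. As an added example (not part of this thread and not a BleepingComputer tool), the Python below applies the checks a log reader applies to the entry types that stand out in it: a BHO whose name field is a bare CLSID, any AppInit_DLLs entry, an LSA authentication package other than msv1_0, and a service or driver line that DDS marks [?] because it could not read the file. The sample lines are copied from the log above; the regexes are my own reading of the DDS line formats.

```python
import re
from typing import List

# Lines copied from the DDS log posted above (one clean AVG entry is included
# so the rules can be seen not to fire on it).
SAMPLE_LOG = r"""
BHO: {65d09062-07f9-4cc8-1594-b342f4030f63}: {36f0304f-243b-4951-8cc4-9f7026090d56} - c:\windows.3\system32\patkds.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
AppInit_DLLs: wbsys.dll patkds.dll
LSA: Authentication Packages = msv1_0 c:\windows.3\system32\efcAqrOf
S0 zffh;zffh;c:\windows.3\system32\drivers\gwgpmxw.sys --> c:\windows.3\system32\drivers\gwgpmxw.sys [?]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows.3\system32\drivers\avgtdix.sys [2009-1-1 107272]
"""

GUID = r"\{[0-9a-f-]{36}\}"
# DDS "Pseudo HJT" line shapes (assumed from the log; not an official grammar).
BHO_RE = re.compile(rf"^BHO: (?P<name>.+?): {GUID} - (?P<path>.+)$", re.I)
APPINIT_RE = re.compile(r"^AppInit_DLLs: (?P<dlls>.+)$")
LSA_RE = re.compile(r"^LSA: Authentication Packages = (?P<pkgs>.+)$")
# "<start> <name>;<description>;<path>[ --> <resolved path>] [<date size> | ?]"
SVC_RE = re.compile(r"^(?P<start>[RS]\d) (?P<svc>[^;]+);[^;]*;(?P<path>.+?)(?: --> .+)? \[(?P<stat>[^\]]*)\]$")

def triage(report: str) -> List[str]:
    """Return one readable finding per DDS line that matches a persistence pattern."""
    findings = []
    for line in report.splitlines():
        line = line.strip()
        if m := BHO_RE.match(line):
            # Legitimate BHOs carry a product name; a bare CLSID as the name is unusual.
            if re.fullmatch(GUID, m["name"], re.I):
                findings.append(f"BHO with no product name, loads {m['path']}")
        elif m := APPINIT_RE.match(line):
            # AppInit_DLLs are loaded into every process that loads user32.dll.
            for dll in m["dlls"].split():
                findings.append(f"AppInit_DLLs loads {dll} into every GUI process")
        elif m := LSA_RE.match(line):
            # Only msv1_0 is expected on a stock XP box; extra packages run inside lsass.
            for pkg in m["pkgs"].split():
                if pkg.lower() != "msv1_0":
                    findings.append(f"extra LSA authentication package {pkg}")
        elif m := SVC_RE.match(line):
            # DDS prints [?] when it cannot stat the file: missing, or hidden from it.
            if m["stat"] == "?":
                findings.append(f"{m['start']} driver {m['svc']} could not be read at {m['path']}")
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Running it on the sample prints five findings and nothing for the AVG BHO or the AVG driver line.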



#2 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:02:55 PM

Posted 05 January 2009 - 05:55 AM

Hello PavorNocturnus and welcome to BleepingComputer,

1. * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click Delete.
  • Click Delete Files, Delete cookies and Delete history
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the Clear now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
2. Please download ComboFix from one of the locations below, and save it to your Desktop.

Link
Link
Link

Double click the ComboFix icon to run it.
If ComboFix asks you to install the Recovery Console, please do so.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbsup:

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
If I have helped you in any way, please consider a donation to help me continue the fight against malware.

#3 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:02:55 PM

Posted 03 February 2009 - 05:40 PM

Since there is no feedback anymore, I assume this issue is resolved ... so, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



