Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Vundo/Fax Alert

  • This topic is locked This topic is locked
2 replies to this topic

#1 Basic5


  • Members
  • 2 posts
  • Local time:11:51 AM

Posted 13 January 2009 - 12:20 PM

**** I mean Fake Alert ---- not fax alert... sorry****

I have tried scanning this computer (in safe mode and normal) with SuperAntiSpyWare, Symantec, AVG, Kaspersky, and SpyBot - I can not get this virus off my computer. I can see a few spots in the registry where I know the virus is located, but I wanted to make sure I was not missing any before I deleted anything. I have backed up the entire registry.

DDS (Ver_09-01-07.01) - NTFSx86
Run by Administrator at 9:07:17.85 on Tue 01/13/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1535.998 [GMT -8:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [SSBkgdUpdate] c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe -Embedding -boot
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [tunopusomi] Rundll32.exe "c:\windows\system32\tuyihule.dll",s
mRun: [CPM0f5da510] Rundll32.exe "c:\windows\system32\wumupara.dll",a
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\post-i~1.lnk - c:\program files\3m\psnlite\PsnLite.exe
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
AppInit_DLLs: c:\windows\system32\howivuti.dll,c:\windows\system32\wumupara.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli c:\windows\system32\howivuti.dll

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-22 55024]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-1-8 99376]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090107.002\naveng.sys [2009-1-8 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090107.002\navex15.sys [2009-1-8 876112]
R4 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-11-21 192104]
R4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-11-21 169576]
R4 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2007-3-14 116416]
R4 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2007-3-14 1816768]
S3 CSVirtA;Cisco Systems SSL VPN Adapter;c:\windows\system32\drivers\CSVirtA.sys [2007-9-25 22136]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-22 7408]
S3 Smcinst;Symantec Auto-upgrade Agent;c:\program files\symantec antivirus\smclu\setup\smcinst.exe --> c:\program files\symantec antivirus\smclu\setup\smcinst.exe [?]
S4 vsdatant;vsdatant;a --> a [?]

=============== Created Last 30 ================

2009-01-13 08:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avg8
2009-01-12 09:48 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-01-12 08:52 <DIR> --d----- C:\VundoFix Backups
2009-01-12 08:47 <DIR> --d----- c:\documents and settings\administrator\.housecall6.6
2009-01-11 04:46 2,713 ---sh--- c:\windows\system32\huradite.exe
2009-01-09 16:45 1,237,222 ---sh--- c:\windows\system32\utafezil.ini
2009-01-09 14:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2009-01-09 14:17 <DIR> --d----- c:\program files\Trend Micro
2009-01-08 12:11 <DIR> --d----- c:\program files\FolderSize
2009-01-08 11:09 <DIR> --d----- C:\SDFix
2009-01-08 10:25 <DIR> --d----- c:\docume~1\admini~1\applic~1\SUPERAntiSpyware.com
2009-01-08 09:04 1,238,918 ---sh--- c:\windows\system32\olukonir.ini
2009-01-07 07:51 1,307,062 ---sh--- c:\windows\system32\agawiloh.ini
2009-01-06 19:55 1,307,062 ---sh--- c:\windows\system32\akinitil.ini
2009-01-06 16:25 <DIR> --d----- c:\windows\pss
2009-01-06 09:24 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-01-06 09:23 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-01-06 09:22 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-01-05 20:08 1,702,140 ---sh--- c:\windows\system32\ivafowar.ini
2009-01-05 08:05 1,702,130 ---sh--- c:\windows\system32\apirozuf.ini
2009-01-04 20:01 1,702,104 ---sh--- c:\windows\system32\ahikipan.ini
2009-01-04 07:59 1,702,104 ---sh--- c:\windows\system32\obekofum.ini
2009-01-03 19:55 1,702,104 ---sh--- c:\windows\system32\edokejoj.ini
2009-01-03 06:49 2,713 ---sh--- c:\windows\system32\vamohato.exe
2009-01-01 00:44 2,713 ---sh--- c:\windows\system32\yubunuzo.exe
2008-12-31 06:42 2,713 ---sh--- c:\windows\system32\togajatu.exe
2008-12-30 12:46 1,702,104 ---sh--- c:\windows\system32\inigesod.ini
2008-12-27 23:39 1,702,097 ---sh--- c:\windows\system32\oponeroh.ini
2008-12-27 11:39 1,700,908 ---sh--- c:\windows\system32\ekejodij.ini
2008-12-26 23:39 1,692,001 ---sh--- c:\windows\system32\arebiyan.ini
2008-12-26 11:39 162 a------- c:\windows\wininit.ini
2008-12-26 11:39 1,692,001 ---sh--- c:\windows\system32\epepurig.ini
2008-12-25 23:39 1,610,020 ---sh--- c:\windows\system32\usewepal.ini
2008-12-25 11:39 1,610,020 ---sh--- c:\windows\system32\agisijob.ini
2008-12-24 23:39 1,610,020 ---sh--- c:\windows\system32\oturujud.ini
2008-12-24 11:39 1,610,020 ---sh--- c:\windows\system32\ikazarer.ini
2008-12-24 01:47 1,610,020 ---sh--- c:\windows\system32\uyepehov.ini
2008-12-23 10:52 110,952 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2008-12-23 10:52 48,768 a------- c:\windows\system32\S32EVNT1.DLL
2008-12-23 10:52 8,014 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2008-12-23 10:52 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2008-12-22 15:20 1,610,020 ---sh--- c:\windows\system32\uzukoboh.ini
2008-12-21 15:44 0 a------- c:\windows\system32\fuEIH2nA.exe.a_a
2008-12-21 15:30 0 a------- c:\windows\system32\XX0eqrio.exe.a_a
2008-12-16 22:16 <DIR> --d----- c:\program files\Bonjour

==================== Find3M ====================

2009-01-03 18:48 67,878 a--sh--- c:\windows\system32\parajami.dll
2008-12-12 11:18 87,336 a------- c:\windows\system32\dns-sd.exe
2008-12-12 11:11 61,440 a------- c:\windows\system32\dnssd.dll
2008-12-08 18:15 410,984 a------- c:\windows\system32\deploytk.dll
2008-11-04 10:30 88,898,722 a------- C:\regbackup110408.reg
2008-10-23 05:01 283,648 a------- c:\windows\system32\gdi32.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-16 12:38 826,368 a------- c:\windows\system32\wininet.dll
2008-09-23 10:38 38,912 a--sh--- c:\windows\system32\kenamezi.dll
2008-09-30 11:40 41,984 a--sh--- c:\windows\system32\loyiyuhe.dll

============= FINISH: 9:08:01.87 ===============

Attached Files

Edited by Basic5, 13 January 2009 - 12:33 PM.

BC AdBot (Login to Remove)


#2 fenzodahl512


  • Members
  • 6,738 posts
  • Local time:03:51 AM

Posted 14 January 2009 - 04:04 AM

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:

    Posted Image

    Posted Image

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.


    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.


  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive

#3 fenzodahl512


  • Members
  • 6,738 posts
  • Local time:03:51 AM

Posted 21 January 2009 - 03:49 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users