VUNDU creates Hell

Hey,

I have spent a good couple days getting whatever I can get my hand on to clean this trojan and all the rest it gets.

I started with Mcafee , Spybot , Pc doctor , Malwarebytes Anti Malware, Smithfraudfix

The Malware and Pc doctor seemed to do the trick. Rest cleaned up as well.

I couldnt complain much but my PC doctor shows a threat of intrution every second from Trojan Vundu.

The Malwarebytes cleaned up everything except there is 1 infection it states every clean up and its in a Registry Value.

The last 3 scans gave the same outcome - Pls help. This Vundu is still in my pc cause it sometimes freezes.

Malwarebytes' Anti-Malware 1.33
Database version: 1658
Windows 5.1.2600 Service Pack 3

1/16/2009 11:29:10 AM
mbam-log-2009-01-16 (11-29-10).txt

Scan type: Quick Scan
Objects scanned: 63078
Time elapsed: 14 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\diyyfayadgaah (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Since the above log is a MalwareBytes log, I am moving this topic from the HiJack This forum to the Am I Infected forum. ~ OB

The Log now shows 1 more registry that was involved by Trojan Virtumonde ( Vundu )

every scan gets it there... even when it says its deleted and quarantined.

Malwarebytes' Anti-Malware 1.33
Database version: 1659
Windows 5.1.2600 Service Pack 3

1/17/2009 3:37:08 PM
mbam-log-2009-01-17 (15-37-08).txt

Scan type: Quick Scan
Objects scanned: 62744
Time elapsed: 7 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\diyyfayadgaah (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prunnet (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Hello and welcome. Please run these and think we'll have you clean.
Run from your regular user account:

Please download ATF Cleaner by Atribune & save it to your desktop.

• Double-click ATF-Cleaner.exe to run the program.
• Under Main "Select Files to Delete" choose: Select All.
• Click the Empty Selected button.
• If you use Firefox browser click Firefox at the top and choose: Select All
• Click the Empty Selected button.
  If you would like to keep your saved passwords, please click No at the prompt.
• If you use Opera browser click Opera at the top and choose: Select All
• Click the Empty Selected button.
  If you would like to keep your saved passwords, please click No at the prompt.
• Click Exit on the Main menu to close the program.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Now run SAS:
Please download and scan with SUPERAntiSpyware Free

• Double-click SUPERAntiSypware.exe and use the default settings for installation.
• An icon will be created on your desktop. Double-click that icon to launch the program.
• If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
• In the Main Menu, click the Preferences... button.
• Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
• Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
• Click the "Close" button to leave the control center screen and exit the program.
• Do not run a scan just yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:

• Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
• On the left, make sure you check C:\Fixed Drive.
• On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
• After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
• Make sure everything has a checkmark next to it and click "Next".
• A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
• If asked if you want to reboot, click "Yes" and reboot normally.
• To retrieve the removal information after reboot, launch SUPERAntispyware again.
  • Click Preferences, then click the Statistics/Logs tab.
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
  • Please copy and paste the Scan Log results in your next reply.
• Click Close to exit the program.

Now run MBam again like this.
Open MBAM in normal mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan.
After scan click Remove Selected, Post new scan log and Reboot.

Edited by boopme, 18 January 2009 - 05:34 PM.

Hey, thanks for the information, The Superantispyware found more than what I had previously found on my scans. After doing theabove in safe mode and running Malware Anti Malware after reboot I have found the same 2 infections like the previous scan. My Pcdoctor also shows in its scan the Elevated threat of Trojan Virtumonde.


This is the log from SuperAntispyware -

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/20/2009 at 09:31 AM

Application Version : 4.25.1012

Core Rules Database Version : 3717
Trace Rules Database Version: 1691

Scan type : Complete Scan
Total Scan Time : 01:30:14

Memory items scanned : 312
Memory threats detected : 4
Registry items scanned : 7085
Registry threats detected : 30
File items scanned : 24190
File threats detected : 4

Adware.Vundo Variant
C:\WINDOWS\SYSTEM32\PUNZCV.DLL
C:\WINDOWS\SYSTEM32\PUNZCV.DLL
C:\WINDOWS\SYSTEM32\RCZBQP.DLL
C:\WINDOWS\SYSTEM32\RCZBQP.DLL
C:\WINDOWS\SYSTEM32\DJUFTT.DLL
C:\WINDOWS\SYSTEM32\DJUFTT.DLL
C:\WINDOWS\SYSTEM32\BCOJAQ.DLL
C:\WINDOWS\SYSTEM32\BCOJAQ.DLL
HKLM\Software\Classes\CLSID\{20a0af78-0d35-4f86-89fd-9bdeb97ec237}
HKCR\CLSID\{20A0AF78-0D35-4F86-89FD-9BDEB97EC237}
HKCR\CLSID\{20A0AF78-0D35-4F86-89FD-9BDEB97EC237}\InprocServer32
HKCR\CLSID\{20A0AF78-0D35-4F86-89FD-9BDEB97EC237}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{464770b7-acad-42a3-aa13-26a1b583115b}
HKCR\CLSID\{464770B7-ACAD-42A3-AA13-26A1B583115B}
HKCR\CLSID\{464770B7-ACAD-42A3-AA13-26A1B583115B}\InprocServer32
HKCR\CLSID\{464770B7-ACAD-42A3-AA13-26A1B583115B}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{694aa130-0862-4655-82e6-8c66e0a42d96}
HKCR\CLSID\{694AA130-0862-4655-82E6-8C66E0A42D96}
HKCR\CLSID\{694AA130-0862-4655-82E6-8C66E0A42D96}\InprocServer32
HKCR\CLSID\{694AA130-0862-4655-82E6-8C66E0A42D96}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{eeadc601-ec05-4578-b70c-b38f6c106d9a}
HKCR\CLSID\{EEADC601-EC05-4578-B70C-B38F6C106D9A}
HKCR\CLSID\{EEADC601-EC05-4578-B70C-B38F6C106D9A}\InprocServer32
HKCR\CLSID\{EEADC601-EC05-4578-B70C-B38F6C106D9A}\InprocServer32#ThreadingModel
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A63E645F-13BD-45ED-B15F-6E8C1BD57279}
HKU\S-1-5-21-2702860542-362460839-2924089733-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{20A0AF78-0D35-4F86-89FD-9BDEB97EC237}
HKU\S-1-5-21-2702860542-362460839-2924089733-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EEADC601-EC05-4578-B70C-B38F6C106D9A}
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A63E645F-13BD-45ED-B15F-6E8C1BD57279}

Trojan.Unclassified/PotPWS
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{99C6D1BB-7555-474C-91DA-D8FB62A9CC75}
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{99C6D1BB-7555-474C-91DA-D8FB62A9CC75}

Adware.SpeedRunner
HKU\S-1-5-21-2702860542-362460839-2924089733-1005\Software\Microsoft\Windows\CurrentVersion\Run#SfKg6wIP [ C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Windows\nelrud.exe ]

Rogue.Component/Trace
HKLM\Software\Microsoft\286A0556
HKLM\Software\Microsoft\286A0556#286a0556
HKLM\Software\Microsoft\286A0556#Version
HKLM\Software\Microsoft\286A0556#286aa8d6
HKLM\Software\Microsoft\286A0556#286ac133
HKU\S-1-5-21-2702860542-362460839-2924089733-1005\Software\Microsoft\FIAS4018

Adware.Prun
HKU\S-1-5-21-2702860542-362460839-2924089733-1005\Software\Microsoft\Windows\CurrentVersion\Run#prunnet [ "C:\WINDOWS\system32\prunnet.exe" ]


Log from Mawarebytes Antimalware
Malwarebytes' Anti-Malware 1.33
Database version: 1665
Windows 5.1.2600 Service Pack 3

1/20/2009 8:02:55 PM
mbam-log-2009-01-20 (20-02-55).txt

Scan type: Quick Scan
Objects scanned: 59826
Time elapsed: 19 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\diyyfayadgaah (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prunnet (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Hi, it may take several scans with Mbam to still clear it,it's a stubborn malware.

Also run the analyzer for Smitfraudfix,perhaps it will show something.
Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Thanks again, since Jan 15th I probably have run atleast 30 seperate scans of all the spyware and antivirus on the pc... It seems to return after every restart.

What I get on my screen after a clean up on a restart is - "registry recovery was performed successfully so the removed registry was recovered. I wonder if after the scans which clean the registry - is there a way to prevent this registry recovery from working and reverting back to whatever was altered before the scan.

Will send you the log of Smithfraud

SmitFraudFix v2.391

Scan done at 23:05:55.70, Wed 01/21/2009
Run from C:\Documents and Settings\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
...

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» RK


»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel® PRO/Wireless 3945ABG Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 205.171.2.56
DNS Server Search Order: 192.168.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{D32B4C6F-F58F-4E5E-8C47-8E1F941364C8}: DhcpNameServer=205.171.2.56 192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{D32B4C6F-F58F-4E5E-8C47-8E1F941364C8}: DhcpNameServer=205.171.2.56 192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{D32B4C6F-F58F-4E5E-8C47-8E1F941364C8}: DhcpNameServer=205.171.2.56 192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=205.171.2.56 192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=205.171.2.56 192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=205.171.2.56 192.168.0.1


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

My Mcafee Antivirus scan I performed today - ( keep finding more stuff )

1/22/2009 07:05:21 Engine version =5300.2777
1/22/2009 07:05:21 AntiVirus DAT version =5501.0000
1/22/2009 07:05:21 Number of detection signatures in EXTRA.DAT =None
1/22/2009 07:05:21 Names of detection signatures in EXTRA.DAT =None
1/22/2009 07:05:10 Scan Started SUNSHINE\ On-Demand Scan
1/22/2009 07:19:16 Deleted c:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP522\A0070716.ini Vundo!grb(Virus)
1/22/2009 07:19:37 Deleted c:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP526\A0071005.ini Vundo!grb(Virus)
1/22/2009 07:21:03 Deleted C:\SYSTEM VOLUME INFORMATION\_RESTORE{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP529\A0073501.DLL Vundo(Trojan)
1/22/2009 07:21:05 Deleted c:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP529\A0073501.dll Vundo(Trojan)
1/22/2009 07:21:09 Deleted C:\SYSTEM VOLUME INFORMATION\_RESTORE{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP529\A0073502.DLL Vundo(Trojan)
1/22/2009 07:21:09 Deleted c:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP529\A0073502.dll Vundo(Trojan)
1/22/2009 07:21:09 Deleted c:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP529\A0073504.ini Vundo!grb(Virus)
1/22/2009 07:24:03 Deleted c:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP536\A0077681.ini Vundo!grb(Virus)
1/22/2009 07:24:03 Deleted c:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP536\A0077682.ini Vundo!grb(Virus)
1/22/2009 07:24:04 Deleted c:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP536\A0077683.ini Vundo!grb(Virus)
1/22/2009 07:24:05 Deleted c:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP536\A0077684.ini Vundo!grb(Virus)
1/22/2009 07:24:05 Deleted c:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP536\A0077685.ini Vundo!grb(Virus)
1/22/2009 07:24:05 Deleted c:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP536\A0077686.ini Vundo!grb(Virus)
1/22/2009 07:24:05 Deleted c:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP536\A0077687.ini Vundo!grb(Virus)
1/22/2009 07:24:05 Deleted c:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP536\A0077688.ini Vundo!grb(Virus)
1/22/2009 07:24:14 Deleted C:\SYSTEM VOLUME INFORMATION\_RESTORE{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP538\A0078693.DLL Vundo(Trojan)
1/22/2009 07:24:14 Deleted c:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP538\A0078693.dll Vundo(Trojan)
1/22/2009 07:24:48 Deleted C:\SYSTEM VOLUME INFORMATION\_RESTORE{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP543\A0092270.EXE Generic.dx(Trojan)
1/22/2009 07:24:49 Deleted c:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP543\A0092270.exe Generic.dx(Trojan)
1/22/2009 07:24:49 Deleted c:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP543\A0092271.ini Vundo!grb(Virus)
1/22/2009 07:50:53 Deleted (Clean failed because the detection isn't cleanable) c:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\M29VC1DP\ActiveX[1].htm\00000081.js JS/Shellcode.gen(Trojan)
1/22/2009 07:57:27 Scan Summary SUNSHINE\ Scan Summary
1/22/2009 07:57:27 Scan Summary SUNSHINE\ Processes scanned : 147
1/22/2009 07:57:27 Scan Summary SUNSHINE\ Processes detected : 0
1/22/2009 07:57:27 Scan Summary SUNSHINE\ Processes cleaned : 0
1/22/2009 07:57:27 Scan Summary SUNSHINE\ Boot sectors scanned : 1
1/22/2009 07:57:27 Scan Summary SUNSHINE\ Boot sectors detected: 0
1/22/2009 07:57:27 Scan Summary SUNSHINE\ Boot sectors cleaned : 0
1/22/2009 07:57:27 Scan Summary SUNSHINE\ Files scanned : 72122
1/22/2009 07:57:27 Scan Summary SUNSHINE\ Files with detections: 17
1/22/2009 07:57:27 Scan Summary SUNSHINE\ File detections : 21
1/22/2009 07:57:27 Scan Summary SUNSHINE\ Files cleaned : 0
1/22/2009 07:57:27 Scan Summary SUNSHINE\ Files deleted : 17
1/22/2009 07:57:27 Scan Summary SUNSHINE\ Files not scanned : 37
1/22/2009 07:57:27 Scan Summary SUNSHINE\ Run time : 0:52:17
1/22/2009 07:57:27 Scan Complete SUNSHINE\ On-Demand Scan

Hello we have made good progress. Those you found there are all being kept in the SYstem Restore and we will get them all at the end.

Now run Part 2,Cleaning.
You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
• Instead of Windows loading as normal, a menu with options should appear;
• Select the first option, to run Windows in Safe Mode, then press "Enter".
• Choose your usual account.

Once in Safe Mode, double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt


NOW... Open MBAM in normal mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan.
After scan click Remove Selected, Post new scan log and Reboot.

This is the log for smithfraud fix that came up-

SmitFraudFix v2.391

Scan done at 3:23:55.90, Sun 01/25/2009
Run from C:\Documents and Settings\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
...

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» RK


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{D32B4C6F-F58F-4E5E-8C47-8E1F941364C8}: DhcpNameServer=65.24.7.10 65.24.7.11
HKLM\SYSTEM\CS1\Services\Tcpip\..\{D32B4C6F-F58F-4E5E-8C47-8E1F941364C8}: DhcpNameServer=65.24.7.10 65.24.7.11
HKLM\SYSTEM\CS2\Services\Tcpip\..\{D32B4C6F-F58F-4E5E-8C47-8E1F941364C8}: DhcpNameServer=65.24.7.10 65.24.7.11
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=65.24.7.10 65.24.7.11
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=65.24.7.10 65.24.7.11
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=65.24.7.10 65.24.7.11


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

After the Smith Fraud fix - I did the MBAM Scan and it still resulted in thoes 2 files -


Malwarebytes' Anti-Malware 1.33
Database version: 1691
Windows 5.1.2600 Service Pack 3

1/25/2009 7:50:55 AM
mbam-log-2009-01-25 (03-50-55).txt

Scan type: Quick Scan
Objects scanned: 59827
Time elapsed: 7 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\diyyfayadgaah (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prunnet (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Man we sure got a stubborn one,. I think SDfix will help.
Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download SDFix by AndyManchesta and save it to your desktop.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"

• Double click SDFix.exe and it will extract the files to %systemdrive%
• (this is the drive that contains the Windows Directory, typically C:\SDFix).
• DO NOT use it just yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double click RunThis.bat to start the script.

• Type Y to begin the cleanup process.
• It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
• When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
• Copy and paste the contents of the results file Report.txt in your next replyalong with a new HijackThis log.

-- If this error message is displayed when running SDFix: "The command prompt has been disabled by your administrator. Press any key to continue..."
Please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\swreg IMPORT %systemdrive%\SDFix\apps\Enable_Command_Prompt.reg
Press Ok and then run SDFix again.

-- If the Command Prompt window flashes on then off again on XP or Win 2000, please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\FixPath.exe /Q
Reboot and then run SDFix again.

-- If SDFix still does not run, check the %comspec% variable. Right-click My Computer > click Properties > Advanced > Environment Variables and check that the ComSpec variable points to cmd.exe.
%SystemRoot%\system32\cmd.exe

Hey there,

I tried to download this file but as soon I save it and its almost done I get a message from Mcafee that it detects a Trojan " Generic.dx with this file SDFIX.EXE and Mcafee deletes it. Is this file infected with a Trojan ?


1/25/2009 12:53:18 PM Deleted C:\Program Files\Internet Explorer\iexplore.exe C:\DOCUMENTS AND SETTINGS\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\16ZOGGUI\SDFIX[1].EXE Generic.dx (Trojan)

1/25/2009 12:53:23 PM Deleted (Clean failed) C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\Local Settings\Temporary Internet Files\Content.IE5\16ZOGGUI\SDFix[1].exe\CATCHME.EXE Generic.dx (Trojan)

1/25/2009 12:54:00 PM Deleted C:\Program Files\Internet Explorer\iexplore.exe C:\DOCUMENTS AND SETTINGS\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\M241UUWL\SDFIX[1].EXE Generic.dx (Trojan)

1/25/2009 12:54:05 PM Deleted (Clean failed) C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\Local Settings\Temporary Internet Files\Content.IE5\M241UUWL\SDFix[1].exe\CATCHME.EXE Generic.dx (Trojan)

1/25/2009 12:56:24 PM Deleted C:\Program Files\Internet Explorer\iexplore.exe C:\DOCUMENTS AND SETTINGS\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\16ZOGGUI\SDFIX[1].EXE Generic.dx (Trojan)

1/25/2009 12:56:29 PM Deleted (Clean failed) C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\Local Settings\Temporary Internet Files\Content.IE5\16ZOGGUI\SDFix[1].exe\CATCHME.EXE Generic.dx (Trojan)

1/25/2009 12:58:28 PM Deleted C:\Program Files\Internet Explorer\iexplore.exe C:\DOCUMENTS AND SETTINGS\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\89F09I6P\SDFIX[1].EXE Generic.dx (Trojan)

1/25/2009 12:58:33 PM Deleted (Clean failed) C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\Local Settings\Temporary Internet Files\Content.IE5\89F09I6P\SDFix[1].exe\CATCHME.EXE Generic.dx (Trojan)

Hi no definately NOT infected. It's just your AV doing it's job and rejecting a program that is going inside the PC.. I gave you the older speech in the newer one we added disable AV's.

Here's the new one
Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"

• Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
• When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
• If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
• Please copy and paste the contents of Report.txt in your next reply.
• Be sure to renable you anti-virus and and other security programs before connecting to the Internet.

-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.

Edited by boopme, 27 January 2009 - 10:34 AM.