Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Cannot remove Vundo virus in System32 folder

  • Please log in to reply
2 replies to this topic

#1 natalieszymanski


  • Members
  • 4 posts
  • Gender:Female
  • Location:Florida
  • Local time:09:37 AM

Posted 20 January 2009 - 12:28 AM


About a month ago my computer was infected. I had constant pop-ups and the control panel no longer allowed me to control my internet options, thus allowing EVERYTHING to get onto my computer. Since then I have taken quite a few steps to fix the problem.

I restored to an earlier date. Ran my Trend Micro program and cleaned.

I ran a SuperSpyWare scan and cleaned.

I purchased Security Solutions and cleaned.

I downloaded and ran Malwarebytes' anti malware and cleaned.

Next I tried ComboFix and cleaned.

I raised the security levels on Mozilla (the only browser I use) and I began deleting my cookies daily.

I have read countless forums in the last 2 months. Yes, I do have the inetcpl.cpl in my Windows folder but no I cannot open it.

Currently the machine runs quite slowly (especially on the internet) and when I try to open my "internet options" in the Control Panel it flashes/blinks a window but never opens. (From my "investigations" on the other forums pages I am guessing a virus is causing this and keeping security setting low) Also my Trend Micro repeatedly tells me I have Vundo viruses in my System32 folder but none of the software has/can delete it.

I found a program called RegCur which claims that if I pay $30 it will remove the over 1,000 problems in my system32 folder...I feel so lost now; I have no idea if this is a good purchase. Any advice?

I downloaded HiJackThis in hopes that it could make it easier for someone to help. (I hope I have done it properly.) My scan is pasted below. I would really appreciate any help ya'll can offer. I am in the middle of writing a thesis and I desperately need this laptop to get me through the next year.

Thank you in advance for your help!!!

DDS (Ver_09-01-18.01) - NTFSx86
Run by Nads at 0:22:56.43 on Tue 01/20/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.151 [GMT -5:00]

AV: Trend Micro PC-cillin Internet Security *On-access scanning enabled* (Updated)
FW: Trend Micro PC-cillin Internet Security (Firewall) *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Security Solutions Antivirus\bin\ClamTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Documents and Settings\Nads\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Nads\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&fr=yie7c
mStart Page = hxxp://www.comcast.net/
mSearch Bar = hxxp://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe
uRun: [SetDefaultMIDI] MIDIDef.exe
uRun: [Creative Detector] "c:\program files\creative\mediasource\detector\CTDetect.exe" /R
uRun: [OE_OEM] "c:\program files\trend micro\internet security 12\tmas_oe\TMAS_OEMon.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [Google Update] "c:\documents and settings\nads\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [CTSysVol] c:\program files\creative\sbaudigy\surround mixer\CTSysVol.exe /r
mRun: [MBMon] Rundll32 CTMBHA.DLL,MBMon
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [pccguide.exe] "c:\program files\trend micro\internet security 12\pccguide.exe"
mRun: [BJCFD] c:\program files\broadjump\client foundation\CFD.exe
mRun: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [tgcmd] c:\program files\support.com\bin\tgcmd.exe /server /startmonitor /deaf
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [ClamWin] "c:\program files\security solutions antivirus\bin\ClamTray.exe" --logon
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nkbmon~1.lnk - c:\program files\nikon\pictureproject\NkbMonitor.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\nads\applic~1\mozilla\firefox\profiles\kh6sssew.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\nads\application data\mozilla\firefox\profiles\kh6sssew.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\documents and settings\nads\local settings\application data\google\update\\npGoogleOneClick7.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-4 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-4 55024]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-4 7408]
R4 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [2005-8-30 205328]
R4 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\trendm~1\intern~1\Tmntsrv.exe [2005-8-30 290889]
R4 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~1\TmPfw.exe [2005-8-30 585792]
R4 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2005-8-30 36368]
R4 tmproxy;Trend Micro Proxy Service;c:\progra~1\trendm~1\intern~1\tmproxy.exe [2005-8-30 262215]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-12-21 24652]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-10-22 29744]

=============== Created Last 30 ================

2009-01-19 22:38 <DIR> a-dshr-- C:\cmdcons
2009-01-19 22:35 161,792 a------- c:\windows\SWREG.exe
2009-01-19 22:35 98,816 a------- c:\windows\sed.exe
2009-01-19 21:20 <DIR> --d----- c:\docume~1\nads\applic~1\Malwarebytes
2009-01-19 21:20 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-19 21:20 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-19 21:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-19 21:20 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-03 22:33 <DIR> --d----- c:\program files\iPowerHour
2008-12-29 20:17 <DIR> --d----- c:\program files\common files\Logitech
2008-12-29 00:15 66,048 a------- c:\windows\ieResetIcons.exe
2008-12-28 14:51 490,008 a----r-- c:\windows\system32\LVUI2.dll
2008-12-28 14:50 127,034 -----r-- c:\windows\bwUnin-
2008-12-22 09:54 <DIR> --d----- c:\program files\iTunes
2008-12-22 09:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-21 13:45 <DIR> --d----- c:\program files\common files\Software Update Utility
2008-12-21 13:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\acccore
2008-12-21 13:44 <DIR> --d----- c:\program files\AIM6

==================== Find3M ====================

2009-01-18 15:19 0 a------- c:\windows\system32\drivers\lvuvc.hs
2009-01-18 15:19 0 a------- c:\windows\system32\drivers\logiflt.iad
2009-01-15 23:03 127,883 a--sh--- c:\windows\system32\fasihebu.dll
2009-01-15 11:03 127,814 a--sh--- c:\windows\system32\buzawoje.dll
2008-12-13 01:40 3,593,216 a------- c:\windows\system32\SET41.tmp
2008-12-13 01:40 3,593,216 a------- c:\windows\system32\dllcache\SET59.tmp
2008-12-13 01:40 3,593,216 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-12 08:29 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-11 05:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-11 05:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-11-26 17:42 205,328 a------- c:\windows\system32\drivers\tmxpflt.sys
2008-11-26 17:42 36,368 a------- c:\windows\system32\drivers\tmpreflt.sys
2008-11-26 17:39 1,195,384 a------- c:\windows\system32\drivers\VsapiNT.sys
2008-10-24 06:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 07:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2008-08-03 20:12 20 ----h--- c:\docume~1\alluse~1\applic~1\PKP_DLec.DAT
2007-01-08 22:48 88 ---shr-- c:\windows\system32\53EDAD6131.sys
2007-01-08 22:48 3,766 a--sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 0:23:22.04 ===============

Attached Files

BC AdBot (Login to Remove)


#2 natalieszymanski

  • Topic Starter

  • Members
  • 4 posts
  • Gender:Female
  • Location:Florida
  • Local time:09:37 AM

Posted 20 January 2009 - 01:41 PM


I just wanted to add an update. I have read all the intro material for the website (sorry for the first improper post) and re-searched the forums for my topic, and like the pinned posted suggests, I want to be as clear as possible.

I just wanted to add that for the last 3 days I have scanned for spyware and malware everyday, and it continues to find things. So, needless to say, something keeps letting it on my computer. I have also noticed in my Trend Micro scan log that in addition to the Vundo in my system 32 folder (all of which end in .dll.tmp like many other posters have noted ) I also have problems in my C://System Volume Information..........dll. Some of the virus were those quarantined by other programs which I have promptly erased.

Not sure if that will further help someone understand the problem, but there it is. Again, I really appreciate any guidance. This site has proved immensely helpful in the past when I searched as a guest, and I feel like someone in this community has the answer.

Thanks again in advance!

Natalie Szymanski

#3 Thunder


  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium
  • Local time:04:37 PM

Posted 29 January 2009 - 05:24 PM

Hello Natalie and welcome to Bleeping Computer,

Please read this tutorial carefully to download ComboFix from one of the locations specified, and save it to your Desktop.
Double click the ComboFix icon to run it.
If ComboFix askes you to install the Recovery Console, please do so..
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbup2:

If you have any questions along the way, STOP and ask them before proceeding !!

Whatever happens, make believe it was intended to ...
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
Stand Up & Be Counted --> Posted Image <-- And make a difference

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users