
Vundo.H Help


10 replies to this topic

#1 Domo!


Posted 19 April 2009 - 08:39 PM

Hi, I'm new to both advanced virus recovery and forum posts, but I hope I can thoroughly explain my predicament as well as everyone can understand it. I've done things like this before with my computer but none this bad, and I honestly have run out of ideas. After reading your forums and looking for answers I figured I'd join and ask directly. I really hope I can be helped here or at least go in the right direction, and in advance I appreciate any help I can get. Anyway, I noticed in the middle of the week that I had contracted a virus on my computer when McAfee kept asking permission for programs I know I don't have to access the internet. I blocked all of them and figured I would investigate when I had the time. I first checked with my PC Tools Spyware Doctor and AVG 8.0 (both free versions) and then went back to McAfee. I checked PC Tools and the report that was given was this.

4/19/2009 5:46:25 AM:250 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Value
Risk Level - Elevated
Infection - HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}\InprocServer32, (Default)

4/19/2009 5:46:25 AM:250 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Value
Risk Level - Elevated
Infection - HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}\InprocServer32, ThreadingModel

4/19/2009 5:46:25 AM:250 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Key
Risk Level - Elevated
Infection - HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}\InprocServer32

4/19/2009 5:46:25 AM:265 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Key
Risk Level - Elevated
Infection - HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}

4/19/2009 5:46:25 AM:468 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Value
Risk Level - Elevated
Infection - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler, {EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}

4/19/2009 5:46:27 AM:250 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Value
Risk Level - Elevated
Infection - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, SSODL

Usually I use PC Tools to just delete the registry values that have gone wrong and then scan again to see if I was successful. After the second scan I realized that the files were back.

I then tried AVG and this was the report I got:

"Scan ""Scan whole computer"" was finished."
"Infections";"10";"10";"0"
"Folders selected for scanning:";"Scan whole computer"
"Scan started:";"Saturday, April 18, 2009, 8:47:18 PM"
"Scan finished:";"Sunday, April 19, 2009, 12:57:16 AM (4 hour(s) 9 minute(s) 58 second(s))"
"Total object scanned:";"847230"

"Infections"
"File";"Infection";"Result"
"C:\Documents and Settings\Anton\Local Settings\Temp\1051078726.exe";"Virus found Win32/Heur";"Moved to Virus Vault"
"C:\Documents and Settings\Anton\Local Settings\Temp\147041660.exe";"Virus found Win32/Heur";"Moved to Virus Vault"
"C:\Documents and Settings\Anton\Local Settings\Temp\1610835258.exe";"Virus found Win32/Heur";"Moved to Virus Vault"
"C:\Documents and Settings\Anton\Local Settings\Temp\1913324364.exe";"Virus found Win32/Heur";"Moved to Virus Vault"
"C:\Documents and Settings\Anton\Local Settings\Temp\2292612146.exe";"Virus found Win32/Heur";"Moved to Virus Vault"
"C:\Documents and Settings\Anton\Local Settings\Temp\4116863600.exe";"Virus found Win32/Heur";"Moved to Virus Vault"
"C:\WINDOWS\instsp2.exe";"Trojan horse Downloader.Generic8.AGXP";"Moved to Virus Vault"
"C:\WINDOWS\SYSTEM32\ak1.exe";"Virus found Win32/Heur";"Moved to Virus Vault"
"C:\WINDOWS\SYSTEM32\sajijade.dll";"Trojan horse Downloader.Generic8.ABWN";"Moved to Virus Vault"
"C:\WINDOWS\Temp\sjgh4kdg4rg4.exe";"Virus found Win32/Heur";"Moved to Virus Vault"

After AVG ran I figured I'd go to McAfee to clear up any leftovers, and here is what I found. (McAfee won't let me cut and paste, but here is my transcript from the log file.)


Date\Time: Reported By: Detection Name: Status:
4/19/2009 10:54:14 AM Quick Scan Vundo.gen.ab (Trojan) Quarantined

File: c:\windows\system32\relipasi.dll
Registry: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windoes\AppInit_DLLs
Registry:AppInit_DLLs
File: C:\WINDOWS\SYSTEM32\RELIPASI.DLL

The program then says it has quarantined three of the files and that the final file will be taken care of after a reboot, and prompts me to restart now or later. I chose now and was then looking at a blue screen. I turned off the PC manually and restarted it, and when the program tried to commence the second scan an error message occurred stating:

“McAfee VirusScan – On Demand Scan has encountered a problem and needs to close. We are sorry for the inconvenience.” It then asks me to “Please tell Microsoft about this problem”. The error message reads as:

szAppName: mcods.exe szAppVer: 13.3.127.0 szmodName: mvsscan.dll
szModVer: 13.3.130.0 offset: 00019fc0

After losing faith in my software I went to the internet for help and stumbled upon Malwarebytes and VundoFix. After running Malwarebytes the first time I received this message:

Malwarebytes' Anti-Malware 1.36
Database version: 2008
Windows 5.1.2600 Service Pack 2

4/19/2009 6:57:38 AM
mbam-log-2009-04-19 (06-57-38).txt

Scan type: Quick Scan
Objects scanned: 85674
Time elapsed: 19 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 12
Registry Values Infected: 4
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2bda7e08-9be0-4865-892c-436be2e40729} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{2bda7e08-9be0-4865-892c-436be2e40729} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3aa42713-5c1e-48e2-b432-d8bf420dd31d} (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f50b3f5e-856e-4757-9bb1-b35d46ca7719} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d7bf4552-94f1-42bd-f434-3604812c856d} (Trojan.Ertfor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AvScan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hawamobepa (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SSODL (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm83356f16 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\80065c8a (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\Anton\Application Data\gadcom (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Anton\Local Settings\Temp\rasesnet.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
c:\WINDOWS\SYSTEM32\puwareda.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\relereni.dll (Trojan.Agent) -> Delete on reboot.

This was good in that I found out that my other programs were missing a lot of files and viruses. I then decided to run the program again to make sure it was clean, and the same files kept appearing even after Malwarebytes said they were deleted:

Malwarebytes' Anti-Malware 1.36
Database version: 2008
Windows 5.1.2600 Service Pack 2

4/19/2009 1:13:29 PM
mbam-log-2009-04-19 (13-13-29).txt

Scan type: Quick Scan
Objects scanned: 85448
Time elapsed: 10 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2bda7e08-9be0-4865-892c-436be2e40729} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2bda7e08-9be0-4865-892c-436be2e40729} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hawamobepa (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I ran the program again and again but to no avail, as the files kept appearing again and again. I did some more research and found RegAssassin and gave it a try. I copied and pasted each registry string Malwarebytes showed me and I was told they were deleted, only to try Malwarebytes again and see that they did not go anywhere. I even manually went into the registry and did it, with the same result. I then did some more reading and tried to access the program as the admin (even though I am the admin) and I needed a password. I then went into safe mode and into the admin account and created a password, only to try again and receive the message:

Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.

So at this point I'm all out of ideas and was hoping that some people might be able to shed some light on my problem and help with this. I'm really sorry the post is so long, but I wanted to make sure that I came across clearly so I can get the help I need. I thank anyone in advance for any tips that may help me.
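The two Malwarebytes logs in the post above tell a clear story once they are lined up: every item the first scan marked "Delete on reboot" is exactly what the second scan finds again. The script below is an added example, not code from the thread or from Malwarebytes; it parses the MBAM log layout shown in the post (section headers, then one `location (family) -> result.` line per detection) and reports which locations survived the first removal attempt. The two log excerpts embedded in it are constructed from the entries posted above, trimmed to the items that matter for the comparison.

```python
"""Parse Malwarebytes' Anti-Malware (MBAM) logs and compare two scans."""
import re

# Detection-list headers used by the MBAM log format. The summary block at the top of
# a log repeats the same names with a count ("Files Infected: 3"), which is skipped.
SECTIONS = (
    "Memory Processes Infected", "Memory Modules Infected", "Registry Keys Infected",
    "Registry Values Infected", "Registry Data Items Infected", "Folders Infected",
    "Files Infected",
)

# One detection line: "<location> (<family>) -> <result>."  The Registry Data Items
# section inserts "Bad: (1) Good: (0) -> " before the final action.
DETECTION_RE = re.compile(r"^(?P<location>.+?) \((?P<family>[^)]+)\) -> (?P<result>.+?)\.?$")

# Constructed excerpts of the two quick-scan logs posted above.
FIRST_SCAN = r"""
Registry Keys Infected: 3
Registry Values Infected: 2

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2bda7e08-9be0-4865-892c-436be2e40729} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{2bda7e08-9be0-4865-892c-436be2e40729} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hawamobepa (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm83356f16 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\SYSTEM32\puwareda.dll (Trojan.Agent) -> Delete on reboot.
"""

SECOND_SCAN = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2bda7e08-9be0-4865-892c-436be2e40729} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2bda7e08-9be0-4865-892c-436be2e40729} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hawamobepa (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""


def parse_mbam_log(text):
    """Return {section: [(location, family, final_action), ...]} for one MBAM log."""
    findings = {section: [] for section in SECTIONS}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # A list header ends with ':' and carries no count; summary lines carry one.
        if line.endswith(":") and line[:-1] in SECTIONS:
            current = line[:-1]
            continue
        if current is None or line.startswith("(No malicious items"):
            continue
        match = DETECTION_RE.match(line)
        if match:
            # Keep only the final action, dropping any "Bad: (1) Good: (0) ->" prefix.
            action = match.group("result").rsplit(" -> ", 1)[-1]
            findings[current].append((match.group("location"), match.group("family"), action))
    return findings


def delete_on_reboot(findings):
    """Locations MBAM could not remove immediately (typically in-use DLLs and their keys)."""
    return [loc for items in findings.values() for loc, _, action in items
            if action == "Delete on reboot"]


def persisted_items(first, second):
    """Locations reported by both scans, i.e. ones the first cleanup did not remove."""
    seen = {loc.lower() for items in first.values() for loc, _, _ in items}
    return [loc for items in second.values() for loc, _, _ in items if loc.lower() in seen]


if __name__ == "__main__":
    first, second = parse_mbam_log(FIRST_SCAN), parse_mbam_log(SECOND_SCAN)
    print("Deferred to reboot in scan 1:")
    for loc in delete_on_reboot(first):
        print("  ", loc)
    print("Still present in scan 2:")
    for loc in persisted_items(first, second):
        print("  ", loc)
```

Reading the output together with the poster's description makes the mechanism visible: the two deferred registry entries (the BHO registration and its CLSID) and the `Run` value came back, which is what a DLL that is still loaded by Explorer and re-creates its own keys looks like from the scanner's side; removing the file while Windows is not running (safe mode or an offline boot disc, as the replies suggest) is the usual answer.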


#2 DaChew


Posted 19 April 2009 - 08:52 PM

Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

After a reboot into normal mode:

Please download and run Process Explorer

http://technet.microsoft.com/en-us/sysinte...s/bb896653.aspx

Under File and Save As, create a log and post it here.
Chewy

No. Try not. Do... or do not. There is no try.

#3 Domo!


Posted 19 April 2009 - 09:49 PM

Thanks for the help. I was wondering, though: I went through some of the forums and learned about HijackThis and DDS files. Do you need me to post those right now, or is the information I have sufficient? Thanks again for the help, extremely grateful.

#4 boopme


Posted 20 April 2009 - 12:15 AM

No, if needed we will request it, thanks. Proceed with DaChew's instructions.

#5 Domo!


Posted 20 April 2009 - 07:27 AM

I did what DaChew requested but I encountered a new problem. I used the ATF Cleaner and then moved on to SUPERAntiSpyware in safe mode. I scanned in safe mode as the admin to make sure it was checking everything, and then I rebooted and went to the regular start-up page. I looked for the log and it was not found, so I went back to safe mode to get a log as the admin. When I entered the safe mode login it would freeze up when I went to enter the admin password. I tried to do a "switch user account" in my own account but no luck. After I kept trying to restart and using F8 (I accidentally pressed F6 once) I was eventually met with a blue screen saying:

UNMOUNTABLE_BOOT_VOLUME

STOP: 0x000000ED (0xc0000006) (0x00000000) (0x00000000)

I've now tried logging in safe mode, last good configuration, and to start windows normally.

I know I did something to disrupt it because all the instructions you gave me were working and I was ready to post the logs as soon as I got them. I'm real sorry about this. Am I able to be saved anywhere here?

#6 DaChew


Posted 20 April 2009 - 10:51 AM

I don't think you did anything wrong except get infected with a very nasty suite of malware. I have googled these clues for over an hour.

Several searches led me to unfixable problems, a few to virut, which is terminal.

We might identify the infections better with a boot CD, but I am afraid the end result will be the same: you will need to reload your computer, being very careful not to reinfect it with any data saved during the infection.

#7 Domo!


Posted 20 April 2009 - 11:10 AM

Thanks for all of the help (seriously). Between my last post and this one I have looked into the UNMOUNTABLE_BOOT_VOLUME error and went here:

http://support.microsoft.com/kb/555302

I looked for support there and am now waiting for the recovery console to finish. Hopefully I can get Windows running again and get you the log files that you requested earlier. If not, then I'll have to investigate the alternatives you have posted. Thanks again for the help.

#8 Domo!


Posted 20 April 2009 - 11:39 AM

Hey DaChew, I got your logs for you. The XP Recovery worked and windows is running again. Here they go:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/20/2009 at 01:47 AM

Application Version : 4.26.1000

Core Rules Database Version : 3843
Trace Rules Database Version: 1798

Scan type : Complete Scan
Total Scan Time : 01:42:31

Memory items scanned : 385
Memory threats detected : 1
Registry items scanned : 8358
Registry threats detected : 10
File items scanned : 33291
File threats detected : 21

Adware.Vundo/Variant-EC
C:\WINDOWS\SYSTEM32\RELIPASI.DLL
C:\WINDOWS\SYSTEM32\RELIPASI.DLL

Rootkit.Agent/Gen-Rustock
HKLM\system\controlset002\services\ovfsthylvdjtublrpxnppjnmefyypqubkyfktk
C:\WINDOWS\SYSTEM32\DRIVERS\OVFSTHYOYONVKFNITSOAKJYGJRNTYJNKKDDVBU.SYS

Adware.Tracking Cookie
C:\Documents and Settings\Administrator\Cookies\administrator@apmebf[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@www.ecoretrack[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@shopica[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@revsci[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@redirectclicks[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@yeprevenue[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@questionmarket[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@www.shopica[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@mediaplex[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ads.techguy[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@insightexpressai[1].txt
C:\Documents and Settings\Anton\Cookies\anton@revsci[2].txt
C:\Documents and Settings\Anton\Cookies\anton@208.122.40[2].txt
C:\Documents and Settings\Anton\Cookies\anton@ads.techguy[1].txt
C:\Documents and Settings\Anton\Cookies\anton@www.findstuff[1].txt

Rogue.Component/Trace
HKLM\Software\Microsoft\80064E04
HKLM\Software\Microsoft\80064E04#80064e04
HKLM\Software\Microsoft\80064E04#rid
HKLM\Software\Microsoft\80064E04#aid
HKLM\Software\Microsoft\80064E04#Version
HKLM\Software\Microsoft\80064E04#8006e384
HKLM\Software\Microsoft\80064E04#80068a61

Trojan.Downloader-Gen/Temp
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run#Windows Resurections [ C:\WINDOWS\TEMP\hpo2gduc4f.exe ]
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run#Windows Resurections [ C:\WINDOWS\TEMP\hpo2gduc4f.exe ]

Trojan.Unclassified
C:\WINDOWS\SYSTEM32\MPFSERVICEFAILURECOUNT.TXT


And now the Process Log:

Process PID CPU Description Company Name
System Idle Process 0 87.69
Interrupts n/a Hardware Interrupts
DPCs n/a 3.03 Deferred Procedure Calls
System 4
SMSS.EXE 664 Windows NT Session Manager Microsoft Corporation
CSRSS.EXE 744 Client Server Runtime Process Microsoft Corporation
WINLOGON.EXE 768 Windows NT Logon Application Microsoft Corporation
SERVICES.EXE 812 1.54 Services and Controller app Microsoft Corporation
SVCHOST.EXE 1044 Generic Host Process for Win32 Services Microsoft Corporation
mcagent.exe 2432 McAfee Integrated Security Platform McAfee, Inc.
ehmsas.exe 2484 Media Center Media Status Aggregator Service Microsoft Corporation
WkDStore.exe 4236 Microsoft® Works Data Store Microsoft® Corporation
iexplore.exe 4608 Internet Explorer Microsoft Corporation
SVCHOST.EXE 1152 Generic Host Process for Win32 Services Microsoft Corporation
MsMpEng.exe 1188 Service Executable Microsoft Corporation
SVCHOST.EXE 1232 1.54 Generic Host Process for Win32 Services Microsoft Corporation
SVCHOST.EXE 1404 Generic Host Process for Win32 Services Microsoft Corporation
SVCHOST.EXE 1584 Generic Host Process for Win32 Services Microsoft Corporation
spoolsv.exe 1796 Spooler SubSystem App Microsoft Corporation
AOLacsd.exe 1892 AOL Connectivity Service America Online, Inc.
AdskScSrv.exe 1904 System Level Service Utility Autodesk
AluSchedulerSvc.exe 1920 Automatic LiveUpdate Scheduler Service Symantec Corporation
avgwdsvc.exe 2016 1.54 AVG Watchdog Service AVG Technologies CZ, s.r.o.
avgrsx.exe 1832 AVG Resident Shield Service AVG Technologies CZ, s.r.o.
avgnsx.exe 2056 AVG Network scanner Service AVG Technologies CZ, s.r.o.
ehrecvr.exe 2040 Media Center Receiver Service Microsoft Corporation
ehSched.exe 200 Media Center Scheduler Service Microsoft Corporation
SVCHOST.EXE 372 Generic Host Process for Win32 Services Microsoft Corporation
LSSrvc.exe 476 LightScribe Service Hewlett-Packard Company
mcmscsvc.exe 576 McAfee Services McAfee, Inc.
McNASvc.exe 680 7.69 McAfee Network Agent McAfee, Inc.
McProxy.exe 712 McAfee Proxy Service Module McAfee, Inc.
raysat_3dsmax8server.exe 1132
nvsvc32.exe 1432 NVIDIA Driver Helper Service, Version 66.84 NVIDIA Corporation
HPZipm12.exe 1448 PML Driver HP
pctsAuxs.exe 2584 PC Tools Auxiliary Service PC Tools
pctsSvc.exe 2648 PC Tools Security Service PC Tools
pctsTray.exe 2800 PC Tools Tray Application PC Tools
SVCHOST.EXE 2788 Generic Host Process for Win32 Services Microsoft Corporation
SVCHOST.EXE 2852 Generic Host Process for Win32 Services Microsoft Corporation
symlcsvc.exe 2892
Pen_Tablet.exe 2908 Tablet Service for consumer driver Wacom Technology, Corp.
Pen_TabletUser.exe 2968 Tablet user module for consumer driver Wacom Technology, Corp.
Pen_Tablet.exe 3008 Tablet Service for consumer driver Wacom Technology, Corp.
avgemc.exe 2952 AVG E-Mail Scanner AVG Technologies CZ, s.r.o.
avgcsrvx.exe 3220 AVG Scanning Core Module - Server Part AVG Technologies CZ, s.r.o.
mcrdsvc.exe 3236 MCRD Device Service Microsoft Corporation
wmpnetwk.exe 3376 Windows Media Player Network Sharing Service Microsoft Corporation
DLLHOST.EXE 3268 COM Surrogate Microsoft Corporation
mcsysmon.exe 584 McAfee SystemGuards Service McAfee, Inc.
ALG.EXE 2768 Application Layer Gateway Service Microsoft Corporation
MpfSrv.exe 3500 McAfee Personal Firewall Service McAfee, Inc.
Mcshield.exe 460 On-Access Scanner service McAfee, Inc.
LSASS.EXE 824 LSA Shell (Export Version) Microsoft Corporation
explorer.exe 1600 Windows Explorer Microsoft Corporation
ehtray.exe 1340 Media Center Tray Applet Microsoft Corporation
jusched.exe 2412 Java™ Platform SE binary Sun Microsystems, Inc.
DVDLauncher.exe 3604 CyberLink PowerCinema Resident Program CyberLink Corp.
MSASCui.exe 2520 Windows Defender User Interface Microsoft Corporation
WINWORD.EXE 2552 Microsoft Word Microsoft Corporation
avgcsrvx.exe 3496 AVG Scanning Core Module - Server Part AVG Technologies CZ, s.r.o.
avgtray.exe 1620 AVG Tray Monitor AVG Technologies CZ, s.r.o.
DSAgnt.exe 2544 Dell Support Gteko Ltd.
CTFMON.EXE 2480 CTF Loader Microsoft Corporation
procexp.exe 4564 Sysinternals Process Explorer Sysinternals - www.sysinternals.com
Ymsgr_tray.exe 4472 Yahoo! Messenger Tray Yahoo! Inc.
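The SUPERAntiSpyware log above is the more informative of the two, because it names the persistence points the earlier scanners missed: a service key and driver file with a random name (the `Rootkit.Agent/Gen-Rustock` block) and `Run` values under the `.DEFAULT` and `S-1-5-18` (SYSTEM) hives pointing at an executable in `C:\WINDOWS\TEMP`. The script below is an added example, not code from the thread or from SUPERAntiSpyware; it parses the log layout shown (a category line, then one path or registry location per line, with `#` separating key from value name and `[ ... ]` carrying the value's data) and flags the entries that sit in autostart locations, which are the ones a cleanup has to verify are really gone after the reboot. The embedded log is a constructed excerpt of the one posted above; the triage rules are this example's own.

```python
"""Parse a SUPERAntiSpyware scan log into structured findings and triage them."""
import re

# A detection block is a category line followed by one entry per line; blocks are
# separated by blank lines. Entries are file paths or registry locations.
ENTRY_START_RE = re.compile(r"^(?:[A-Za-z]:\\|HK(?:LM|CU|U|CR)\\)")
REG_RE = re.compile(
    r"^(?P<hive>HKLM|HKCU|HKU|HKCR)\\(?P<key>[^#\[]+?)"
    r"(?:#(?P<value>[^\[]+?))?(?:\s*\[ (?P<data>.*?) \])?\s*$"
)

# Constructed excerpt of the SUPERAntiSpyware log posted above.
SAS_LOG = r"""SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/20/2009 at 01:47 AM

Memory items scanned : 385
Memory threats detected : 1

Adware.Vundo/Variant-EC
C:\WINDOWS\SYSTEM32\RELIPASI.DLL
C:\WINDOWS\SYSTEM32\RELIPASI.DLL

Rootkit.Agent/Gen-Rustock
HKLM\system\controlset002\services\ovfsthylvdjtublrpxnppjnmefyypqubkyfktk
C:\WINDOWS\SYSTEM32\DRIVERS\OVFSTHYOYONVKFNITSOAKJYGJRNTYJNKKDDVBU.SYS

Adware.Tracking Cookie
C:\Documents and Settings\Anton\Cookies\anton@revsci[2].txt

Rogue.Component/Trace
HKLM\Software\Microsoft\80064E04
HKLM\Software\Microsoft\80064E04#rid

Trojan.Downloader-Gen/Temp
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run#Windows Resurections [ C:\WINDOWS\TEMP\hpo2gduc4f.exe ]
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run#Windows Resurections [ C:\WINDOWS\TEMP\hpo2gduc4f.exe ]
"""


def parse_sas_log(text):
    """Return {category: [entry, ...]}; each entry has kind, location, value, data."""
    findings = {}
    for block in re.split(r"\n\s*\n", text):
        lines = [ln.strip() for ln in block.strip().splitlines() if ln.strip()]
        # Header blocks (version, counters) never consist of path/registry lines.
        if len(lines) < 2 or not all(ENTRY_START_RE.match(ln) for ln in lines[1:]):
            continue
        entries = findings.setdefault(lines[0], [])
        for line in lines[1:]:
            reg = REG_RE.match(line)
            if reg:
                entries.append({"kind": "registry",
                                "location": reg.group("hive") + "\\" + reg.group("key"),
                                "value": reg.group("value"), "data": reg.group("data")})
            else:
                entries.append({"kind": "file", "location": line, "value": None, "data": None})
    return findings


def triage(findings):
    """Return (location, reason) for findings in autostart locations a cleanup must verify.

    The rules are this example's own heuristics, not SUPERAntiSpyware's classification.
    """
    flagged = []
    for entries in findings.values():
        for entry in entries:
            loc = entry["location"]
            low = loc.lower()
            if entry["kind"] == "registry":
                if "\\currentversion\\run" in low:
                    flagged.append((loc, "Run-key autostart -> %s" % entry["data"]))
                elif "\\services\\" in low:
                    flagged.append((loc, "service/driver registration"))
            elif low.endswith(".sys"):
                flagged.append((loc, "kernel driver file"))
            elif "\\temp\\" in low and low.endswith(".exe"):
                flagged.append((loc, "executable in a temp folder"))
    return flagged


if __name__ == "__main__":
    results = parse_sas_log(SAS_LOG)
    for category, entries in results.items():
        print("%s: %d item(s)" % (category, len(entries)))
    print("\nAutostart locations to re-check after reboot:")
    for loc, reason in triage(results):
        print("  %-20s %s" % (reason, loc))
```

The `HKU\S-1-5-18` entry is worth a second look in any such log: that SID is the SYSTEM account, so a `Run` value there executes with SYSTEM rights at logon regardless of which user signs in, which is consistent with the poster's experience that cleaning from the normal user account never stuck.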

#9 Domo!


Posted 21 April 2009 - 09:22 AM

Hi again. While I waited for a reply I ran both Malwarebytes and SUPERAntiSpyware, and when they found errors and both asked to reboot (I ran them and rebooted at the same time) the Vundo.H and the restrictions on my automatic updates were gone. I then updated to Service Pack 3, updated all of my virus signatures and ran the scan again. I'm gone now, but later I'll see if anything came up. Thanks for all of the help so far.

#10 DaChew


Posted 21 April 2009 - 09:35 AM

Good luck; with three AVs showing and using those registry tools, you'll need all the luck you can get.

McAfee and Norton both have special uninstallers.

#11 Domo!


Posted 21 April 2009 - 11:36 AM

Yes, I fear I may dig my own computer's grave with this, but some progress was nice to have for a bit. That was something I was curious about too. I know there is no way to be totally (100%) protected, but ever since I got into this jam I've wondered what the best way is to make sure I don't dig a deeper hole for myself when dealing with protection and detection. I've heard that it is very unwise to have multiple antivirus programs installed, as well as to have them running alongside each other, but this situation has proven that I'm probably not running the best software that I can. I've bought things like McAfee and have AVG and PC Tools running because they each feature different trusted talents (such as firewall settings, antivirus, and virus removal).

Let's say we are successful in cleaning the computer, what precautions and programs do I need installed to not find myself trapped in this situation again? If you don't mind my asking. (If it is okay I still plan to post my findings with this situation here just to be safe.) Thanks again for all of the help and advice. I would've been stuck with ads and weird sites popping up were it not for your help.



