I've got the Vundo virus (slow computer and pop-ups etc.). I've read quite a few threads on here. I've run ComboFix and below is my log. Can anyone suggest what I do next?
Cheers (in advance)
------------------------------------------------------------------------------------
ComboFix 09-05-19.04 - Gareth Roberts 19/05/2009 22:04.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.515 [GMT 1:00]
Running from: c:\documents and settings\Gareth Roberts\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Gareth Roberts\Local Settings\Temporary Internet Files\fbk.sts
c:\documents and settings\Gareth Roberts\Local Settings\Temporary Internet Files\ipasowahah.scr
c:\documents and settings\LocalService\protect.dll
c:\documents and settings\NetworkService\protect.dll
c:\windows\IE4 Error Log.txt
c:\windows\system32\config\systemprofile\protect.dll
c:\windows\system32\drivers\ovfsthgtdoyknorulhrspssympmetkqlmvonvp.sys
c:\windows\system32\iwihihad.ini
c:\windows\system32\ovfsthfbxbwhpjnbenfvpyxylhlydebwupdlhh.dll
c:\windows\system32\ovfsthirmsunvhmcsojcfoypykmqtumvutoryl.dll
c:\windows\system32\ovfsthkgktqgwcvxnvlabsemrwrbvptbqgsrwk.dat
c:\windows\system32\ovfsthoqjbfboukcqwcxtfvrmpmiiatakdmakq.dat
c:\windows\system32\ovfsthsfscjybckfujytrlbodoijaadkjeeewj.dll
c:\windows\Temp\2829490424.exe
c:\windows\Temp\2901521674.exe
c:\windows\Temp\3483865424.exe
.
((((((((((((((((((((((((( Files Created from 2009-04-19 to 2009-05-19 )))))))))))))))))))))))))))))))
.
2009-05-19 20:05 . 2009-05-19 20:05 32768 ----a-w c:\windows\system32\service-466.exe
2009-05-19 19:33 . 2009-05-19 19:32 410984 ----a-w c:\windows\system32\deploytk.dll
2009-05-19 19:27 . 2009-05-19 19:27 -------- d-----w c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2009-05-19 19:21 . 2009-05-19 19:21 -------- d-----w C:\VundoFix Backups
2009-05-19 19:03 . 2009-05-19 19:03 812344 ----a-w C:\HJTInstall.exe
2009-05-18 21:00 . 2009-05-18 21:00 -------- d--h--w c:\windows\PIF
2009-05-16 07:45 . 2008-12-11 07:38 159600 ----a-w c:\windows\system32\drivers\pctgntdi.sys
2009-05-16 07:45 . 2009-03-06 15:45 130424 ----a-w c:\windows\system32\drivers\PCTCore.sys
2009-05-16 07:45 . 2008-12-18 11:16 73840 ----a-w c:\windows\system32\drivers\PCTAppEvent.sys
2009-05-16 07:44 . 2009-05-16 07:45 -------- d-----w c:\program files\Common Files\PC Tools
2009-05-16 07:44 . 2008-12-10 11:36 64392 ----a-w c:\windows\system32\drivers\pctplsg.sys
2009-05-16 07:44 . 2009-05-16 07:44 -------- d-----w c:\documents and settings\All Users\Application Data\PC Tools
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-19 19:32 . 2005-08-10 01:22 -------- d-----w c:\program files\Java
2009-05-19 19:16 . 2008-08-30 08:14 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-19 19:12 . 2005-12-07 20:34 -------- d-----w c:\program files\Google
2009-05-19 19:11 . 2008-06-28 09:05 -------- d-----w c:\program files\Spyware Doctor
2009-05-17 17:09 . 2005-08-10 01:36 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-05-17 17:09 . 2008-03-23 08:18 -------- d-----w c:\program files\Norton Security Scan
2009-05-01 21:29 . 2005-12-03 08:10 26064 ----a-w c:\documents and settings\Gareth Roberts\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-06 14:32 . 2008-08-30 08:14 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 14:32 . 2008-08-30 08:14 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-06 14:22 . 2004-08-10 11:51 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-10 11:51 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-10 11:51 78336 ----a-w c:\windows\system32\ieencode.dll
2008-06-28 08:54 . 2008-06-28 08:54 18080 ----a-w c:\program files\Common Files\idycimywe.lib
2008-06-28 08:54 . 2008-06-28 08:54 13234 ----a-w c:\program files\Common Files\soma.db
2008-06-28 08:54 . 2008-06-28 08:54 13097 ----a-w c:\program files\Common Files\weqe.dll
2008-06-28 08:54 . 2008-06-28 08:54 11291 ----a-w c:\program files\Common Files\aqonipomyh.db
2008-05-24 15:42 . 2008-05-22 20:26 72 --sh--w c:\windows\S92382626.tmp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-02-15 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-02-15 126976]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-19 148888]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"AOL Spyware Protection"="c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-02-16 147456]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2004-09-15 86016]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-12-08 1173384]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-30 185896]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
AOL 9.0 Tray Icon.lnk - c:\program files\AOL 9.0\aoltray.exe [2005-8-10 156784]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-8-10 24576]
Exif Launcher.lnk - c:\program files\FinePixViewer\QuickDCF.exe [2006-1-21 282624]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 15:08 110592 ----a-w c:\program files\Intel\Wireless\Bin\LgNotify.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\Program Files\\Google\\Update\\GoogleUpdate.exe"=
"c:\\Program Files\\Dell\\Media Experience\\DMXLauncher.exe"=
"c:\\Program Files\\Intel\\Wireless\\Bin\\EvtEng.exe"=
"c:\\Program Files\\Intel\\Wireless\\Bin\\S24EvMon.exe"=
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [16/05/2009 08:45 130424]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [28/06/2008 10:06 348752]
S2 gupdate1c98f99751aa5fe;Google Update Service (gupdate1c98f99751aa5fe);c:\program files\Google\Update\GoogleUpdate.exe [15/02/2009 19:15 133104]
S3 AliveEraseAutoComplete;Alive Internet Eraser Service;c:\program files\AliveComputing\Internet Eraser\InternetEraserService.exe --> c:\program files\AliveComputing\Internet Eraser\InternetEraserService.exe [?]
S3 GoogleDesktopManager-022208-143751;Google Desktop Manager 5.7.802.22438;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [28/06/2008 10:03 29744]
--- Other Services/Drivers In Memory ---
*Deregistered* - mchInjDrv
.
Contents of the 'Scheduled Tasks' folder
2009-05-19 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-15 18:15]
2009-05-17 c:\windows\Tasks\Norton Security Scan for Gareth Roberts.job
- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 03:18]
2009-05-18 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2005-08-10 11:24]
.
- - - - ORPHANS REMOVED - - - -
Toolbar-Reg - (no file)
HKLM-Run-SpeedTouch USB Diagnostics - c:\program files\Thomson\SpeedTouch USB\Dragdiag.exe
HKU-Default-Run-uidenhiufgsduiazghs - c:\windows\TEMP\fvfl2.exe
HKU-Default-Run-Diagnostic Manager - c:\windows\TEMP\3483865424.exe
HKU-Default-Run-autochk - c:\docume~1\NETWOR~1\protect.dll
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/webhp?rls=ig
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{022C4009-5283-4365-97BF-144054B40E2E} - http://itv.mop.com
DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} - hxxp://sell.autotrader.co.uk/uk-ola/common/TraderMediaX.cab
FF - ProfilePath - c:\documents and settings\Gareth Roberts\Application Data\Mozilla\Firefox\Profiles\jf88tmp6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - plugin: c:\program files\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-19 22:10
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(632)
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
Completion time: 2009-05-19 22:14
ComboFix-quarantined-files.txt 2009-05-19 21:13
Pre-Run: 23,030,525,952 bytes free
Post-Run: 27,822,608,384 bytes free
171 --- E O F --- 2009-05-12 21:21
Edited by awaydays, 19 May 2009 - 04:28 PM.