Vundo Infection possibly corrupting registry

#1 gadgetamor
Posted 08 October 2009 - 09:29 PM

Hi. I'm using Windows XP Home Edition on an HP Pavilion. A few days ago my computer randomly started the rebooting process while browsing the internet, but was unable to complete the restart. The system boots until the Windows graphic with the processing bar at the bottom appears and then immediately restarts. After leaving it alone for a while, I tried again with the same results. Pressing F8, I tried to run in safe mode, but the same thing happens. I pressed F8 and stopped the automatic restart and was given the error: IRQL_NOT_LESS_OR_EQUAL.

It is impossible for me to boot my computer under any method (safe mode, last known good configuration, etc.) except in debugging mode. The computer runs as normal in this mode except that it randomly freezes, making me restart again in debugging mode. Browsing the internet to find the solution to my problem, I kept getting pop-ups, so I ran Symantec to see if an infection was causing this. Symantec found several Vundo infections, but says that it is unable to remove them. Trying to do so manually is also unsuccessful.

Since this started I moved personal files such as music and pictures to another hard drive in an attempt to save them if I have to upgrade my Windows. I've also downloaded Windows Defender, Spyware Doctor, and PC Pitstop in an effort to fix this problem.

Since then, when browsing the internet, some sites randomly redirect and I am still having numerous pop-ups. I don't know if the infection is completely to blame for my booting problem, but I'd like to get it removed before tackling the problem with my registry.

The following is my DDS.txt log, and attached are the other text documents of the scans I performed:

DDS (Ver_09-09-29.01) - NTFSx86
Run by HP_Owner at 21:17:37.51 on Thu 10/08/2009
Internet Explorer: 8.0.6001.18241
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.503.38 [GMT -5:00]

AV: Norton AntiVirus *On-access scanning enabled* (Updated) {B5510F6F-87E1-47F7-A411-360BC453007C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\DebugDiag\DbgSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\HP_Owner\My Documents\Downloads\RootRepeal.exe
C:\Documents and Settings\HP_Owner\My Documents\Downloads\dds.pif

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: {02f52b7d-d072-4086-95a1-8a442baf7b5f} - c:\windows\system32\fcccdCsP.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - No File
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [VTTimer] VTTimer.exe
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [IPHSend] c:\program files\common files\aol\iphsend\IPHSend.exe
mRun: [AutoTBar] c:\program files\hp\digital imaging\bin\AUTOTBAR.EXE
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [{1A-A8-89-9A-DW}] c:\windows\system32\pinz1\cegmgr76.exe DWram
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 6.0\apdproxy.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [bahotakuz] Rundll32.exe "c:\windows\system32\gufomafe.dll",a
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [PC Pitstop Optimize Reminder] c:\program files\pcpitstop\optimize3\Reminder-Optimize3.exe
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoca~1.lnk - c:\program files\common files\autodesk shared\acstart16.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LDMConf.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\309731\program\Updates from HP.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6796.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1255048529390
DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} - hxxp://utilities.pcpitstop.com/Exterminate2/pcpitstopAntiVirus.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1255049312187
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/Optimize3/pcpitstop2.dll
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: wskgol.dll yikiduta.dll c:\windows\system32\gufomafe.dll
SSODL: howavadiv - {7117324f-6c60-4b19-9df9-1d3841220209} - c:\windows\system32\gufomafe.dll
STS: jugezatag: {7117324f-6c60-4b19-9df9-1d3841220209} - c:\windows\system32\gufomafe.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
LSA: Notification Packages = scecli panidoti.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_owner\applic~1\mozilla\firefox\profiles\cu7gy9zh.default\
FF - prefs.js: browser.search.defaulturl -
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?sourceid=navclient-ff&ie=UTF-8&rlz=1R0GGGL_en&hl=en
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnI=I%27m+Feeling+Lucky&ie=UTF-8&oe=UTF-8&q=
FF - plugin: c:\program files\google\google updater\2.4.1698.5652\npCIDetect13.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava11.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava12.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava13.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava14.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava32.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-10-8 130936]
R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\adobe\photoshop elements 6.0\PhotoshopElementsFileAgent.exe [2007-9-11 124832]
R2 DbgSvc;Debug Diagnostic Service;c:\program files\debugdiag\DbgSvc.exe [2007-1-16 316256]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-2-19 24652]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S0 inic1622;inic1622;c:\windows\system32\drivers\inic162x.sys --> c:\windows\system32\drivers\inic162x.sys [?]
S1 fltmgrr;fltmgrr;c:\windows\system32\drivers\fltmgrr.sys --> c:\windows\system32\drivers\fltmgrr.sys [?]
S2 McRedirector;McAfee Redirector Service;c:\progra~1\common~1\mcafee\redirsvc\redirsvc.exe [2007-8-25 256096]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-10-8 348752]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-10-8 1095560]
S4 McAfee HackerWatch Service;McAfee HackerWatch Service;c:\program files\common files\mcafee\hackerwatch\HWAPI.exe [2007-8-25 540776]
S4 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\pcpitstop\PCPitstopScheduleService.exe [2009-10-8 77312]

=============== Created Last 30 ================

2009-10-08 20:58 0 a------- c:\documents and settings\hp_owner\settings.dat
2009-10-08 20:52 <DIR> --d-h--- c:\windows\PIF
2009-10-08 20:44 <DIR> --d----- c:\program files\Trend Micro
2009-10-08 20:05 <DIR> --d----- c:\windows\system32\CatRoot_bak
2009-10-08 17:45 <DIR> --d----- c:\program files\common files\Symantec Shared
2009-10-08 17:43 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-10-08 17:42 130,936 a------- c:\windows\system32\drivers\PCTCore.sys
2009-10-08 17:42 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-10-08 17:41 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-10-08 17:41 <DIR> --d----- c:\program files\common files\PC Tools
2009-10-08 17:41 <DIR> --d----- c:\program files\Spyware Doctor
2009-10-08 17:41 <DIR> --d----- c:\docume~1\hp_owner\applic~1\PC Tools
2009-10-08 17:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-10-08 17:41 <DIR> --d----- c:\windows\system32\drivers\NSS
2009-10-08 17:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Norton
2009-10-08 17:40 <DIR> --d----- c:\program files\NortonInstaller
2009-10-08 17:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-10-08 13:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PCPitstop
2009-10-08 13:43 <DIR> --d----- c:\program files\PCPitstop
2009-10-08 13:37 <DIR> --d----- c:\program files\DebugDiag
2009-10-07 22:02 <DIR> --d----- c:\windows\system32\wbem\Repository
2009-10-04 18:26 <DIR> --d----- c:\program files\iPod
2009-10-04 18:26 <DIR> --d----- c:\program files\iTunes
2009-10-04 18:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-10-04 18:17 <DIR> --d----- c:\program files\Windows Installer Clean Up
2009-10-04 16:23 <DIR> --d----- c:\program files\Bonjour
2009-10-04 16:16 2,065,696 a------- c:\windows\system32\usbaaplrc.dll

==================== Find3M ====================

2009-08-28 19:42 40,448 a------- c:\windows\system32\drivers\usbaapl.sys
2008-02-22 23:17 246 ac------ c:\program files\common files\qufax
2007-08-25 15:11 299,753 ac------ c:\documents and settings\hp_owner\perf5.dat
2007-08-25 15:10 3,532 ac------ c:\documents and settings\hp_owner\perfh4.dat
2007-02-08 17:17 490 ac------ c:\documents and settings\hp_owner\win32.dll
2007-02-08 17:17 176 ac------ c:\documents and settings\hp_owner\winnt32.dll
2007-01-21 02:21 87,608 ac------ c:\docume~1\hp_owner\applic~1\ezpinst.exe
2007-01-21 02:21 47,360 ac------ c:\docume~1\hp_owner\applic~1\pcouffin.sys
2009-07-06 20:37 51,712 a--sh--- c:\windows\system32\banesija.dll
2009-07-08 09:31 37,888 a--sh--- c:\windows\system32\dalusulo.dll
2009-07-08 09:31 1,051,171 a--sh--- c:\windows\system32\fubupetu.exe
2009-07-05 08:37 37,888 a--sh--- c:\windows\system32\fuyisajo.dll
2009-07-05 20:37 36,864 a--sh--- c:\windows\system32\genajiwe.dll
2009-07-05 20:37 1,047,587 a--sh--- c:\windows\system32\gibegili.exe
2009-07-07 09:30 88,576 a--sh--- c:\windows\system32\gufomafe.dll
2009-07-06 08:37 36,864 a--sh--- c:\windows\system32\hiwazedo.dll
2009-07-06 08:37 1,047,587 a--sh--- c:\windows\system32\jodenosi.exe
2009-07-05 08:37 26,624 a--sh--- c:\windows\system32\kepikemi.dll
2009-07-06 20:37 38,400 a--sh--- c:\windows\system32\kibemole.dll
2009-07-06 20:37 88,064 a--sh--- c:\windows\system32\litijaro.dll
2009-07-08 09:31 88,576 a--sh--- c:\windows\system32\momifigo.dll
2009-07-06 20:37 51,712 a--sh--- c:\windows\system32\panidoti.dll
2009-07-07 09:30 1,050,147 a--sh--- c:\windows\system32\rukezagu.exe
2009-07-06 08:37 88,576 a--sh--- c:\windows\system32\sajifamu.dll
2009-07-06 08:37 52,224 a--sh--- c:\windows\system32\tifuyelo.dll
2009-07-07 21:31 1,050,659 a--sh--- c:\windows\system32\vetuyija.exe
2009-07-05 20:37 88,576 a--sh--- c:\windows\system32\voridako.dll
2009-07-06 20:37 51,712 a--sh--- c:\windows\system32\wukojohe.dll
2009-07-07 21:31 88,576 a--sh--- c:\windows\system32\yeyozoda.dll
2009-07-07 09:30 37,376 a--sh--- c:\windows\system32\yidopamo.dll
2009-07-07 21:31 37,888 a--sh--- c:\windows\system32\zazuporo.dll
2009-07-05 20:37 51,712 a--sh--- c:\windows\system32\zomibole.dll
2008-09-03 18:50 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090320080904\index.dat

============= FINISH: 21:19:23.92 ===============

Thanks for any help you can provide.
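As an added triage example (not part of the thread and not part of the DDS tool), the script below runs over a constructed excerpt modelled on the log above and flags the entries a helper would look at first: an unnamed BHO, a Run key loading a DLL through Rundll32, AppInit_DLLs entries, an extra LSA notification package, and hidden+system files with eight-letter random names in system32. The "eight lowercase letters" rule is an assumption drawn from the names in this log, not a general rule.

```python
import re

# Constructed excerpt modelled on the DDS log in the post above; not the full log.
SAMPLE_DDS = r"""
BHO: {02f52b7d-d072-4086-95a1-8a442baf7b5f} - c:\windows\system32\fcccdCsP.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
mRun: [bahotakuz] Rundll32.exe "c:\windows\system32\gufomafe.dll",a
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
AppInit_DLLs: wskgol.dll yikiduta.dll c:\windows\system32\gufomafe.dll
LSA: Notification Packages = scecli panidoti.dll
2009-07-07 09:30 88,576 a--sh--- c:\windows\system32\gufomafe.dll
2009-08-28 19:42 40,448 a------- c:\windows\system32\drivers\usbaapl.sys
"""

# Assumption: the droppers in this log use pronounceable 8-letter names.
RANDOM_NAME = re.compile(r"^[a-z]{8}\.(dll|exe)$")
FILE_LINE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} [\d,]+ (\S{8}) (.+)$")
UNNAMED_BHO = re.compile(r"^BHO: \{[0-9a-fA-F-]+\} - (.+)$")
RUNDLL_RUN = re.compile(r'^[umd]Run: \[[^\]]+\] Rundll32\.exe "([^"]+)"', re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1]

def triage(text):
    """Return (rule, artefact) pairs worth a closer look in a DDS log."""
    hits = []
    for line in text.strip().splitlines():
        m = UNNAMED_BHO.match(line)
        if m:                                   # legitimate BHOs usually carry a display name
            hits.append(("unnamed BHO", m.group(1)))
        m = RUNDLL_RUN.match(line)
        if m and RANDOM_NAME.match(basename(m.group(1)).lower()):
            hits.append(("Run key loads random-named DLL", m.group(1)))
        if line.startswith("AppInit_DLLs:"):    # normally empty on a clean XP box
            for dll in line.split(":", 1)[1].split():
                hits.append(("AppInit_DLLs entry", dll))
        if line.startswith("LSA: Notification Packages"):
            for pkg in line.split("=", 1)[1].split():
                if pkg.lower() != "scecli":     # scecli is the only default package
                    hits.append(("extra LSA notification package", pkg))
        m = FILE_LINE.match(line)
        if m:
            attrs, path = m.groups()
            if "s" in attrs and "h" in attrs and RANDOM_NAME.match(basename(path)):
                hits.append(("hidden+system random-named file", path))
    return hits

if __name__ == "__main__":
    for rule, item in triage(SAMPLE_DDS):
        print(f"{rule:36} {item}")
```

Run it against a full DDS.txt by reading the file into `triage()`; the rules are only a starting point for a human reviewer, not a verdict.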

#2 gadgetamor

Posted 15 October 2009 - 10:50 PM

My computer now seems to be cured. The infection I had morphed into the Security Tools virus that's discussed elsewhere on this site, and I followed the directions there to get rid of it. Strangely, I couldn't get the Malwarebytes program to run, so I ran ComboFix as suggested by this thread, and it fixed everything wrong with my computer. All viruses are gone according to the several scans I've done, and it now boots normally without any registry errors. I believe this thread can be closed.

#3 m0le
Posted 23 October 2009 - 07:27 PM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help. :(

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
