Winfixer Ad Popup And Trojan.vundo.b Infection


#1 Bkosher2


  • Members
  • 1 posts
  • Local time:02:31 AM

Posted 27 November 2005 - 01:04 AM

I have had these infections for some time and have tried everything I can think of to remove them with no success. The best I can tell, the pesky file that is causing all the trouble and that I cannot delete is ddaww.dll and is in the Windows System32 folder. If I try to delete the file I get a message that the file is in use. This file triggers my Norton File System Realtime Protection constantly and keeps my computer continually locked up. The only way to get any relief is to disable the Realtime Protection, which only stays off for 20 minute intervals before it automatically turns itself back on. I have located this ddaww.dll in RegEdit but cannot delete it out of there either. I have tried every adware and spyware and virus software I can find including purchasing a couple and nothing worked. Even the small removal tool offered by Norton does not work. The virus kicks in as soon as the system starts up and even before I get to the logon screen. When the logon screen finally comes up, the realtime virus alert is already displaying showing the following:

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Trojan.Vundo.B
File: C:\WINDOWS\system32\ddaww.dll
Location: C:\WINDOWS\system32
Computer: ARK01LT08
Action taken: Clean failed : Quarantine failed : Access denied
Date found: Sun Nov 27 00:01:28 2005

Following is the log from HijackThis. Thanks for the help!

StartupList report, 11/26/2005, 11:44:17 PM
StartupList version: 1.52.2
Started from : C:\Virus\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options

Running processes:

C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\ImageMate CompactFlash USB\SandIcon.Exe
C:\Program Files\RSA Security\Web PassPort\Plug-In\system\sdtray.exe
C:\Program Files\RSA Security\Web PassPort\Plug-In\System\sdlss.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Common Files\AOL\1104166892\ee\AOLHostManager.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1104166892\ee\AOLServiceHost.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Hewlett-Packard\HP Mobile Printing\HPBMOBIL.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
c:\program files\common files\aol\1104166892\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1104166892\ee\AOLServiceHost.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Network ICE\BlackICE\blackice.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Internet Explorer\iexplore.exe


Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
BlackICE Agent.lnk = ?
Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE


Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,


Autorun entries from Registry:

ATIPTA = C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
eabconfg.cpl = C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
vptray = C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
RoxioEngineUtility = "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
RoxioDragToDisc = "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
HostManager = C:\Program Files\Common Files\AOL\1104166892\ee\AOLHostManager.exe
AOLDialer = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
SandIcon = C:\ImageMate CompactFlash USB\SandIcon.Exe
MedGS = C:\WINDOWS\system32\medgs1.exe
SDTray = "C:\Program Files\RSA Security\Web PassPort\Plug-In\system\sdtray.exe"
IMJPMIG8.1 = "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
SynTPLpr = C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
SynTPEnh = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
gcasServ = "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
tgcmd = "C:\Program Files\Support.com\bin\tgcmd.exe" /server


Autorun entries from Registry:

HP Mobile Printing = C:\Program Files\Hewlett-Packard\HP Mobile Printing\HPBMOBIL.EXE
Google Desktop Search = "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
Yahoo! Pager = "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
CustomHK = C:\WINDOWS\System32\sgenie.exe


Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*


Enumerating Browser Helper Objects:

(no name) - C:\WINDOWS\system32\ddaww.dll - {52B1DFC7-AAFC-4362-B103-868B0683C697}
(no name) - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}


Enumerating Download Program Files:

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwa...director/sw.cab

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\System32\LegitCheckControl.DLL
CODEBASE = http://go.microsoft.com/fwlink/?linkid=39204

[IEPlayInterface Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\iaieplay.dll
CODEBASE = http://www.lotrdvd.com/dvdkey/extended_dvd...ds/iaieplay.dll

[Loader Class v2]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\Spider80.ocx

[SAXFile FileUpload ActiveX Control]
InProcServer32 = C:\WINDOWS\System32\Softartisans\SAXFile\saaxfile.dll
CODEBASE = https://files.accenture.com/ipfile/activex/saxfile.cab

[YInstStarter Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\yinsthelper.dll
CODEBASE = http://download.yahoo.com/dl/installs/yinst0401.cab

CODEBASE = http://download.microsoft.com/download/0/A...01F/wmvadvd.cab

InProcServer32 = C:\WINDOWS\Downloaded Program Files\IPFileClient.ocx
CODEBASE = https://files.accenture.com/activex/IPFileClient.CAB

[PjAdoInfo3 Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\pjquery11.ocx
CODEBASE = http://aes.amer.avanade.com/projectserver/...ts/pjclient.cab

[F5 Networks Policy Agent Host Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\f5InspectionHost.dll
CODEBASE = https://connect.avanade.com/vdesk/terminal/...pectionHost.cab

InProcServer32 = C:\WINDOWS\DOWNLO~1\oscan8.ocx
CODEBASE = http://download.bitdefender.com/resources/scan8/oscan8.cab

InProcServer32 = C:\WINDOWS\Downloaded Program Files\WebcastInfo.ocx
CODEBASE = https://webcast.accenture.com/newsite/Webca...WebcastInfo.CAB

CODEBASE = http://www.sidestep.com/get/k00719/sb02a.cab

[Housecall ActiveX 6.5]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\Housecall_ActiveX.dll
CODEBASE = http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://acs.pandasoftware.com/activescan/as5free/asinst.cab

CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/...8065.4925925926

[Pj11enuC Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\Pj11enuC.dll
CODEBASE = http://aes.amer.avanade.com/projectserver/...033/pjcintl.cab

[MsnMessengerSetupDownloadControl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MsnMessengerSetupDownloader.ocx
CODEBASE = http://messenger.msn.com/download/MsnMesse...pDownloader.cab

[IWinAmpActiveX Class]
InProcServer32 = C:\Program Files\Common Files\Nullsoft\ActiveX\2.6\AmpX.dll
CODEBASE = http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab

[ZoneIntro Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ZIntro.ocx
CODEBASE = http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab

CODEBASE = http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash8.ocx
CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

[TikGames Online Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\gpcontrol.dll
CODEBASE = http://zone.msn.com/bingame/gold/default/gf.cab


Enumerating Winsock LSP files:

Protocol #1: C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork1.dll
Protocol #2: C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork1.dll
Protocol #8: C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork1.dll


Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

End of report, 11,267 bytes
Report generated in 0.071 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only



#2 -David-


  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London
  • Local time:09:31 AM

Posted 27 November 2005 - 04:58 AM

Hi and :thumbsup:

You haven't posted a HijackThis log, unfortunately. Please:

Hi, my name is David
  • Launch Hijack This.
  • Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
  • Click Save to save the log file and then the log will open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

