Having Trouble Removing Vundo


This topic is locked
7 replies to this topic

#1 Clouds
  • Members
  • 3 posts

Posted 12 April 2007 - 07:23 PM

Father downloaded drivecleaner and now I'm getting a bunch of pop-ups. I ran vundofix and smithfraudfix but when I run hijackthis it seems more suspicious files come up.
________________________________

Logfile of HijackThis v1.99.1
Scan saved at 5:17:31 AM, on 4/12/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\clouds.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {26FAFD75-1005-41F6-978D-178C00165C0B} - C:\WINDOWS\System32\gebawwt.dll
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\System32\tmp2D.tmp.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {b00e7f12-1ebd-4559-8247-c520c0d75777} - C:\WINDOWS\system32\asy250.dll
O2 - BHO: (no name) - {C992BF10-AF88-418B-AB74-2FC7B598FAAF} - C:\WINDOWS\System32\iifcb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\ssqrqn.dll",realset
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O8 - Extra context menu item: Block frame with Ad Muncher - http://www.admuncher.com/request_will_be_i...d=menu_ie_frame
O8 - Extra context menu item: Block image with Ad Muncher - http://www.admuncher.com/request_will_be_i...d=menu_ie_image
O8 - Extra context menu item: Block link with Ad Muncher - http://www.admuncher.com/request_will_be_i...id=menu_ie_link
O8 - Extra context menu item: Don't filter page with Ad Muncher - http://www.admuncher.com/request_will_be_i...menu_ie_exclude
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Report page to the Ad Muncher developers - http://www.admuncher.com/request_will_be_i...=menu_ie_report
O8 - Extra context menu item: Save with Download Manager... - file://C:\Program Files\J River\Media Center 11\DMDownload.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://windowsupdate.microsoft.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: asy250 - C:\WINDOWS\SYSTEM32\asy250.dll
O20 - Winlogon Notify: gebawwt - C:\WINDOWS\SYSTEM32\gebawwt.dll
O20 - Winlogon Notify: iifcb - C:\WINDOWS\System32\iifcb.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe


#2 miekiemoes
    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 13 April 2007 - 04:44 AM

Hello,

C:\clouds.exe

Is it possible this is HijackThis you renamed?

Anyway, I notice that you do not seem to be running Antivirus software and a Firewall. This is somewhat suicidal in today's digital world.
That's why I want you to install them first!!

Avira, AVG OR Active Virus Shield (uncheck the Security Toolbar during install) are good FREE antivirus.
Never install more than one antivirus scanner or firewall on your system! Several together can cause problems and seriously decrease its reliability!
Comodo OR Kerio are FREE firewalls.

Understanding and using firewalls

Then,

* Please download VundoFix.exe to your C:\.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • In case it says that nothing was found, Right click the list box (white box) in the main VundoFix window.
  • Select Add More Files? from the menu that comes up. This will open a new VundoFix window.
  • In the Window: copy and paste next in the first field: C:\WINDOWS\SYSTEM32\asy250.dll
  • Copy and paste next in the second field: C:\WINDOWS\SYSTEM32\gebawwt.dll
  • Copy and paste next in the third field: C:\WINDOWS\System32\iifcb.dll
  • Click the Add Files button.
  • Click the "Close Window" button.
  • Click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

After reboot,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present (some entries won't be present anymore):

O2 - BHO: (no name) - {26FAFD75-1005-41F6-978D-178C00165C0B} - C:\WINDOWS\System32\gebawwt.dll
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\System32\tmp2D.tmp.dll
O2 - BHO: (no name) - {b00e7f12-1ebd-4559-8247-c520c0d75777} - C:\WINDOWS\system32\asy250.dll
O2 - BHO: (no name) - {C992BF10-AF88-418B-AB74-2FC7B598FAAF} - C:\WINDOWS\System32\iifcb.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\ssqrqn.dll",realset
O20 - AppInit_DLLs:
O20 - Winlogon Notify: asy250 - C:\WINDOWS\SYSTEM32\asy250.dll
O20 - Winlogon Notify: gebawwt - C:\WINDOWS\SYSTEM32\gebawwt.dll
O20 - Winlogon Notify: iifcb - C:\WINDOWS\System32\iifcb.dll


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Please download, install, and update AVG Anti-Spyware
  • Load AVG Anti-Spyware and then click the Update tab at the top. Under Manual Update click Start update.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Then click on the Scanner tab at the top. Click the "Settings" tab and then change the recommended action to Quarantine and click Automatically generate report after every scan. Click back to the "Scan" tab and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.
  • AVG Anti-Spyware will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVG Anti-Spyware will display "All actions have been applied" on the right hand side.
  • Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
  • Close AVG Anti-Spyware and reboot!!
After reboot,

Please download the following file to your desktop:
http://noahdfear.geekstogo.com/FindAWF.exe

Run the file. It will open a text file.

Post the following logs in your next reply:

* Log from FindAWF
* Log from Vundofix (C:\Vundofix.txt)
* Log from AVG Antispyware you saved previously
* New HijackThis log (made in normal mode)
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Clouds
  • Topic Starter
  • Members
  • 3 posts

Posted 14 April 2007 - 11:53 PM

Vundo's still on. A pop-up window in AVG Anti-Spyware is telling me gebawwt.dll in particular.
_______________________
Logfile of HijackThis v1.99.1
Scan saved at 9:40:30 AM, on 4/14/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\clouds.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {20B9E0B1-8760-429F-A030-7210932A4D5B} - C:\WINDOWS\System32\byvtu.dll
O2 - BHO: (no name) - {26FAFD75-1005-41F6-978D-178C00165C0B} - C:\WINDOWS\system32\gebawwt.dll
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\System32\aktgvsui.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O8 - Extra context menu item: Block frame with Ad Muncher - http://www.admuncher.com/request_will_be_i...d=menu_ie_frame
O8 - Extra context menu item: Block image with Ad Muncher - http://www.admuncher.com/request_will_be_i...d=menu_ie_image
O8 - Extra context menu item: Block link with Ad Muncher - http://www.admuncher.com/request_will_be_i...id=menu_ie_link
O8 - Extra context menu item: Don't filter page with Ad Muncher - http://www.admuncher.com/request_will_be_i...menu_ie_exclude
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Report page to the Ad Muncher developers - http://www.admuncher.com/request_will_be_i...=menu_ie_report
O8 - Extra context menu item: Save with Download Manager... - file://C:\Program Files\J River\Media Center 11\DMDownload.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://windowsupdate.microsoft.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O20 - Winlogon Notify: byvtu - C:\WINDOWS\System32\byvtu.dll
O20 - Winlogon Notify: gebawwt - C:\WINDOWS\SYSTEM32\gebawwt.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

___________________


VundoFix V6.3.19

Checking Java version...

Java version is 1.4.2.1
Old versions of java are exploitable and should be removed.

Scan started at 3:51:16 AM 4/9/2007

Listing files found while scanning....

C:\WINDOWS\System32\tmp1.tmp.dll

Beginning removal...

Attempting to delete C:\WINDOWS\System32\tmp1.tmp.dll
C:\WINDOWS\System32\tmp1.tmp.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.19

Checking Java version...

Java version is 1.4.2.1
Old versions of java are exploitable and should be removed.

Scan started at 4:22:57 AM 4/13/2007

Listing files found while scanning....

C:\WINDOWS\System32\opoqr.bak1
C:\WINDOWS\System32\opoqr.ini
C:\WINDOWS\system32\oqfetwci.dll
C:\WINDOWS\System32\rqopo.dll

Beginning removal...

Attempting to delete C:\WINDOWS\System32\opoqr.bak1
C:\WINDOWS\System32\opoqr.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\System32\opoqr.ini
C:\WINDOWS\System32\opoqr.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\oqfetwci.dll
C:\WINDOWS\system32\oqfetwci.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\rqopo.dll
C:\WINDOWS\System32\rqopo.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.19

Checking Java version...

Java version is 1.4.2.1
Old versions of java are exploitable and should be removed.

Scan started at 12:53:32 AM 4/14/2007

Listing files found while scanning....

C:\WINDOWS\System32\bcfii.bak1
C:\WINDOWS\System32\bcfii.bak2
C:\WINDOWS\System32\bcfii.ini
C:\WINDOWS\System32\iifcb.dll
C:\WINDOWS\system32\isswxaiq.dll
C:\WINDOWS\system32\plavvehx.dll
C:\WINDOWS\system32\sfmhqrxl.dll

Beginning removal...

Attempting to delete C:\WINDOWS\SYSTEM32\asy250.dll
C:\WINDOWS\SYSTEM32\asy250.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\bcfii.bak1
C:\WINDOWS\System32\bcfii.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\System32\bcfii.bak2
C:\WINDOWS\System32\bcfii.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\System32\bcfii.ini
C:\WINDOWS\System32\bcfii.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\iifcb.dll
C:\WINDOWS\System32\iifcb.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\isswxaiq.dll
C:\WINDOWS\system32\isswxaiq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\plavvehx.dll
C:\WINDOWS\system32\plavvehx.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\sfmhqrxl.dll
C:\WINDOWS\system32\sfmhqrxl.dll Has been deleted!

Performing Repairs to the registry.
Done!

___________
Note: I did apply the actions, I just saved before I applied them. By the time it was applied the computer started shutting down.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 5:13:22 AM 4/14/2007

+ Scan result:



C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\8FM7E9QN\bho[1] -> Adware.BHO : No action taken.
C:\WINDOWS\system32\update38336693.exe -> Adware.BHO : No action taken.
C:\backups\backup-20070413-044926-594.dll -> Adware.BHO : No action taken.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\YDEB0H2V\mm[2].js -> Adware.Chitika : No action taken.
C:\Documents and Settings\The Lipio Family\Local Settings\Temp\tmp13A.tmp.exe -> Adware.Virtumonde : No action taken.
C:\Documents and Settings\The Lipio Family\Local Settings\Temp\tmp2A.tmp.exe -> Adware.Virtumonde : No action taken.
C:\Documents and Settings\The Lipio Family\Local Settings\Temp\tmp4.tmp.exe -> Adware.Virtumonde : No action taken.
C:\WINDOWS\system32\gebawwt.dll -> Adware.Virtumonde : No action taken.
C:\backups\backup-20070414-022132-300.dll -> Adware.Virtumonde : No action taken.
C:\WINDOWS\system32\bak\lsasss.exe -> Downloader.Agent.awf : No action taken.
C:\Documents and Settings\The Lipio Family\Local Settings\Temp\tmp11C.tmp.exe -> Downloader.Agent.bjk : No action taken.
C:\Documents and Settings\The Lipio Family\Local Settings\Temp\tmp2C.tmp.exe -> Downloader.Agent.bjk : No action taken.
C:\Documents and Settings\The Lipio Family\Local Settings\Temp\tmp3.tmp.exe -> Downloader.Agent.bjk : No action taken.
C:\Documents and Settings\The Lipio Family\Local Settings\Temp\tmpA.tmp.exe -> Downloader.Agent.bjk : No action taken.
C:\VundoFix Backups\asy250.dll.bad -> Downloader.ConHook.an : No action taken.
C:\backups\backup-20070413-031926-181.dll -> Downloader.ConHook.an : No action taken.
C:\backups\backup-20070413-032026-146.dll -> Downloader.ConHook.an : No action taken.
C:\backups\backup-20070413-033001-206.dll -> Downloader.ConHook.an : No action taken.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4LAVC92Z\windm[1] -> Downloader.Small : No action taken.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4LAVC92Z\windm[2] -> Downloader.Small : No action taken.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4LAVC92Z\windm[3] -> Downloader.Small : No action taken.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\8FM7E9QN\windm[1] -> Downloader.Small : No action taken.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\I7GNK3OB\windm[1] -> Downloader.Small : No action taken.
C:\Documents and Settings\The Lipio Family\ie_updater.exe -> Downloader.Small : No action taken.
C:\Program Files\Image-Line\FL Studio 6\talio.dll -> Downloader.Small : No action taken.
C:\WINDOWS\system32\update20960606.exe -> Downloader.Small : No action taken.
C:\WINDOWS\system32\update52659692.exe -> Downloader.Small : No action taken.
C:\WINDOWS\system32\update79172274.exe -> Downloader.Small : No action taken.
C:\WINDOWS\system32\update92784527.exe -> Downloader.Small : No action taken.
C:\WINDOWS\system32\update94492146.exe -> Downloader.Small : No action taken.
C:\WINDOWS\system32\lsasss.exe -> Hijacker.Agent.jh : No action taken.
C:\Documents and Settings\The Lipio Family\Local Settings\Temp\bwurkdvd.dll -> Logger.VBStat.h : No action taken.
C:\Documents and Settings\The Lipio Family\Local Settings\Temp\iyboagiy.dll -> Logger.VBStat.h : No action taken.
C:\Documents and Settings\The Lipio Family\Local Settings\Temp\rkottwck.dll -> Logger.VBStat.h : No action taken.
C:\Documents and Settings\The Lipio Family\Local Settings\Temp\vytvtfuo.dll -> Logger.VBStat.h : No action taken.
C:\WINDOWS\Downloaded Program Files\UDC6_0001_D19M1908NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.m : No action taken.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\8FM7E9QN\packed_installer_cna[1] -> Proxy.Wopla.ag : No action taken.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\8FM7E9QN\packed_installer_cna[2] -> Proxy.Wopla.ag : No action taken.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\8FM7E9QN\packed_installer_cna[3] -> Proxy.Wopla.ag : No action taken.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\8FM7E9QN\packed_installer_cna[4] -> Proxy.Wopla.ag : No action taken.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\I929CBWT\packed_installer_cna[1] -> Proxy.Wopla.ag : No action taken.
C:\WINDOWS\system32\update34216966.exe -> Proxy.Wopla.ag : No action taken.
C:\WINDOWS\system32\update57856840.exe -> Proxy.Wopla.ag : No action taken.
C:\WINDOWS\system32\update82263134.exe -> Proxy.Wopla.ag : No action taken.
C:\WINDOWS\system32\update89089463.exe -> Proxy.Wopla.ag : No action taken.
C:\WINDOWS\system32\update95533796.exe -> Proxy.Wopla.ag : No action taken.
A bunch of tracking cookies; I removed them for convenience.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4LAVC92Z\google[1] -> Trojan.Agent.aiw : No action taken.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4LAVC92Z\google[2] -> Trojan.Agent.aiw : No action taken.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\I7GNK3OB\google[1] -> Trojan.Agent.aiw : No action taken.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\I929CBWT\google[1] -> Trojan.Agent.aiw : No action taken.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\I929CBWT\google[2] -> Trojan.Agent.aiw : No action taken.
C:\WINDOWS\system32\update04988792.exe -> Trojan.Agent.aiw : No action taken.
C:\WINDOWS\system32\update11975862.exe -> Trojan.Agent.aiw : No action taken.
C:\WINDOWS\system32\update51334596.exe -> Trojan.Agent.aiw : No action taken.
C:\WINDOWS\system32\update95349334.exe -> Trojan.Agent.aiw : No action taken.
C:\WINDOWS\system32\update95488542.exe -> Trojan.Agent.aiw : No action taken.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4LAVC92Z\1303[1] -> Trojan.Agent.bou : No action taken.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\I7GNK3OB\1303[1] -> Trojan.Agent.bou : No action taken.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\I929CBWT\1303[1] -> Trojan.Agent.bou : No action taken.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\I929CBWT\1303[2] -> Trojan.Agent.bou : No action taken.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\I929CBWT\1303[3] -> Trojan.Agent.bou : No action taken.
C:\WINDOWS\system32\update04546852.exe -> Trojan.Agent.bou : No action taken.
C:\WINDOWS\system32\update09869277.exe -> Trojan.Agent.bou : No action taken.
C:\WINDOWS\system32\update12794058.exe -> Trojan.Agent.bou : No action taken.
C:\WINDOWS\system32\update36281340.exe -> Trojan.Agent.bou : No action taken.
C:\WINDOWS\system32\update57730620.exe -> Trojan.Agent.bou : No action taken.
C:\VundoFix Backups\tmp1.tmp.dll.bad -> Trojan.BHO.g : No action taken.
C:\Documents and Settings\The Lipio Family\Local Settings\Temp\tmp1.tmp.exe -> Trojan.BHO.o : No action taken.
C:\Documents and Settings\The Lipio Family\Local Settings\Temp\tmp13F.tmp.exe -> Trojan.BHO.o : No action taken.
C:\Documents and Settings\The Lipio Family\Local Settings\Temp\tmp2D.tmp.exe -> Trojan.BHO.o : No action taken.
C:\WINDOWS\system32\tmp1.tmp.dll -> Trojan.BHO.o : No action taken.
C:\WINDOWS\system32\tmp13F.tmp.dll -> Trojan.BHO.o : No action taken.
C:\WINDOWS\system32\tmp2D.tmp.dll -> Trojan.BHO.o : No action taken.
C:\WINDOWS\system32\tmp4C.tmp.dll -> Trojan.BHO.o : No action taken.
C:\WINDOWS\system32\tmp53.tmp.dll -> Trojan.BHO.o : No action taken.
C:\backups\backup-20070414-022133-893.dll -> Trojan.BHO.o : No action taken.
C:\WINDOWS\system32\wintsvsu.exe -> Trojan.Small : No action taken.


::Report end

___________


Find AWF report by noahdfear 2006


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\ADMUNC~1\BAK

02/03/2007 11:04 AM 705,024 AdMunch.exe
1 File(s) 705,024 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\DISKEE~1\DISKEE~2\BAK

11/22/2005 04:38 PM 221,184 DkIcon.exe
1 File(s) 221,184 bytes

Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK

05/11/2005 10:12 PM 49,152 HPWuSchd2.exe
1 File(s) 49,152 bytes

Directory of C:\DOCUME~1\ALLUSE~1\STARTM~1\PROGRAMS\BAK

02/15/2007 06:36 PM 177,152 utorrent.exe
1 File(s) 177,152 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~1\12908~1.500\BAK

10/15/2006 12:52 PM 163,576 GoogleToolbarNotifier.exe
1 File(s) 163,576 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

705024 Feb 3 2007 "C:\Program Files\Ad Muncher\bak\AdMunch.exe"
221184 Nov 22 2005 "C:\Program Files\Diskeeper Corporation\Diskeeper\bak\DkIcon.exe"
49152 May 11 2005 "C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
177152 Mar 12 2007 "C:\Documents and Settings\The Lipio Family\Desktop\zen\utorrent.exe"
177152 Feb 15 2007 "C:\Documents and Settings\All Users\Start Menu\Programs\bak\utorrent.exe"
52272 Apr 11 2007 "C:\Program Files\Google\googletoolbar3user.exe"
138168 Apr 11 2007 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
171448 Apr 11 2007 "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe"
163576 Oct 15 2006 "C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\bak\GoogleToolbarNotifier.exe"


end of report

#4 miekiemoes
    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 15 April 2007 - 02:41 AM

Hi,

You'll have to rerun with AVG Antispyware again, because it didn't delete anything. It says: No actions taken.
You said it shut down then - is this because you were running Vundofix in between as well? Please perform only one scan at a time.

Anyway, we'll have to do this again, but please read my instructions very carefully.. and do everything in the right order!!!!
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, Right click the list box (white box) in the main VundoFix window.
  • Select Add More Files? from the menu that comes up. This will open a new VundoFix window.
  • In the Window: copy and paste next in the first field: C:\WINDOWS\SYSTEM32\gebawwt.dll
  • Copy and paste next in the second field: C:\WINDOWS\System32\byvtu.dll
  • Click the Add Files button.
  • Click the "Close Window" button.
  • Click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

After reboot,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present (some entries won't be present anymore):

O2 - BHO: (no name) - {20B9E0B1-8760-429F-A030-7210932A4D5B} - C:\WINDOWS\System32\byvtu.dll
O2 - BHO: (no name) - {26FAFD75-1005-41F6-978D-178C00165C0B} - C:\WINDOWS\system32\gebawwt.dll
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\System32\aktgvsui.dll
O20 - Winlogon Notify: byvtu - C:\WINDOWS\System32\byvtu.dll
O20 - Winlogon Notify: gebawwt - C:\WINDOWS\SYSTEM32\gebawwt.dll


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

* Rerun the scan Again with AVG Antispyware and make sure it removes what it found. Save the log.

* I see no antivirus and firewall installed on your system, and I also see that your windows isn't up to date. :thumbsup:

You don't even have Service Pack 1 installed! Remember that your system is extremely vulnerable without the necessary security patches/updates, so malware can get installed automatically while surfing without any problems... and that is the reason why you are now infected, because, when your Windows was up to date, the security patches could have prevented this.

Do not update to SP1/SP2 yet, because while malware is present, you could have problems.

Install an antivirus and firewall - because I really don't understand why you surf/use your computer while it is unpatched and you didn't even install an Antivirus and Firewall. No wonder your system is so terribly infected!

Avira, AVG OR Avast OR Active Virus Shield (uncheck the Security Toolbar during install)
Never install more than one antivirus scanner or firewall on your system! Several together can cause problems and seriously decrease its reliability!
Agnitum Outpost Free, ZoneAlarm Free OR Kerio are FREE firewalls.

Understanding and using firewalls

Update your antivirus and let it perform a full scan.
REBOOT afterwards.

Then,

* Open Notepad and copy and paste the text below (from the quote box) into it:

copy /y "C:\Program Files\Ad Muncher\bak\AdMunch.exe" "C:\Program Files\Ad Muncher"
copy /y "C:\Program Files\Diskeeper Corporation\Diskeeper\bak\DkIcon.exe" "C:\Program Files\Diskeeper Corporation\Diskeeper"
copy /y "C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe" "C:\Program Files\HP\HP Software Update"

Save this as replace.bat, choose "All Files" as the file type, and place it on your desktop.
It should look like this: [screenshot not included]
(In case you are unsure how to create a bat file, take a look here with screenshots.)
Double-click replace.bat now to run it. It will close again immediately.

* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click "Delete".
  • Click "Delete Files", "Delete cookies" and "Delete history"
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu..
  • Click the Clear now button below.. A new window will popup what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
* Download http://www.mvps.org/winhelp2002/DelDomains.inf and place it on your desktop.
Right-click the file and select Install; that will reset the zone settings that have been altered.

and also

* Download: ResetProtocolDefaults.reg
http://www.mvps.org/winhelp2002/ResetProtocolDefaults.reg

Locate "ResetProtocolDefaults.reg"
Right-click and select: Merge (Ok the prompt)

* Download Combofix to your desktop.
Double-click combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log, the contents of C:\vundofix.txt and the log from AVG Antispyware.

You may need more than one reply to post the logs.

Edited by miekiemoes, 15 April 2007 - 02:42 AM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
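The replace.bat above simply overwrites the three executables with the clean copies VundoFix left in each bak\ folder. The following is an added example (not miekiemoes' script) that does the same restore but first checks that each backup exists, skips files that already match their backup, and writes a log on the desktop so the result can be posted back in the thread; the paths are the ones from the post above.

```batch
@echo off
rem Added example, not the original replace.bat: restore the clean bak\ copies
rem only where the live file differs, and log every outcome for review.
setlocal enabledelayedexpansion
set "LOG=%USERPROFILE%\Desktop\replace-log.txt"
echo Restore run on %DATE% %TIME% > "%LOG%"

call :restore "C:\Program Files\Ad Muncher\bak\AdMunch.exe" "C:\Program Files\Ad Muncher\AdMunch.exe"
call :restore "C:\Program Files\Diskeeper Corporation\Diskeeper\bak\DkIcon.exe" "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
call :restore "C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe" "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"

echo Done. Results are in "%LOG%".
pause
exit /b 0

:restore
rem %1 = clean backup, %2 = live file that the infection may have replaced
if not exist %1 (
    echo MISSING backup: %1 >> "%LOG%"
    exit /b 1
)
if exist %2 (
    rem fc /b returns 0 only when both files are byte-for-byte identical
    fc /b %1 %2 > nul 2>&1
    if !errorlevel! equ 0 (
        echo UNCHANGED: %2 already matches its backup >> "%LOG%"
        exit /b 0
    )
)
copy /y %1 %2 > nul
if errorlevel 1 (
    echo FAILED to copy %1 to %2 >> "%LOG%"
    exit /b 1
)
echo RESTORED: %2 from %1 >> "%LOG%"
exit /b 0
```

A "MISSING backup" line in the log means VundoFix did not leave a clean copy for that program, so that file needs a fresh copy from the vendor rather than a restore.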

#5 Clouds (Topic Starter, Members, 3 posts)

Posted 15 April 2007 - 02:23 PM

I did apply all the actions. I have a bunch of files quarantined in AVG. It's just that I saved the log before I applied them. Also I did run Vundofix and restarted before using AVG.

Do I still need to run AVG?

Thanks so far :thumbsup:

#6 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Location: Belgium)

Posted 15 April 2007 - 02:35 PM

Ah, if you saved the log before you applied the quarantine, then there's no need to rescan with it - just proceed with my next steps :thumbsup:

#7 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Location: Belgium)

Posted 23 April 2007 - 06:31 AM

Still with us?

#8 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Location: Belgium)

Posted 25 April 2007 - 08:00 AM

Due to the lack of feedback, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.