My computer contracted a variant of Vundo on Saturday, and I was able to stop the pop-ups yesterday afternoon after using a handful of different tools (Malwarebytes' Anti-Malware seemed to finally do the job).

However, using Sysinternals Process Explorer, I discovered that something on my computer was causing an instance of rundll32.exe to run as a child process of one of the valid svchost.exe processes (the one that governs the COM+ and DHCP Client services, among other things). This rundll32.exe instance is attempting to load a file in my SYSTEM32 directory called "qoMcaxYq.dll", a name which screams "VIRUS" to me. Fortunately, this file doesn't seem to exist (Windows Explorer is set to show hidden files and it's just not there), but the process remains open until I kill it. The process also seems to be reactivated every hour (exactly on the hour) while the computer is running, accompanied by the Windows Critical Stop sound. (The sound was my initial clue that something was still wrong; it was happening when no windows were open. I'd never had this happen before.) The command line listed for the process is as follows:

C:\WINDOWS\system32\rundll32.exe "C:\WINDOWS\system32\qoMcaxYq.dll",AddRefActCtx

I've also experienced a major decrease in speed when browsing the web since the Vundo incident. Most pages are loading quite slowly for a cable broadband connection. I've tried reinstalling Firefox, but it doesn't seem to have helped.

Thanks in advance to anyone who can help me out! Logs below.
VundoFix completed its scan and reported that nothing was found. (I don't think it created a log.)
VirtumundoBeGone reported the same, as in the log below:
[01/13/2009, 15:37:18] - VirtumundoBeGone v1.5 ( "F:\JiNxXs Den\Apps-Games Zips\VirtumundoBeGone.exe" )
[01/13/2009, 15:37:22] - Detected System Information:
[01/13/2009, 15:37:22] - Windows Version: 5.1.2600, Service Pack 2
[01/13/2009, 15:37:22] - Current Username: Mike (Admin)
[01/13/2009, 15:37:22] - Windows is in NORMAL mode.
[01/13/2009, 15:37:22] - Searching for Browser Helper Objects:
[01/13/2009, 15:37:22] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[01/13/2009, 15:37:22] - BHO 2: {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} ()
[01/13/2009, 15:37:22] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/13/2009, 15:37:22] - No filename found. Continuing.
[01/13/2009, 15:37:22] - BHO 3: {4437d3c5-3f8c-4808-bc51-3ee5664de070} ()
[01/13/2009, 15:37:22] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/13/2009, 15:37:22] - No filename found. Continuing.
[01/13/2009, 15:37:22] - BHO 4: {4544E79F-8E43-4128-A470-A07F180D749F} ()
[01/13/2009, 15:37:22] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/13/2009, 15:37:22] - No filename found. Continuing.
[01/13/2009, 15:37:22] - BHO 5: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[01/13/2009, 15:37:22] - BHO 6: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[01/13/2009, 15:37:22] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/13/2009, 15:37:22] - No filename found. Continuing.
[01/13/2009, 15:37:22] - BHO 7: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[01/13/2009, 15:37:22] - BHO 8: {BDF3E430-B101-42AD-A544-FADC6B084872} ()
[01/13/2009, 15:37:22] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/13/2009, 15:37:22] - No filename found. Continuing.
[01/13/2009, 15:37:22] - Finished Searching Browser Helper Objects
[01/13/2009, 15:37:22] - Finishing up...
[01/13/2009, 15:37:22] - Nothing found! Exiting...
Finally, HijackThis came back with the following log. The rogue rundll32 instance is in the list of processes.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:11:24 PM, on 1/13/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Grxp4exe.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe
F:\JiNxXs Den\Apps-Games Zips\Process Explorer\procexp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O1 - Hosts: 68.44.244.240 idenupdate.motorola.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - (no file)
O2 - BHO: (no name) - {4437d3c5-3f8c-4808-bc51-3ee5664de070} - (no file)
O2 - BHO: (no name) - {4544E79F-8E43-4128-A470-A07F180D749F} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Gravis Xperience Driver Support] Grxp4exe.exe /init
O4 - HKLM\..\Run: [Name of App] C:\Program Files\SAMSUNG\FW LiveUpdate\Liveupdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1150339680\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero 8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AtomTime98 v2.1.lnk = C:\Program Files\AtomTime\ATOMTIME.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Run VNC Server.lnk = C:\Program Files\RealVNC\VNC4\winvnc4.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/FR-CA/a-UNO1/GAME_UNO1.cab
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - http://www.worldwinner.com/games/v46/bejeweled/bejeweled.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/chnz/default/mjolauncher.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {DB7BF79A-FC51-4B5A-92BC-A65731174380} (InstantAction Game Launcher) - http://www.instantaction.com/download/iaplayer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{04D1D0BB-9425-4DC7-97F9-B0DAE453DF4C}: NameServer = 68.87.64.146,68.87.75.194
O17 - HKLM\System\CS1\Services\Tcpip\..\{04D1D0BB-9425-4DC7-97F9-B0DAE453DF4C}: NameServer = 68.87.64.146,68.87.75.194
O17 - HKLM\System\CS2\Services\Tcpip\..\{04D1D0BB-9425-4DC7-97F9-B0DAE453DF4C}: NameServer = 68.87.64.146,68.87.75.194
O20 - AppInit_DLLs: zdovpl.dll
O23 - Service: Client - Unknown owner - C:\WINDOWS\Registration\CRMLog\service.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Windows Mapper Configuration - Unknown owner - C:\WINDOWS\system32\drivers\services.exe (file missing)
O23 - Service: Windows Printer Activity - Unknown owner - C:\WINDOWS\system32\drivers\services.exe (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 8171 bytes
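The HijackThis log above is the kind of artefact a responder triages by entry type rather than by reading top to bottom. As an added example that is not part of the original post, here is a small Python script that parses HijackThis-style lines, returns a worklist of the entries worth a manual look (orphaned BHO CLSIDs, AppInit_DLLs, services with an unknown owner and a missing binary, Run entries in the SYSTEM hive, rundll32 autostarts, static DNS and hosts overrides), and splits the rundll32 command line quoted in the post into its DLL path and export name so the file can be checked for existence and signature. The sample log embedded in the script is a constructed subset of the entries posted above; the triage rules are my own heuristics and produce a list to inspect, not verdicts.

```python
"""Triage helper for HijackThis-style log lines.

Added example, not part of the original post. The rules below are my own
heuristics for which entry types deserve a manual look during a Vundo-style
cleanup; they produce a worklist, not verdicts.
"""
import re

# Constructed input: a subset of the entries from the HijackThis log above.
SAMPLE_LOG = r"""
O1 - Hosts: 68.44.244.240 idenupdate.motorola.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O17 - HKLM\System\CCS\Services\Tcpip\..\{04D1D0BB-9425-4DC7-97F9-B0DAE453DF4C}: NameServer = 68.87.64.146,68.87.75.194
O20 - AppInit_DLLs: zdovpl.dll
O23 - Service: Client - Unknown owner - C:\WINDOWS\Registration\CRMLog\service.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Windows Mapper Configuration - Unknown owner - C:\WINDOWS\system32\drivers\services.exe (file missing)
"""

# The rundll32 command line Process Explorer showed, quoted from the post.
RUNDLL_CMDLINE = r'C:\WINDOWS\system32\rundll32.exe "C:\WINDOWS\system32\qoMcaxYq.dll",AddRefActCtx'

ENTRY_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
# rundll32 [path\]<dll>,<export>; the DLL argument may or may not be quoted.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+?)"?\s*,\s*(\S+)', re.IGNORECASE)


def parse_rundll32(cmdline):
    """Return (dll_path, export) from a rundll32 command line, or None."""
    m = RUNDLL_RE.search(cmdline)
    return (m.group(1), m.group(2)) if m else None


def triage(log_text):
    """Return [(section, reason, line)] for entries that deserve a manual look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        sec, body = m.groups()
        reason = None
        if sec == "O1":
            reason = "hosts-file override: confirm the mapping is intended"
        elif sec == "O2" and body.endswith("(no file)"):
            reason = "orphaned BHO CLSID (DLL already gone); remove the registry entry"
        elif sec == "O4":
            hit = parse_rundll32(body)
            if "(User 'SYSTEM')" in body or "(User 'Default user')" in body:
                reason = "Run entry in the SYSTEM/.DEFAULT hive: unusual for user software"
            elif hit:
                reason = "rundll32 autostart loads %s via %s; verify file and signer" % hit
        elif sec == "O17":
            reason = "static DNS servers configured: confirm they belong to the ISP"
        elif sec == "O20" and body.partition(":")[2].strip():
            reason = "AppInit_DLLs loads into every user32-linked process: top priority"
        elif sec == "O23":
            if "Unknown owner" in body and "(file missing)" in body:
                reason = "unsigned service pointing at a missing binary: likely remnant"
            elif re.search(r"\\drivers\\[^\\]+\.exe", body, re.IGNORECASE):
                reason = "service executable under system32\\drivers is atypical"
        if reason:
            findings.append((sec, reason, line))
    return findings


if __name__ == "__main__":
    print("rundll32 target:", parse_rundll32(RUNDLL_CMDLINE))
    for sec, reason, line in triage(SAMPLE_LOG):
        print("[%s] %s\n    %s" % (sec, reason, line))
```

On the affected machine, pair parse_rundll32 with os.path.exists and Process Explorer's Verify column to confirm whether the named DLL is really absent or merely hidden from Explorer. An on-the-hour launch of rundll32 from the service host is the kind of trigger a scheduled task would produce, so the Scheduled Tasks folder is worth checking as well; nothing in the logs above shows the trigger, so that remains a check, not a finding.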