Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Trojan Vundo even in safe mode


  • Please log in to reply

#1
wdmfs

wdmfs

    New Member

  • Member
  • Pip
  • 5 posts
Hi everybody and thanks for help in advance,

I have a computer here with a Trojan detected by a virus scanner as "TR/Vundo.Gen". The infected file (c:\windows\system32\xxyaw.dll) is re-creating after deleting. I disabled system restore and scanned already, but no success yet.

I did not connect the computer to the Network, because i have different (clean) computers here and i transfer removal tools via a read-only USB stick.

please give me a helping hand for removal..
  • 0

Advertisements


#2
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Hi wdmfs and Welcome to GeekstoGo!


Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
  • 0

#3
wdmfs

wdmfs

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Hi Cretemonster :whistling:

Here's what happened: I did run the VundoFix and it detected some things, here's the log:


VundoFix V6.1.5

Checking Java version...

Sun Java not detected
Scan started at 09:02:28 22.9.2006

Listing files found while scanning....

C:\WINDOWS\SYSTEM32\mljiigh.dll
C:\Programme\Gemeinsame Dateien\{90998D6D-03EA-1031-1114-001012000031}\services.dll

Beginning removal...

Attempting to delete C:\WINDOWS\SYSTEM32\mljiigh.dll
C:\WINDOWS\SYSTEM32\mljiigh.dll Has been deleted!

Attempting to delete C:\Programme\Gemeinsame Dateien\{90998D6D-03EA-1031-1114-001012000031}\services.dll
C:\Programme\Gemeinsame Dateien\{90998D6D-03EA-1031-1114-001012000031}\services.dll Has been deleted!

Performing Repairs to the registry.
Done!

After this, i booted normally, but the scanner still found this TR/Vundo.Gen Trojan, even in save mode. (I heared it may use rootkit methods / changes some parts of the operating system?.. anyway..)

I did VundoFix again, but it found nothing. Then I downloaded HiJackThis and created a log. Here it is:


Logfile of HijackThis v1.99.1
Scan saved at 11:04:51, on 22.9.2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://easy-search.biz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ShStatEXE] "C:\Programme\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Programme\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Programme\Gemeinsame Dateien\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Programme\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Mobilen Favoriten erstellen - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INETREPL.DLL
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.t...ivex/hcImpl.cab
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2 (file missing)
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: McAfee Framework-Dienst (McAfeeFramework) - Network Associates, Inc. - C:\Programme\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Programme\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Programme\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Programme\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Programme\Trend Micro\OfficeScan Client\tmlisten.exe

It is a friends computer, so i did not check for Windows updates yet. A question about PayPal Donation: I am really willing to donate somethign if we are successful together, Question is just where - hijackThis, GeeksToGo .. ?
  • 0

#4
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Certain variants of vundo do actually use Rootkits to hide thier precense,they also have built code into the infection to detect when HijacKThis and several other applications are running.


First things first,go to safe mode and Open HijackThis-> Click "Do a System Scan Only" and put a check by these but DO NOT hit the Fix Checked button yet

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://easy-search.biz/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2 (file missing)

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button


Next,be sure Windows is Showing Hidden Files
http://www.bleepingc...al62.html#winxp


Search for and Delete if found

C:\WINDOWS\System32\vbsys2.dll<-- File

Go ahead and Restart back into Normal Mode.


Lets do this,go to the HJT folder and locate HijackThis.exe

Right Click HijackThis.exe and select Rename.

Rename it to foo.exe for lack of a better name.

Once renamed,double click foo.exe launch HijackThis.

Do a System Scan and Save a logfile.


Please download Combofix to your desktop.
http://download.blee...Bs/combofix.exe

Doubleclick combo.exe to launch the application.

Follow the prompts that will be displayed on the screen.

Don't click on the window while the fix is running, because that will cause your system to hang.

When finished, it should produce a log, combofix.txt.

Post this log in your next reply together with a new hijackthis log.
  • 0

#5
wdmfs

wdmfs

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Hello again.. here's the hiJachThis logfile after your described action:

Logfile of HijackThis v1.99.1
Scan saved at 10:21:43, on 25.9.2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Programme\Network Associates\Common Framework\FrameworkService.exe
C:\Programme\Network Associates\VirusScan\Mcshield.exe
C:\Programme\Network Associates\VirusScan\VsTskMgr.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\Programme\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Network Associates\VirusScan\SHSTAT.EXE
C:\Programme\Network Associates\Common Framework\UpdaterUI.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Gemeinsame Dateien\Network Associates\TalkBack\TBMon.exe
C:\Programme\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\hjt\foo.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1D84996E-3DAF-4499-BA44-B6C46E03C7DB} - C:\WINDOWS\System32\xxyaw.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5A3E97DD-2A08-48BC-8F43-C0DEABC90266} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ShStatEXE] "C:\Programme\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Programme\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Programme\Gemeinsame Dateien\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Programme\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RealPlayer] "C:\Programme\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AntiSpyWare RealTimeGuard] C:\Programme\SimonTools\AntiSpyWare\AntiSpyPW.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Mobilen Favoriten erstellen - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INETREPL.DLL
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.t...ivex/hcImpl.cab
O20 - Winlogon Notify: ComPlusSetup - C:\WINDOWS\System32\catsrvut.dll
O20 - Winlogon Notify: mljiigh - C:\WINDOWS\
O20 - Winlogon Notify: winqje32 - winqje32.dll (file missing)
O20 - Winlogon Notify: xxyaw - C:\WINDOWS\System32\xxyaw.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - (no file)
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: McAfee Framework-Dienst (McAfeeFramework) - Network Associates, Inc. - C:\Programme\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Programme\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Programme\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Programme\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Programme\Trend Micro\OfficeScan Client\tmlisten.exe

and here's the ComboFix log after your described action. Virus is still present, unfortunately.

David - 06-09-25 10:52:26,72 Service Pack 1
ComboFix 06.09.25 - Running from: "C:\hjt"

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))


Granting sedebugprivilege to Administratoren ... successful


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Programme\Gemeinsame Dateien\{90998D6D-03EA-1031-1114-001012000031}


((((((((((((((((((((((((((((((( Files Created from 2006-08-25 to 2006-09-25 ))))))))))))))))))))))))))))))))))


2006-09-21 08:57 57,384 --a------ C:\WINDOWS\SYSTEM32\avsda.dll
2006-09-20 18:40 744,377 ---hs---- C:\WINDOWS\SYSTEM32\wayxx.bak1
2006-09-20 18:40 577,588 --------- C:\WINDOWS\SYSTEM32\xxyaw.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-25 11:04 -------- d-------- C:\Programme\Gemeinsame Dateien
2006-09-21 15:04 -------- d-------- C:\Programme\Trend Micro
2006-09-21 08:57 -------- d-------- C:\Programme\AntiVir PersonalEdition Classic
2006-09-19 12:29 -------- d-------- C:\Programme\PDAmill
2006-09-19 12:26 -------- d-------- C:\Programme\Gemeinsame Dateien\ACD Systems
2006-09-10 10:28 -------- d-------- C:\Dokumente und Einstellungen\David.MEINZ\Anwendungsdaten\ACD Systems
2006-09-08 21:05 10368 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\pfc.sys
2006-09-07 20:06 -------- d-------- C:\Programme\%EXTRACT_DIR%
2006-09-04 18:49 -------- d-------- C:\Programme\Lavasoft
2006-09-04 18:49 -------- d-------- C:\Dokumente und Einstellungen\David.MEINZ\Anwendungsdaten\Lavasoft
2006-09-03 15:38 -------- d--h----- C:\Programme\InstallShield Installation Information
2006-08-29 20:56 12464 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\secdrv.sys
2006-08-28 19:11 -------- d-------- C:\Programme\Coolspot
2006-08-26 15:51 -------- d-------- C:\Programme\Crazy_Cong_2
2006-08-26 15:50 162432 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ithsgt.sys
2006-08-26 15:50 12032 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\lilsgt.sys
2006-08-21 21:42 -------- d-------- C:\Programme\EA GAMES
2006-08-21 21:12 -------- d-------- C:\Dokumente und Einstellungen\David.MEINZ\Anwendungsdaten\Help


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="\"C:\\Programme\\Microsoft ActiveSync\\WCESCOMM.EXE\""
"MSMSGS"="\"C:\\Programme\\Messenger\\msmsgs.exe\" /background"
"RealPlayer"="\"C:\\Programme\\Real\\RealPlayer\\realplay.exe\" /RunUPGToolCommandReBoot"
"SpybotSD TeaTimer"="C:\\Programme\\Spybot - Search & Destroy\\TeaTimer.exe"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NVMCTRAY.DLL,NvTaskbarInit"
"CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"
"AntiSpyWare RealTimeGuard"="C:\\Programme\\SimonTools\\AntiSpyWare\\AntiSpyPW.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"ShStatEXE"="\"C:\\Programme\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
"McAfeeUpdaterUI"="\"C:\\Programme\\Network Associates\\Common Framework\\UpdaterUI.exe\" /StartedFromRunKey"
"TkBellExe"="\"C:\\Programme\\Gemeinsame Dateien\\Real\\Update_OB\\realsched.exe\" -osboot"
"Network Associates Error Reporting Service"="\"C:\\Programme\\Gemeinsame Dateien\\Network Associates\\TalkBack\\TBMon.exe\""
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"OfficeScanNT Monitor"="\"C:\\Programme\\Trend Micro\\OfficeScan Client\\pccntmon.exe\" -HideWindow"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Die derzeitige Homepage"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f0,01,00,00,b5,00,00,00,80,00,00,00,76,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NVMCTRAY.DLL,NvTaskbarInit"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NVMCTRAY.DLL,NvTaskbarInit"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=hex:91,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=hex:91,00,00,00

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"SystemCheck2"="{54645654-2225-4455-44A1-9F4543D34545}"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljiigh
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winqje32
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyaw

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Completion time: Mon 25.09.2006 11:17:27.81
ComboFix.txt
  • 0

#6
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
I need you to disable all real time protection,especially Tea Timer.

Here is a link that will assist you
http://wiki.castleco...toring_Programs


Restart in safe mode and be sure Windows is Showing Hidden Files and Folders.
http://www.bleepingc...al62.html#winxp

Locate and Delete the folder listed below please

C:\Programme\Gemeinsame Dateien\{90998D6D-03EA-1031-1114-001012000031}


Run VundoFix from safe mode,if it doesnt flag any files when its done scanning,follow the directions below to add files for deletion.

When it reboots the machine,let it reboot back into normal mode please and be sure the same 3 files are added for deletion.

  • Double-click VundoFix.exe to run it again.
  • Click the Scan for Vundo button.
  • Once it's done scanning,Right Click inside the listbox (white box) and click add more files
  • Copy&Paste the 3 entries below into the top 3 boxes
    • C:\WINDOWS\SYSTEM32\xxyaw.dll
    • C:\WINDOWS\SYSTEM32\wayxx.bak1
    • C:\WINDOWS\system32\wayxx.*
  • Click Add Files and Click Close Window
  • Click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.

In this case, VundoFix will run on reboot,allow the computer to reboot and VundoFix to load.

DO NOT click "Scan for Vundo" again.

Just add the very same files as before and Click Remove Vundo.
  • 0

#7
wdmfs

wdmfs

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Hi Cretemonster,

Booting some times to normal mode took extremely long, so don't be upset that i removed the files in a different way: I booted with a CD and used the Console / delete statement. Than i rebooted in save mode and found no virus anymore, also ComboFix and VundoFix didn't tell anything anymore.

Thanks for the help and enjoy the little paypal donation i just did.
  • 0

#8
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Nice job there!! :whistling:

I dont know many folks that can whip out thier CD and use the recovery console in such a way.

If you dont mind,Id like to double check some things,I believe we have a little cleaning with HijackThis to do.

Scan fresh with HijackThis and post that log.


This one online scan should suffice for us as well.

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

  • 0

#9
wdmfs

wdmfs

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Ok I try to do so later, but as i told - it's a friends computer and he has it back already. When I visit him i try to give you the requested information.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP