I downloaded VundoFix and did a scan and it found 9 files, but when I clicked to remove them the cursor just turned into the loading cursor and it never did anything, I waited over 15 mins and nothing happened. I also tried VirtumundoBeGone in safe mode and it couldn't find anything.
The problems I have now is explorer.exe restarting randomly when I transfer files, view files or load a page on the internet. Also firefox will randomly stop loading pages, and I have to restart it. The computer also seems to be running very slow.
I followed all the steps in the stickied topic and have the logs from the programs:
Malwarebytes' Anti-Malware 1.18
Database version: 887
11:58:14 AM 6/24/2008
mbam-log-6-24-2008 (11-58-14).txt
Scan type: Quick Scan
Objects scanned: 34717
Time elapsed: 7 minute(s), 3 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 9
Registry Values Infected: 4
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 18
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\Windows\System32\cglxdwwt.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\Windows\System32\tuvTMCTj.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\Windows\System32\opnliGvs.dll (Trojan.Vundo) -> Unloaded module successfully.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c07bbe66-c92c-4932-a8a9-ccbdce62b5a6} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{c07bbe66-c92c-4932-a8a9-ccbdce62b5a6} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{5f11d5d5-3fb2-4add-84ad-d69bc9a5d312} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5f11d5d5-3fb2-4add-84ad-d69bc9a5d312} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fc9f6033 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{5f11d5d5-3fb2-4add-84ad-d69bc9a5d312} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSServer (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BMffac53af (Trojan.Agent) -> Delete on reboot.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\tuvtmctj -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\tuvtmctj -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Windows\System32\cejneqxt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\txqenjec.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\cglxdwwt.dll (Trojan.Vundo) -> Delete on reboot.
C:\Windows\System32\twwdxlgc.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\khfGwxYr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\rYxwGfhk.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\rYxwGfhk.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\ljJcbxXQ.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\QXxbcJjl.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\QXxbcJjl.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\tuvTMCTj.dll (Trojan.Vundo) -> Delete on reboot.
C:\Windows\System32\jTCMTvut.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\jTCMTvut.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\opnliGvs.dll (Trojan.Vundo) -> Delete on reboot.
C:\Windows\System32\khfFYRJc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\ljjgGywX.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\lhwhogdu.dll (Trojan.Agent) -> Delete on reboot.
C:\Windows\System32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
----------------------------------------------------------------------------------------------------------------
SUPERAntiSpyware Scan Log
Generated 06/24/2008 at 01:59 PM
Application Version : 3.6.1000
Core Rules Database Version : 3489
Trace Rules Database Version: 1480
Scan type : Complete Scan
Total Scan Time : 01:50:52
Memory items scanned : 547
Memory threats detected : 0
Registry items scanned : 7024
Registry threats detected : 0
File items scanned : 39285
File threats detected : 5
Adware.Vundo Variant
DKMFPLWG.DLL
FIMUFPJJ.DLL
FQMJYQCJ.DLL
RWJKXUFB.DLL
TCVNIWGI.DLL
----------------------------------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:58:18 PM, on 6/24/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe
C:\Acer\Empowering Technology\eAudio\eAudio.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Users\user1\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\user1\Desktop\Programs\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.us.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: {8642abd0-26e1-9aba-2084-908ac273fd30} - {03df372c-a809-4802-aba9-1e620dba2468} - C:\Windows\system32\ccbylegj.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\system32\ActiveToolBand.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [eAudio] "C:\Acer\Empowering Technology\eAudio\eAudio.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Acer Product Registration] "C:\Program Files\Acer Registration\ACE1.exe" /startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O13 - Gopher Prefix:
O20 - AppInit_DLLs: uwyxuuqu.dll sddptxcr.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ALaunch Service (ALaunchService) - Unknown owner - C:\Acer\ALaunch\ALaunchSvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: eDataSecurity Service - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 7393 bytes
----------------------------------------------------------------------------------------------------------------
After I ran all the removal programs I scanned the computer with VundoFix again and it found these files:
C:\Windows\System32\NCTAudioCDGrabber2.dll
C:\Windows\System32\NCTAudioFile2.dll
C:\Windows\System32\NCTAudioPlayer2.dll
C:\Windows\System32\NCTAudioRecorder2.dll
C:\Windows\System32\NCTAVIFile.dll
C:\Windows\System32\NCTQuickTimeFile.dll
C:\Windows\System32\NCTVideoCoreM.dll
C:\Windows\System32\NCTWMAFile2.dll
C:\Windows\System32\opnliGvs.dll
I tried hitting remove again and it still won't work.