Trojan.vundo cannot remove [Solved]


This topic is locked

#1 JON B (Member, 83 posts)
Hey guys! My friend has a tough Vundo file that is refusing to go away. We have scanned with SUPERAntiSpyware, AVG, Malwarebytes, and now Kaspersky Online, and have an HJT log. Thanks so much in advance. I am going to post the Malwarebytes log and then the HJT log.

Malwarebytes' Anti-Malware 1.31
Database version: 1526
Windows 5.1.2600 Service Pack 3

12/20/2008 5:43:23 PM
mbam-log-2008-12-20 (17-43-23).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 163633
Time elapsed: 1 hour(s), 11 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 4
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/conflict.2/popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5cfd4d02 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\CONFLICT.2\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ykegudulige (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvife (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\scrfile\shell\open\command\ (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\regfile\shell\open\command\ (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe "%1") -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP118\A0013016.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
C:\WINDOWS\ucasukin.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\Qgivihitama.dat (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Compaq_Administrator\Application Data\TmpRecentIcons\MS Antivirus.lnk (Rogue.Link) -> Quarantined and deleted successfully.



Malwarebytes' Anti-Malware 1.31
Database version: 1526
Windows 5.1.2600 Service Pack 3

12/20/2008 7:40:47 PM
mbam-log-2008-12-20 (19-40-47).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 163367
Time elapsed: 1 hour(s), 11 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:56:53 PM, on 12/20/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\QuickTime\qttask.exe
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\WALGRE~1\WALGRE~1\data\xtras\mssysmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\lxddcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...s/rdr?TYPE=3 =ie...
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...s/rdr?TYPE=3 =ie...
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...s/rdr?TYPE=3 =ie...
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.h...s/rdr?TYPE=3 =ie...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...s/rdr?TYPE=3 =ie...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.h...s/rdr?TYPE=3 =ie...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: {514a14e1-fd2e-8018-a2e4-a5c62a8a9e83} - {38e9a8a2-6c5a-4e2a-8108-e2df1e41a415} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {64C312FF-E16D-4BDE-880A-6294D4687378} - (no file)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...mework/v10/ZIntro.c...
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: ipneyy.dll,avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ljJDSLBu - ljJDSLBu.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxdd_device - - C:\WINDOWS\system32\lxddcoms.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8958 bytes
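
The HijackThis log in this post already contains the entries that decide a Vundo cleanup: an AppInit_DLLs value (every DLL listed there is mapped into each process that loads user32.dll), a Winlogon Notify package whose DLL is missing, BHO CLSIDs with no file behind them, and Run entries with odd targets. The script below is an added example for this thread, not HijackThis code and not the helper's fix; it parses HJT-style lines and flags those categories. The sample lines are copied from the log above, `SYSTEM_ROOT` is an assumption matching this XP machine, and the heuristics produce leads rather than verdicts: vendor-less services and bare-name Run entries are often OEM leftovers, so each flag still needs a hash or vendor check.

```python
"""Triage HijackThis (HJT) log lines for persistence entries worth a second look.

Added example for this thread. It is not HijackThis code and not the helper's
fix; it only automates the first pass a malware-removal volunteer does by eye.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: a handful of lines copied from the HJT log posted above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: ipneyy.dll,avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ljJDSLBu - ljJDSLBu.dll (file missing)
O23 - Service: lxdd_device - - C:\WINDOWS\system32\lxddcoms.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

SYSTEM_ROOT = r"C:\WINDOWS"  # assumed; matches the XP machine in the thread

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<file>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<file>.*)$")
# HJT prints "name - vendor - path"; a service with no vendor shows up as "name - - path"
SERVICE_RE = re.compile(
    r"^O23 - Service: (?P<name>.*?)\s+-\s+(?P<vendor>.*?)\s*-\s+(?P<path>[A-Za-z]:\\.*)$"
)


def executable_of(cmd: str) -> str:
    """Return the program part of a Run-key command line (quoted or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def run_entry_reason(exe: str) -> Optional[str]:
    """Heuristics for a Run-key target; None means nothing stands out."""
    if "\\" not in exe:
        return "bare file name with no path; resolved through the search path at logon"
    if exe.rsplit("\\", 1)[0].lower() == SYSTEM_ROOT.lower():
        return "executable sits directly under %SystemRoot% rather than system32"
    return None


def finding(item: str, subject: str, reason: str) -> Dict[str, str]:
    return {"item": item, "subject": subject, "reason": reason}


def triage(log_text: str) -> List[Dict[str, str]]:
    """Walk the log once and collect entries a human should verify by hand."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := BHO_RE.match(line):
            if m["file"].strip().lower() == "(no file)":
                findings.append(finding("O2 BHO", m["clsid"], "CLSID registered but no DLL on disk (orphaned or hidden)"))
        elif m := RUN_RE.match(line):
            reason = run_entry_reason(executable_of(m["cmd"]))
            if reason:
                findings.append(finding(f"O4 {m['hive']} Run", m["name"], reason))
        elif m := APPINIT_RE.match(line):
            for dll in filter(None, re.split(r"[,\s]+", m["dlls"].strip())):
                findings.append(finding("O20 AppInit_DLLs", dll, "loaded into every process that maps user32.dll"))
        elif m := NOTIFY_RE.match(line):
            if "(file missing)" in m["file"]:
                findings.append(finding("O20 Winlogon Notify", m["name"], "notification package registered but DLL missing"))
        elif m := SERVICE_RE.match(line):
            if not m["vendor"].strip():
                findings.append(finding("O23 Service", m["name"], "service binary carries no vendor name"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['item']:<22} {f['subject']:<45} {f['reason']}")
```

Run against the sample, the script reports the orphaned BHO, the bare `sm56hlpr.exe` Run entry, both AppInit DLLs (the AVG one included, since the point is to look at everything in that value), the missing `ljJDSLBu.dll` notify package and the vendor-less `lxdd_device` service; the QuickTime and ctfmon entries pass.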

#2 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Do you have the Kaspersky log?

Download OTScanIt2.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt2 on your desktop.
  • Open the OTScanIt2 folder and double-click on OTScanIt.exe to start the program. Make sure you close all other programs and don't use the PC while the scan runs.
  • Under File Age at the top, change it from 30 days to 90 days
  • Under Additional Scans check the boxes beside Reg - ColumnHandlers, Reg - Desktop Components, Reg - Disabled MS Config Items, Reg - File Associations, Reg - NetSvcs, Reg - Protocol Filters, Reg - Protocol Handlers, Reg - SafeBoot Minimal, Reg - SafeBoot Network, Reg - Session Manager Settings, Reg - Winsock2 Catalogs, File - Lop Check, File - Purity Scan, Files - Signature Check, and Evnt - EventViewer Logs ( Last 10 Errors).
  • Under Rootkit Search change it to Yes
  • Under the Custom Scans box at the bottom left paste the following in

    %systemroot%\Prefetch\*.* /s
    %systemroot%\system32\drivers\*.dat
    %systemroot%\Temp\bca4e2da.$$$
    %systemroot%\Temp\ed47fa.$
    %systemroot%\Temp\fa56d7ec.$$$
    %systemroot%\System32\antiwpa.dll
    %systemroot%\Pack.epk
    %ProgramFiles%\MSN Messenger\*.zip
    %ProgramFiles%\MSN Messenger\*.exe
    %ProgramFiles%\MSN Messenger\*.rar
    %PROGRAMFILES%\*crack*.
    %PROGRAMFILES%\*keygen*.
    %SYSTEMDRIVE%\*crack*.
    %SYSTEMDRIVE%\*keygen*.
    %SYSTEMDRIVE%\*.zip
    %SYSTEMDRIVE%\*.rar
    %SYSTEMDRIVE%\*.exe
    %SYSTEMDRIVE%\*.dll
    %systemroot%\*.zip
    %systemroot%\*.rar
    %systemroot%\system32\*.zip
    %systemroot%\system32\*.rar
    %PROGRAMFILES%\*.zip
    %PROGRAMFILES%\*.rar
    %PROGRAMFILES%\*.exe
    %PROGRAMFILES%\*.dll
    %DESKTOP%\*.zip
    %DESKTOP%\*.rar
    %DESKTOP%\*.exe
    %DESKTOP%\*crack*.
    %DESKTOP%\*keygen*.
    %PROGRAMFILES%\Common Files\*.*
    %PROGRAMFILES%\Common Files\*bak*.
    %systemroot%\SYSTEM32\*bak*.
    %PROGRAMFILES%\*bak*.
    %systemroot%\ime\imjp8_1\*bak*.
    %PROGRAMFILES%\QuickTime\*bak*.
    %PROGRAMFILES%\Viewpoint\Viewpoint Manager\*bak*.
    %PROGRAMFILES%\Analog Devices\Core\*bak*.
    %USERNAME%\*.zip
    %USERNAME%\*.rar
    %USERNAME%\*.exe
    %USERPROFILE%\*.zip
    %USERPROFILE%\*.rar
    %USERPROFILE%\*.exe
    %ALLUSERSPROFILE%\*.zip
    %ALLUSERSPROFILE%\*.rar
    %ALLUSERSPROFILE%\*.exe
    %APPDATA%\*.zip
    %APPDATA%\*.rar
    %APPDATA%\*.exe
    %ALLUSERSSTARTMENU%\*.zip
    %ALLUSERSSTARTMENU%\*.rar
    %ALLUSERSSTARTMENU%\*.exe
    %ALLUSERSSTARTUP%\*.zip
    %ALLUSERSSTARTUP%\*.rar
    %ALLUSERSSTARTUP%\*.exe
    %ALLUSERSPROGRAMS%\*.zip
    %ALLUSERSPROGRAMS%\*.rar
    %ALLUSERSPROGRAMS%\*.exe
    %ALLUSERSAPPDATA%\*.zip
    %ALLUSERSAPPDATA%\*.rar
    %ALLUSERSAPPDATA%\*.exe
    %APPDATA%\*.zip
    %APPDATA%\*.rar
    %APPDATA%\*.exe
    %APPDATA%\*.dat
    %APPDATA%\*.dll
    %QUICKLAUNCH%\*.zip
    %QUICKLAUNCH%\*.rar
    %QUICKLAUNCH%\*.exe
    %STARTUP%\*.zip
    %STARTUP%\*.rar
    %STARTUP%\*.exe
    %STARTMENU%\*.zip
    %STARTMENU%\*.rar
    %STARTMENU%\*.exe
    %MYDOCUMENTS%\*.zip
    %MYDOCUMENTS%\*.rar
    %MYDOCUMENTS%\*.exe
    %MYDOCUMENTS%\*crack*.
    %MYDOCUMENTS%\*keygen*.
    %PROGRAMFILES%\Mozilla Firefox\plugins\*.*
    %PROGRAMFILES%\Internet Explorer\*.*
    %PROGRAMFILES%\Mozilla Firefox\*.zip /s
    %PROGRAMFILES%\Mozilla Firefox\*.rar /s
    %PROGRAMFILES%\Mozilla Firefox\*.exe /s
    %PROGRAMFILES%\Internet Explorer\*.zip /s
    %PROGRAMFILES%\Internet Explorer\*.rar /s
    %PROGRAMFILES%\Internet Explorer\*.exe /s
    %SYSTEMDRIVE%\*.dat
    %SYSTEMDRIVE%\*.sys
    %SYSTEMROOT%\*.dat
    %SYSTEMROOT%\*.sys
    %systemroot%\system32\drivers\*.exe /s
    %systemroot%\system32\drivers\*.zip /s
    %systemroot%\system32\drivers\*.rar /s
    %systemroot%\system\*.exe /s
    %systemroot%\system\*.zip /s
    %systemroot%\system\*.rar /s
    %systemroot%\AppPatch\*.exe /s
    %systemroot%\AppPatch\*.zip /s
    %systemroot%\AppPatch\*.rar /s
    %systemroot%\Cache\*.*
    %systemroot%\Downloaded Program Files\*.*
    %systemroot%\Fonts\*.exe /s
    %systemroot%\Fonts\*.zip /s
    %systemroot%\Fonts\*.rar /s
    %systemroot%\Fonts\*.dll /s
    %systemroot%\Help\*.exe /s
    %systemroot%\Help\*.zip /s
    %systemroot%\Help\*.rar /s
    %systemroot%\Tasks\*.*
    %APPDATA%\*.sys
    %APPDATA%\Google\*.*
    %systemroot%\system32\serauth1.dll
    %systemroot%\system32\serauth2.dll
    %systemroot%\system32\sysaudio.sys
    %PROGRAMFILES%\*TinyProxy*.
    HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla|extensions /rs
    %systemroot%\system32\inf\*.exe /s
    %systemroot%\system32\inf\*.zip /s
    %systemroot%\system32\inf\*.rar /s
    %systemroot%\system32\inf\*.dll /s
    %PROGRAMFILES%\Bitlord\Downloads\*.zip /s
    %PROGRAMFILES%\Bitlord\Downloads\*.rar /s
    %PROGRAMFILES%\Bitlord\Downloads\*.exe /s
    %PROGRAMFILES%\Bitlord\Downloads\*crack*.
    %PROGRAMFILES%\Bitlord\Downloads\*keygen*.
    %PROGRAMFILES%\eMule\Incoming\*.zip /s
    %PROGRAMFILES%\eMule\Incoming\*.rar /s
    %PROGRAMFILES%\eMule\Incoming\*.exe /s
    %PROGRAMFILES%\eMule\Incoming\*crack*.
    %PROGRAMFILES%\eMule\Incoming\*keygen*.
    %ProgramFiles%\Bittorent\downloads\*.zip /s
    %ProgramFiles%\Bittorent\downloads\*.exe /s
    %ProgramFiles%\Bittorent\downloads\*.rar /s
    %PROGRAMFILES%\Bittorent\Downloads\*crack*.
    %PROGRAMFILES%\Bittorent\Downloads\*keygen*.
    %ProgramFiles%\Bearshare\Shared\*.zip /s
    %ProgramFiles%\Bearshare\Shared\*.exe /s
    %ProgramFiles%\Bearshare\Shared\*.rar /s
    %ProgramFiles%\Bearshare\Shared\*crack*.
    %ProgramFiles%\Bearshare\Shared\*keygen*.
    %ProgramFiles%\Morpheus\My Shared Folder\*.zip /s
    %ProgramFiles%\Morpheus\My Shared Folder\*.exe /s
    %ProgramFiles%\Morpheus\My Shared Folder\*.rar /s
    %ProgramFiles%\Morpheus\My Shared Folder\*crack*.
    %ProgramFiles%\Morpheus\My Shared Folder\*keygen*.
    %ProgramFiles%\uTorrent\Downloads\*.zip /s
    %ProgramFiles%\uTorrent\Downloads\*.exe /s
    %ProgramFiles%\uTorrent\Downloads\*.rar /s
    %ProgramFiles%\uTorrent\Downloads\*crack*.
    %ProgramFiles%\uTorrent\Downloads\*keygen*.
    %ProgramFiles%\Kazaa Lite\My Shared Folder\*.zip /s
    %ProgramFiles%\Kazaa Lite\My Shared Folder\*.exe /s
    %ProgramFiles%\Kazaa Lite\My Shared Folder\*.rar /s
    %ProgramFiles%\Kazaa Lite\My Shared Folder\*crack*.
    %ProgramFiles%\Kazaa Lite\My Shared Folder\*keygen*.
    %ProgramFiles%\Kazaa\My Shared Folder\*.zip /s
    %ProgramFiles%\Kazaa\My Shared Folder\*.exe /s
    %ProgramFiles%\Kazaa\My Shared Folder\*.rar /s
    %ProgramFiles%\Kazaa\My Shared Folder\*crack*.
    %ProgramFiles%\Kazaa\My Shared Folder\*keygen*.
    %ProgramFiles%\Icq\Shared Files\*.zip /s
    %ProgramFiles%\Icq\Shared Files\*.exe /s
    %ProgramFiles%\Icq\Shared Files\*.rar /s
    %ProgramFiles%\Icq\Shared Files\*crack*.
    %ProgramFiles%\Icq\Shared Files\*keygen*.
    %ProgramFiles%\Direct Connect\Received Files\*.zip /s
    %ProgramFiles%\Direct Connect\Received Files\*.exe /s
    %ProgramFiles%\Direct Connect\Received Files\*.rar /s
    %ProgramFiles%\Direct Connect\Received Files\*crack*.
    %ProgramFiles%\Direct Connect\Received Files\*keygen*.




  • Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and post the information back here in an attachment. I will review it when it comes in. The last line is < End of Report >, so make sure that is the last line in the attached report.


Make sure you attach the report in your reply. If it is too big to upload, then zip the text file and upload it that way.

#3 JON B (Topic Starter, Member, 83 posts)
Here is the Kaspersky log and I will post the log from OTScanIt2 after it runs.



Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - File:


Scan statistics:
Files scanned: 107410
Threat name: 11
Infected objects: 28
Suspicious objects: 0
Duration of the scan: 01:46:20


File name / Threat name / Threats count
C:\Documents and Settings\Compaq_Administrator\Desktop\Backup.bkf Infected: Trojan-Downloader.Java.OpenStream.c 4
C:\Documents and Settings\Compaq_Administrator\Desktop\Backup.bkf Infected: Trojan-Downloader.Java.OpenConnection.aj 2
C:\Documents and Settings\Compaq_Administrator\Desktop\Backup.bkf Infected: Exploit.Java.ByteVerify 7
C:\Documents and Settings\Compaq_Administrator\Desktop\Backup.bkf Infected: Trojan-Downloader.Java.OpenConnection.ao 1
C:\Documents and Settings\Compaq_Administrator\Desktop\Backup.bkf Infected: Trojan.Java.ClassLoader.au 1
C:\Documents and Settings\Compaq_Administrator\Desktop\Backup.bkf Infected: Trojan-Downloader.Java.Agent.a 1
C:\Documents and Settings\Compaq_Administrator\Desktop\Backup.bkf Infected: Trojan.Java.ClassLoader.as 3
C:\Documents and Settings\Compaq_Administrator\Desktop\Backup.bkf Infected: Trojan-Downloader.Java.OpenConnection.ap 4
C:\Documents and Settings\Compaq_Administrator\Desktop\Backup.bkf Infected: Trojan-Downloader.Java.OpenStream.ac 2
C:\hp\bin\wbug\HPSummer2005.exe Infected: not-a-virus:AdWare.Win32.MyWay.j 1
C:\Program Files\Online Services\AOL\United States\AOL90\comps\toolbar\toolbr.EXE Infected: not-a-virus:AdWare.Win32.SearchIt.t 1
D:\I386\Apps\APP20301\src\HPSummer2005.exe Infected: not-a-virus:AdWare.Win32.MyWay.j 1

The selected area was scanned.

#4 JON B (Topic Starter, Member, 83 posts)
OK, the scan went very fast and acted weird. When it was trying to scan one of the drivers, it froze and then a CMD box with catchme popped up and gave me this log.



Attached file: OTScanLog_1.txt (55.68KB)

Edited by JON B, 21 December 2008 - 03:31 PM.


#5 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
I need you to do the OTScanIt2 step again, but make sure wordwrap is off first.

To do that, open Notepad, click Format, and uncheck Wordwrap.


Please download the OTMoveIt3 by OldTimer or from here.
  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :Processes
    explorer.exe
    
    :Services
    
    :Reg
    
    :Files
    C:\Documents and Settings\Compaq_Administrator\Desktop\Backup.bkf
    C:\hp\bin\wbug\HPSummer2005.exe 
    C:\Program Files\Online Services\AOL\United States\AOL90\comps\toolbar\toolbar.EXE 
    D:\I386\Apps\APP20301\src\HPSummer2005.exe 
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

#6 JON B (Topic Starter, Member, 83 posts)
Ok, I finally got a good copy from OTScanIt and here it is. I have already downloaded OTMoveIt3 and will run it after I post the ScanIt log. Thanks!



Attached file: OTScanIt.zip (37.87KB)

#7 JON B (Topic Starter, Member, 83 posts)
Here is the OTMoveit3 Log:


========== PROCESSES ==========
Process explorer.exe killed successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
C:\Documents and Settings\Compaq_Administrator\Desktop\Backup.bkf moved successfully.
C:\hp\bin\wbug\HPSummer2005.exe moved successfully.
File/Folder C:\Program Files\Online Services\AOL\United States\AOL90\comps\toolbar\toolbar.EXE not found.
D:\I386\Apps\APP20301\src\HPSummer2005.exe moved successfully.
========== COMMANDS ==========
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_52c.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12212008_213558

Files moved on Reboot...
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be moved on reboot.
File C:\WINDOWS\temp\Perflib_Perfdata_52c.dat not found!

#8 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Hello

Start OTScanIt2. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Processes - Safe List]
YN -> superantispyware.exe -> %ProgramFiles%\SUPERAntiSpyware\SUPERAntiSpyware.exe
YY -> viewpointservice.exe -> %ProgramFiles%\Viewpoint\Common\ViewpointService.exe
[Win32 Services - Safe List]
YY -> (WMPNetworkSvc) Windows Media Player Network Sharing Service [Win32_Own | Disabled | Stopped] -> %ProgramFiles%\Windows Media Player\wmpnetwk.exe
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {02478D38-C3F9-4efb-9B51-7695ECA05670} [HKLM] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {38e9a8a2-6c5a-4e2a-8108-e2df1e41a415} [HKLM] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {64C312FF-E16D-4BDE-880A-6294D4687378} [HKLM] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> ShellBrowser\\"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" [HKLM] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> WebBrowser\\"{604BC32A-9680-40D1-9AC6-E06B23A1BA4C}" [HKLM] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> WebBrowser\\"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" [HKLM] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] -> [Reg Error: Value does not exist or could not be read.]
YN -> CmdMapping\\"{E2D4D26B-0180-43a4-B05F-462D6D54C789}" [HKLM] -> [Connection Help]
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls
YN -> ipneyy.dll ->
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
YN -> ljJDSLBu ->
< LSA Authentication Packages [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
*LSA Authentication Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
YY -> C:\WINDOWS\system32\mlJYomnm ->
< LSA Authentication Packages [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
[Files/Folders - Created Within 90 Days]
NY -> TeamViewer_Setup.exe -> %UserProfile%\Desktop\TeamViewer_Setup.exe
NY -> TeamViewerQS.exe -> %UserProfile%\Desktop\TeamViewerQS.exe
NY -> vnc-4_1_3-x86_win32.exe -> %UserProfile%\Desktop\vnc-4_1_3-x86_win32.exe
NY -> vnc-4_1_3-x86_win32.zip -> %UserProfile%\Desktop\vnc-4_1_3-x86_win32.zip
NY -> HijackThis.lnk -> %UserProfile%\Desktop\HijackThis.lnk
NY -> HJTInstall.exe -> %UserProfile%\Desktop\HJTInstall.exe
NY -> VirtumundoBeGone.exe -> %UserProfile%\Desktop\VirtumundoBeGone.exe
NY -> VundoFix Backups -> %SystemDrive%\VundoFix Backups
NY -> mbam-setup.exe -> %UserProfile%\Desktop\mbam-setup.exe
NY -> Dial-a-fix-v0.60.0.24.zip -> %UserProfile%\My Documents\Dial-a-fix-v0.60.0.24.zip
NY -> arolusefubem.dll -> %SystemRoot%\arolusefubem.dll
NY -> unexugesavad.dll -> %SystemRoot%\unexugesavad.dll
NY -> mnmoYJlm.ini2 -> %SystemRoot%\System32\mnmoYJlm.ini2
NY -> mnmoYJlm.ini -> %SystemRoot%\System32\mnmoYJlm.ini
NY -> vpgnpqdl.job -> %SystemRoot%\tasks\vpgnpqdl.job
[File - Lop Check]
NY -> Viewpoint -> C:\Documents and Settings\All Users\Application Data\Viewpoint
NY -> .bittorrent -> C:\Documents and Settings\Compaq_Administrator\Application Data\.bittorrent
NY -> Viewpoint -> C:\Documents and Settings\Compaq_Administrator\Application Data\Viewpoint
NY -> vpgnpqdl.job -> C:\WINDOWS\Tasks\vpgnpqdl.job
[Custom Scans]
NY -> edunebuj.dat -> C:\WINDOWS\edunebuj.dat
NY -> popcaploader.inf -> C:\WINDOWS\Downloaded Program Files\popcaploader.inf
NY -> vpgnpqdl.job -> C:\WINDOWS\Tasks\vpgnpqdl.job
[Empty Temp Folders]
[Start Explorer]
[Reboot]


The fix should only take a very short time. When the fix is completed, a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of the actions taken during the fix. Post that information back here.

I will review the information when it comes back in.



Please download GooredFix and save it to your Desktop. Double-click Goored.exe to run it. Select 1. Find Goored (no fix) by typing 1 and pressing Enter. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt). Note: Do not run Option #2 yet.

#9 JON B (Topic Starter, Member, 83 posts)
Ok, I ran what you requested and it came back with two errors. "The application or DLL C:\WINDOWS\arolusesubem.dll is not a valid windows image." The second error was: "The application or DLL C:\WINDOWS\unexugesavad.dll is not a valid windows image." I had to reboot and here is a copy of the log.

BTW, the computer is running very slowly...

Process Explorer.EXE killed successfully!
[Processes - Safe List]
Unable to kill active process superantispyware.exe!
No active process named viewpointservice.exe was found!
C:\Program Files\Viewpoint\Common\ViewpointService.exe moved successfully.
[Win32 Services - Safe List]
Service WMPNetworkSvc stopped successfully!
Service WMPNetworkSvc deleted successfully!
C:\Program Files\Windows Media Player\wmpnetwk.exe moved successfully.
[Registry - Safe List]
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{38e9a8a2-6c5a-4e2a-8108-e2df1e41a415}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{38e9a8a2-6c5a-4e2a-8108-e2df1e41a415}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{64C312FF-E16D-4BDE-880A-6294D4687378}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{64C312FF-E16D-4BDE-880A-6294D4687378}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{604BC32A-9680-40D1-9AC6-E06B23A1BA4C}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{E2D4D26B-0180-43a4-B05F-462D6D54C789} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2D4D26B-0180-43a4-B05F-462D6D54C789}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:ipneyy.dll deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ljJDSLBu\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages:C:\WINDOWS\system32\mlJYomnm deleted successfully.
File not found.
[Files/Folders - Created Within 90 Days]
C:\Documents and Settings\Compaq_Administrator\Desktop\TeamViewer_Setup.exe moved successfully.
File C:\Documents and Settings\Compaq_Administrator\Desktop\TeamViewerQS.exe not found!
File C:\Documents and Settings\Compaq_Administrator\Desktop\vnc-4_1_3-x86_win32.exe not found!
File C:\Documents and Settings\Compaq_Administrator\Desktop\vnc-4_1_3-x86_win32.zip not found!
C:\Documents and Settings\Compaq_Administrator\Desktop\HijackThis.lnk moved successfully.
File C:\Documents and Settings\Compaq_Administrator\Desktop\HJTInstall.exe not found!
File C:\Documents and Settings\Compaq_Administrator\Desktop\VirtumundoBeGone.exe not found!
C:\VundoFix Backups folder moved successfully.
File C:\Documents and Settings\Compaq_Administrator\Desktop\mbam-setup.exe not found!
C:\Documents and Settings\Compaq_Administrator\My Documents\Dial-a-fix-v0.60.0.24.zip moved successfully.
LoadLibrary failed for C:\WINDOWS\arolusefubem.dll
C:\WINDOWS\arolusefubem.dll NOT unregistered.
C:\WINDOWS\arolusefubem.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\unexugesavad.dll
C:\WINDOWS\unexugesavad.dll NOT unregistered.
C:\WINDOWS\unexugesavad.dll moved successfully.
C:\WINDOWS\System32\mnmoYJlm.ini2 moved successfully.
C:\WINDOWS\System32\mnmoYJlm.ini moved successfully.
C:\WINDOWS\tasks\vpgnpqdl.job moved successfully.
[File - Lop Check]
C:\Documents and Settings\All Users\Application Data\Viewpoint folder moved successfully.
C:\Documents and Settings\Compaq_Administrator\Application Data\.bittorrent\data\resume folder moved successfully.
C:\Documents and Settings\Compaq_Administrator\Application Data\.bittorrent\data\metainfo folder moved successfully.
C:\Documents and Settings\Compaq_Administrator\Application Data\.bittorrent\data folder moved successfully.
C:\Documents and Settings\Compaq_Administrator\Application Data\.bittorrent folder moved successfully.
C:\Documents and Settings\Compaq_Administrator\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_03 folder moved successfully.
C:\Documents and Settings\Compaq_Administrator\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_02 folder moved successfully.
C:\Documents and Settings\Compaq_Administrator\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01 folder moved successfully.
C:\Documents and Settings\Compaq_Administrator\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_00 folder moved successfully.
C:\Documents and Settings\Compaq_Administrator\Application Data\Viewpoint\Viewpoint Media Player\Resources folder moved successfully.
C:\Documents and Settings\Compaq_Administrator\Application Data\Viewpoint\Viewpoint Media Player folder moved successfully.
C:\Documents and Settings\Compaq_Administrator\Application Data\Viewpoint folder moved successfully.
File C:\WINDOWS\Tasks\vpgnpqdl.job not found!
[Custom Scans]
C:\WINDOWS\edunebuj.dat moved successfully.
C:\WINDOWS\Downloaded Program Files\popcaploader.inf moved successfully.
File/Folder C:\WINDOWS\Tasks\vpgnpqdl.job not found.
[Empty Temp Folders]
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\MSI64028.LOG scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
RecycleBin -> emptied.
Explorer started successfully
< End of fix log >
OTScanIt2 by OldTimer - Version 1.0.3.1 fix logfile created on 12222008_105759

Files moved on Reboot...
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat moved successfully.
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat moved successfully.
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat moved successfully.
C:\WINDOWS\temp\MSI64028.LOG moved successfully.

Registry entries deleted on Reboot...

#10 JON B (Topic Starter, Member, 83 posts)
Here is the GooredFix log:

GooredFix v1.5 by jpshortstuff
Log created at 11:15 on 22/12/2008 running Option #1

=====Suspect Goored Entries=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{0F2576E0-FC9F-4F29-AA50-CCF97C6B7C49}"="C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\{0F2576E0-FC9F-4F29-AA50-CCF97C6B7C49}"

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{0F2576E0-FC9F-4F29-AA50-CCF97C6B7C49}"="C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\{0F2576E0-FC9F-4F29-AA50-CCF97C6B7C49}"
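What makes the entry in the "Suspect Goored Entries" block stand out from the other values in the same dump is visible in the log itself: a machine-wide (HKLM) Firefox extension registration whose value name is a bare GUID and whose folder, named after that same GUID, sits in the user's Local Settings\Application Data rather than under Program Files. The code below is an added example that turns that reading into a check over a GooredFix-style registry dump; the rules are my own heuristic, not GooredFix's detection logic, and the dump embedded below is the one posted above plus one constructed legitimate entry (the Java Quick Starter extension, jqs@sun.com, whose id the thread's copy of the second log shows obscured).

```python
"""Flag Firefox extension registrations of the kind GooredFix reports.
Added example for this thread; my own heuristic, not GooredFix's code."""
import re

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(.+?)"="(.*)"$')
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# Path fragments that place a folder inside a user profile (XP and Vista+ layouts).
PROFILE_MARKERS = ("\\documents and settings\\", "\\users\\")
LOCAL_APPDATA = ("\\local settings\\application data\\", "\\appdata\\local\\")

# Registry dump from the GooredFix log above, plus one constructed legitimate
# entry (Java Quick Starter, id jqs@sun.com) for contrast.
DUMP = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{0F2576E0-FC9F-4F29-AA50-CCF97C6B7C49}"="C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\{0F2576E0-FC9F-4F29-AA50-CCF97C6B7C49}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"
"""

def parse_dump(text):
    """Return [(key, value_name, value_data)] from a .reg-style dump."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            entries.append((key, m.group(1), m.group(2)))
    return entries

def reasons_to_flag(key, name, path):
    """Why an HKLM ...\\extensions value looks like a planted extension."""
    reasons = []
    if not key.lower().endswith("\\extensions"):
        return reasons
    low = path.lower()
    folder = path.rstrip("\\").rsplit("\\", 1)[-1]
    if any(marker in low for marker in PROFILE_MARKERS):
        reasons.append("machine-wide registration points into a user profile")
    if any(marker in low for marker in LOCAL_APPDATA):
        reasons.append("install folder lives in per-user local application data")
    if GUID_RE.match(name) and folder.lower() == name.lower():
        reasons.append("extension id is a bare GUID that also names its folder")
    return reasons

def find_goored(text):
    """Return [(value_name, path, reasons)] for entries that trip any rule."""
    flagged = []
    for key, name, path in parse_dump(text):
        reasons = reasons_to_flag(key, name, path)
        if reasons:
            flagged.append((name, path, reasons))
    return flagged
```

`find_goored(DUMP)` returns only the GUID entry, with all three reasons; the Plugins, Components and Java values pass because they live under Program Files and carry a normal id.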

#11 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
hello

Please double-click Goored.exe on your Desktop to run it. Select 2. Fix Goored by typing 2 and pressing Enter. Make sure all instances of Firefox are closed at this point. Type y at the prompt and press Enter again. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).

#12 JON B (Topic Starter, Member, 83 posts)
Here is the log...

GooredFix v1.5 by jpshortstuff
Log created at 16:04 on 22/12/2008 running Option #2

=====Goored Deletions=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{0F2576E0-FC9F-4F29-AA50-CCF97C6B7C49}"="C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\{0F2576E0-FC9F-4F29-AA50-CCF97C6B7C49}"
->Backing up value... Done.
->Deleting value... Done.

C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\{0F2576E0-FC9F-4F29-AA50-CCF97C6B7C49}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"[email protected]"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"


Thanks so much for your help! :)

#13 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
hello

Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.




Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.






Go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.


#14 JON B (Topic Starter, Member, 83 posts)
Scanned and cleaned with ATF and Malwarebytes'. Here is the log from Malwarebytes'.



Malwarebytes' Anti-Malware 1.31
Database version: 1533
Windows 5.1.2600 Service Pack 3

12/22/2008 4:18:04 PM
mbam-log-2008-12-22 (16-18-04).txt

Scan type: Quick Scan
Objects scanned: 55057
Time elapsed: 5 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




Kaspersky scanning and log on the way...

Edited by JON B, 22 December 2008 - 05:30 PM.


#15 JON B (Topic Starter, Member, 83 posts)
Hello,

The Malwarebytes' scan went fine and it found 1 infected file with Trojan.Vundo. I accidentally hit the button to not restart now, and then I hit restart and the Trojan did not delete. I have run the scan 5 times now with the same result. I finally got a log from Kaspersky, but it took forever just trying to get the scan log to save because the computer was so taxed on resources. Here is the log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, December 22, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, December 23, 2008 00:43:41
Records in database: 1502447
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan statistics:
Files scanned: 108614
Threat name: 11
Infected objects: 29
Suspicious objects: 0
Duration of the scan: 01:55:17


File name / Threat name / Threats count
C:\Program Files\Online Services\AOL\United States\AOL90\comps\toolbar\toolbr.EXE Infected: not-a-virus:AdWare.Win32.SearchIt.t 1
C:\_OTMoveIt\MovedFiles\12212008_213558\Documents and Settings\Compaq_Administrator\Desktop\Backup.bkf Infected: Trojan-Downloader.Java.OpenStream.c 4
C:\_OTMoveIt\MovedFiles\12212008_213558\Documents and Settings\Compaq_Administrator\Desktop\Backup.bkf Infected: Trojan-Downloader.Java.OpenConnection.aj 2
C:\_OTMoveIt\MovedFiles\12212008_213558\Documents and Settings\Compaq_Administrator\Desktop\Backup.bkf Infected: Exploit.Java.ByteVerify 7
C:\_OTMoveIt\MovedFiles\12212008_213558\Documents and Settings\Compaq_Administrator\Desktop\Backup.bkf Infected: Trojan-Downloader.Java.OpenConnection.ao 1
C:\_OTMoveIt\MovedFiles\12212008_213558\Documents and Settings\Compaq_Administrator\Desktop\Backup.bkf Infected: Trojan.Java.ClassLoader.au 1
C:\_OTMoveIt\MovedFiles\12212008_213558\Documents and Settings\Compaq_Administrator\Desktop\Backup.bkf Infected: Trojan-Downloader.Java.Agent.a 1
C:\_OTMoveIt\MovedFiles\12212008_213558\Documents and Settings\Compaq_Administrator\Desktop\Backup.bkf Infected: Trojan.Java.ClassLoader.as 3
C:\_OTMoveIt\MovedFiles\12212008_213558\Documents and Settings\Compaq_Administrator\Desktop\Backup.bkf Infected: Trojan-Downloader.Java.OpenConnection.ap 4
C:\_OTMoveIt\MovedFiles\12212008_213558\Documents and Settings\Compaq_Administrator\Desktop\Backup.bkf Infected: Trojan-Downloader.Java.OpenStream.ac 2
C:\_OTMoveIt\MovedFiles\12212008_213558\hp\bin\wbug\HPSummer2005.exe Infected: not-a-virus:AdWare.Win32.MyWay.j 1
C:\_OTMoveIt\MovedFiles\12212008_213558\I386\Apps\APP20301\src\HPSummer2005.exe Infected: not-a-virus:AdWare.Win32.MyWay.j 1
D:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP136\A0016332.exe Infected: not-a-virus:AdWare.Win32.MyWay.j 1

The selected area was scanned.

Edited by JON B, 23 December 2008 - 12:44 AM.

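Two things a helper checks on a Kaspersky report like the one above are whether its "Threat name" and "Infected objects" totals agree with the detail lines, and how many of those detections are in places that are no longer live: here all but two are inside C:\_OTMoveIt\MovedFiles (the folder OTMoveIt/OTScanIt moves files into) or a System Restore point under System Volume Information, and the ten hits on Backup.bkf are one archive scanned with "Scan archives: yes". The script below is an added example, not a Kaspersky tool or anything from the thread; it parses the statistics and detail lines of the posted report (embedded so it runs offline), recomputes the totals, classifies each path, and separates Kaspersky's "not-a-virus:" adware/riskware class from the rest.

```python
"""Summarise a Kaspersky Online Scanner 7 report and check it against itself.
Added example for this thread; not a Kaspersky tool or anything from the posts."""
import re
from collections import Counter

DETAIL_RE = re.compile(r"^(.+?) Infected: (\S+) (\d+)$")
HEADER_RE = re.compile(r"^(Files scanned|Threat name|Infected objects|Suspicious objects): (\d+)$")

# Folders where a hit means the file was already moved out of its original
# location: OTScanIt/OTMoveIt keep moved files under C:\_OTMoveIt\MovedFiles,
# and System Restore keeps copies under System Volume Information\_restore{..}.
LOCATION_RULES = [
    ("otmoveit_quarantine", re.compile(r"\\_OTMoveIt\\MovedFiles\\", re.I)),
    ("system_restore_point", re.compile(r"\\System Volume Information\\_restore\{", re.I)),
]

# Statistics and detail lines of the report JON B posted above.
REPORT = r"""
Scan statistics:
Files scanned: 108614
Threat name: 11
Infected objects: 29
Suspicious objects: 0

File name / Threat name / Threats count
C:\Program Files\Online Services\AOL\United States\AOL90\comps\toolbar\toolbr.EXE Infected: not-a-virus:AdWare.Win32.SearchIt.t 1
C:\_OTMoveIt\MovedFiles\12212008_213558\Documents and Settings\Compaq_Administrator\Desktop\Backup.bkf Infected: Trojan-Downloader.Java.OpenStream.c 4
C:\_OTMoveIt\MovedFiles\12212008_213558\Documents and Settings\Compaq_Administrator\Desktop\Backup.bkf Infected: Trojan-Downloader.Java.OpenConnection.aj 2
C:\_OTMoveIt\MovedFiles\12212008_213558\Documents and Settings\Compaq_Administrator\Desktop\Backup.bkf Infected: Exploit.Java.ByteVerify 7
C:\_OTMoveIt\MovedFiles\12212008_213558\Documents and Settings\Compaq_Administrator\Desktop\Backup.bkf Infected: Trojan-Downloader.Java.OpenConnection.ao 1
C:\_OTMoveIt\MovedFiles\12212008_213558\Documents and Settings\Compaq_Administrator\Desktop\Backup.bkf Infected: Trojan.Java.ClassLoader.au 1
C:\_OTMoveIt\MovedFiles\12212008_213558\Documents and Settings\Compaq_Administrator\Desktop\Backup.bkf Infected: Trojan-Downloader.Java.Agent.a 1
C:\_OTMoveIt\MovedFiles\12212008_213558\Documents and Settings\Compaq_Administrator\Desktop\Backup.bkf Infected: Trojan.Java.ClassLoader.as 3
C:\_OTMoveIt\MovedFiles\12212008_213558\Documents and Settings\Compaq_Administrator\Desktop\Backup.bkf Infected: Trojan-Downloader.Java.OpenConnection.ap 4
C:\_OTMoveIt\MovedFiles\12212008_213558\Documents and Settings\Compaq_Administrator\Desktop\Backup.bkf Infected: Trojan-Downloader.Java.OpenStream.ac 2
C:\_OTMoveIt\MovedFiles\12212008_213558\hp\bin\wbug\HPSummer2005.exe Infected: not-a-virus:AdWare.Win32.MyWay.j 1
C:\_OTMoveIt\MovedFiles\12212008_213558\I386\Apps\APP20301\src\HPSummer2005.exe Infected: not-a-virus:AdWare.Win32.MyWay.j 1
D:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP136\A0016332.exe Infected: not-a-virus:AdWare.Win32.MyWay.j 1
"""

def classify_location(path):
    """'live', or the name of the quarantine/restore rule the path matches."""
    for label, pat in LOCATION_RULES:
        if pat.search(path):
            return label
    return "live"

def parse_report(text):
    """Return ({stat: int}, [(path, threat, count)]) from report text."""
    header, detections = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            header[m.group(1)] = int(m.group(2))
            continue
        m = DETAIL_RE.match(line)
        if m:
            detections.append((m.group(1), m.group(2), int(m.group(3))))
    return header, detections

def summarize(header, detections):
    """Recompute the totals from the detail lines and compare with the header;
    also split detections by location and count Kaspersky's riskware class."""
    by_location, riskware = Counter(), 0
    for path, threat, count in detections:
        by_location[classify_location(path)] += count
        if threat.startswith("not-a-virus:"):  # adware/riskware, not malware
            riskware += count
    names = {threat for _, threat, _ in detections}
    total = sum(count for _, _, count in detections)
    return {
        "threat_names": len(names),
        "infected_objects": total,
        "header_consistent": (header.get("Threat name") == len(names)
                              and header.get("Infected objects") == total),
        "riskware_objects": riskware,
        "by_location": dict(by_location),
    }

def run_example():
    return summarize(*parse_report(REPORT))
```

On this report `run_example()` confirms the header (11 names, 29 objects), attributes 27 objects to the OTMoveIt folder and 1 to the restore point, and leaves a single live detection, the AOL toolbar adware; the four "not-a-virus:" objects are the SearchIt and MyWay adware hits.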





