
Thread: Virtumode?

  1. #1
    Junior Member (Join Date: Dec 2007, Posts: 9)

    Virtumode?

    I've been having strange occurrences of IE starting up and loading random websites recently (although for regular browsing I use Firefox), and also my Symantec antivirus has found Trojan.Vundo. I deleted it, but it returned. I deleted it again and it has not returned, but I still have the problems with IE running now and again. I've followed some advice from other threads and tried using VundoFix, but no files are found. Also, I tried using the online virus search suggested in the sticky, but it failed.

    I've run Spybot S&D and the Vundo was there also, but after several scans it seems to have gone (I also ran it in safe mode and the system was clean). But the problem still exists.

    Finally, although my antivirus and firewall are up to date, I tried to do Windows Update with IE and then a new IE browser opens and goes to some webpage with "Sorry this page no longer available", so I close both IE windows. I'm not sure if it is safe to use IE?

    Thanks in advance for your help,
    Dave

    Here is my HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:56:14 PM, on 12/2/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    I:\WINDOWS\System32\smss.exe
    I:\WINDOWS\system32\winlogon.exe
    I:\WINDOWS\system32\services.exe
    I:\WINDOWS\system32\lsass.exe
    I:\WINDOWS\system32\svchost.exe
    I:\WINDOWS\System32\svchost.exe
    I:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    I:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    I:\WINDOWS\Explorer.EXE
    I:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    I:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
    I:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    I:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    I:\WINDOWS\system32\spoolsv.exe
    I:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    I:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
    I:\WINDOWS\eHome\ehRecvr.exe
    I:\WINDOWS\eHome\ehSched.exe
    I:\WINDOWS\system32\nvsvc32.exe
    I:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
    I:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
    I:\WINDOWS\system32\dllhost.exe
    I:\WINDOWS\ehome\ehtray.exe
    I:\WINDOWS\stsystra.exe
    I:\Program Files\Common Files\Symantec Shared\ccApp.exe
    I:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
    I:\WINDOWS\System32\DLA\DLACTRLW.EXE
    I:\Program Files\Common Files\Real\Update_OB\realsched.exe
    I:\WINDOWS\eHome\ehmsas.exe
    I:\Program Files\iTunes\iTunesHelper.exe
    I:\WINDOWS\system32\ctfmon.exe
    I:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    I:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
    I:\WINDOWS\System32\svchost.exe
    I:\Program Files\iPod\bin\iPodService.exe
    I:\Program Files\uTorrent\uTorrent.exe
    I:\Program Files\Mozilla Firefox\firefox.exe
    I:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtWLan.exe
    I:\Program Files\Skype\Phone\Skype.exe
    I:\Program Files\Skype\Plugin Manager\skypePM.exe
    I:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O4 - HKLM\..\Run: [ehTray] I:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE I:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [ccApp] "I:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] I:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
    O4 - HKLM\..\Run: [DLA] I:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [TkBellExe] "I:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "I:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] I:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "I:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "I:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Samsung Common SM] "I:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun
    O4 - HKCU\..\Run: [ctfmon.exe] I:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] I:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: Adobe Gamma.lnk = I:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://I:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - I:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - I:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - I:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1190756595031
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - I:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Adobe LM Service - Adobe Systems - I:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - I:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - I:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Google Updater Service (gusvc) - Google - I:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - I:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: IS Service (ISSVC) - Symantec Corporation - I:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
    O23 - Service: LiveUpdate - Symantec Corporation - I:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: NBService - Nero AG - I:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - I:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - I:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - I:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - I:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - I:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe

    --
    End of file - 7976 bytes

  2. #2
    Emeritus-Security Expert (Join Date: Nov 2005, Location: Florida's SpaceCoast, Posts: 15,208)

    Hello Dave

    Welcome to Safer Networking.

    Please read Before You Post.
    That said, all advice given by anyone volunteering here is taken at your own risk.
    While best efforts are made to assist in removing infections safely, unexpected stuff can happen.



    Your log basically looks fine, but let's do a few things.


    Download CCleaner from here to clean temp files from your computer.
    • Double click on the file to start the installation of the program.
    • Select your language and click OK, then next.
    • Read the license agreement and click I Agree.
    • Click next to use the default install location. Click Install then finish to complete installation.
    • Double click the CCleaner shortcut on the desktop to start the program.
    • On the "Windows" tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit).
    • If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla.
    • Click on the "Options" icon at the left side of the window, then click on "Advanced." Deselect "Only delete files in Windows Temp folders older than 48 hours."
    • Click on the "Cleaner" icon on the left side of the window, then click Run Cleaner to run the program.
    • Caution: It is not recommended that you use the "Issues" feature unless you are very familiar with the registry as it has been known to find legitimate items.
    • After CCleaner has completed its process, click Exit.


    *NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders. If you have anything in a temp folder, back it up or move it to a permanent folder prior to running CCleaner!




    Please download SuperAntiSpyware
    Install the program
    • Run SuperAntiSpyware and click: Check for updates
    • Once the update is finished, on the main screen, click: Scan your computer
    • Check: Perform Complete Scan
    • Click Next to start the scan.

    Superantispyware scans the computer, and when finished, lists all the infections found.
    Make sure everything found has a check next to it, and press: Next
    Then, click Finish

    It is possible that the program asks to reboot in order to delete some files.

    Obtain the SuperAntiSpyware log as follows:
    • Click: Preferences
    • Click the Statistics/Logs tab
    • Under Scanner Logs, double-click SuperAntiSpyware Scan Log
    It opens in your default text editor (such as Notepad)

    Please provide the SuperAntiSpyware log in your reply, as well as a new HijackThis log.



    This is important, do this before you post a new log:
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe <-- Right click on HijackThis.exe (looks like a man with a spyglass) and rename it to Dave.exe
    Let me see the SAS report and a new HJT log renamed to Dave.exe please.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  3. #3
    Junior Member (Join Date: Dec 2007, Posts: 9)

    Hi Ken,

    Thanks for the advice.
    I've run CCleaner and also the SAS, the log for SAS is below:

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 12/02/2007 at 11:23 PM

    Application Version : 3.9.1008

    Core Rules Database Version : 3353
    Trace Rules Database Version: 1352

    Scan type : Complete Scan
    Total Scan Time : 00:43:47

    Memory items scanned : 590
    Memory threats detected : 3
    Registry items scanned : 6261
    Registry threats detected : 15
    File items scanned : 36068
    File threats detected : 17

    Adware.Vundo-Variant/Small
    I:\WINDOWS\SYSTEM32\OPNLJJH.DLL
    I:\WINDOWS\SYSTEM32\OPNLJJH.DLL
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{79B3844B-6DAC-4B78-B0B8-C99D8BBDCD50}
    HKCR\CLSID\{79B3844B-6DAC-4B78-B0B8-C99D8BBDCD50}
    HKCR\CLSID\{79B3844B-6DAC-4B78-B0B8-C99D8BBDCD50}\InprocServer32
    HKCR\CLSID\{79B3844B-6DAC-4B78-B0B8-C99D8BBDCD50}\InprocServer32#ThreadingModel
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{79B3844B-6DAC-4B78-B0B8-C99D8BBDCD50}
    Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\opnljjh

    Unclassified.Unknown Origin/System
    I:\WINDOWS\SYSTEM32\JKHHI.DLL
    I:\WINDOWS\SYSTEM32\JKHHI.DLL

    Trojan.Downloader-NewJuan/VM
    I:\WINDOWS\SYSTEM32\AARJRXCF.DLL
    I:\WINDOWS\SYSTEM32\AARJRXCF.DLL

    Adware.Vundo Variant
    HKLM\Software\Classes\CLSID\{26F04ACF-2AA0-408A-AA5D-F81FCAA0A65D}
    HKCR\CLSID\{26F04ACF-2AA0-408A-AA5D-F81FCAA0A65D}
    HKCR\CLSID\{26F04ACF-2AA0-408A-AA5D-F81FCAA0A65D}\InprocServer32
    HKCR\CLSID\{26F04ACF-2AA0-408A-AA5D-F81FCAA0A65D}\InprocServer32#ThreadingModel
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{26F04ACF-2AA0-408A-AA5D-F81FCAA0A65D}

    Adware.Vundo-Variant/Small-A
    HKLM\Software\Classes\CLSID\{321d26bd-16f2-41b9-9b72-86ed05967bc0}
    HKCR\CLSID\{321D26BD-16F2-41B9-9B72-86ED05967BC0}
    HKCR\CLSID\{321D26BD-16F2-41B9-9B72-86ED05967BC0}\InprocServer32
    HKCR\CLSID\{321D26BD-16F2-41B9-9B72-86ED05967BC0}\InprocServer32#ThreadingModel
    I:\WINDOWS\SYSTEM32\MKYVHTSU.DLL

    Adware.Tracking Cookie
    I:\Documents and Settings\Dave\Cookies\dave@lynxtrack[1].txt
    I:\Documents and Settings\Dave\Cookies\dave@imrworldwide[2].txt
    I:\Documents and Settings\Dave\Cookies\dave@atdmt[2].txt
    I:\Documents and Settings\Dave\Cookies\dave@overture[1].txt
    I:\Documents and Settings\Dave\Cookies\dave@indiads[1].txt
    I:\Documents and Settings\Dave\Cookies\dave@adbrite[2].txt
    I:\Documents and Settings\Dave\Cookies\dave@traffic.uusee[1].txt
    I:\Documents and Settings\Dave\Cookies\dave@ads.adbrite[1].txt
    I:\Documents and Settings\Dave\Cookies\dave@path.pureadstracking[1].txt
    I:\Documents and Settings\Dave\Cookies\dave@2o7[2].txt
    I:\Documents and Settings\Dave\Cookies\dave@richmedia.yahoo[1].txt
    I:\Documents and Settings\Dave\Cookies\dave@findwhat[1].txt

    Adware.Vundo/Traff-2
    I:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\SYMANTEC ANTIVIRUS CORPORATE EDITION\7.5\APTEMP\APQ288.TMP

    ---

    I did have to reboot after the scan - and upon startup my Symantec AV immediately detected a Trojan.Vundo and automatically cleaned it.

    I also renamed HJT and ran it again, here is the output:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:56:17 PM, on 12/2/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    I:\WINDOWS\System32\smss.exe
    I:\WINDOWS\system32\winlogon.exe
    I:\WINDOWS\system32\services.exe
    I:\WINDOWS\system32\lsass.exe
    I:\WINDOWS\system32\svchost.exe
    I:\WINDOWS\System32\svchost.exe
    I:\WINDOWS\Explorer.EXE
    I:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    I:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    I:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    I:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
    I:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    I:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    I:\WINDOWS\system32\spoolsv.exe
    I:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    I:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
    I:\WINDOWS\eHome\ehRecvr.exe
    I:\WINDOWS\eHome\ehSched.exe
    I:\WINDOWS\system32\nvsvc32.exe
    I:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
    I:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
    I:\WINDOWS\system32\dllhost.exe
    I:\WINDOWS\ehome\ehtray.exe
    I:\WINDOWS\stsystra.exe
    I:\Program Files\Common Files\Symantec Shared\ccApp.exe
    I:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
    I:\WINDOWS\System32\DLA\DLACTRLW.EXE
    I:\WINDOWS\eHome\ehmsas.exe
    I:\Program Files\Common Files\Real\Update_OB\realsched.exe
    I:\Program Files\iTunes\iTunesHelper.exe
    I:\WINDOWS\system32\ctfmon.exe
    I:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    I:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    I:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
    I:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtWLan.exe
    I:\WINDOWS\System32\svchost.exe
    I:\Program Files\iPod\bin\iPodService.exe
    I:\WINDOWS\system32\wuauclt.exe
    I:\Program Files\Mozilla Firefox\firefox.exe
    I:\Program Files\Trend Micro\HijackThis\Dave.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: (no name) - {26F04ACF-2AA0-408A-AA5D-F81FCAA0A65D} - (no file)
    O2 - BHO: (no name) - {44F5A19C-ACFE-437A-BD28-FD15DE5515EE} - (no file)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - I:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - I:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: (no name) - {79B3844B-6DAC-4B78-B0B8-C99D8BBDCD50} - (no file)
    O4 - HKLM\..\Run: [ehTray] I:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE I:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [ccApp] "I:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] I:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
    O4 - HKLM\..\Run: [DLA] I:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [TkBellExe] "I:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "I:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] I:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "I:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "I:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Samsung Common SM] "I:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun
    O4 - HKCU\..\Run: [ctfmon.exe] I:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] I:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] I:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Startup: Adobe Gamma.lnk = I:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://I:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - I:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - I:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - I:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1190756595031
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - I:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - I:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: opnljjh - I:\WINDOWS\
    O23 - Service: Adobe LM Service - Adobe Systems - I:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - I:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - I:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Google Updater Service (gusvc) - Google - I:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - I:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: IS Service (ISSVC) - Symantec Corporation - I:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
    O23 - Service: LiveUpdate - Symantec Corporation - I:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: NBService - Nero AG - I:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - I:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - I:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - I:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - I:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - I:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe

    --
    End of file - 8598 bytes

    Once again, I really appreciate your help with this,
    Dave

  4. #4
    Emeritus-Security Expert (Join Date: Nov 2005, Location: Florida's SpaceCoast, Posts: 15,208)

    Good Morning Dave,

    SAS removed most of Vundo, but sometimes it brings other bad things with it. Let's do this.

    Open HijackThis > Do a System Scan Only. Close your browser and all open windows, including this one; the only program or window you should have open is HijackThis. Check the following entries and click on Fix Checked.

    O2 - BHO: (no name) - {26F04ACF-2AA0-408A-AA5D-F81FCAA0A65D} - (no file)
    O2 - BHO: (no name) - {44F5A19C-ACFE-437A-BD28-FD15DE5515EE} - (no file)
    O2 - BHO: (no name) - {79B3844B-6DAC-4B78-B0B8-C99D8BBDCD50} - (no file)

    O20 - Winlogon Notify: opnljjh - I:\WINDOWS\

    This program will pick up any leftover Vundo files if there are any left.

    Download ComboFix from Here or Here to your Desktop.
    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post the ComboFix log and a HijackThis log in your next reply.

    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    FYI, the thieves that have written Vundo have written it to go undetected by HJT; by renaming HJT to something else, if Vundo is present it will then show up on your log... it did.

    Post the Combofix log and a New HJT log please
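The checks the helper applies by eye in the post above, as an added Python example that is not from the thread and not part of HijackThis: it parses the HJT v2.0.2 log layout posted here, flags the orphaned O2 BHOs and the directory-only O20 Winlogon Notify entry he asked to be fixed, cross-checks CLSIDs against the SUPERAntiSpyware report from post #3, and warns when a log was produced by an un-renamed HijackThis.exe. The sample log is constructed from lines posted in this thread; the `kind` labels and function names are my own.

```python
import ntpath
import re
from dataclasses import dataclass

# Constructed sample in the HijackThis v2.0.2 log layout posted in this thread,
# taken after the scanner was renamed to Dave.exe (when Vundo leftovers showed up).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2

Running processes:
I:\WINDOWS\System32\smss.exe
I:\Program Files\Trend Micro\HijackThis\Dave.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
O2 - BHO: (no name) - {26F04ACF-2AA0-408A-AA5D-F81FCAA0A65D} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - I:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {79B3844B-6DAC-4B78-B0B8-C99D8BBDCD50} - (no file)
O20 - Winlogon Notify: !SASWinLogon - I:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: opnljjh - I:\WINDOWS\
"""

# CLSIDs that the SUPERAntiSpyware report earlier in the thread tied to Vundo.
SAS_CLSIDS = (
    "{79B3844B-6DAC-4B78-B0B8-C99D8BBDCD50}",
    "{26F04ACF-2AA0-408A-AA5D-F81FCAA0A65D}",
    "{321D26BD-16F2-41B9-9B72-86ED05967BC0}",
)

# Every HJT finding line reads "<section code> - <payload>", e.g. "O2 - BHO: ...".
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")


@dataclass
class Finding:
    kind: str   # machine-readable label, see triage()
    line: str   # the log line (or process path) it refers to
    note: str   # what a helper would tell the poster


def parse_hjt_log(text):
    """Return (running_processes, [(code, payload), ...]) from a HJT log."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False      # a blank line closes the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return processes, entries


def triage(text, reported_clsids=()):
    """Flag the entries a helper would want fixed or cross-checked."""
    processes, entries = parse_hjt_log(text)
    watch = {c.upper() for c in reported_clsids}
    findings = []
    for exe in processes:
        # Vundo hides from a scanner named HijackThis.exe, so such a log is untrustworthy.
        if ntpath.basename(exe).lower() == "hijackthis.exe":
            findings.append(Finding("unrenamed_hjt", exe, "rename HijackThis.exe and rescan"))
    for code, payload in entries:
        line = f"{code} - {payload}"
        if code == "O2":
            # O2 payload: "BHO: <name> - {CLSID} - <dll path | (no file)>"
            parts = payload.rsplit(" - ", 2)
            if len(parts) != 3:
                continue
            _name, clsid, path = parts
            if path == "(no file)":
                findings.append(Finding("orphaned_bho", line, "BHO CLSID registered, DLL gone"))
            if clsid.upper() in watch:
                findings.append(Finding("reported_clsid", line, "CLSID named in anti-spyware report"))
        elif code == "O20":
            # O20 payload: "Winlogon Notify: <subkey> - <dll path>"
            parts = payload.rsplit(" - ", 1)
            if len(parts) != 2:
                continue
            _subkey, path = parts
            if path.endswith("\\") or not path.lower().endswith(".dll"):
                findings.append(Finding("notify_no_dll", line, "Winlogon Notify points at no DLL"))
    return findings


def fix_checked_lines(findings):
    """Log lines to tick under 'Fix Checked', deduplicated, in log order."""
    out = []
    for f in findings:
        if f.kind in ("orphaned_bho", "notify_no_dll") and f.line not in out:
            out.append(f.line)
    return out
```

Running `fix_checked_lines(triage(SAMPLE_LOG, SAS_CLSIDS))` returns exactly the four-minus-one entries the helper listed above (the {44F5A19C-...} BHO is absent only because the sample omits it).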

  5. #5
    Junior Member (Join Date: Dec 2007, Posts: 9)

    Hi Ken,

    Here is the Combofix log:

    ComboFix 07-12-02.7 - Dave 2007-12-03 19:18:52.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1421 [GMT -5:00]
    Running from: I:\Documents and Settings\Dave\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    I:\WINDOWS\system32\ihhkj.ini
    I:\WINDOWS\system32\ihhkj.ini2
    I:\WINDOWS\system32\neidvgbm.dll
    I:\WINDOWS\system32\tbphvbsc.dll

    .
    ((((((((((((((((((((((((( Files Created from 2007-11-04 to 2007-12-04 )))))))))))))))))))))))))))))))
    .

    2007-12-02 22:37 . 2007-12-02 22:37 <DIR> d-------- I:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2007-12-02 22:36 . 2007-12-02 23:58 <DIR> d-------- I:\Program Files\SUPERAntiSpyware
    2007-12-02 22:36 . 2007-12-02 22:36 <DIR> d-------- I:\Documents and Settings\Dave\Application Data\SUPERAntiSpyware.com
    2007-12-02 22:29 . 2007-12-02 22:29 <DIR> d-------- I:\Program Files\CCleaner
    2007-12-02 14:55 . 2007-12-02 14:55 <DIR> d-------- I:\Program Files\Trend Micro
    2007-12-01 11:07 . 2007-12-01 11:07 <DIR> d-------- I:\WINDOWS\system32\Kaspersky Lab
    2007-12-01 11:07 . 2007-12-01 11:07 <DIR> d-------- I:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2007-12-01 10:34 . 2007-12-01 10:34 <DIR> d-------- I:\VundoFix Backups
    2007-12-01 08:04 . 2007-12-01 10:34 <DIR> d-------- I:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-11-29 21:52 . 2003-06-18 17:31 17,920 --a------ I:\WINDOWS\system32\mdimon.dll
    2007-11-29 21:52 . 2007-11-29 21:52 376 --a------ I:\WINDOWS\ODBC.INI
    2007-11-29 21:51 . 2007-11-29 21:51 <DIR> d-------- I:\Program Files\Microsoft ActiveSync
    2007-11-29 21:50 . 2007-11-29 21:51 <DIR> d-------- I:\WINDOWS\SHELLNEW
    2007-11-29 21:50 . 2007-11-29 21:50 <DIR> d-------- I:\Program Files\Microsoft.NET
    2007-11-23 03:07 . 2007-11-23 03:07 <DIR> d-------- I:\WINDOWS\system32\Dell
    2007-11-06 21:15 . 2007-11-06 21:15 <DIR> d-------- I:\Program Files\Macromedia
    2007-11-06 21:15 . 2007-11-06 21:15 <DIR> d-------- I:\Program Files\Common Files\Macromedia
    2007-11-06 21:14 . 2007-11-06 21:14 <DIR> d-------- I:\WINDOWS\Downloaded Installations

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-12-04 00:15 --------- d-----w I:\Documents and Settings\Dave\Application Data\uTorrent
    2007-12-04 00:09 --------- d-----w I:\Program Files\Mozilla Thunderbird
    2007-12-03 04:54 --------- d-----w I:\Program Files\Common Files\Symantec Shared
    2007-12-03 03:36 --------- d-----w I:\Program Files\Common Files\Wise Installation Wizard
    2007-12-02 22:17 --------- d-----w I:\Documents and Settings\Dave\Application Data\Skype
    2007-11-17 18:14 --------- d-----w I:\Program Files\SopCast
    2007-11-01 01:15 --------- d-----w I:\Documents and Settings\Dave\Application Data\Ahead
    2007-10-29 23:25 --------- d-----w I:\Program Files\uTorrent
    2007-10-20 19:51 --------- d-----w I:\Program Files\TVUPlayer
    2007-10-20 19:51 --------- d-----w I:\Documents and Settings\Dave\Application Data\TVU Networks
    2007-10-15 03:24 --------- d-----w I:\Program Files\Neat Image
    2007-10-15 03:07 --------- d--h--w I:\Program Files\InstallShield Installation Information
    2007-10-15 03:07 --------- d-----w I:\Program Files\Picasa2
    2007-10-15 03:07 --------- d-----w I:\Program Files\CoffeeCup Software
    2007-10-15 03:07 --------- d-----w I:\Documents and Settings\Dave\Application Data\CoffeeCup Software
    2007-10-15 03:06 --------- d-----w I:\Program Files\Google
    2007-10-13 02:45 --------- d-----w I:\Program Files\Samsung ML-2010 Series
    2007-10-13 02:45 --------- d-----w I:\Program Files\Common Files\InstallShield
    2007-10-10 00:50 --------- d-----w I:\Documents and Settings\Dave\Application Data\ACD Systems
    2007-10-10 00:31 --------- d-----w I:\Program Files\Installs
    2007-10-08 23:54 --------- d-----w I:\Program Files\MSXML 4.0
    2007-10-08 03:07 --------- d-----w I:\Documents and Settings\Dave\Application Data\Apple Computer
    2007-10-08 02:08 --------- d-----w I:\Program Files\QuickTime
    2007-10-08 02:08 --------- d-----w I:\Program Files\iTunes
    2007-10-08 02:08 --------- d-----w I:\Program Files\iPod
    2007-10-08 02:08 --------- d-----w I:\Documents and Settings\All Users\Application Data\Apple Computer
    2007-10-08 02:07 --------- d-----w I:\Program Files\Common Files\Apple
    2007-10-08 02:07 --------- d-----w I:\Program Files\Apple Software Update
    2007-10-08 02:07 --------- d-----w I:\Documents and Settings\All Users\Application Data\Apple
    2007-10-08 02:03 --------- d-----w I:\Program Files\Common Files\Ahead
    2007-10-08 02:03 --------- d-----w I:\Documents and Settings\All Users\Application Data\Ahead
    2007-10-08 02:02 --------- d-----w I:\Program Files\Nero
    2007-10-08 02:02 --------- d-----w I:\Documents and Settings\All Users\Application Data\Nero
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="I:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00]
    "SpybotSD TeaTimer"="I:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]
    "SUPERAntiSpyware"="I:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="I:\WINDOWS\ehome\ehtray.exe" [2005-08-05 12:56]
    "NvCplDaemon"="RUNDLL32.exe" [2004-08-10 06:00 I:\WINDOWS\system32\rundll32.exe]
    "SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 17:20 I:\WINDOWS\stsystra.exe]
    "ccApp"="I:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 16:38]
    "vptray"="I:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe" [2007-03-14 18:49]
    "DLA"="I:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-11-07 04:20]
    "TkBellExe"="I:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-27 07:24]
    "Adobe Reader Speed Launcher"="I:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
    "NeroFilterCheck"="I:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 14:57]
    "QuickTime Task"="I:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
    "iTunesHelper"="I:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 13:42]
    "Samsung Common SM"="I:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" [2005-03-14 00:01]

    I:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    WG111v2 Smart Wizard Wireless Setting.lnk - I:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe [2007-09-20 20:07:36]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle"= I:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme"= I:\WINDOWS\Resources\Themes\Royale.theme

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= I:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    I:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 I:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    R2 EAPPkt;Realtek EAPPkt Protocol;I:\WINDOWS\system32\DRIVERS\EAPPkt.sys
    R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;I:\WINDOWS\system32\DRIVERS\wg111v2.sys
    R3 SjyPkt;SjyPkt;\??\I:\WINDOWS\System32\Drivers\SjyPkt.sys

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-12-02 04:23:01 I:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - I:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    **************************************************************************

    catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-12-03 19:21:51
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-12-03 19:23:08 - machine was rebooted
    .
    --- E O F ---
    ---

    And here is a HJT log:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:36:35 PM, on 12/3/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    I:\WINDOWS\System32\smss.exe
    I:\WINDOWS\system32\winlogon.exe
    I:\WINDOWS\system32\services.exe
    I:\WINDOWS\system32\lsass.exe
    I:\WINDOWS\system32\svchost.exe
    I:\WINDOWS\System32\svchost.exe
    I:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    I:\WINDOWS\Explorer.EXE
    I:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    I:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    I:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
    I:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    I:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    I:\WINDOWS\system32\spoolsv.exe
    I:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    I:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
    I:\WINDOWS\eHome\ehRecvr.exe
    I:\WINDOWS\eHome\ehSched.exe
    I:\WINDOWS\system32\nvsvc32.exe
    I:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
    I:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
    I:\WINDOWS\system32\dllhost.exe
    I:\WINDOWS\ehome\ehtray.exe
    I:\WINDOWS\stsystra.exe
    I:\Program Files\Common Files\Symantec Shared\ccApp.exe
    I:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
    I:\WINDOWS\System32\DLA\DLACTRLW.EXE
    I:\Program Files\Common Files\Real\Update_OB\realsched.exe
    I:\Program Files\iTunes\iTunesHelper.exe
    I:\WINDOWS\system32\ctfmon.exe
    I:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    I:\WINDOWS\eHome\ehmsas.exe
    I:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
    I:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtWLan.exe
    I:\WINDOWS\System32\svchost.exe
    I:\Program Files\iPod\bin\iPodService.exe
    I:\Program Files\Mozilla Firefox\firefox.exe
    I:\Program Files\Trend Micro\HijackThis\Dave.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - I:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - I:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O4 - HKLM\..\Run: [ehTray] I:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE I:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [ccApp] "I:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] I:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
    O4 - HKLM\..\Run: [DLA] I:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [TkBellExe] "I:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "I:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] I:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "I:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "I:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Samsung Common SM] "I:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun
    O4 - HKCU\..\Run: [ctfmon.exe] I:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] I:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] I:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Startup: Adobe Gamma.lnk = I:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://I:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - I:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - I:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - I:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1190756595031
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - I:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - I:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Adobe LM Service - Adobe Systems - I:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - I:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - I:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Google Updater Service (gusvc) - Google - I:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - I:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: IS Service (ISSVC) - Symantec Corporation - I:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
    O23 - Service: LiveUpdate - Symantec Corporation - I:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: NBService - Nero AG - I:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - I:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - I:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - I:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - I:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - I:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe

    --
    End of file - 8239 bytes


    I also fixed the entries that you listed.

    Cheers,
    Dave
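    To review a HijackThis log like the one above more systematically, here is an added example, written for this page and not part of HijackThis, ComboFix or this thread: a small Python parser that groups the `Rx`/`Oxx` lines by section and flags the entries a reviewer would check first (a target that no longer resolves, an autostart running from outside the usual program directories, and DLLs loaded into IE or Winlogon, which merit confirmation of their publisher). The trusted-directory list, the set of sections treated as DLL-loading, and the last sample line (a placeholder autostart entry in a user profile folder) are this example's own assumptions; the other sample lines are copied from the log above.

```python
"""Group HijackThis-style log lines by section and flag entries worth a second look.

Added example; not HijackThis code and not from the thread. The heuristics
(trusted directories, DLL-loading sections) are this example's own assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# HijackThis section prefixes as they appear in the log above.
SECTION_NAMES = {
    "R0": "IE start page", "R1": "IE default/search URL",
    "O2": "Browser Helper Object", "O4": "Autostart entry",
    "O8": "IE context menu item", "O9": "IE extra button / Tools item",
    "O16": "ActiveX download (DPF)", "O18": "Protocol handler",
    "O20": "Winlogon Notify DLL", "O23": "Windows service",
}

# Assumption: installed software normally autostarts from one of these roots;
# anything else (user profile, temp folder, drive root) deserves a closer look.
TRUSTED_ROOTS = ("\\program files\\", "\\progra~1\\", "\\windows\\")

# Assumption: sections whose target DLL is loaded into IE or Winlogon.
DLL_LOAD_SECTIONS = {"O2", "O18", "O20"}

LINE_RE = re.compile(r"^(?P<section>[RO]\d+)\s+-\s+(?P<body>.*)$")
# A Windows path (drive letter, backslash) up to a typical binary extension.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\[\]]*?\.(?:exe|dll|sys|cab))', re.IGNORECASE)


@dataclass
class Entry:
    section: str
    body: str
    path: Optional[str]
    flags: list = field(default_factory=list)


def parse_line(line):
    """Return an Entry for one 'Oxx - ...' line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    pm = PATH_RE.search(body)
    e = Entry(section, body, pm.group(1) if pm else None)
    if "(no file)" in body.lower() or body.endswith("= ?"):
        e.flags.append("target missing or unresolved")
    if e.path and not any(r in e.path.lower() for r in TRUSTED_ROOTS):
        e.flags.append("runs from outside Program Files / Windows")
    if section in DLL_LOAD_SECTIONS:
        e.flags.append("DLL loaded into IE/Winlogon: confirm it belongs to known software")
    return e


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def count_by_section(entries):
    counts = {}
    for e in entries:
        counts[e.section] = counts.get(e.section, 0) + 1
    return counts


def flagged(entries):
    return [e for e in entries if e.flags]


# Sample input: the first five entry lines are taken from the HJT log in this
# thread; the last one is a constructed placeholder, not a real program.
SAMPLE_LOG = r"""
Running processes:
I:\WINDOWS\System32\smss.exe
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - I:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE I:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [SUPERAntiSpyware] I:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O23 - Service: Symantec AntiVirus - Symantec Corporation - I:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O4 - HKCU\..\Run: [Updater] I:\Documents and Settings\Dave\Local Settings\Temp\updater_PLACEHOLDER.exe
"""

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for sec, n in sorted(count_by_section(entries).items()):
        print(f"{sec:4} {SECTION_NAMES.get(sec, '?'):32} {n}")
    for e in flagged(entries):
        print(f"\n{e.section} {e.body}\n   -> " + "; ".join(e.flags))
```

    The flags are prompts for verification, not verdicts: on the sample above the Spybot BHO is flagged only because every BHO should be matched to known software, the `= ?` startup shortcut because its target did not resolve, and the placeholder entry because it autostarts from a user's temp folder. Lines that are not `Rx`/`Oxx` entries (the running-process list, the R-lines' URLs without a local path) are simply skipped.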

  6. #6
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Hello Dave,

    Your log looks fine

    I:\VundoFix Backups <-- you can delete this folder


    How are things running now?
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  7. #7
    Junior Member
    Join Date
    Dec 2007
    Posts
    9

    Default

    Hi Ken,

    Things are running fine at the moment, haven't had any more virus alerts and IE is behaving itself too!

    Thanks for all of your help, I really appreciate it!

    Dave

  8. #8
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    You're very welcome David <-- My son's name


    • Go to Start > Run and copy and paste ComboFix /u into the box
    • Make sure there's a space between Combofix and /
    • Then hit enter.


    This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.



    Malware Complaints
    Are you mad? I mean really mad, seething mad, so mad you're ready to spit, mad that you have taken your hard earned dollars to buy a computer only to have some Miscreants, Dirt Bags and Cyber Criminals install a malicious program on your computer without your knowledge or consent. You can post your complaint at the above site. If you live in the U.S.A. you can also report your grievance to your State Attorney General's Office and the Federal Trade Commission's Bureau of Consumer Protection.


    Keep in mind, if you install some of these programs, that only ONE Anti Virus and only ONE Firewall is recommended; more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster, you can still install Spybot Search and Destroy but do not enable the TeaTimer in Spybot.
    Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community:
    • Spybot Search and Destroy 1.5
      Check for Updates / Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster (Recommended) then do not enable the TeaTimer in Spybot Search and Destroy.
    • Spyware Blaster It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.
    • Spyware Guard It offers real-time protection from spyware installation attempts; again, no scan to run, just install it and let it do its thing.
    • IE-Spyad
      IE-Spyad places over 6000 web sites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites.
    • Firefox 2.0.0.6 It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, you can use them both.
    • Zone Alarm Here is a free Firewall from Zone Labs; I wouldn't access the internet without it.


    Glad we could help

    Safe Surfn
    Ken
