Vundo virus awvvt.dll



redwingsoh
2008-01-28, 03:53
I appear to have the Vundo virus. It has been identified by Ad-Aware and Spybot but neither one can remove it. It always reappears. The file awvvt.dll is always identified in my system32 file but even if I try to remove it in safe mode it says it is being used by another program. Any help would be greatly appreciated. Here is a copy of my HijackThis log.


Logfile of HijackThis v1.99.1
Scan saved at 8:40:33 PM, on 1/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\DOCUME~1\John\MYDOCU~1\Programs\NORTON~1\navapw32.exe
C:\DOCUME~1\John\MYDOCU~1\Programs\ZONEAL~1\ZONEAL~1\zlclient.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AdvancedCleaner Free\ian_monitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\John\MYDOCU~1\Programs\NORTON~1\navapw32 .exe
C:\Program Files\LogMeIn\LogMeInSystray .exe
C:\DOCUME~1\John\MYDOCU~1\Programs\ZONEAL~1\ZONEAL~1\zlclient .exe
C:\WINDOWS\system32\ctfmon .exe
C:\Program Files\AdvancedCleaner Free\ian_monitor .exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Documents and Settings\John\My Documents\Programs\Norton Antivrus\navapsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F3 - REG:win.ini: load=C:\WINDOWS\system32\awvvt.exe
O4 - HKLM\..\Run: [NAV Agent] C:\DOCUME~1\John\MYDOCU~1\Programs\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\DOCUME~1\John\MYDOCU~1\Programs\ZONEAL~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SM_IAN] C:\Program Files\AdvancedCleaner Free\ian_monitor .exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe /auto
O4 - HKLM\..\Run: [a4b7127f] rundll32.exe "C:\WINDOWS\system32\tonhfjls.dll",b
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Documents and Settings\John\My Documents\Programs\Norton Antivrus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Thanks,

Redwings

ken545
2008-01-29, 03:20
Hello Redwings

Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, all advice given by anyone volunteering here is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.


You are indeed infected with the Vundo Trojan.

Let's do a few things.

Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

**Note: In the event you already have ComboFix, please delete it from your desktop and download this new version. It is important that it is saved directly to your desktop.**


Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running ComboFix.
WARNING: If you have not already done so, ComboFix will disconnect your machine from the Internet when it starts.
Please do not reconnect your machine to the Internet until ComboFix has completely finished.



Go to Add/Remove Programs in the Control Panel and uninstall HijackThis 1.99.1, as it's outdated, then download and install the newer version by Trend Micro.

Download Trend Micro's HijackThis (http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe) to your desktop.
Double click it to install.
Follow the prompts; by default it will install in C:\Program Files\Trendmicro\Hijackthis\Highjackthis.exe


I need to see the ComboFix log and a new HJT log by Trend Micro, please.

redwingsoh
2008-01-29, 17:30
Here are the logs you requested. Thank you!

ComboFix 08-01-29.3 - John 2008-01-29 10:07:01.4 - NTFSx86
Running from: C:\Documents and Settings\John\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\awvvt.dll
C:\Program Files\AdvancedCleaner Free\ian_monitor .exe
C:\WINDOWS\system32\awvvt.dll
C:\WINDOWS\system32\awvvt.exe
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\tvvwa.ini
C:\WINDOWS\system32\tvvwa.ini2

.
((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-29 )))))))))))))))))))))))))))))))
.

2008-01-29 10:16 . 2008-01-29 10:16 335,872 --a------ C:\WINDOWS\system32\awvvt.dll
2008-01-29 09:53 . 2008-01-29 09:53 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-27 18:10 . 2008-01-27 18:10 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-27 18:10 . 2008-01-27 18:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-27 06:59 . 2008-01-27 06:59 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-01-22 21:56 . 2008-01-22 21:56 4,608 --ahs---- C:\WINDOWS\system32\Thumbs.db
2008-01-21 16:35 . 2008-01-21 16:35 8,506,408 --a------ C:\Install_AIM59.exe
2008-01-18 15:44 . 2008-01-18 15:44 <DIR> d-------- C:\Program Files\Western Digital Technologies
2008-01-18 13:54 . 2008-01-18 13:54 <DIR> d-------- C:\Program Files\PQDVD
2008-01-18 13:51 . 2008-01-18 13:51 <DIR> d-------- C:\Documents and Settings\John\Application Data\vlc
2008-01-18 13:50 . 2008-01-18 13:50 <DIR> d-------- C:\Program Files\VideoLAN
2008-01-18 13:15 . 2008-01-18 13:15 <DIR> d-------- C:\ConverterOutput
2008-01-18 13:12 . 2008-01-18 13:12 <DIR> d-------- C:\Program Files\Cucusoft
2008-01-16 20:37 . 2008-01-16 20:37 339,456 --a------ C:\WINDOWS\system32\RCX10D.tmp
2008-01-16 19:44 . 2008-01-29 10:16 <DIR> d-------- C:\Program Files\AdvancedCleaner Free
2008-01-16 19:44 . 2003-03-19 08:20 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2008-01-16 19:37 . 2008-01-16 19:37 31,232 --a------ C:\_YnJubV9zYV9iYW5uZXJfZ2F2X21hNA_Z2FtZQ_bm1fMTUxMDc2X0RBNzc2NzFFQjc1QjExREM4QzcwMTUxMDc2RERGRkZGX0Q2RTk3OUY3MTA1RTRGQzVCN0QzMjM2QzAwNDE5MTIy_.exe
2008-01-16 19:27 . 2008-01-16 19:27 45,640 --a------ C:\PerformanceOptimizerPre_Installer.exe
2008-01-15 14:34 . 2008-01-15 14:34 <DIR> d-------- C:\Documents and Settings\John\Application Data\Nexon
2008-01-15 14:29 . 2008-01-15 14:29 <DIR> d-------- C:\Nexon
2008-01-13 16:20 . 2008-01-13 16:20 339,456 --a------ C:\WINDOWS\system32\RCX10C.tmp
2008-01-07 19:34 . 2008-01-21 17:11 748 --a------ C:\WINDOWS\wininit.ini
2007-12-31 20:37 . 2007-12-31 20:37 <DIR> d-------- C:\Documents and Settings\John\Application Data\Uniblue
2007-12-31 20:07 . 2007-12-31 20:10 2,008 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-31 20:06 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-12-31 20:06 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-12-31 20:06 . 2007-12-20 23:11 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2007-12-31 20:06 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-12-31 20:06 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-12-31 20:06 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-12-31 10:31 . 2008-01-29 08:13 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2007-12-31 08:12 . 2008-01-12 19:10 155,648 --a------ C:\WINDOWS\system32\NeroCheck .exe
2007-12-30 23:47 . 2007-12-31 20:12 380,416 --a------ C:\WINDOWS\mrofinu11.exe.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-29 03:46 --------- d-----w C:\Program Files\QuickTime
2008-01-29 03:45 --------- d-----w C:\Program Files\MSN Messenger
2008-01-28 17:48 --------- d-----w C:\Program Files\LogMeIn
2008-01-28 17:48 --------- d-----w C:\Program Files\iTunes
2008-01-28 01:22 --------- d-----w C:\Program Files\zilpe
2008-01-27 23:09 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-27 23:01 --------- d-----w C:\Documents and Settings\John\Application Data\Lavasoft
2008-01-21 21:44 --------- d-----w C:\Program Files\AIM
2008-01-21 21:37 --------- d-----w C:\Program Files\AOD
2008-01-17 00:37 31,232 ----a-w C:\_YnJubV9zYV9iYW5uZXJfZ2F2X21hNA_Z2FtZQ_bm1fMTUxMDc2X0RBNzc2NzFFQjc1QjExREM4QzcwMTUxMDc2RERGRkZGX0Q2RTk3OUY3MTA1RTRGQzVCN0QzMjM2QzAwNDE5MTIy_.exe
2008-01-07 23:48 --------- d-----w C:\Program Files\SpywareBlaster
2007-12-27 22:19 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-12-26 01:32 --------- d-----w C:\Program Files\EA GAMES
2007-12-25 18:16 --------- d-----w C:\Program Files\WarRock
2007-12-25 14:31 --------- d--h--r C:\Documents and Settings\John\Application Data\SecuROM
2007-12-25 13:52 94,208 ----a-w C:\WINDOWS\DUMP8c51.tmp
2005-11-19 02:31 800,789 ----a-w C:\Documents and Settings\John\xw.exe
2005-06-21 02:07 280,064 ----a-w C:\Documents and Settings\John\Application Data\tizhook.bin
2005-06-21 02:07 154,384 ----a-w C:\Documents and Settings\John\Application Data\tizupd.bin
2005-02-15 20:45 456,208 ----a-w C:\Documents and Settings\procexpnt\procexp.exe
2004-08-07 19:14 187,904 ----a-w C:\Documents and Settings\HiJackThis\HijackThis.exe
2002-12-16 20:41 66,949 ----a-r C:\Documents and Settings\Drivers\AFLASH.EXE
.

----a-w 75,384 2008-01-28 01:39:02 C:\Documents and Settings\John\My Documents\Programs\Norton Antivrus\navapw32 .exe
----a-w 693,520 2008-01-28 01:39:04 C:\Documents and Settings\John\My Documents\Programs\Zone Alarm\ZoneAlarm\zlclient .exe
----a-w 57,344 2008-01-12 05:06:52 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy .exe
----a-w 581,632 2008-01-29 15:16:21 C:\Program Files\AdvancedCleaner Free\ian_monitor .exe
----a-w 66,672 2008-01-17 01:51:57 C:\Program Files\AIM\aim .exe
----a-w 344,064 2008-01-04 20:39:42 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx .exe
----a-w 256,576 2008-01-28 01:39:04 C:\Program Files\iTunes\iTunesHelper .exe
----a-w 36,975 2008-01-11 15:19:18 C:\Program Files\Java\jre1.5.0_06\bin\jusched .exe
----a-w 303,856 2008-01-28 01:39:04 C:\Program Files\LogMeIn\LogMeInSystray .exe
----a-w 5,354,792 2007-12-31 13:05:11 C:\Program Files\MSN Messenger\msnmsgr .exe
----a-w 282,624 2008-01-11 15:19:23 C:\Program Files\QuickTime\qttask .exe
----a-w 500,224 2008-01-17 01:51:43 C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\MSConfig .exe
----a-w 15,360 2008-01-29 13:13:39 C:\WINDOWS\system32\ctfmon .exe
----a-w 155,648 2008-01-13 00:10:26 C:\WINDOWS\system32\NeroCheck .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{052adc83-7b56-4561-a4e6-d41652f5bb14}]
C:\WINDOWS\system32\tiltoxbk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C3B77F4A-9837-4605-94F7-C50DDD25534C}]
2008-01-29 10:16 335872 --a------ C:\WINDOWS\system32\awvvt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NAV Agent"="C:\DOCUME~1\John\MYDOCU~1\Programs\NORTON~1\navapw32.exe" [ ]
"Zone Labs Client"="C:\DOCUME~1\John\MYDOCU~1\Programs\ZONEAL~1\ZONEAL~1\zlclient.exe" [ ]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [ ]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [ ]
"LogMeIn GUI"="C:\Program Files\LogMeIn\LogMeInSystray.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]
"SM_IAN"="C:\Program Files\AdvancedCleaner Free\ian_monitor .exe" [2008-01-29 10:16 581632]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe" [2008-01-16 20:51 500224]
"a4b7127f"="C:\WINDOWS\system32\tonhfjls.dll" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2006-08-11 16:04 11496 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuvwxy]
vtuvwxy.dll

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\awvvt.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\awvvt

R1 ewido security suite driver;ewido security suite driver;C:\Program Files\ewido anti-malware\guard.sys [2005-12-30 06:12]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\RaInfo.sys [2006-08-11 16:04]
R2 SVKP;SVKP;C:\WINDOWS\System32\SVKP.sys [2004-08-13 19:43]
S3 fd_dbus;FutureDial USB Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\fd_dbus.sys [2004-08-03 13:03]
S3 fd_dmdfl;FutureDial USB Modem Filter;C:\WINDOWS\system32\DRIVERS\fd_dmdfl.sys [2004-08-03 13:04]
S3 fd_dmdm;FutureDial USB Modem Drivers;C:\WINDOWS\system32\DRIVERS\fd_dmdm.sys [2004-08-03 13:04]
S3 gkmixern;gkmixern;C:\DOCUME~1\John\LOCALS~1\Temp\gkmixern.sys []
S3 LTower;LEGO USB Tower Driver;C:\WINDOWS\system32\Drivers\LTower.sys [2001-04-25 16:44]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-28 08:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\DOCUME~1\John\MYDOCU~1\Programs\NORTON~1\NAVW32.exe
"2008-01-29 15:20:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-29 10:16:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SM_IAN = C:\Program Files\AdvancedCleaner Free\ian_monitor .exe?|??????????@???@????????????????|??@?????????p???????? A?3??|???|??C???@???@???????C????????|??@?????????,?????@???@?d???u)?|??@??????????)?|???|??C???@?3??|??????C???@???@?????????? A????|??????@?d??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Documents and Settings\John\My Documents\Programs\Norton Antivrus\navapsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\AdvancedCleaner Free\ian_monitor.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\AdvancedCleaner Free\ian_monitor .exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\cscript.exe
.
**************************************************************************
.
Completion time: 2008-01-29 10:24:09 - machine was rebooted [John]
ComboFix-quarantined-files.txt 2008-01-29 15:22:03
.
2008-01-10 08:04:47 --- E O F ---



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:59, on 2008-01-29
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\John\My Documents\Programs\Norton Antivrus\navapsvc.exe
C:\Program Files\AdvancedCleaner Free\ian_monitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\AdvancedCleaner Free\ian_monitor .exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\Scan\Scan.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: {41bb5f25-614d-6e4a-1654-65b738cda250} - {052adc83-7b56-4561-a4e6-d41652f5bb14} - C:\WINDOWS\system32\tiltoxbk.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {57FF7507-2425-49D5-8AB9-39FE3BFDC8E2} - C:\WINDOWS\system32\awvvt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NAV Agent] C:\DOCUME~1\John\MYDOCU~1\Programs\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\DOCUME~1\John\MYDOCU~1\Programs\ZONEAL~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SM_IAN] C:\Program Files\AdvancedCleaner Free\ian_monitor .exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe /auto
O4 - HKLM\..\Run: [a4b7127f] rundll32.exe "C:\WINDOWS\system32\tonhfjls.dll",b
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: vtuvwxy - vtuvwxy.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Documents and Settings\John\My Documents\Programs\Norton Antivrus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4569 bytes



Redwings :)

ken545
2008-01-29, 19:56
Redwings,

This is where we are at.

You're infected with the latest variant of the Vundo Trojan, which includes a file infector. What this Trojan has done is infect a bunch of programs on your system. If you look back in your ComboFix log at the blue code box, all those programs have been infected. We are going to attempt to clean them; it may take a few passes, so just hang in.

Open Notepad and copy all the text inside the quote box by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before and above File::



File::
C:\WINDOWS\system32\awvvt.dll
C:\PerformanceOptimizerPre_Installer.exe
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\mrofinu11.exe.tmp

Folder::
C:\Program Files\AdvancedCleaner Free

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{052adc83-7b56-4561-a4e6-d41652f5bb14}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C3B77F4A-9837-4605-94F7-C50DDD25534C}]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=-

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

RenV::
----a-w 75,384 2008-01-28 01:39:02 C:\Documents and Settings\John\My Documents\Programs\Norton Antivrus\navapw32 .exe
----a-w 693,520 2008-01-28 01:39:04 C:\Documents and Settings\John\My Documents\Programs\Zone Alarm\ZoneAlarm\zlclient .exe
----a-w 57,344 2008-01-12 05:06:52 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy .exe
----a-w 66,672 2008-01-17 01:51:57 C:\Program Files\AIM\aim .exe
----a-w 344,064 2008-01-04 20:39:42 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx .exe
----a-w 256,576 2008-01-28 01:39:04 C:\Program Files\iTunes\iTunesHelper .exe
----a-w 36,975 2008-01-11 15:19:18 C:\Program Files\Java\jre1.5.0_06\bin\jusched .exe
----a-w 303,856 2008-01-28 01:39:04 C:\Program Files\LogMeIn\LogMeInSystray .exe
----a-w 5,354,792 2007-12-31 13:05:11 C:\Program Files\MSN Messenger\msnmsgr .exe
----a-w 282,624 2008-01-11 15:19:23 C:\Program Files\QuickTime\qttask .exe
----a-w 500,224 2008-01-17 01:51:43 C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\MSConfig .exe
----a-w 15,360 2008-01-29 13:13:39 C:\WINDOWS\system32\ctfmon .exe
----a-w 155,648 2008-01-13 00:10:26 C:\WINDOWS\system32\NeroCheck .exe



Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScript.gif


This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.


You also have a file that ComboFix picked up that I have no idea what it is; we will address that when we finish here.
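
An added triage helper, not part of this thread and not code from ComboFix or HijackThis. It runs over a few lines constructed from the logs quoted above and flags the indicator classes the CFScript targets (the win.ini load= hook, the unnamed BHO, the Run entry launched through rundll32.exe, the dead Winlogon Notify entry, and the "name .exe" files that the RenV:: list renames back), and it decodes the hex(7) value from the Registry:: section to show that it restores the LSA Authentication Packages list to the single Windows default, msv1_0. The function names, the regexes and the sample lines are my own assumptions.

```python
"""Triage helpers for HijackThis / ComboFix-style log lines (added example)."""
import re
from typing import List, Tuple

# Constructed sample: a few HijackThis lines taken from the logs posted in the thread.
SAMPLE_HJT = "\n".join([
    r"F3 - REG:win.ini: load=C:\WINDOWS\system32\awvvt.exe",
    r"O2 - BHO: (no name) - {57FF7507-2425-49D5-8AB9-39FE3BFDC8E2} - C:\WINDOWS\system32\awvvt.dll",
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O4 - HKLM\..\Run: [SM_IAN] C:\Program Files\AdvancedCleaner Free\ian_monitor .exe",
    r'O4 - HKLM\..\Run: [a4b7127f] rundll32.exe "C:\WINDOWS\system32\tonhfjls.dll",b',
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O20 - Winlogon Notify: vtuvwxy - vtuvwxy.dll (file missing)",
])

# Constructed sample: the LSA line as ComboFix printed it in the thread.
COMBOFIX_LSA_LINE = r"Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\awvvt"

# A space before the extension ("ian_monitor .exe"): the file-infector pattern RenV:: undoes.
SPACE_BEFORE_EXT = re.compile(r"\S \.(exe|dll|sys)\b", re.IGNORECASE)
# A Run entry that starts a DLL through rundll32.exe with an export name after the comma.
RUNDLL_RUN = re.compile(r'rundll32\.exe\s+"[^"]+\.dll",\w+', re.IGNORECASE)

# On Windows XP the only default LSA authentication package is msv1_0.
DEFAULT_AUTH_PACKAGES = {"msv1_0"}


def triage_hjt(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (section, reason, line) for every HijackThis line worth a second look."""
    findings = []
    for line in log_text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]
        if section == "F3" and "load=" in line:
            findings.append((section, "win.ini load= hook; normally empty on a clean system", line))
        elif section == "O2" and "(no name)" in line:
            findings.append((section, "Browser Helper Object registered without a name", line))
        elif section == "O20" and "(file missing)" in line:
            findings.append((section, "Winlogon Notify entry whose DLL is gone", line))
        elif section == "O4" and RUNDLL_RUN.search(line):
            findings.append((section, "Run key launching a DLL through rundll32.exe", line))
        if SPACE_BEFORE_EXT.search(line):
            findings.append((section, "space before the extension: file renamed by the infector", line))
    return findings


def decode_reg_multi_sz(value: str) -> List[str]:
    """Decode a .reg 'hex(7):..' REG_MULTI_SZ value into its list of strings."""
    if not value.startswith("hex(7):"):
        raise ValueError("expected a hex(7) REG_MULTI_SZ value")
    hex_part = value[len("hex(7):"):].replace("\\", "").replace("\n", "")
    raw = bytes(int(b, 16) for b in hex_part.split(",") if b.strip())
    # REGEDIT4 files carry 8-bit text; 'Version 5.00' files carry UTF-16LE.
    if raw and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        text = raw.decode("utf-16-le")
    else:
        text = raw.decode("latin-1")
    # Entries are NUL-separated; the list ends with an extra NUL.
    return [s for s in text.split("\x00") if s]


def parse_auth_packages_line(line: str) -> List[str]:
    """Split the ComboFix 'Authentication Packages REG_MULTI_SZ ...' line into entries.

    ComboFix prints the entries space-separated, so a path containing spaces
    would need to be read by hand; the thread's entries contain none.
    """
    _, _, rest = line.partition("REG_MULTI_SZ")
    return rest.split()


def extra_auth_packages(entries: List[str]) -> List[str]:
    """Return Authentication Packages entries beyond the Windows default."""
    return [e for e in entries if e.lower() not in DEFAULT_AUTH_PACKAGES]


if __name__ == "__main__":
    for section, reason, line in triage_hjt(SAMPLE_HJT):
        print(f"[{section}] {reason}\n    {line}")
    before = parse_auth_packages_line(COMBOFIX_LSA_LINE)
    after = decode_reg_multi_sz("hex(7):6d,73,76,31,5f,30,00,00")
    print("LSA extras before fix:", extra_auth_packages(before))
    print("LSA list the CFScript writes:", after)
```

Reading the output next to the thread: the hex(7) bytes 6d,73,76,31,5f,30 spell "msv1_0" followed by two NUL terminators, so the Registry:: entry does nothing more than drop the added awvvt entry from the LSA list, which is why that line belongs in the script even though it touches a sensitive key.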

ken545
2008-01-30, 00:34
Redwings,

You are being helped over at Whatthetech so you can continue there.

Ken

tashi
2008-01-30, 00:52
http://forums.whatthetech.com/vundo_t88004.html