Trojan.Vundo Already tried Vundo fix and continues to re-surface after removal

**ridiculous** · 2007-03-25, 05:57

I have gone through the pre-requisites on this forum to the tee and although things are somewhat better (before I could not even run HJT) I can now at least get around a bit on my computer I am still having an issue. Essentially my computer continues to find the Trojan.Vundo among other things. Because I have TeaTimer running it gets into this endless loop where it is trying to make registry changes and I keep clicking deny. I will post my most recent HJT log below.

I have been battling with this issue for about 3 days now and it is exhausting, thank you so much in advance for any assistance. Oh, also I have run the VundoFix, The Look2Me Fix (found nothing), the ATF Cleaner for both Firefox and IE, SuperAntiSpyware, and Dr. CureIt. As well as Spybot, Adware, and Symantec Corporate (I can post additional logs or details on these as well)

[START LOG]

Logfile of HijackThis v1.99.1
Scan saved at 6:36:14 PM, on 3/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Belkin Bulldog Plus\upsd.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Belkin Bulldog Plus\MUPS.exe
C:\Documents and Settings\HP_Administrator\Desktop\hjt.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.kidrobot.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
O2 - BHO: (no name) - {0A3F58BD-5742-4643-A772-B5398BDB7C0B} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: (no name) - {7A5C6872-78F2-4B24-BD41-A5C18170D55F} - C:\WINDOWS\system32\urqpnll.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [RECGUARD] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [ps2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: MUPS.lnk = C:\Program Files\Belkin Bulldog Plus\MUPS.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: FlashToolset - res://C:\PROGRA~1\Easeweb\FLASHT~1.0\Swafer.dll/300
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: FlashToolset - {4A067D7A-84C4-4de8-A109-2BFBA2B39F72} - C:\PROGRA~1\Easeweb\FLASHT~1.0\Swafer.dll (HKCU)
O9 - Extra 'Tools' menuitem: FlashToolset - {4A067D7A-84C4-4de8-A109-2BFBA2B39F72} - C:\PROGRA~1\Easeweb\FLASHT~1.0\Swafer.dll (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-48.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108w.bay108.mail.live.com/m...s/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1141056973156
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://chat2.j2.com/Media/VisitorChatEnu/TLIEFlash.CAB
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {CBD8B1CB-2F5F-415F-93E8-A297B33DCBB2} (CentrinoCheck Control) - http://entriq.vo.llnwd.net/o1/NBCUni...ck_1_0_0_4.cab
O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} - http://entriq.vo.llnwd.net/o1/NBCUni..._15_Silent.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - http://www.seagate.com/support/disc/...npseatools.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: urqpnll - C:\WINDOWS\SYSTEM32\urqpnll.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: UPS - UPSentry Service (UPSentry_Smart) - Delta - C:\Program Files\Belkin Bulldog Plus\upsd.exe
O23 - Service: Zune Network Sharing Service (ZuneNetworkSvc) - Unknown owner - C:\Program Files\Zune\ZuneNss.exe (file missing)

[END LOG]

**pskelley** · 2007-03-25, 22:15

Welcome to the forum, you are infected and I am 99.9% sure it is Vundo:
O2 - BHO: (no name) - {7A5C6872-78F2-4B24-BD41-A5C18170D55F} - C:\WINDOWS\system32\urqpnll.dll
O20 - Winlogon Notify: urqpnll - C:\WINDOWS\SYSTEM32\urqpnll.dll

Before we start, let me explain a couple of things, hackers call their junk anything they want and the fix we will use can't know all of these possible names. It may not know all of the files the first time (and there is probably hidden junk you can't see) but it will learn. I have seen it take as much as 6 or 8 runs to remove it all. You want to watch the report and you are successful when all Vundo files report as "has been deleted"

Next, programs you are running may try to prevent the changes we must make, they need to be turned of before you run the fix.

Tea Timer: http://russelltexas.com/malware/teatimer.htm

SUPERAntiSpyware: Please disable SuperAntispyware. Right-click on the shortcut from the
system tray, choose View Control Center (preferences/options), on the General and Startup tab, uncheck, Start SUPERAntispyware when Windows starts, click Close to exit.

Delete all versions of Vundofix you may have on your computer and follow these instructions.

Thanks to Atribune and any others who helped with this fix.

Please download VundoFix.exe to your Desktop

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

If there is a file VundoFix doesn't find we need it submitted. Please submit
the files to upload malware http://www.uploadmalware.com

Thanks

**ridiculous** · 2007-03-26, 03:43

Thank you so much for assisting me. I have disabled both tea timer and super anti spyware, and downloaded the latest vundofix. It found 2 items and I did as you said. The HJT log and vundo text file are posted below.

Thank you.

[START VUNDO TEXT]

VundoFix V6.3.17

Checking Java version...

Sun Java not detected
Scan started at 5:52:36 PM 3/22/2007

Listing files found while scanning....

VundoFix V6.3.17

Checking Java version...

Sun Java not detected
Scan started at 6:06:44 PM 3/22/2007

Listing files found while scanning....

VundoFix V6.3.17

Checking Java version...

Sun Java not detected
Scan started at 6:21:55 PM 3/22/2007

Listing files found while scanning....

No infected files were found.

VundoFix V6.3.17

Checking Java version...

Sun Java not detected
Scan started at 10:26:40 PM 3/22/2007

Listing files found while scanning....

VundoFix V6.3.17

Checking Java version...

Sun Java not detected
Scan started at 10:42:39 PM 3/22/2007

Listing files found while scanning....

C:\WINDOWS\system32\awvvt.dll
C:\WINDOWS\system32\tvvwa.bak1
C:\WINDOWS\system32\tvvwa.ini

Beginning removal...

Attempting to delete C:\WINDOWS\system32\awvvt.dll
C:\WINDOWS\system32\awvvt.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\tvvwa.bak1
C:\WINDOWS\system32\tvvwa.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\tvvwa.ini
C:\WINDOWS\system32\tvvwa.ini Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\awvvt.dll
C:\WINDOWS\system32\awvvt.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.17

Checking Java version...

Sun Java not detected
Scan started at 8:29:30 PM 3/25/2007

Listing files found while scanning....

C:\WINDOWS\system32\qqstv.ini
C:\WINDOWS\system32\vtsqq.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\qqstv.ini
C:\WINDOWS\system32\qqstv.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\vtsqq.dll
C:\WINDOWS\system32\vtsqq.dll Has been deleted!

Performing Repairs to the registry.
Done!

[END VUNDO TEXT]

[START HJT LOG]

Logfile of HijackThis v1.99.1
Scan saved at 8:40:25 PM, on 3/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Belkin Bulldog Plus\upsd.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Belkin Bulldog Plus\MUPS.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\HP_Administrator\Desktop\hjt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.kidrobot.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
O2 - BHO: (no name) - {7A5C6872-78F2-4B24-BD41-A5C18170D55F} - C:\WINDOWS\system32\urqpnll.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [RECGUARD] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [ps2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: MUPS.lnk = C:\Program Files\Belkin Bulldog Plus\MUPS.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: FlashToolset - res://C:\PROGRA~1\Easeweb\FLASHT~1.0\Swafer.dll/300
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: FlashToolset - {4A067D7A-84C4-4de8-A109-2BFBA2B39F72} - C:\PROGRA~1\Easeweb\FLASHT~1.0\Swafer.dll (HKCU)
O9 - Extra 'Tools' menuitem: FlashToolset - {4A067D7A-84C4-4de8-A109-2BFBA2B39F72} - C:\PROGRA~1\Easeweb\FLASHT~1.0\Swafer.dll (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-48.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108w.bay108.mail.live.com/m...s/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1141056973156
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://chat2.j2.com/Media/VisitorChatEnu/TLIEFlash.CAB
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {CBD8B1CB-2F5F-415F-93E8-A297B33DCBB2} (CentrinoCheck Control) - http://entriq.vo.llnwd.net/o1/NBCUni...ck_1_0_0_4.cab
O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} - http://entriq.vo.llnwd.net/o1/NBCUni..._15_Silent.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - http://www.seagate.com/support/disc/...npseatools.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: urqpnll - C:\WINDOWS\SYSTEM32\urqpnll.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: UPS - UPSentry Service (UPSentry_Smart) - Delta - C:\Program Files\Belkin Bulldog Plus\upsd.exe
O23 - Service: Zune Network Sharing Service (ZuneNetworkSvc) - Unknown owner - C:\Program Files\Zune\ZuneNss.exe (file missing)

[END HJT LOG]

**pskelley** · 2007-03-26, 12:02

Thanks for returning your information and Vundofix did locate and remove some of the junk, but it did not get the files I highlited in red. Try the fix again, look at this French forum, though it is a little hard to understand, scroll down to this post:

Posté le 02/03/2007 16:42:56 <<< this one and you will see where the fix deletes the file you have showing in your BHO's and Winlogon.

http://forum.telecharger.01net.com/t...essages-1.html
Attempting to delete C:\WINNT\system32\urqpnll.dll
C:\WINNT\system32\urqpnll.dll Has been deleted!

C:\WINDOWS\system32\urqpnll.dll <<< on your computer

Run the fix and watch for it to remove that Vundo file. Post that report and a HJT log.

Thanks

**ridiculous** · 2007-03-26, 17:51

Well I have run the Vundo fix about 10 times now and each time it will remove 3 files, all 3 always have the same extension but different random names. My Symantec is also popping up something called InfoStealer now. When I disable my Anti-virus software then the Vundo fix doesnt find anything, but when it is enabled it does. Do I need to stop any of those files from loading from within HJT? I will post two new logs here in a few minutes.

Thank you again so much for your help.

**ridiculous** · 2007-03-26, 17:54

[START HJT LOG]

Logfile of HijackThis v1.99.1
Scan saved at 10:52:17 AM, on 3/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Belkin Bulldog Plus\upsd.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Belkin Bulldog Plus\MUPS.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Documents and Settings\HP_Administrator\Desktop\hjt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.kidrobot.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
O2 - BHO: (no name) - {7A5C6872-78F2-4B24-BD41-A5C18170D55F} - C:\WINDOWS\system32\urqpnll.dll
O2 - BHO: (no name) - {D5AAE126-5454-47EA-9C7B-FCC32262DE6F} - C:\WINDOWS\system32\jkklk.dll (file missing)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [RECGUARD] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [ps2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: MUPS.lnk = C:\Program Files\Belkin Bulldog Plus\MUPS.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: FlashToolset - res://C:\PROGRA~1\Easeweb\FLASHT~1.0\Swafer.dll/300
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: FlashToolset - {4A067D7A-84C4-4de8-A109-2BFBA2B39F72} - C:\PROGRA~1\Easeweb\FLASHT~1.0\Swafer.dll (HKCU)
O9 - Extra 'Tools' menuitem: FlashToolset - {4A067D7A-84C4-4de8-A109-2BFBA2B39F72} - C:\PROGRA~1\Easeweb\FLASHT~1.0\Swafer.dll (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-48.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108w.bay108.mail.live.com/m...s/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1141056973156
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://chat2.j2.com/Media/VisitorChatEnu/TLIEFlash.CAB
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {CBD8B1CB-2F5F-415F-93E8-A297B33DCBB2} (CentrinoCheck Control) - http://entriq.vo.llnwd.net/o1/NBCUni...ck_1_0_0_4.cab
O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} - http://entriq.vo.llnwd.net/o1/NBCUni..._15_Silent.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - http://www.seagate.com/support/disc/...npseatools.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: urqpnll - C:\WINDOWS\SYSTEM32\urqpnll.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: UPS - UPSentry Service (UPSentry_Smart) - Delta - C:\Program Files\Belkin Bulldog Plus\upsd.exe
O23 - Service: Zune Network Sharing Service (ZuneNetworkSvc) - Unknown owner - C:\Program Files\Zune\ZuneNss.exe (file missing)

[END HJT LOG]

[START VUNDO TEXT]

VundoFix V6.3.17

Checking Java version...

Sun Java not detected
Scan started at 9:01:09 AM 3/26/2007

Listing files found while scanning....

C:\WINDOWS\system32\awvvw.dll
C:\WINDOWS\system32\wvvwa.bak1
C:\WINDOWS\system32\wvvwa.ini

Beginning removal...

Attempting to delete C:\WINDOWS\system32\awvvw.dll
C:\WINDOWS\system32\awvvw.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wvvwa.bak1
C:\WINDOWS\system32\wvvwa.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\wvvwa.ini
C:\WINDOWS\system32\wvvwa.ini Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.17

Checking Java version...

Sun Java not detected
Scan started at 9:13:20 AM 3/26/2007

Listing files found while scanning....

C:\WINDOWS\system32\hhhkj.bak1
C:\WINDOWS\system32\hhhkj.ini
C:\WINDOWS\system32\jkhhh.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\hhhkj.bak1
C:\WINDOWS\system32\hhhkj.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\hhhkj.ini
C:\WINDOWS\system32\hhhkj.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\jkhhh.dll
C:\WINDOWS\system32\jkhhh.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.17

Checking Java version...

Sun Java not detected
Scan started at 9:27:38 AM 3/26/2007

Listing files found while scanning....

C:\WINDOWS\system32\ccbeg.bak1
C:\WINDOWS\system32\ccbeg.ini
C:\WINDOWS\system32\gebcc.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ccbeg.bak1
C:\WINDOWS\system32\ccbeg.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ccbeg.ini
C:\WINDOWS\system32\ccbeg.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\gebcc.dll
C:\WINDOWS\system32\gebcc.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.17

Checking Java version...

Sun Java not detected
Scan started at 9:41:18 AM 3/26/2007

Listing files found while scanning....

C:\WINDOWS\system32\ihkmp.bak1
C:\WINDOWS\system32\ihkmp.ini
C:\WINDOWS\system32\pmkhi.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ihkmp.bak1
C:\WINDOWS\system32\ihkmp.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ihkmp.ini
C:\WINDOWS\system32\ihkmp.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmkhi.dll
C:\WINDOWS\system32\pmkhi.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.17

Checking Java version...

Sun Java not detected
Scan started at 9:55:09 AM 3/26/2007

Listing files found while scanning....

No infected files were found.

Beginning removal...

VundoFix V6.3.17

Checking Java version...

Sun Java not detected
Scan started at 10:09:11 AM 3/26/2007

Listing files found while scanning....

No infected files were found.

Beginning removal...

VundoFix V6.3.17

Checking Java version...

Sun Java not detected
Scan started at 10:16:32 AM 3/26/2007

Listing files found while scanning....

No infected files were found.

Beginning removal...

VundoFix V6.3.17

Checking Java version...

Sun Java not detected
Scan started at 10:20:23 AM 3/26/2007

Listing files found while scanning....

C:\WINDOWS\system32\ddcyv.dll
C:\WINDOWS\system32\vycdd.bak1
C:\WINDOWS\system32\vycdd.ini

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ddcyv.dll
C:\WINDOWS\system32\ddcyv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vycdd.bak1
C:\WINDOWS\system32\vycdd.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\vycdd.ini
C:\WINDOWS\system32\vycdd.ini Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.17

Checking Java version...

Sun Java not detected
Scan started at 10:30:00 AM 3/26/2007

Listing files found while scanning....

C:\WINDOWS\system32\jkklk.dll
C:\WINDOWS\system32\klkkj.bak1
C:\WINDOWS\system32\klkkj.ini

Beginning removal...

Attempting to delete C:\WINDOWS\system32\jkklk.dll
C:\WINDOWS\system32\jkklk.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\klkkj.bak1
C:\WINDOWS\system32\klkkj.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\klkkj.ini
C:\WINDOWS\system32\klkkj.ini Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.17

Checking Java version...

Sun Java not detected
Scan started at 10:41:27 AM 3/26/2007

Listing files found while scanning....

No infected files were found.

Beginning removal...

VundoFix V6.3.17

Checking Java version...

Sun Java not detected
Scan started at 10:49:25 AM 3/26/2007

Listing files found while scanning....

No infected files were found.

Beginning removal...

[END VUNDO FIX]

**pskelley** · 2007-03-26, 18:31

Let's try another tool, though you could see that file was removed by this tool at the French forum? I will assume you followed the directions to upload the file.
If there is a file VundoFix doesn't find we need it submitted. Please submit
the files to upload malware http://www.uploadmalware.com

Do you ever wonder what you pay Symantec for? Not only does it not stop the junk to start with, but then it can't remove it.

Please download VirtumundoBeGone:
http://secured2k.home.comcast.net/to...undoBeGone.exe
* Save it to the Desktop
* Close all running programs (including your Internet Browser)
* Double-click VirtumundoBeGone.exe on the Desktop
* Follow the directions as indicated

This program may generate a "BLUE SCREEN OF DEATH" which is an expected/necessary part of the process.
Do not be concerned.
Just reboot if your system "jams".

To confirm successful deletion, and determine if there are any additional problems, please post the VirtumundoBeGone log VBG.txt. It is found on the Desktop.

Thanks

**ridiculous** · 2007-03-26, 19:00

Yes Symantec obviously doesnt work, do you have a better anti-virus program that you can recommend that I run in unison with Spybot?

I uploaded the malware file and all information:

"Your file (urqpnll.dll) was successfully submitted. If someone requested you submit this file please let them know that you have submitted the file."

I am trying the next application now. WIll post log in a few minutes.

Thank you.

**ridiculous** · 2007-03-26, 19:05

It looks like it found something. Here is the log:

[03/26/2007, 12:01:20] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\HP_Administrator\Desktop\VirtumundoBeGone.exe" )
[03/26/2007, 12:01:25] - Detected System Information:
[03/26/2007, 12:01:25] - Windows Version: 5.1.2600, Service Pack 2
[03/26/2007, 12:01:25] - Current Username: HP_Administrator (Admin)
[03/26/2007, 12:01:25] - Windows is in NORMAL mode.
[03/26/2007, 12:01:25] - Searching for Browser Helper Objects:
[03/26/2007, 12:01:25] - BHO 1: {7A5C6872-78F2-4B24-BD41-A5C18170D55F} ()
[03/26/2007, 12:01:25] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/26/2007, 12:01:25] - Checking for HKLM\...\Winlogon\Notify\urqpnll
[03/26/2007, 12:01:25] - Found: HKLM\...\Winlogon\Notify\urqpnll - This is probably Virtumundo.
[03/26/2007, 12:01:25] - Assigning {7A5C6872-78F2-4B24-BD41-A5C18170D55F} MSEvents Object
[03/26/2007, 12:01:25] - BHO list has been changed! Starting over...
[03/26/2007, 12:01:25] - BHO 1: {7A5C6872-78F2-4B24-BD41-A5C18170D55F} (MSEvents Object)
[03/26/2007, 12:01:25] - ALERT: Found MSEvents Object!
[03/26/2007, 12:01:25] - BHO 2: {D5AAE126-5454-47EA-9C7B-FCC32262DE6F} ()
[03/26/2007, 12:01:25] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/26/2007, 12:01:25] - Checking for HKLM\...\Winlogon\Notify\jkklk
[03/26/2007, 12:01:25] - Key not found: HKLM\...\Winlogon\Notify\jkklk, continuing.
[03/26/2007, 12:01:25] - Finished Searching Browser Helper Objects
[03/26/2007, 12:01:25] - *** Detected MSEvents Object
[03/26/2007, 12:01:25] - Trying to remove MSEvents Object...
[03/26/2007, 12:01:26] - Terminating Process: IEXPLORE.EXE
[03/26/2007, 12:01:26] - Terminating Process: RUNDLL32.EXE
[03/26/2007, 12:01:26] - Disabling Automatic Shell Restart
[03/26/2007, 12:01:26] - Terminating Process: EXPLORER.EXE
[03/26/2007, 12:01:27] - Suspending the NT Session Manager System Service
[03/26/2007, 12:01:27] - Terminating Windows NT Logon/Logoff Manager
[03/26/2007, 12:01:27] - Re-enabling Automatic Shell Restart
[03/26/2007, 12:01:27] - File to disable: C:\WINDOWS\system32\urqpnll.dll
[03/26/2007, 12:01:27] - Renaming C:\WINDOWS\system32\urqpnll.dll -> C:\WINDOWS\system32\urqpnll.dll.vir
[03/26/2007, 12:01:27] - File successfully renamed!
[03/26/2007, 12:01:27] - Removing HKLM\...\Browser Helper Objects\{7A5C6872-78F2-4B24-BD41-A5C18170D55F}
[03/26/2007, 12:01:27] - Removing HKCR\CLSID\{7A5C6872-78F2-4B24-BD41-A5C18170D55F}
[03/26/2007, 12:01:27] - Adding Kill Bit for ActiveX for GUID: {7A5C6872-78F2-4B24-BD41-A5C18170D55F}
[03/26/2007, 12:01:27] - Deleting ATLEvents/MSEvents Registry entries
[03/26/2007, 12:01:27] - Removing HKLM\...\Winlogon\Notify\urqpnll
[03/26/2007, 12:01:27] - Searching for Browser Helper Objects:
[03/26/2007, 12:01:27] - BHO 1: {D5AAE126-5454-47EA-9C7B-FCC32262DE6F} ()
[03/26/2007, 12:01:27] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/26/2007, 12:01:27] - Checking for HKLM\...\Winlogon\Notify\jkklk
[03/26/2007, 12:01:27] - Key not found: HKLM\...\Winlogon\Notify\jkklk, continuing.
[03/26/2007, 12:01:27] - Finished Searching Browser Helper Objects
[03/26/2007, 12:01:27] - Finishing up...
[03/26/2007, 12:01:27] - A restart is needed.
[03/26/2007, 12:01:36] - Attempting to Restart via STOP error (Blue Screen!)

[03/26/2007, 12:04:14] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\HP_Administrator\Desktop\VirtumundoBeGone.exe" )
[03/26/2007, 12:04:16] - Detected System Information:
[03/26/2007, 12:04:16] - Windows Version: 5.1.2600, Service Pack 2
[03/26/2007, 12:04:16] - Current Username: HP_Administrator (Admin)
[03/26/2007, 12:04:16] - Windows is in NORMAL mode.
[03/26/2007, 12:04:16] - Searching for Browser Helper Objects:
[03/26/2007, 12:04:16] - BHO 1: {D5AAE126-5454-47EA-9C7B-FCC32262DE6F} ()
[03/26/2007, 12:04:16] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/26/2007, 12:04:16] - Checking for HKLM\...\Winlogon\Notify\jkklk
[03/26/2007, 12:04:16] - Key not found: HKLM\...\Winlogon\Notify\jkklk, continuing.
[03/26/2007, 12:04:16] - Finished Searching Browser Helper Objects
[03/26/2007, 12:04:16] - Finishing up...
[03/26/2007, 12:04:16] - Nothing found! Exiting...

[03/26/2007, 12:04:31] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\HP_Administrator\Desktop\VirtumundoBeGone.exe" )
[03/26/2007, 12:04:32] - Detected System Information:
[03/26/2007, 12:04:32] - Windows Version: 5.1.2600, Service Pack 2
[03/26/2007, 12:04:32] - Current Username: HP_Administrator (Admin)
[03/26/2007, 12:04:32] - Windows is in NORMAL mode.
[03/26/2007, 12:04:32] - Searching for Browser Helper Objects:
[03/26/2007, 12:04:32] - BHO 1: {D5AAE126-5454-47EA-9C7B-FCC32262DE6F} ()
[03/26/2007, 12:04:32] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/26/2007, 12:04:32] - Checking for HKLM\...\Winlogon\Notify\jkklk
[03/26/2007, 12:04:32] - Key not found: HKLM\...\Winlogon\Notify\jkklk, continuing.
[03/26/2007, 12:04:32] - Finished Searching Browser Helper Objects
[03/26/2007, 12:04:32] - Finishing up...
[03/26/2007, 12:04:32] - Nothing found! Exiting...

**pskelley** · 2007-03-26, 19:14

I wish I could tell you what program will stop the junk, but the hackers are making lots of $$$ and all they have to do is count the $$$ and figure ways to beat your security. Governments don't seem to be able to do anything either. I use McAfee but it is getting a bad as Symantec, their new program is hugh and I took away my CC number, and will go with freeware. Though when all is said an done, that infection probably got onboard as a results of a bad script you picked up at a website you would never have thought it of. Here's what I mean:
http://www.networkworld.com/news/200...-unravels.html
http://www.revenews.com/wayneporter/...l_network_now/

What is being said:
http://anti-virus-software-review.toptenreviews.com/
http://www.consumersearch.com/www/so...e/reviews.html
http://www.zdnet.com.au/news/securit...9263949,00.htm

Thread: Trojan.Vundo Already tried Vundo fix and continues to re-surface after removal

Thread Tools

Display

Trojan.Vundo Already tried Vundo fix and continues to re-surface after removal

Posting Permissions