Vundo / Vitrimundo Infection

**collinzm** · 2009-03-10, 05:19

The only symptoms that I am experiencing now are the google search result redirects.

We reset the factory default settings on our router and got it back up and running.

This whole thing started when I clicked on a supposed link in a chat window on a side bar on the site JustinTV to watch a live stream on a Portland Trailblazers basketball game. AVG popped up with a virus and I started trying to combat it by running Spybot etc.

I am not sure if this matters or not but one thing I did in the advanced settings tools in spybot was disable some of the system startup items. I believe one came up on a virus scan: prunnet. This still shows up on the system startup list but I disabled it.

See system startup list from Spybot, HJT log and Gmer logs below:

--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2008-01-28 SDDelFile.exe (1.0.2.4)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2008-08-14 SDWinSec.exe (1.0.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-01-26 TeaTimer.exe (1.6.4.26)
2007-04-04 unins000.exe (51.41.0.0)
2009-03-01 unins001.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-01-26 advcheck.dll (1.6.2.15)
2007-04-02 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2009-01-22 Includes\Adware.sbi
2009-01-22 Includes\AdwareC.sbi
2009-01-22 Includes\Cookies.sbi
2009-01-06 Includes\Dialer.sbi
2009-01-22 Includes\DialerC.sbi
2009-01-22 Includes\HeavyDuty.sbi
2009-02-10 Includes\Hijackers.sbi
2009-02-10 Includes\HijackersC.sbi
2008-12-09 Includes\Keyloggers.sbi
2009-02-17 Includes\KeyloggersC.sbi
2004-11-29 Includes\LSP.sbi
2009-02-24 Includes\Malware.sbi
2009-02-24 Includes\MalwareC.sbi
2008-12-16 Includes\PUPS.sbi
2009-02-24 Includes\PUPSC.sbi
2009-01-22 Includes\Revision.sbi
2009-01-13 Includes\Security.sbi
2009-02-10 Includes\SecurityC.sbi
2008-06-03 Includes\Spybots.sbi
2008-06-03 Includes\SpybotsC.sbi
2009-01-28 Includes\Spyware.sbi
2009-01-28 Includes\SpywareC.sbi
2008-06-03 Includes\Tracks.uti
2009-02-24 Includes\Trojans.sbi
2009-02-24 Includes\TrojansC.sbi
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

Located: HK_LM:Run, Adobe Reader Speed Launcher
command: "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
file: C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
size: 34672
MD5: 69B16C7B7746BA5C642FC05B3561FC73

Located: HK_LM:Run, AVG8_TRAY
command: C:\PROGRA~1\AVG\AVG8\avgtray.exe
file: C:\PROGRA~1\AVG\AVG8\avgtray.exe
size: 1601304
MD5: 1FC8B35E97123A9DF64F092DA8784E4C

Located: HK_LM:Run, CTSysVol
command: C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
file: C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
size: 57344
MD5: 06DE1310E3F1EA208B3C3B3C3ADE6B55

Located: HK_LM:Run, DLA
command: C:\WINDOWS\System32\DLA\DLACTRLW.EXE
file: C:\WINDOWS\System32\DLA\DLACTRLW.EXE
size: 122940
MD5: CEFD0E35B35AFD9D1C2FEC9AF81AFDB8

Located: HK_LM:Run, DMXLauncher
command: C:\Program Files\Dell\Media Experience\DMXLauncher.exe
file: C:\Program Files\Dell\Media Experience\DMXLauncher.exe
size: 94208
MD5: B5121A832E03AAE75ADB37382F21B6A1

Located: HK_LM:Run, IMEKRMIG6.1
command: C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
file: C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
size: 44032
MD5: E6BB63BBE1BED01769CA87F4DAC286C8

Located: HK_LM:Run, IntelWireless
command: "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
file: C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
size: 602182
MD5: DA199948BDF65D2EF9109B60EC4621D0

Located: HK_LM:Run, IntelZeroConfig
command: "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
file: C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
size: 667718
MD5: B8C80DCCD4CE7CBF1FE8600B68418536

Located: HK_LM:Run, MBMon
command: Rundll32 CTMBHA.DLL,MBMon
file: C:\WINDOWS\system32\CTMBHA.DLL
size: 1355042
MD5: 1C461ABC23EB312B6D0CBD4D58DBF4A0

Located: HK_LM:Run, MSPY2002
command: C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
file: C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe
size: 59392
MD5: 1B17E09C1223F6D17336D2DD7A1AF4F4

Located: HK_LM:Run, NvCplDaemon
command: RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
file: C:\WINDOWS\system32\NvCpl.dll
size: 7557120
MD5: 05F3C17A97F53853A90611E95DF522C6

Located: HK_LM:Run, NVHotkey
command: rundll32.exe nvHotkey.dll,Start
file: C:\WINDOWS\system32\nvHotkey.dll
size: 73728
MD5: 501346DE4716A3B74029B8955D285CFB

Located: HK_LM:Run, NvMediaCenter
command: RunDLL32.exe NvMCTray.dll,NvTaskbarInit
file: C:\WINDOWS\system32\NvMCTray.dll
size: 86016
MD5: 35DF0559CD1EBF194FC5D03E9AF14B69

Located: HK_LM:Run, nwiz
command: nwiz.exe /installquiet
file: C:\WINDOWS\system32\nwiz.exe
size: 1519616
MD5: 26E351E84C6611C780DC8603DDE75225

Located: HK_LM:Run, PHIME2002A
command: C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
file: C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE
size: 455168
MD5: 024DC0F68DF5FD6AE9DD82DFBAF479D6

Located: HK_LM:Run, PHIME2002ASync
command: C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
file: C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE
size: 455168
MD5: 024DC0F68DF5FD6AE9DD82DFBAF479D6

Located: HK_LM:Run, QuickTime Task
command: "C:\Program Files\QuickTime\QTTask.exe" -atboottime
file: C:\Program Files\QuickTime\QTTask.exe
size: 413696
MD5: 0AB3C83FCB8EF6F56E4FB22089F0D3B9

Located: HK_LM:Run, SigmatelSysTrayApp
command: stsystra.exe
file: C:\WINDOWS\stsystra.exe
size: 282624
MD5: AD2506958DE1937C16C553C0A1BE0572

Located: HK_LM:Run, SunJavaUpdateSched
command: "C:\Program Files\Java\jre6\bin\jusched.exe"
file: C:\Program Files\Java\jre6\bin\jusched.exe
size: 148888
MD5: 3237A58DC79C051004CD3A67C8FBC781

Located: HK_LM:Run, SynTPEnh
command: C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
file: C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
size: 761947
MD5: ABB85828C394CEACACBC90373C59C529

Located: HK_LM:Run, UpdReg
command: C:\WINDOWS\UpdReg.EXE
file: C:\WINDOWS\UpdReg.EXE
size: 90112
MD5: C419DF63E0121D72411285780C2FC6CC

Located: HK_LM:Run, VoiceCenter
command: "C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" /tray
file: C:\Program Files\Creative\VoiceCenter\AndreaVC.exe
size: 1118208
MD5: 0EB3273815D81B4E58B9597B7C682FE6

Located: HK_LM:RunOnce, Uninstall getPlus(R) for Adobe
command: "C:\Program Files\NOS\bin\getPlus_HelperSvc.exe" /UninstallGet1noarp
file: C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
size: 33752
MD5: 7BEC703F31E1D441DB16886C9AA4CBA9

Located: HK_LM:Run, (DISABLED)
command:
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_LM:Run, Acrobat Assistant 7.0 (DISABLED)
command: "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
file: C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_LM:Run, BuildBU (DISABLED)
command: c:\dell\bldbubg.exe
file: c:\dell\bldbubg.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_LM:Run, dezafevopi (DISABLED)
command: Rundll32.exe "C:\WINDOWS\system32\ruludoji.dll",s
file: C:\WINDOWS\system32\ruludoji.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_LM:Run, IMJPMIG8.1 (DISABLED)
command: "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
file: C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE
size: 208952
MD5: 7BBE4CF421AECC7F0226EDD75F12079F

Located: HK_LM:Run, ISUSPM Startup (DISABLED)
command: "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
file: C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
size: 249856
MD5: 9E109B03018763FDCB075CE74547BE22

Located: HK_LM:Run, ISUSScheduler (DISABLED)
command: "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
file: C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
size: 81920
MD5: 583B7D111304BE63D7D9CB65482D2187

Located: HK_LM:Run, prunnet (DISABLED)
command: "C:\WINDOWS\system32\prunnet.exe"
file: C:\WINDOWS\system32\prunnet.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_LM:Run, QuickTime Task (DISABLED)
command: "C:\Program Files\QuickTime\QTTask.exe" -atboottime
file: C:\Program Files\QuickTime\QTTask.exe
size: 413696
MD5: 0AB3C83FCB8EF6F56E4FB22089F0D3B9

Located: HK_CU:Run, SetDefaultMIDI
where: S-1-5-21-2722903905-2106106613-3886879620-1005...
command: MIDIDef.exe
file: C:\WINDOWS\MIDIDef.exe
size: 24576
MD5: 702A697091F0C47AF6BDAE2A35E2C248

Located: HK_CU:Run, swg
where: S-1-5-21-2722903905-2106106613-3886879620-1005...
command: C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
file: C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
size: 68856
MD5: E616A6A6E91B0A86F2F6217CDE835FFE

Located: HK_CU:Run, updateMgr (DISABLED)
where: S-1-5-21-2722903905-2106106613-3886879620-1005...
command: "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_9 -reboot 1
file: C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, Creative MediaSource Go
where: S-1-5-21-2722903905-2106106613-3886879620-500...
command: "C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU.exe" /SCB
file: C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU.exe
size: 143360
MD5: A8DA49275F7B1B884901438D2762EC2A

Located: HK_CU:Run, DellSupport
where: S-1-5-21-2722903905-2106106613-3886879620-500...
command: "C:\Program Files\Dell Support\DSAgnt.exe" /startup
file: C:\Program Files\Dell Support\DSAgnt.exe
size: 332800
MD5: A40D952C0355C85867517AA529A06741

Located: HK_CU:Run, ModemOnHold
where: S-1-5-21-2722903905-2106106613-3886879620-500...
command: C:\Program Files\NetWaiting\netWaiting.exe
file: C:\Program Files\NetWaiting\netWaiting.exe
size: 20480
MD5: 676B1D0BFA5EF8005395AB43F33DE1F1

Located: HK_CU:Run, SetDefaultMIDI
where: S-1-5-21-2722903905-2106106613-3886879620-500...
command: MIDIDef.exe
file: C:\WINDOWS\MIDIDef.exe
size: 24576
MD5: 702A697091F0C47AF6BDAE2A35E2C248

Located: Startup (common), Adobe Acrobat Speed Launcher.lnk (DISABLED)
where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
command: C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe
file: C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: Startup (common), Adobe Reader Speed Launch.lnk (DISABLED)
where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
command: C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
file: C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: Startup (common), Bluetooth.lnk
where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
command: C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
file: C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
size: 622653
MD5: 223A18AC9E6A23D6A8B84223F3794497

Located: Startup (common), Digital Line Detect.lnk
where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
command: C:\Program Files\Digital Line Detect\DLG.exe
file: C:\Program Files\Digital Line Detect\DLG.exe
size: 24576
MD5: B66E56733E2CD6A10FDA5919625FBF46

Located: Startup (common), VPN Client.lnk (DISABLED)
where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
command: C:\WINDOWS\Installer\{ED4FF7B5-2EC9-4BBF-B9C3-AA1F7ACF5E98}\Icon3E5562ED7.ico
file: C:\WINDOWS\Installer\{ED4FF7B5-2EC9-4BBF-B9C3-AA1F7ACF5E98}\Icon3E5562ED7.ico
size: 6144
MD5: 85AB6C3089BEE58999B434E114E8A64C

Located: WinLogon, avgrsstarter
command: avgrsstx.dll
file: avgrsstx.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cryptnet
command: cryptnet.dll
file: cryptnet.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cscdll
command: cscdll.dll
file: cscdll.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, dimsntfy
command: %SystemRoot%\System32\dimsntfy.dll
file: %SystemRoot%\System32\dimsntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, ScCertProp
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, Schedule
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, SensLogn
command: WlNotify.dll
file: WlNotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, termsrv
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, WgaLogon
command: WgaLogon.dll
file: WgaLogon.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, wlballoon
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, avgrsstarter (DISABLED)
command: avgrsstx.dll
file: avgrsstx.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

GMER 1.0.15.14878 - http://www.gmer.net
Rootkit scan 2009-03-09 18:12:15
Windows 5.1.2600 Service Pack 3

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Ip ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

---- EOF - GMER 1.0.15 ----

GMER 1.0.15.14878 - http://www.gmer.net
Rootkit scan 2009-03-09 20:43:28
Windows 5.1.2600 Service Pack 3

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [AFBBA2D0] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [AFBBA560] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [AFBBA6A0] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [AFBBA450] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [AFBBA450] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [AFBBA2D0] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [AFBBA560] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [AFBBA6A0] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [AFBBA2D0] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [AFBBA450] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [AFBBA6A0] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [AFBBA560] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [AFBBA6A0] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [AFBBA560] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [AFBBA2D0] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [AFBBA450] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [AFBBA2D0] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [AFBBA560] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [AFBBA6A0] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisCloseAdapter] [AFBBA6A0] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter] [AFBBA560] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol] [AFBBA450] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol] [AFBBA2D0] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [AFBBA2D0] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [AFBBA450] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [AFBBA6A0] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [AFBBA560] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Udfs \UdfsCdRom DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Udfs \UdfsDisk DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Ip ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)

Device \FileSystem\Fastfat \Fat AC342D20

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:13:48 PM, on 3/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\stacsv.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\DOCUME~1\ROCKST~1\LOCALS~1\Temp\clclean.0001
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netflix.com/Login
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...us&ibd=1060908
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [VoiceCenter] "C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" /tray
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [Uninstall getPlus(R) for Adobe] "C:\Program Files\NOS\bin\getPlus_HelperSvc.exe" /UninstallGet1noarp
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk.disabled
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: VPN Client.lnk.disabled
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\stacsv.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 10096 bytes

Thank you

**pskelley** · 2009-03-10, 09:45

Make sure you can view all files and folders:

http://www.bleepingcomputer.com/tuto...l62.html#winxp

Let's remove these, you can still set any start page you wish.
http://www.microsoft.com/windows/ie/...e7_basics.mspx

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...us&ibd=1060908
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Right click Start > Explore and navigate to these files/folders and delete them if there.

C:\WINDOWS\system32\ruludoji.dll <<< delete the file

C:\WINDOWS\system32\prunnet.exe <<< delete the file

Empty the Recycle Bin on the Desktop and restart the computer.

Thanks

**collinzm** · 2009-03-11, 03:28

Hi,

I completed the tasks from the previous post. The two files to delete were not in the windows32 folder (showing all hidden items) so I was unable to delete them. No change in redirects in Firefox after restart.

Internet Explorer does not seem to be having the same issues. In the past I had not ever used IE unless I had to. One of the symptoms of the original infection was the IE would open on its own, until I ran the fixes. Could this now be confined to Firefox?

The hijack in Firefox seems to be clickfraudmanager.com - This is the beginning of the redirect address when I click on a google search result.

After searching for the term clickfraudmanager.com a lot of info comes up on people having the same issue. One thing I noticed when reading up on this was running Kaspersky online with windows IE only? I ran my scan previously with Firefox.

Not sure what the next step is. I don't want to go off trying every "fix" I find online. Your guidance on where to go from here (if any) is appreciated.

Thanks,
Collin

**pskelley** · 2009-03-11, 12:50

OK, getting me confused no talking about Internet Explorer and Firefox when I am thinking the only issues is Google? Please tell me exactly what the issue is we are trying to correct and when it is happening.

Could this now be confined to Firefox?

Certainly, malware could have added something to Firefox, look here:
Click on Tools -> Add-ons
You have two options - to Disable or to Uninstall
Uninstalling add-ons take effect when you restart Firefox
(look at all four tabs for anything that should not be there)

Not sure what the next step is. I don't want to go off trying every "fix" I find online. Your guidance on where to go from here (if any) is appreciated.

Nor am I, having never had this issue, I know nothing more than you do about it. To troubleshoot the issue, you will be doing just that, trying things others have tried.

FIREFOX POLICIES <<< for instance, look at this area in the combofix log. I have been using combofix a long time and I have never seen all of those addresses like that in a log and have no idea why they are there. You might want to uninstall Mozilla Firefox completely from the computer, restart, then download it again and try it out of the box to see how it runs.
http://www.mozilla.com/en-US/firefox/

Thanks

**collinzm** · 2009-03-12, 15:14

I apologize for the confusion. Up until recently I had not been checking IE for malicious activity. After testing search results from google and other search engines in IE I found that it did not have the same redirecting hijack as Firefox.

I checked out the add-ons in Firefox and nothing seemed to be unusual so I took your advice and uninstalled completely, erased all leftover Firefox folders and restarted. I then downloaded a fresh copy of Firefox using IE and reinstalled. This seems to have fixed the problem. Search results no longer redirect through "clickfraudmanager.com..." and there have been no other symptoms.

Thanks again for your help. Let me know if there is anything I need to do to wrap up the help session.

**pskelley** · 2009-03-12, 16:29

Thanks for that feedback, I appreciate the information. Let's wrap up like this...

Here is some good AVG information if you can use it:
FAQ: http://www.avg.com/faq
AVG Free Forum: http://freeforum.avg.com/
http://russelltexas.com/tutorials/avg8install.htm

Remove combofix from the computer like this:

Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.

Clean the System Restore files like this:

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Update MBAM and scan to be sure we missed none of the junk, there is no need to post a clean scan result.
(MBAM is yours to keep if you wish, update it and run it once a month or so)

Update AVG8 and scan the system, to be sure it is running right and scanning clean.

If all is well at this point, let me know and I will close the topic.

Some good information for you:
http://users.telenet.be/bluepatchy/m...wcomputer.html
http://www.microsoft.com/windowsxp/u...s/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/m...revention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

http://users.telenet.be/bluepatchy/m...oes/Links.html
http://www.microsoft.com/windows/ie/...rotection.mspx

**collinzm** · 2009-03-17, 15:25

All is well with the computer. I really appreciate the help! Cheers to you and the others who volunteer their time to help people out.

-Collin

**pskelley** · 2009-03-17, 15:45

Thanks for taking the time to let me know

safe surfing.

Thread: Vundo / Vitrimundo Infection

Thread Tools

Display

Posting Permissions