Need help with vundo kill shot!


Reck325

New member
I was recently infected with vundo. I have followed the directions mentioned in the "Before the Post", the kaspersky scan, S&D, and HJT. The Kaspersky and HJT logs are below.

KASPERSKY ONLINE SCANNER REPORT
Thursday, November 15, 2007 12:38:33 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 15/11/2007
Kaspersky Anti-Virus database records: 459914
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - Folders:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 42765
Number of viruses found: 6
Number of infected objects: 15
Number of suspicious objects: 0
Duration of the scan process: 01:00:46

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-12082006-091652.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\00800000.VBN Infected: Trojan-Downloader.Win32.Agent.dxj skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\ship\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\ship\Desktop\Removal Tools\SmitfraudFix\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\ship\Desktop\Removal Tools\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\ship\Desktop\Removal Tools\SmitfraudFix.zip ZIP: infected - 1 skipped
C:\Documents and Settings\ship\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\ship\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\ship\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\ship\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{DB905A98-4D1D-4345-A9F7-AD820A22675F} Object is locked skipped
C:\Documents and Settings\ship\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\ship\Local Settings\History\History.IE5\MSHist012007111520071116\index.dat Object is locked skipped
C:\Documents and Settings\ship\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\ship\Local Settings\Temporary Internet Files\Content.IE5\3M50YL32\pochki20071106[1] Infected: Trojan.Win32.Obfuscated.kp skipped
C:\Documents and Settings\ship\Local Settings\Temporary Internet Files\Content.IE5\EBFEO2OM\hctp[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\Documents and Settings\ship\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\ship\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\ship\NTUSER.DAT.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{B906308C-E7CF-4D81-A411-C1573A628241}\RP2\A0000063.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\System Volume Information\_restore{B906308C-E7CF-4D81-A411-C1573A628241}\RP3\A0000079.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{B906308C-E7CF-4D81-A411-C1573A628241}\RP3\change.log Object is locked skipped
C:\VundoFix Backups\oxpwmkwb.dll.bad Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\VundoFix Backups\zzyyyykt.dll.bad Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{53C9122A-1999-4A5A-A008-2B2508F37345}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\aavdwltr.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\cbvxsxnu.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\esaxxsvc.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\mllml.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.apq skipped
C:\WINDOWS\system32\smpqiomq.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

HJT log to follow.
 
HJT Log

Not sure if it is relevant, but when completing the S&D scans as noted it took 2 manual scans in safe mode and 2 auto scans at restart for S&D to fully remove items including Directtrack, Hitbox, Virtumonde.generic, and Virtumonde.

Here is the HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:04:19 PM, on 11/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\GWMDMMSG.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.google.com/
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [6c9e2ecd] rundll32.exe "C:\WINDOWS\system32\cbvxsxnu.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.onerateld.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sawyerproducts.com
O17 - HKLM\Software\..\Telephony: DomainName = sawyerproducts.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{37CC4B60-8000-4B08-AEA8-0F193C1DEAE9}: NameServer = 192.168.0.10,192.168.0.100
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sawyerproducts.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{37CC4B60-8000-4B08-AEA8-0F193C1DEAE9}: NameServer = 192.168.0.10,192.168.0.100
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sawyerproducts.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{37CC4B60-8000-4B08-AEA8-0F193C1DEAE9}: NameServer = 192.168.0.10,192.168.0.100
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6442 bytes

Any help would be greatly appreciated! :bigthumb:
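A small triage script for the HijackThis log format posted above, added here as an example; it is not part of this thread, of HijackThis or of any tool the helpers use. It works only on the constructed sample lines embedded in it (modelled on the log above) and flags the two indicator types the thread treats as Vundo tells, namely an O4 Run value that loads a random-named DLL through rundll32 and O15 Trusted Zone additions, plus orphaned O3 toolbar entries as low-severity cleanup.

```python
"""Triage helper for HijackThis (HJT) log lines.

Heuristics only: a hit means "look closer", not "malicious". Legitimate
rundll32 Run entries (NvCpl, NvMcTray) trip none of the signals below.
"""
import re
from dataclasses import dataclass

# Constructed sample modelled on the HJT log posted in this thread (not the full log).
SAMPLE_HJT_LOG = r"""
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [6c9e2ecd] rundll32.exe "C:\WINDOWS\system32\cbvxsxnu.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O15 - Trusted Zone: *.amaena.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
"""


@dataclass
class Finding:
    section: str   # HJT section code, e.g. "O4"
    severity: str  # "high" or "low"
    line: str      # the offending log line, verbatim
    reason: str    # why it was flagged


# "O4 - <hive>: [<value name>] <command>"; Global Startup lines have no brackets and are skipped.
O4_RE = re.compile(r'^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# rundll32[.exe] ["]<path>.dll["][,<export>]
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?(?:,(?P<entry>\S*))?',
    re.IGNORECASE)
RANDOM_STEM_RE = re.compile(r'^[a-z]{6,10}$')      # e.g. cbvxsxnu, iifggge
HEX_VALUE_NAME_RE = re.compile(r'^[0-9a-f]{6,}$')  # e.g. 6c9e2ecd


def _basename(path: str) -> str:
    return path.replace('/', '\\').rsplit('\\', 1)[-1]


def _check_o4(name: str, cmd: str):
    """Return a reason string if the Run value looks like a Vundo-style loader, else None."""
    run = RUNDLL_RE.search(cmd)
    if not run:
        return None
    stem = _basename(run['dll'])[:-4]  # strip the ".dll" extension
    entry = run['entry'] or ''
    signals = []
    if RANDOM_STEM_RE.match(stem):
        signals.append(f'random-looking DLL name "{stem}.dll"')
    if HEX_VALUE_NAME_RE.match(name):
        signals.append(f'hex Run value name "{name}"')
    if len(entry) == 1:
        signals.append(f'single-letter export "{entry}"')
    # Require two independent signals to keep the false-positive rate down.
    if len(signals) >= 2:
        return 'rundll32 loader with ' + ', '.join(signals)
    return None


def triage_line(line: str):
    """Classify one HJT log line; returns a Finding or None."""
    line = line.strip()
    if line.startswith('O15 - Trusted Zone:'):
        return Finding('O15', 'high', line,
                       'site added to the IE Trusted Zone; Vundo variants add these to weaken browser security')
    if line.startswith('O3 - ') and line.endswith('(no file)'):
        return Finding('O3', 'low', line,
                       'toolbar CLSID registered but its file is gone; orphaned entry, safe to fix')
    m = O4_RE.match(line)
    if m:
        reason = _check_o4(m['name'], m['cmd'])
        if reason:
            return Finding('O4', 'high', line, reason)
    return None


def triage_log(text: str):
    """Run triage_line over a whole log and return the findings in log order."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]


if __name__ == '__main__':
    for f in triage_log(SAMPLE_HJT_LOG):
        print(f'[{f.severity:4}] {f.section}: {f.reason}\n        {f.line}')
```

Feed it a real HJT log by passing the file's text to triage_log; every other line type (R0, O8, O9, O16, O17, O23) is deliberately left alone and needs a human eye.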
 
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Thanks for posting the correct information, this looks like a Vundo infection at least and it gets harder and harder to remove so don't expect easy. If you wish to proceed, the junk will download more so stay offline until you are clean except when troubleshooting. Read and follow the directions in the posted order.

See this: http://forums.spybot.info/showpost.php?p=12880&postcount=2
C:\Program Files\Java\j2re1.4.2\ << BADLY out of date and likely why you are infected. Download the newest version and uninstall all old versions in Add Remove programs.


1) System Configuration Utility (MSConfig) is in Selective Startup mode, return it to Normal Mode until we are finished.

2) Spyware programs will compromise the tools we need to run, turn these three off until we are finished.

A: TeaTimer will block changes we must make, use these instructions to turn it off until we are done.
http://russelltexas.com/malware/teatimer.htm

B: AVG Anti-Spyware: Deactivate the Resident Shield
- Before proceeding, deactivate the "Resident Shield" as this may prevent changes to the registry.
- To do this, click "Change State" to the right of the Resident Shield option in the main window.
- You will clearly see the status change to Inactive if you have done this correctly.

C: We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
Open Windows Defender, Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.
After all of the fixes are complete it is very important that you enable Real-time Protection again.

3) Kaspersky scan indicates the possible presence of Smitfraudfix and Vundofix. Remove both programs from your computer. We will use Vundofix, but I need the newest version from the link I provide.

4) Thanks to Atribune and any others who helped with this fix.
http://vundofix.atribune.org/ <<< tutorial

"Download VundoFix" to your Desktop

http://www.atribune.org/ccount/click.php?id=4

Double-click VundoFix.exe to run it.
When VundoFix opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
*****Note: It is possible that VundoFix encountered a file it could not remove.*****
In this case, VundoFix will attempt to run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

5) Thanks to sUBs and anyone else who helped with this fix.

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall

Post the Vundofix report, combofix log and a new HJT log

Thanks
 
Vundofix/Combofix problems

Well Phil, I have completed all of the steps UP TO the running of combofix. I ran Vundofix, removed what was listed, VF said it needed to finish on reboot. On reboot I again removed the one left over file, VF again said it would need to restart. On that restart VF opened but the file was not listed. I pressed remove and got a prompt that there were no files to delete and VF would close and return to windows. I downloaded Combofix (from both links supplied) and both opened, prepared to run, and a separate window opened with the header "Abort-07-11-08.1" and message "Current date is 2007-11-19. Copy of Combofix is expired. Please download an updated copy" after pressing ok or X another window opens saying that "Combofix has been uninstalled." Also I ran VF again and it once again found that pesky file (c/windows/system32/iifggge.dll) and went through the same process as I listed above. Please advise on what I should do next. Thanks.
 
Thanks for the feedback, I apologize for the issues with combofix. The whole world is waiting for that tool to be running again, I will know when the creator has it working, in the meantime we will do our best without it.
The problem is so many of the Vundo files are hidden and combofix digs them out for us. You may remove combofix from your computer. Post the report from Vundofix, a new HJT log and any feedback you think will help.

Thanks...Phil
 
I was not aware that Vundofix kept a log. I was never asked to save any files. Do you know where it would be kept? Anyway, here is the latest HJT log. Hope it helps.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:46, on 2007-11-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\GWMDMMSG.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.google.com/
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [6c9e2ecd] rundll32.exe "C:\WINDOWS\system32\cbvxsxnu.dll",b
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.onerateld.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sawyerproducts.com
O17 - HKLM\Software\..\Telephony: DomainName = sawyerproducts.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{37CC4B60-8000-4B08-AEA8-0F193C1DEAE9}: NameServer = 192.168.0.10,192.168.0.100
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sawyerproducts.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{37CC4B60-8000-4B08-AEA8-0F193C1DEAE9}: NameServer = 192.168.0.10,192.168.0.100
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sawyerproducts.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{37CC4B60-8000-4B08-AEA8-0F193C1DEAE9}: NameServer = 192.168.0.10,192.168.0.100
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6502 bytes

Also, Symantec is installed here and nothing was mentioned about unloading its service or changing any settings in your posts. After running the VF a notice appeared about a quarantine of virus name "Downloader.MisleadAPP" located in a temp folder. There also is a message along the lines of a file not being located upon start up. I believe this to be one of the several files removed by VF but I did not write the name down. I can do this if necessary. Thanks for the help.:bigthumb:
 
Look on the C:\ for Vundofix.txt.
Also, Symantec is installed here and nothing was mentioned about unloading its service or changing any settings in your posts.
I am not sure what you are saying or asking here? I would assume if Symantec could have done anything about this infection, you would have used it to clean the infection and had no need to post here? I do not use Symantec and never have, I can supply a link to Symantec technical support if you need it?

Thanks
 
Symantec

You mentioned that I should halt some of the operations of AVG, S&D, and Window Defender but mentioned nothing of halting any part of Symantec. I just wanted to be sure that Symantec was not overlooked. I will check for the VF log as well. :)
 
Vundofix log

Here is the VF log and thanks for the above link, I see that Symantec is not on that list.

VundoFix V6.6.1

Checking Java version...

Scan started at 1:09:57 PM 11/14/2007

Listing files found while scanning....

C:\windows\system32\oxpwmkwb.dll
C:\WINDOWS\system32\zzyyyykt.dll

Beginning removal...

Beginning removal...

VundoFix V6.6.1

Checking Java version...

Scan started at 1:43:52 PM 11/14/2007

Listing files found while scanning....

C:\windows\system32\oxpwmkwb.dll
C:\WINDOWS\system32\zzyyyykt.dll

Beginning removal...

Attempting to delete C:\windows\system32\oxpwmkwb.dll
C:\windows\system32\oxpwmkwb.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\zzyyyykt.dll
C:\WINDOWS\system32\zzyyyykt.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.6.2

Checking Java version...

Scan started at 9:24:45 AM 11/19/2007

Listing files found while scanning....

C:\windows\system32\aavdwltr.dll
C:\windows\system32\iifggge.dll
C:\windows\system32\ssqrrro.dll
C:\windows\system32\zzyyyykt.dllbox

Beginning removal...

Attempting to delete C:\windows\system32\aavdwltr.dll
C:\windows\system32\aavdwltr.dll Has been deleted!

Attempting to delete C:\windows\system32\iifggge.dll
C:\windows\system32\iifggge.dll Could not be deleted.

Attempting to delete C:\windows\system32\ssqrrro.dll
C:\windows\system32\ssqrrro.dll Has been deleted!

Attempting to delete C:\windows\system32\zzyyyykt.dllbox
C:\windows\system32\zzyyyykt.dllbox Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.6.2

Checking Java version...

Scan started at 9:42:19 AM 11/19/2007

Listing files found while scanning....

C:\windows\system32\iifggge.dll

Beginning removal...

Attempting to delete C:\windows\system32\iifggge.dll
C:\windows\system32\iifggge.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\windows\system32\iifggge.dll
C:\windows\system32\iifggge.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.6.2

Checking Java version...

Scan started at 10:20:35 AM 11/19/2007

Listing files found while scanning....

C:\windows\system32\iifggge.dll

Beginning removal...

Attempting to delete C:\windows\system32\iifggge.dll
C:\windows\system32\iifggge.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\windows\system32\iifggge.dll
C:\windows\system32\iifggge.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

VundoFix V6.6.2

Checking Java version...

Scan started at 10:56:55 AM 11/19/2007

Listing files found while scanning....

C:\windows\system32\iifggge.dll

Beginning removal...

Attempting to delete C:\windows\system32\iifggge.dll
C:\windows\system32\iifggge.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\windows\system32\iifggge.dll
C:\windows\system32\iifggge.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

VundoFix V6.6.2

Checking Java version...

Scan started at 12:46:43 2007-11-19

Listing files found while scanning....

C:\windows\system32\iifggge.dll

Beginning removal...

Attempting to delete C:\windows\system32\iifggge.dll
C:\windows\system32\iifggge.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\windows\system32\iifggge.dll
C:\windows\system32\iifggge.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

VundoFix V6.6.2

Checking Java version...

Scan started at 13:20:56 2007-11-19

Listing files found while scanning....

C:\windows\system32\iifggge.dll

Beginning removal...

Attempting to delete C:\windows\system32\iifggge.dll
C:\windows\system32\iifggge.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\windows\system32\iifggge.dll
C:\windows\system32\iifggge.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Beginning removal...

VundoFix V6.6.2

Checking Java version...

Scan started at 14:02:52 2007-11-19

Listing files found while scanning....

C:\windows\system32\iifggge.dll

Beginning removal...

Attempting to delete C:\windows\system32\iifggge.dll
C:\windows\system32\iifggge.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\windows\system32\iifggge.dll
C:\windows\system32\iifggge.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.6.2

Checking Java version...

Scan started at 14:41:00 2007-11-19

Listing files found while scanning....

C:\windows\system32\iifggge.dll

Beginning removal...

Attempting to delete C:\windows\system32\iifggge.dll
C:\windows\system32\iifggge.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\windows\system32\iifggge.dll
C:\windows\system32\iifggge.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...
 
Thanks for returning the information and the feedback, this one is giving us trouble:
Attempting to delete C:\windows\system32\iifggge.dll
C:\windows\system32\iifggge.dll Could not be deleted
So we have that issue to contend with. I also want you to know the forum software is not working right today; if you have problems posting, etc., that is why. You can wait a few hours, I have notified management.

1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

3) Make sure you are using the new version 6.6.2
Open Vundofix by double-clicking on it, then point your mouse to the white box
above the buttons and right click, then click on Add More Files. When the
next window opens, copy and paste the files into the boxes and click on Add
File(s), then click on Close Window. Then click Remove Vundo.

These are the files you need to add:
C:\windows\system32\iifggge.dll
C:\WINDOWS\system32\cbvxsxnu.dll


4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O4 - HKLM\..\Run: [6c9e2ecd] rundll32.exe "C:\WINDOWS\system32\cbvxsxnu.dll",b
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.onerateld.com

Close all programs but HJT and all browser windows, then click on "Fix Checked"

5) RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\WINDOWS\system32\cbvxsxnu.dll <<< delete that file

C:\windows\system32\iifggge.dll <<< delete that file

We are trying to kill the really bad files in several ways. If you have problems use this tool and instructions:
How to use the Delete on Reboot tool
http://www.bleepingcomputer.com/tutorials/tutorial42.html#delreb

6) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Post the Vundofix.txt, new HJT log and some feedback.

Thanks
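Added example, not part of pskelley's instructions and not code from VundoFix or HijackThis: a small Python script that reads a cumulative VundoFix.txt and an HJT log and pulls out what steps 3 to 5 above ask you to find by hand. It reports which files VundoFix still lists as "Could not be deleted" after its latest attempt (judging by the log posted in this thread, VundoFix appends every run to the same file, so one file carries the whole history), which VundoFix versions have written to that log (step 3 wants only 6.6.2), and which HJT lines deserve a "Fix Checked": O15 Trusted Zone additions, and O4 Run entries that use rundll32 to load a DLL VundoFix could not delete or that carry an 8-hex-digit value name. That hex-name rule is my own assumption, generalised from the single [6c9e2ecd] entry in this thread, not a VundoFix or HJT rule. The sample log text is constructed from lines posted here.

```python
"""Triage a cumulative VundoFix.txt plus a HijackThis log (added example)."""
import re

# Constructed sample input: lines copied from the VundoFix.txt posted in this thread.
VUNDOFIX_LOG = """\
VundoFix V6.6.1
Scan started at 1:43:52 PM 11/14/2007
Attempting to delete C:\\windows\\system32\\oxpwmkwb.dll
C:\\windows\\system32\\oxpwmkwb.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.6.2
Scan started at 9:42:19 AM 11/19/2007
Attempting to delete C:\\windows\\system32\\iifggge.dll
C:\\windows\\system32\\iifggge.dll Could not be deleted.
Beginning removal...
Attempting to delete C:\\WINDOWS\\SYSTEM32\\IIFGGGE.DLL
C:\\WINDOWS\\SYSTEM32\\IIFGGGE.DLL Could not be deleted.
"""

# Constructed sample input: O4/O15 lines from the HJT logs in this thread.
HJT_LOG = """\
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup
O4 - HKLM\\..\\Run: [6c9e2ecd] rundll32.exe "C:\\WINDOWS\\system32\\cbvxsxnu.dll",b
O4 - HKLM\\..\\Run: [vptray] C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.onerateld.com
"""

SCAN_HEADER = re.compile(r"^VundoFix V(?P<version>[\d.]+)$")
SCAN_START = re.compile(r"^Scan started at (?P<when>.+)$")
DELETED = re.compile(r"^(?P<path>.+) Has been deleted!$")
NOT_DELETED = re.compile(r"^(?P<path>.+) Could not be deleted\.?$")
O4_RUN = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O15_ZONE = re.compile(r"^O15 - Trusted Zone: ")
HEX_NAME = re.compile(r"^[0-9a-fA-F]{8}$")          # assumed heuristic, see lead-in
DLL_ARG = re.compile(r'[A-Za-z]:\\[^",]+\.dll', re.IGNORECASE)


def parse_vundofix(text):
    """Split a cumulative VundoFix.txt into one dict per 'VundoFix Vx.y.z' header.
    A later attempt on the same path within a scan overwrites the earlier outcome;
    paths are keyed case-insensitively because the log mixes both spellings."""
    scans = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := SCAN_HEADER.match(line):
            scans.append({"version": m.group("version"), "started": None, "results": {}})
            continue
        if not scans:
            continue                       # text before the first header
        cur = scans[-1]
        if m := SCAN_START.match(line):
            cur["started"] = m.group("when")
        elif m := DELETED.match(line):
            cur["results"][m.group("path").lower()] = "deleted"
        elif m := NOT_DELETED.match(line):
            cur["results"][m.group("path").lower()] = "locked"
    return scans


def stubborn_files(scans):
    """Paths whose most recent outcome anywhere in the log is still 'locked'."""
    latest = {}
    for scan in scans:                     # scans are in file order, so last wins
        latest.update(scan["results"])
    return sorted(p for p, outcome in latest.items() if outcome == "locked")


def versions_seen(scans):
    """Every VundoFix version that has written to this log."""
    return sorted({s["version"] for s in scans})


def suspicious_hjt_lines(text, locked_paths):
    """O15 Trusted Zone lines, plus O4 Run lines that rundll32 a DLL VundoFix
    could not delete or whose value name is 8 hex digits (assumed heuristic)."""
    locked = {p.lower() for p in locked_paths}
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        if O15_ZONE.match(line):
            hits.append(line)
            continue
        m = O4_RUN.match(line)
        if not m or "rundll32" not in m.group("cmd").lower():
            continue
        dll = DLL_ARG.search(m.group("cmd"))
        dll_path = dll.group(0).lower() if dll else ""
        if HEX_NAME.match(m.group("name")) or dll_path in locked:
            hits.append(line)
    return hits


def triage(vundo_text, hjt_text):
    """Summary a helper would want before writing the next set of steps."""
    scans = parse_vundofix(vundo_text)
    locked = stubborn_files(scans)
    return {
        "scans": len(scans),
        "versions": versions_seen(scans),
        "still_locked": locked,
        "hjt_to_fix": suspicious_hjt_lines(hjt_text, locked),
    }


if __name__ == "__main__":
    for key, value in triage(VUNDOFIX_LOG, HJT_LOG).items():
        print(key, value)
```

Run it against the real C:\VundoFix.txt and hijackthis.log by reading those files into the two arguments of triage(). A path in still_locked that survives several scans is the signal that the in-session delete is not going to work and the Delete on Reboot route in step 5 is needed.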
 
I have completed the above steps but am still having a problem with the iifggge.dll file. Vundo says it needs to delete on restart, restarts the computer, says this same thing again, restarts, and opens to show no files to remove. I typed the iifggge.dll file in and went through the same process. The removal process seems to go in circles with this darn thing. Anyway, the VF log and new HJT logs are below.

VundoFix V6.6.1

Checking Java version...

Scan started at 1:09:57 PM 11/14/2007

Listing files found while scanning....

C:\windows\system32\oxpwmkwb.dll
C:\WINDOWS\system32\zzyyyykt.dll

Beginning removal...

Beginning removal...

VundoFix V6.6.1

Checking Java version...

Scan started at 1:43:52 PM 11/14/2007

Listing files found while scanning....

C:\windows\system32\oxpwmkwb.dll
C:\WINDOWS\system32\zzyyyykt.dll

Beginning removal...

Attempting to delete C:\windows\system32\oxpwmkwb.dll
C:\windows\system32\oxpwmkwb.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\zzyyyykt.dll
C:\WINDOWS\system32\zzyyyykt.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.6.2

Checking Java version...

Scan started at 9:24:45 AM 11/19/2007

Listing files found while scanning....

C:\windows\system32\aavdwltr.dll
C:\windows\system32\iifggge.dll
C:\windows\system32\ssqrrro.dll
C:\windows\system32\zzyyyykt.dllbox

Beginning removal...

Attempting to delete C:\windows\system32\aavdwltr.dll
C:\windows\system32\aavdwltr.dll Has been deleted!

Attempting to delete C:\windows\system32\iifggge.dll
C:\windows\system32\iifggge.dll Could not be deleted.

Attempting to delete C:\windows\system32\ssqrrro.dll
C:\windows\system32\ssqrrro.dll Has been deleted!

Attempting to delete C:\windows\system32\zzyyyykt.dllbox
C:\windows\system32\zzyyyykt.dllbox Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.6.2

Checking Java version...

Scan started at 9:42:19 AM 11/19/2007

Listing files found while scanning....

C:\windows\system32\iifggge.dll

Beginning removal...

Attempting to delete C:\windows\system32\iifggge.dll
C:\windows\system32\iifggge.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\windows\system32\iifggge.dll
C:\windows\system32\iifggge.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.6.2

Checking Java version...

Scan started at 10:20:35 AM 11/19/2007

Listing files found while scanning....

C:\windows\system32\iifggge.dll

Beginning removal...

Attempting to delete C:\windows\system32\iifggge.dll
C:\windows\system32\iifggge.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\windows\system32\iifggge.dll
C:\windows\system32\iifggge.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

VundoFix V6.6.2

Checking Java version...

Scan started at 10:56:55 AM 11/19/2007

Listing files found while scanning....

C:\windows\system32\iifggge.dll

Beginning removal...

Attempting to delete C:\windows\system32\iifggge.dll
C:\windows\system32\iifggge.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\windows\system32\iifggge.dll
C:\windows\system32\iifggge.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

VundoFix V6.6.2

Checking Java version...

Scan started at 12:46:43 2007-11-19

Listing files found while scanning....

C:\windows\system32\iifggge.dll

Beginning removal...

Attempting to delete C:\windows\system32\iifggge.dll
C:\windows\system32\iifggge.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\windows\system32\iifggge.dll
C:\windows\system32\iifggge.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

VundoFix V6.6.2

Checking Java version...

Scan started at 13:20:56 2007-11-19

Listing files found while scanning....

C:\windows\system32\iifggge.dll

Beginning removal...

Attempting to delete C:\windows\system32\iifggge.dll
C:\windows\system32\iifggge.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\windows\system32\iifggge.dll
C:\windows\system32\iifggge.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Beginning removal...

VundoFix V6.6.2

Checking Java version...

Scan started at 14:02:52 2007-11-19

Listing files found while scanning....

C:\windows\system32\iifggge.dll

Beginning removal...

Attempting to delete C:\windows\system32\iifggge.dll
C:\windows\system32\iifggge.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\windows\system32\iifggge.dll
C:\windows\system32\iifggge.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.6.2

Checking Java version...

Scan started at 14:41:00 2007-11-19

Listing files found while scanning....

C:\windows\system32\iifggge.dll

Beginning removal...

Attempting to delete C:\windows\system32\iifggge.dll
C:\windows\system32\iifggge.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\windows\system32\iifggge.dll
C:\windows\system32\iifggge.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Beginning removal...

Attempting to delete C:\windows\system32\iifggge.dll
C:\windows\system32\iifggge.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\windows\system32\iifggge.dll
C:\windows\system32\iifggge.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\SYSTEM32\IIFGGGE.DLL
C:\WINDOWS\SYSTEM32\IIFGGGE.DLL Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\SYSTEM32\IIFGGGE.DLL
C:\WINDOWS\SYSTEM32\IIFGGGE.DLL Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...
 
New HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:18, on 2007-11-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\GWMDMMSG.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.google.com/
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sawyerproducts.com
O17 - HKLM\Software\..\Telephony: DomainName = sawyerproducts.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{37CC4B60-8000-4B08-AEA8-0F193C1DEAE9}: NameServer = 192.168.0.10,192.168.0.100
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sawyerproducts.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{37CC4B60-8000-4B08-AEA8-0F193C1DEAE9}: NameServer = 192.168.0.10,192.168.0.100
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sawyerproducts.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{37CC4B60-8000-4B08-AEA8-0F193C1DEAE9}: NameServer = 192.168.0.10,192.168.0.100
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6351 bytes

I noticed that there are several dates in the VF log. Does VF just keep adding to the text file each time it scans? If so, I noticed that there is no scan information with today's (11-20-07) date on it and a search of the computer does not yield any more VF log files anywhere. Also, when attempting step 5 above the cbvxsxnu.dll file was not there and a search for it came up empty. When I tried to delete the iifggge.dll file I got a message similar to "Cannot delete iifggge: Access denied. Make sure the disk is not full or write protected or file is not in use." This may be dumb but would renaming it be of use?
 
Yep, this infection has gotten very, very hard to remove. We may never get it all, but let's not give up yet. The first thing I see is an old version of Vundofix here:
Today, 13:27 >> VundoFix V6.6.1

Would you please make sure the ONLY version you have on your computer is V6.6.2.
I noticed that there are several dates in the VF log.
Right, that is what I said above, be positive you only have the one version on the computer. If you followed directions it would be here: "Download VundoFix" to your Desktop
This may be dumb but would renaming it be of use?
You may use any method you know of to remove the junk; everyone is learning this infection as it is being removed and there are countless folks infected. You can also try this:
http://support.microsoft.com/kb/308421
Just let me know what method works for the next infected member.

Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 13:18, on 2007-11-20
I see no malware in this HJT log. It may be that one of the methods we used killed it. Let's have Kaspersky take a look to see what is there that HJT can't see.

First, looking at this scan: KASPERSKY ONLINE SCANNER REPORT Thursday, November 15, 2007 12:38:33 PM

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\ <<< delete the contents of your AV's quarantine folder.

C:\Documents and Settings\ship\Desktop\Removal Tools\SmitfraudFix\SmitfraudFix\ <<< delete Smitfraudfix completely from your computer

C:\Documents and Settings\ship\Local Settings\Temporary Internet Files\ <<< delete the contents of that TIF folder

C:\VundoFix Backups\ <<< delete that folder, make sure there is no folder from the new version. Keep just the executable on the Desktop in case we need to run it again.

Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

(please use these settings for the scan)

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make sure that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* The program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here.

Add any comments you think will help.

Thanks...Phil
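Added example, not from this thread and not the code of the Delete on Reboot tool or KB308421 linked above: what "delete on reboot" does under the hood, written in Python. A file Windows reports as in use (the "Access denied ... file is not in use" message above) can be queued in the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager. The Session Manager processes that list early in boot, before winlogon and Explorer have loaded any DLLs, then clears it, which is why a delete that fails in a running session can succeed at restart. The supported way to add an entry is MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT; the value is written directly here so the on-disk format is visible (source path with a \??\ prefix, followed by an empty destination for a delete, existing pairs preserved). The list-building functions run anywhere; queue_delete only works on Windows and needs an administrator account. It does nothing against whatever recreated the file in the first place, so re-check VundoFix.txt and HJT after the restart rather than assuming the file is gone.

```python
"""Queue a locked file for deletion at next boot (added example)."""
import sys

# Real registry location; the value is consumed and cleared by the Session Manager at boot.
PENDING_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
PENDING_VALUE = "PendingFileRenameOperations"


def nt_path(win_path):
    r"""Session Manager expects NT-style paths: \??\C:\dir\file.ext."""
    if not (len(win_path) > 3 and win_path[1] == ":" and win_path[2] == "\\"):
        raise ValueError("expected an absolute drive path, got %r" % win_path)
    return "\\??\\" + win_path


def add_delete_on_reboot(existing, win_path):
    """Return a new REG_MULTI_SZ list with a delete entry appended.

    The value is a flat list of pairs: source, then destination. An empty
    destination means delete; a destination starting with '!' means replace.
    Existing pairs are kept so operations queued by other tools survive."""
    entries = list(existing or [])
    if len(entries) % 2:
        raise ValueError("existing value is not a list of source/destination pairs")
    src = nt_path(win_path)
    for i in range(0, len(entries), 2):
        if entries[i].lower() == src.lower():
            return entries                 # already queued; don't add a duplicate
    return entries + [src, ""]


def pending_deletes(entries):
    """Sources that will be deleted (empty destination) at the next boot."""
    return [entries[i] for i in range(0, len(entries), 2) if entries[i + 1] == ""]


def queue_delete(win_path):
    """Windows only: read-modify-write the registry value (administrator required)."""
    if sys.platform != "win32":
        raise OSError("PendingFileRenameOperations only exists on Windows")
    import winreg
    access = winreg.KEY_READ | winreg.KEY_SET_VALUE
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PENDING_KEY, 0, access) as key:
        try:
            existing, _ = winreg.QueryValueEx(key, PENDING_VALUE)
        except FileNotFoundError:
            existing = []                  # nothing queued yet; value is absent
        updated = add_delete_on_reboot(existing, win_path)
        winreg.SetValueEx(key, PENDING_VALUE, 0, winreg.REG_MULTI_SZ, updated)
        return updated


if __name__ == "__main__":
    # Dry run that works on any platform: show the value that would be written.
    queued = add_delete_on_reboot([], r"C:\windows\system32\iifggge.dll")
    print(queued)
    print(pending_deletes(queued))
```

After the reboot the value should be gone and the file with it; if the file is back, something still running re-dropped it and the next HJT log is where to look.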
 
Update

Just a quick update/FYI - In an attempt to remove that pesky iifggge.dll file I renamed it to iie.dll and tried to delete it. This did not work so I followed the link you supplied and made sure that I had control/rights to it. Again, this did not work so I did a restart in safe mode and, luckily, this DID work. I was able to find and delete this file. On restart I tried to locate it and did a search for the file and it was not found. Curiosity got the best of me and I ran VF which came up with nothing. I will move on to the next step, Kaspersky, and report what I find as soon as I can. Thanks for the help so far.
 
Kaspersky Scan

After completing the rest of the instructions you provided I ran the Kaspersky online scan and got bad news. The scan returned two issues both having to do with "Trojan.Win32.Obfuscated". The log is posted below.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
2007-11-21 10:24
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 21/11/2007
Kaspersky Anti-Virus database records: 433848
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - Folders:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 42472
Number of viruses found: 1
Number of infected objects: 2
Number of suspicious objects: 0
Duration of the scan process: 00:56:52

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-12082006-091652.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\ship\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\ship\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\ship\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\ship\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\ship\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\ship\Local Settings\Temp\jar_cache46733.tmp Object is locked skipped
C:\Documents and Settings\ship\Local Settings\Temp\jar_cache46734.tmp Object is locked skipped
C:\Documents and Settings\ship\Local Settings\Temp\jar_cache46735.tmp Object is locked skipped
C:\Documents and Settings\ship\Local Settings\Temp\jar_cache46736.tmp Object is locked skipped
C:\Documents and Settings\ship\Local Settings\Temp\jar_cache46737.tmp Object is locked skipped
C:\Documents and Settings\ship\Local Settings\Temp\jar_cache46738.tmp Object is locked skipped
C:\Documents and Settings\ship\Local Settings\Temp\jar_cache46739.tmp Object is locked skipped
C:\Documents and Settings\ship\Local Settings\Temp\jar_cache46740.tmp Object is locked skipped
C:\Documents and Settings\ship\Local Settings\Temp\jar_cache46741.tmp Object is locked skipped
C:\Documents and Settings\ship\Local Settings\Temp\jar_cache46743.tmp Object is locked skipped
C:\Documents and Settings\ship\Local Settings\Temp\jar_cache46744.tmp Object is locked skipped
C:\Documents and Settings\ship\Local Settings\Temp\jar_cache46745.tmp Object is locked skipped
C:\Documents and Settings\ship\Local Settings\Temp\jar_cache46746.tmp Object is locked skipped
C:\Documents and Settings\ship\Local Settings\Temp\jar_cache46747.tmp Object is locked skipped
C:\Documents and Settings\ship\Local Settings\Temp\jar_cache46748.tmp Object is locked skipped
C:\Documents and Settings\ship\Local Settings\Temp\jar_cache46749.tmp Object is locked skipped
C:\Documents and Settings\ship\Local Settings\Temp\toolbox_healer46742.log Object is locked skipped
C:\Documents and Settings\ship\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\ship\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\ship\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\ship\NTUSER.DAT.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{B906308C-E7CF-4D81-A411-C1573A628241}\RP16\change.log Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{98E82034-64EB-4759-9E1F-3E417E7A03FE}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\esaxxsvc.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\jkjklbst.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

I don't think i mentioned that there were two icons added to the desktop, "Online Security Guide" and another "Live Safety Center". I deleted these icons before the Kaspersky scan. When I hooked the computer back online and started IE another window opened to some search page (or something along these lines) which I promptly closed. Also, Symantec raised a notification window that Trojan.Vundo was around. Please let me know our next step. Thanks.
 
Thanks for returning your scan results.
KASPERSKY ONLINE SCANNER REPORT 2007-11-21 10:24

Delete the files in red, empty the Recycle Bin and scan again, it should be clean.

C:\WINDOWS\system32\jkjklbst.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\WINDOWS\system32\esaxxsvc.exe Infected: Trojan.Win32.Obfuscated.kp skipped

You need to understand also, how easy it is to get infected or even reinfected, see this:
http://www.theregister.com/2007/05/11/google_malware_map/
http://redtape.msnbc.com/2007/05/the_next_net_th.html
Thousands snared by malware warning from big-name websites
http://www.channelregister.co.uk/2007/11/07/rogue_antispyware_ads/

tashi has pinned very important information at the top of this forum, you should review it all.

I'll post this information for you now so you can benefit from it.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
 
Update

I ran HJT and found a file almost identical to the one removed during post #12 "O4 - HKLM\..\Run: [6c9e2ecd] rundll32.exe C:\WINDOWS\system32\cbvxsxnu.dll",b" (I am unsure of how to quote a previous post). I had HJT fix that issue and ran VF which found nothing. I am running AVG to see what it says now. At this point it has found "Trojan.Agent.aoy" and "Downloader.Tiny.id" but is still scanning.
 