Trojan problem, Vundo?

DeMoNDeMoN twitch.tv/toxic_cizzleRegistered User regular
edited November 2008 in Help / Advice Forum
So every day Windows Defender keeps picking up this Vundo trojan. Every day it comes back.

I scan with Ad-Aware and it finds nothing.
I scan with Avira and it finds nothing.
I even downloaded something called Vundo Fix and it finds nothing.

It just keeps getting caught by Windows Defender and I don't know how to get rid of it.

Steam id : Toxic Cizzle
DeMoN on

Posts

  • ShadeShade Registered User regular
    edited November 2008
    Windows Defender is crap. Grab a trial of Kaspersky and then see what comes up. Throw Ewido at it just to make sure.

    Shade on
  • Zombie NirvanaZombie Nirvana Registered User regular
    edited November 2008
    That's a tough one that I think most scanners will not be able to clean. If I remember correctly, you have to turn off system restore functionality because it hides in there. Then run a Vundo fix. Search around on Google, it was pretty popular a year or two ago. My parents ended up with it on their system, but we managed to get it off eventually.

    Zombie Nirvana on
  • finalflight89finalflight89 Registered User regular
    edited November 2008
    You really should run VundoFix in safe mode, did you do that? I had Vundo a while back and it took probably 5 scans to fully remove it (and some manual file deletions by me).

    finalflight89 on
  • DeMoNDeMoN twitch.tv/toxic_cizzle Registered User regular
    edited November 2008
    Sorry, how do I run Windows XP in safe mode?

    DeMoN on
    Steam id : Toxic Cizzle
  • TopweaselTopweasel Registered User regular
    edited November 2008
    Just before XP is supposed to start loading, hit F8. A menu should come up. I usually just tap F8 routinely after power on just to make sure I don't miss it.

    Topweasel on
  • DeMoNDeMoN twitch.tv/toxic_cizzle Registered User regular
    edited November 2008
    When I do that it doesn't give me an option for safe mode, just 4 different things to boot from, one of them was a floppy drive, and the other 3 were different hard drives I believe.

    DeMoN on
    Steam id : Toxic Cizzle
  • RuckusRuckus Registered User regular
    edited November 2008
    You're F8ing too soon, but you could choose your appropriate boot hard drive and start hitting F8 again from that boot device chooser.

    Ruckus on
  • DeMoNDeMoN twitch.tv/toxic_cizzle Registered User regular
    edited November 2008
    All right, I'll try again.

    DeMoN on
    Steam id : Toxic Cizzle
  • DeMoNDeMoN twitch.tv/toxic_cizzle Registered User regular
    edited November 2008
    Ugh, I tried scanning with a few things in safe mode, didn't find anything, but I'm still getting popups when using Firefox.

    Mainly for 2greatfind.com

    Any suggestions for other scanning software?

    DeMoN on
    Steam id : Toxic Cizzle
  • saggiosaggio Registered User regular
    edited November 2008
    This will solve your problems.

    saggio on
    3DS: 0232-9436-6893
  • finalflight89finalflight89 Registered User regular
    edited November 2008
    saggio wrote: »
    This will solve your problems.
    Funny...

    Another thing you should try is running HiJackThis: http://www.download.com/HijackThis/3000-2356_4-51358.html?tag=mncol&cdlPid=529010

    Run the scan, and save a log file. Copy the log file here and let me take a look at it. Don't check any boxes or remove anything, most of the things on the list shouldn't be removed. I'll look for whatever looks bad and tell you to remove those.

    finalflight89 on
  • DrFrylockDrFrylock Registered User regular
    edited November 2008
    Virtumondo/Vundo is pretty nasty. HijackThis may or may not get rid of it. I'm surprised that VundoFix didn't work.

    You can try:

    MalwareBytes Anti-Malware. This one has a chance of helping you.

    The nuclear option is to use ComboFix. ComboFix will scrape off just about everything but apparently there's a small danger it will do too much and you won't be able to boot. However, it has saved the ass of me and many relatives MANY times.

    Incidentally, I love when people recommend Ad-Aware and SpyBot against Vundo/Virtumondo and the like. For ordinary tracking cookies and Gator and shit, these tools are fine, but Vundo and its friends are about 100x meaner and nastier than Ad-Aware or SpyBot or any ordinary anti-virus. ComboFix works much better because it basically kills every process on your system that isn't absolutely required to run (including ones you can't generally kill), and then it begins scraping things out of the registry, off your hard drive, fixing infected device drivers, and so on. Then it marks a bunch of shit it can't delete to be deleted on reboot before the OS gets going.

    DrFrylock on
  • TrowizillaTrowizilla Registered User regular
    edited November 2008
    I'm having a hard time killing a Vundo variant as well. VundoFix found absolutely nothing, even from safe mode, but these stupid randomly-named files keep spawning and I keep getting popups.

    Weirdest thing is that, when I go to try to delete the files, they don't show up. HijackThis sees them, though. :( If it's okay, I'll post my Hijack This file in here too. Just don't want to steal DeMoN's thread.

    Trowizilla on
  • DeMoNDeMoN twitch.tv/toxic_cizzle Registered User regular
    edited November 2008
    Nah, it's fine.

    I'll try posting a log later today.

    DeMoN on
    Steam id : Toxic Cizzle
  • TrowizillaTrowizilla Registered User regular
    edited November 2008
    Here goes! I marked the stuff I'm pretty sure is a problem with asterisks.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 09:25, on 2008-11-25
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
    C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Pidgin\pidgin.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\SYSTEM32\FREECELL.EXE
    C:\WINDOWS\SYSTEM32\notepad.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    * O2 - BHO: (no name) - {d1500808-2741-4aa2-93a3-92bf75d23155} - C:\WINDOWS\system32\sazujimo.dll (file missing)
    O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    * O4 - HKLM\..\Run: [CPM7b871786] Rundll32.exe "c:\windows\system32\teyunufa.dll",a
    * O4 - HKLM\..\Run: [gitafadure] Rundll32.exe "C:\WINDOWS\system32\sonusoya.dll",s
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
    O4 - HKCU\..\Run: [SUPERAntiSpyware] F:\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [EA Core] C:\Program Files\Electronic Arts\EADM\Core.exe -silent
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    * O4 - HKUS\S-1-5-19\..\Run: [gitafadure] Rundll32.exe "C:\WINDOWS\system32\sonusoya.dll",s (User 'LOCAL SERVICE')
    * O4 - HKUS\S-1-5-20\..\Run: [gitafadure] Rundll32.exe "C:\WINDOWS\system32\sonusoya.dll",s (User 'NETWORK SERVICE')
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O20 - Winlogon Notify: !SASWinLogon - F:\SASWINLO.DLL
    * O20 - Winlogon Notify: c00D1F68 - c00D1F68.mat (file missing)
    * O20 - Winlogon Notify: sys32 - sys32.dll (file missing)
    * O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\teyunufa.dll
    * O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\teyunufa.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

    Trowizilla on
  • TopweaselTopweasel Registered User regular
    edited November 2008
    DeMoN wrote: »
    When I do that it doesn't give me an option for safe mode, just 4 different things to boot from, one of them was a floppy drive, and the other 3 were different hard drives I believe.

    Sorry about that, usually a mobo has the boot selector set to Esc or F12.

    Topweasel on
  • TomantaTomanta Registered User regular
    edited November 2008
    I spent 3 or 4 days trying to clean this trojan off my machine, doing most of the suggestions above and I just ended up formatting and starting over. I think there are a lot of strains of this and the removal tools only work on some.

    Good luck.

    Tomanta on
  • finalflight89finalflight89 Registered User regular
    edited November 2008
    Trowizilla wrote: »
    giant log file

    You picked out all the bad stuff. Do you have a Linux live CD? I'd recommend booting up with it and deleting the bad files from inside Linux, then booting back into Windows and running another scan. Make sure you get rid of the registry run keys and bad Winlogon entries. Honestly, I wouldn't be surprised if it respawned with a new filename.

    If you don't have a Linux live CD, then you'll need to start up the Windows Recovery Console (using your windows CD) and use the command line to delete the bad stuff.

    I had Vundo a while back, and I remember now what it did to me. It had those random-lettered files in the Windows folder, something like xzzycc.exe. Then it picked a random one of my programs that start up with my computer, I believe "ZuneLauncher.exe", injected malicious code somewhere in the exe file, renamed it "ZuneLauncher .exe" (note the space), and made that one start up instead. If the malicious ZuneLauncher.exe didn't see the xzzycc.exe in the Windows folder, it would spawn a new one, starting everything all over. Fun!

    finalflight89 on
  • DeMoNDeMoN twitch.tv/toxic_cizzle Registered User regular
    edited November 2008
    I'm not even sure I have a windows cd.

    DeMoN on
    Steam id : Toxic Cizzle
  • DeMoNDeMoN twitch.tv/toxic_cizzle Registered User regular
    edited November 2008
    All right, did a scan:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:41:27 PM, on 11/25/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16735)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    c:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
    C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {f2ed3b39-0237-44f4-b00f-771bfaeebb48} - C:\WINDOWS\system32\bujasojo.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
    O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidSetup.exe boot
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
    O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [rezunujiwe] Rundll32.exe "C:\WINDOWS\system32\bogiviza.dll",s
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [64324ae5] rundll32.exe "C:\WINDOWS\system32\dizagiji.dll",b
    O4 - HKLM\..\Run: [CPM67017979] Rundll32.exe "c:\windows\system32\fivipute.dll",a
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
    O4 - HKUS\S-1-5-19\..\Run: [rezunujiwe] Rundll32.exe "C:\WINDOWS\system32\bogiviza.dll",s (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [rezunujiwe] Rundll32.exe "C:\WINDOWS\system32\bogiviza.dll",s (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: VTAgentReboot.exe
    O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190062134656
    O20 - AppInit_DLLs: C:\WINDOWS\system32\kibahova.dll c:\windows\system32\womayovi.dll c:\windows\system32\borazufu.dll c:\windows\system32\wotuzapi.dll c:\windows\system32\kovuduhi.dll c:\windows\system32\giveyaha.dll c:\windows\system32\kohuhego.dll c:\windows\system32\fivipute.dll
    O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fivipute.dll
    O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fivipute.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: mental ray 3.6 Satellite for Autodesk 3ds Max 2009 32-bit 32-bit (mi-raysat_3dsMax2009_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    --
    End of file - 13689 bytes

    That's quite a lot of stuff.

    DeMoN on
    Steam id : Toxic Cizzle
  • TrowizillaTrowizilla Registered User regular
    edited November 2008
    ComboFix seems to have killed it. Fingers crossed!

    Trowizilla on
  • DeMoNDeMoN twitch.tv/toxic_cizzle Registered User regular
    edited November 2008
    Um, can anyone tell me if there's anything wrong in my log?
    I'm starting to get really annoyed with this spyware.

    DeMoN on
    Steam id : Toxic Cizzle
  • finalflight89finalflight89 Registered User regular
    edited November 2008
    DeMoN wrote: »

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {f2ed3b39-0237-44f4-b00f-771bfaeebb48} - C:\WINDOWS\system32\bujasojo.dll

    O4 - HKLM\..\Run: [rezunujiwe] Rundll32.exe "C:\WINDOWS\system32\bogiviza.dll",s

    O4 - HKLM\..\Run: [64324ae5] rundll32.exe "C:\WINDOWS\system32\dizagiji.dll",b
    O4 - HKLM\..\Run: [CPM67017979] Rundll32.exe "c:\windows\system32\fivipute.dll",a

    O4 - HKUS\S-1-5-19\..\Run: [rezunujiwe] Rundll32.exe "C:\WINDOWS\system32\bogiviza.dll",s (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [rezunujiwe] Rundll32.exe "C:\WINDOWS\system32\bogiviza.dll",s (User 'NETWORK SERVICE')

    O20 - AppInit_DLLs: C:\WINDOWS\system32\kibahova.dll c:\windows\system32\womayovi.dll c:\windows\system32\borazufu.dll c:\windows\system32\wotuzapi.dll c:\windows\system32\kovuduhi.dll c:\windows\system32\giveyaha.dll c:\windows\system32\kohuhego.dll c:\windows\system32\fivipute.dll

    O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fivipute.dll
    O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fivipute.dll

    OK, I looked at your log file.

    First question: It looks like you're running Norton and Avira antivirus? Or at least you've got remnants of Norton on your computer.

    To get rid of this Vundo thing manually, you'll have to delete these files out of Windows. Like I said earlier, a Linux live CD would be the easiest, but if you don't have one of those, then you'll have to use a Windows CD.

    And if you don't have a Windows CD, then you might be able to install the Recovery Console to your hard drive by installing it from your i386 folder (if you have it). The Recovery Console is normally installed like this, but you can try going to Start -> Run, and then typing in "C:\i386\winnt32.exe /cmdcons". If you have the i386 folder on your hard drive it will install. When you reboot, it will give you the option to boot to the Recovery Console, and then you can delete the files from the command line.

    After the files are deleted, restart into Windows and remove those lines from your computer using HiJackThis.

    Do you have any command line experience?

    Or maybe you can just try ComboFix?

    finalflight89 on
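    To make the by-eye triage finalflight89 just did repeatable, here is an added Python script (not a tool anyone in this thread used) that scans HijackThis lines for exactly the patterns called out above: rundll32 calling a one-letter export, unnamed BHOs, AppInit_DLLs, dead Winlogon Notify entries, SSODL/SharedTaskScheduler hooks, and random-looking DLL names, then maps each DLL to every persistence point it sits in. The sample lines are copied from the logs posted in this thread; the consonant-vowel name heuristic is my own assumption, not something from the page.

```python
import re
from collections import defaultdict

# Sample lines copied from the HijackThis logs posted earlier in this thread:
# a mix of legitimate entries and the ones finalflight89 flagged.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {f2ed3b39-0237-44f4-b00f-771bfaeebb48} - C:\WINDOWS\system32\bujasojo.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [rezunujiwe] Rundll32.exe "C:\WINDOWS\system32\bogiviza.dll",s
O4 - HKLM\..\Run: [64324ae5] rundll32.exe "C:\WINDOWS\system32\dizagiji.dll",b
O4 - HKLM\..\Run: [CPM67017979] Rundll32.exe "c:\windows\system32\fivipute.dll",a
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKUS\S-1-5-19\..\Run: [rezunujiwe] Rundll32.exe "C:\WINDOWS\system32\bogiviza.dll",s (User 'LOCAL SERVICE')
O20 - AppInit_DLLs: C:\WINDOWS\system32\kibahova.dll c:\windows\system32\womayovi.dll c:\windows\system32\fivipute.dll
O20 - Winlogon Notify: sys32 - sys32.dll (file missing)
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fivipute.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fivipute.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

SECTION_RE = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")
# rundll32 <path>.dll,<export>; Vundo's loaders in the thread all use a one-letter export.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?,(\w+)', re.IGNORECASE)
# Every "<drive>:\...\<stem>.dll" path on a line; findall yields the stems.
DLL_RE = re.compile(r'[A-Za-z]:\\[^"]*?\\([\w-]+)\.dll', re.IGNORECASE)
# Heuristic, assumed here rather than taken from the thread: every Vundo DLL in
# the posted logs is eight lowercase letters alternating consonant and vowel.
RANDOM_NAME_RE = re.compile(r"^(?:[b-df-hj-np-tv-z][aeiou]){4}$")


def looks_random(stem: str) -> bool:
    """True for names like 'fivipute' or 'bogiviza', False for 'NvCpl'."""
    return bool(RANDOM_NAME_RE.match(stem))


def triage_line(line: str):
    """Return {'code', 'reasons', 'dlls', 'line'} if the line is suspicious, else None."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return None  # header, blank or "Running processes" line
    code, body = m.groups()
    dlls = DLL_RE.findall(body)
    in_sys32 = "system32" in body.lower()
    reasons = []

    if code == "O2" and "(no name)" in body and ("(no file)" in body or in_sys32):
        reasons.append("unnamed BHO with a missing file or a DLL in system32")
    if code == "O4":
        r = RUNDLL_RE.search(body)
        if r and len(r.group(2)) == 1:
            reasons.append("rundll32 calling a one-letter export ('%s')" % r.group(2))
    if code == "O20" and "AppInit_DLLs" in body:
        reasons.append("AppInit_DLLs loads into every process that uses user32.dll")
    if code == "O20" and "Winlogon Notify" in body and "(file missing)" in body:
        reasons.append("Winlogon Notify entry whose DLL is gone (leftover or respawn hook)")
    if code in ("O21", "O22") and in_sys32:
        reasons.append("shell logon hook (SSODL/SharedTaskScheduler) pointing into system32")
    if in_sys32:
        for stem in dlls:
            if looks_random(stem):
                reasons.append("random-looking DLL name in system32: %s.dll" % stem)

    if not reasons:
        return None
    return {"code": code, "reasons": reasons, "dlls": dlls, "line": line.strip()}


def triage(log_text: str):
    """Run triage_line over a whole log and keep only the flagged entries."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


def persistence_map(findings):
    """Map each DLL stem on a flagged line to the sorted HijackThis sections it sits in.
    A DLL hooked in several places (O4 + O20 + O21 + O22) must be removed from all
    of them in one pass, or the surviving hook reinstalls the rest on reboot."""
    sections = defaultdict(set)
    for f in findings:
        for stem in f["dlls"]:
            sections[stem.lower()].add(f["code"])
    return {stem: sorted(codes, key=lambda c: int(c[1:])) for stem, codes in sections.items()}


if __name__ == "__main__":
    flagged = triage(SAMPLE_LOG)
    for f in flagged:
        print(f["line"])
        for reason in f["reasons"]:
            print("    ->", reason)
    print("\nDLLs by persistence point:")
    for stem, codes in sorted(persistence_map(flagged).items()):
        print("    %s.dll: %s" % (stem, ", ".join(codes)))
```

    Paste a whole log into SAMPLE_LOG (or read it from a file) and the report shows which DLLs are hooked in several places; those are the ones that respawn the others if only one hook is removed.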
  • TrowizillaTrowizilla Registered User regular
    edited November 2008
    DeMoN wrote: »

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {f2ed3b39-0237-44f4-b00f-771bfaeebb48} - C:\WINDOWS\system32\bujasojo.dll

    O4 - HKLM\..\Run: [rezunujiwe] Rundll32.exe "C:\WINDOWS\system32\bogiviza.dll",s

    O4 - HKLM\..\Run: [64324ae5] rundll32.exe "C:\WINDOWS\system32\dizagiji.dll",b
    O4 - HKLM\..\Run: [CPM67017979] Rundll32.exe "c:\windows\system32\fivipute.dll",a

    O4 - HKUS\S-1-5-19\..\Run: [rezunujiwe] Rundll32.exe "C:\WINDOWS\system32\bogiviza.dll",s (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [rezunujiwe] Rundll32.exe "C:\WINDOWS\system32\bogiviza.dll",s (User 'NETWORK SERVICE')

    O20 - AppInit_DLLs: C:\WINDOWS\system32\kibahova.dll c:\windows\system32\womayovi.dll c:\windows\system32\borazufu.dll c:\windows\system32\wotuzapi.dll c:\windows\system32\kovuduhi.dll c:\windows\system32\giveyaha.dll c:\windows\system32\kohuhego.dll c:\windows\system32\fivipute.dll

    O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fivipute.dll
    O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fivipute.dll

    OK, I looked at your log file.

    First question: It looks like you're running Norton and Avira antivirus? Or at least you've got remnants of Norton on your computer.

    To get rid of this Vundo thing manually, you'll have to delete these files out of Windows. Like I said earlier, a Linux live CD would be the easiest, but if you don't have one of those, then you'll have to use a Windows CD.

    And if you don't have a Windows CD, then you might be able to install the Recovery Console to your hard drive by installing it from your i386 folder (if you have it). The Recovery Console is normally installed like this, but you can try going to Start -> Run, and then typing in "C:\i386\winnt32.exe /cmdcons". If you have the i386 folder on your hard drive it will install. When you reboot, it will give you the option to boot to the Recovery Console, and then you can delete the files from the command line.

    After the files are deleted, restart into Windows and remove those lines from your computer using HiJackThis.

    Do you have any command line experience?

    Or maybe you can just try ComboFix?

    Deleting the random-name files with the recovery console didn't work for me; they kept respawning.

    Trowizilla on
  • DeMoNDeMoN twitch.tv/toxic_cizzle Registered User regular
    edited November 2008
    Basically I have no experience with anything.

    Is combofix easy to use?

    DeMoN on
    Steam id : Toxic Cizzle
  • finalflight89finalflight89 Registered User regular
    edited November 2008
    Crap, they did return after deletion out of Windows? It's definitely hiding somewhere extra.

    I've never used ComboFix, but the guide given earlier seems pretty detailed on how to use it. And really, anything is worth a shot.

    finalflight89 on
  • nerdgaymernerdgaymer Registered User regular
    edited November 2008
    ComboFix might work, but if it doesn't then you need to do manual removal, and that is tricky at the best of times (look up Process Explorer as a way to kill viral .dlls that are running, so they can be removed successfully). There are demos out there on how to use Process Explorer, though the nastiest variations of Vundo are almost worth just reformatting for.

    nerdgaymer on
  • DeMoNDeMoN twitch.tv/toxic_cizzle Registered User regular
    edited November 2008
    I'm getting a guy I know to come in tomorrow and try to fix it.

    DeMoN on
    Steam id : Toxic Cizzle