Tech Support Guy Forums > Security & Malware Removal > Virus & Other Malware Removal >
Please help remove Trojan Vundo H, did i get it? (In Progress)

joey_bags (Member, joined Nov 2009), 02-Nov-2009 09:01 PM, #1
Hello,

My computer was infected with Trojan Vundo H. I was getting popups, my searches were being redirected, auto update was turned off, applications were not working, etc. I am not sure if I have removed it fully and would really appreciate some assistance. To date, this is what I have done after I discovered it: I downloaded and ran Malwarebytes multiple times, I ran my McAfee VirusScan Enterprise 8.0 (hand-me-down) multiple times, and I also turned System Restore off/on, which seemed to stop it from popping back up on reboot.

Also, what steps should I take to prevent this in the future?

Attached are my latest HijackThis and Malwarebytes logs from before and after deletion.

I really appreciate any help! Let me know if you need anything else.

Thanks in advance,

Joe
Attachment Blocked: attachments in the HJT forum are often designed to solve a specific issue and are not meant to be used without instructions specific to your computer. If you want help specific to your computer, please post a HijackThis log.

sjpritch25 (Moderator & Malware Removal Specialist, joined Sep 2005, Florida), 05-Nov-2009 07:52 PM, #2
Welcome to TSG

I'll be glad to assist you, but please don't attach logs unless directed. Thanks
joey_bags (Member, joined Nov 2009), 05-Nov-2009 09:19 PM, #3
Sorry, can you help please.
sjpritch25 (Moderator & Malware Removal Specialist, joined Sep 2005, Florida), 05-Nov-2009 10:51 PM, #4
We need to see some additional information about what is happening in your machine.
Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool.
  • When done, DDS will open two (2) logs
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop.
  • The instructions here ask you to attach the Attach.txt.

  • Instead of attaching, please copy/paste both logs into your next reply.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run.
After downloading the tool, disconnect from the internet and disable all antivirus protection.
Run the scan, enable your A/V and reconnect to the internet.
Information on A/V control HERE
__________________
Microsoft Valuable Professional Consumer--Security 2007-2010
Please make a donation to keep the site running. All proceeds go directly to the site!!! Donate Here
joey_bags (Member, joined Nov 2009), 05-Nov-2009 11:07 PM, #5
Thank you very much for your help. I have followed your instructions and attached are the logs.


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_09-10-26.01)
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 9/7/2005 1:18:40 AM
System Uptime: 11/5/2009 7:38:09 AM (14 hours ago)
Motherboard: Dell Computer Corp. | | 0F5949
Processor: Intel(R) Pentium(R) 4 CPU 2.66GHz | Microprocessor | 2657/533mhz
==== Disk Partitions =========================
A: is Removable
C: is FIXED (NTFS) - 74 GiB total, 20.031 GiB free.
D: is CDROM ()
==== Disabled Device Manager Items =============
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Multimedia Audio Controller
Device ID: PCI\VEN_8086&DEV_24C5&SUBSYS_01601028&REV_01\3&172E68DD&0&FD
Manufacturer:
Name: Multimedia Audio Controller
PNP Device ID: PCI\VEN_8086&DEV_24C5&SUBSYS_01601028&REV_01\3&172E68DD&0&FD
Service:
==== System Restore Points ===================
RP1: 11/1/2009 10:40:45 PM - System Checkpoint
RP2: 11/3/2009 9:42:40 AM - System Checkpoint
RP3: 11/4/2009 10:00:29 AM - System Checkpoint
RP4: 11/4/2009 10:41:13 PM - Software Distribution Service 3.0
RP5: 11/5/2009 10:42:32 PM - System Checkpoint
==== Installed Programs ======================
Adobe Acrobat 4.0
Adobe Download Manager 2.0 (Remove Only)
Adobe Flash Player 10 ActiveX
Adobe Reader 7.0.8
ANIO Service
ANIWZCS2 Service
Apple Software Update
ArcSoft PhotoStudio 5.5
BlackBerry Desktop Software 4.3
Broadcom 440x 10/100 Integrated Controller
Camera Access Library
Camera Support Core Library
Camera Window DS
Camera Window DVC
Camera Window MC
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window DSLR 5 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon MovieEdit Task for ZoomBrowser EX
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon Utilities PhotoStitch 3.1
Canon ZoomBrowser EX (E)
Critical Update for Windows Media Player 11 (KB959772)
Dell ResourceCD
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
hp instant support
HP Memories Disc
Intel(R) Extreme Graphics Driver
Java(TM) 6 Update 16
KV-S7065C TWAIN Driver
KV-S7065C/S3065C ISIS Driver
Linksys VPN Client
Malwarebytes' Anti-Malware
McAfee Agent
McAfee VirusScan Enterprise
MCD
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office XP Professional
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
MovieEdit Task
Mozilla Firefox (1.5)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6 Service Pack 2 (KB954459)
Panasonic High Speed Scanner Device Driver (Ver 1.10)
Panasonic Scanner User Utility
PhotoStitch
Presto! BizCard 4.0 Eng
QuickTime
RAW Image Task 2.2
Readiris Pro 9
Roxio Media Manager
RTIV
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953155)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
ShareIns
SyncBack
Update for Windows Internet Explorer 8 (KB972636)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
WD Diagnostics
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
==== Event Viewer Messages From Past Week ========
11/1/2009 12:55:44 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the
service netman with arguments "" in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}
11/1/2009 12:55:44 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the
service EventSystem with arguments "" in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}
11/1/2009 12:12:46 PM, error: Service Control Manager [7026] - The following boot-start or
system-start driver(s) failed to load: AFD Fips intelppm IPSec MRxSmb NaiAvTdi1 NetBIOS
NetBT OMCI RasAcd Rdbss Tcpip
11/1/2009 12:12:46 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper
service depends on the AFD Networking Support Environment service which failed to start
because of the following error: A device attached to the system is not functioning.
11/1/2009 12:12:46 PM, error: Service Control Manager [7001] - The IPSEC Services service
depends on the IPSEC driver service which failed to start because of the following error: A
device attached to the system is not functioning.
11/1/2009 12:12:46 PM, error: Service Control Manager [7001] - The DNS Client service
depends on the TCP/IP Protocol Driver service which failed to start because of the following
error: A device attached to the system is not functioning.
11/1/2009 12:12:46 PM, error: Service Control Manager [7001] - The DHCP Client service
depends on the NetBios over Tcpip service which failed to start because of the following
error: A device attached to the system is not functioning.
10/30/2009 8:29:27 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the
service wuauserv with arguments "" in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}
10/30/2009 8:27:31 PM, error: Service Control Manager [7000] - The Application Layer
Gateway Service service failed to start due to the following error: The service did not
respond to the start or control request in a timely fashion.
10/30/2009 8:27:25 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds)
waiting for the Application Layer Gateway Service service to connect.
==== End Of File ===========================

DDS (Ver_09-10-26.01) - NTFSx86
Run by Owner at 21:57:34.00 on Thu 11/05/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.30 [GMT -5:00]

============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\udaterui.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
svchost.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [ANIWZCS2Service] c:\program files\ani\aniwzcs2 service\WZCSLDR2.exe
mRun: [ShStatEXE] "c:\program files\network associates\virusscan\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\udaterui.exe" /StartedFromRunKey
mRun: [Network Associates Error Reporting Service] "c:\program files\common files\network associates\talkback\TBMon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli jayebivo.dll
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\qgb0iclf.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\progra~1\mozill~1\extensions\inspector@mozilla.org\components\inspector.dll
FF - component: c:\progra~1\mozill~1\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\mozilla firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default",
"chrome://branding/content/searchconfig.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom",
"chrome://branding/content/searchconfig.properties");
============= SERVICES / DRIVERS ===============
R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2005-11-13 58048]
=============== Created Last 30 ================
2009-11-03 00:42:33 0 d-----w- c:\program files\Trend Micro
2009-11-01 16:04:35 0 d-----w- c:\windows\pss
2009-10-31 13:36:40 73728 ----a-w- c:\windows\system32\javacpl.cpl
2009-10-31 13:36:40 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-31 02:52:45 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-31 02:52:43 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-31 02:52:43 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-31 02:52:43 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-31 02:42:30 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2009-10-30 21:09:09 0 d-----w- C:\quarantine
2009-10-27 16:17:57 1 --sh--w- c:\windows\system32\wovobubo.dll
2009-10-27 16:17:57 1 --sh--w- c:\windows\system32\jatiwuhe.dll
2009-10-27 16:17:57 1 --sh--w- c:\windows\system32\getozifi.dll
2009-10-17 20:11:06 0 d-----w- c:\program files\2BrightSparks
2009-10-17 20:09:54 1878371 ----a-w- c:\program files\SyncBack_Setup.zip
2009-10-17 16:53:39 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-10-17 16:52:46 655872 -c----w- c:\windows\system32\dllcache\mstscax.dll
2009-10-17 15:37:07 56142750 ----a-w- c:\program files\Mcafee virus scan.zip
2009-10-17 14:46:30 212480 ----a-w- c:\windows\PCDLIB32.DLL
2009-10-14 01:22:27 0 ----a-w- c:\windows\OpPrintServer.INI
2009-10-14 01:20:49 0 d-----w- c:\program files\Canon
==================== Find3M ====================
2009-10-14 00:55:25 35776 ----a-w- c:\docume~1\owner\applic~1\GDIPFONTCACHEV1.DAT
2009-10-12 15:21:30 3900 ----a-w- c:\windows\mozver.dat
2009-09-11 14:33:52 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 20:45:26 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08:21 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:16:37 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-16 15:18:09 256 ----a-w- c:\documents and settings\owner\pool.bin
2009-07-27 16:17:54 1 --sha-w- c:\windows\system32\dejowara.dll
2009-07-27 16:17:54 1 --sha-w- c:\windows\system32\rohipije.dll
2009-07-27 16:17:54 1 --sha-w- c:\windows\system32\walihapo.dll
============= FINISH: 21:58:59.62 ===============
sjpritch25 (Moderator & Malware Removal Specialist, joined Sep 2005, Florida), 06-Nov-2009 10:04 PM, #6
Note: You may need to unhide hidden files and folders.
Configure Windows XP to show hidden files:
Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View Tab.

Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.


====================================


Open Notepad and copy/paste the text in the codebox below into it:
Code:
@echo off
rem Needs a command-line zip tool (for example Info-ZIP's zip.exe) on the PATH.
rem Windows XP does not ship one; without it the loop below does nothing and
rem the batch file would still delete itself, so check for zip first.
zip -v >nul 2>&1 || (echo zip.exe was not found on the PATH & pause & goto :eof)
for %%g in (
"c:\windows\system32\wovobubo.dll"
"c:\windows\system32\jatiwuhe.dll"
"c:\windows\system32\getozifi.dll"
"c:\windows\system32\dejowara.dll"
"c:\windows\system32\rohipije.dll"
"c:\windows\system32\walihapo.dll"
) do zip Files_for_submission %%g
rem Only remove this script once the archive actually exists.
if exist Files_for_submission.zip (del %0) else (echo No archive was created & pause)
Save this as grab.bat
Choose "Save as type - All Files"
Save it on your desktop.

Double click on grab.bat & allow it to run

A file, Files_for_submission.zip will be created on your desktop.

Please upload that file here --> http://www.bleepingcomputer.com/subm...php?channel=70


===================================================

Please download the OTM.exe by OldTimer.
  • Save it to your desktop.
  • Please double-click OTM.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :files
    c:\windows\system32\wovobubo.dll
    c:\windows\system32\jatiwuhe.dll
    c:\windows\system32\getozifi.dll
    c:\windows\system32\dejowara.dll
    c:\windows\system32\rohipije.dll
    c:\windows\system32\walihapo.dll
    :reg
    [HKEY_LOCAL_MACHINE\System\CurrentControlset\Control\Lsa]
    "Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
    :commands
    [emptytemp]
    
  • Return to OTMoveIt3, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Click Ok to allow OTM reboot your machine.
  • After reboot, a log file will appear. Copy the contents to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
  • Close OTM
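Added example (my own script, not part of this thread and not code from DDS or OTM): a small Python triage script that applies the two checks behind the fix in the post above to lines copied from the DDS log posted earlier. It flags any LSA Notification Packages entry other than the stock scecli, lists hidden, system-attributed 1-byte DLLs with random eight-letter names under system32, and decodes the hex(7) byte list from the OTM :reg section to confirm the replacement value contains nothing but scecli. The allowlist, the 16-byte size threshold and the eight-lowercase-letters filename pattern are my assumptions drawn from this log, not anything DDS or OTM define.

```python
"""Triage checks for a DDS "Pseudo HJT Report" (added example, not part of
the thread or of the DDS/OTM tools)."""
import re

# Assumption: a stock Windows XP install lists only "scecli" here. Hosts that
# use third-party password filters need those module names added.
KNOWN_LSA_PACKAGES = {"scecli"}

# Lines copied from the DDS log posted earlier in the thread.
SAMPLE_DDS = """\
LSA: Notification Packages = scecli jayebivo.dll
2009-10-27 16:17:57 1 --sh--w- c:\\windows\\system32\\wovobubo.dll
2009-10-27 16:17:57 1 --sh--w- c:\\windows\\system32\\jatiwuhe.dll
2009-10-31 13:36:40 73728 ----a-w- c:\\windows\\system32\\javacpl.cpl
2009-07-27 16:17:54 1 --sha-w- c:\\windows\\system32\\dejowara.dll
2009-09-11 14:33:52 133632 ----a-w- c:\\windows\\system32\\msv1_0.dll
"""

# The :reg value from the OTM script above, in OTM's hex(7) notation.
OTM_FIX_HEX = "73,63,65,63,6c,69,00,00"

LSA_RE = re.compile(r"^LSA:\s*Notification Packages\s*=\s*(.*)$", re.M)
# "date time size attrs path", as DDS prints its Created Last 30 / Find3M lines.
FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(?P<size>\d+)\s+"
    r"(?P<attrs>[-a-z]{8})\s+(?P<path>\S.*)$",
    re.M,
)


def unknown_lsa_packages(log):
    """Return LSA notification package names that are not allowlisted."""
    m = LSA_RE.search(log)
    if not m:
        return []
    # Entries are normally bare module names; tolerate a ".dll" suffix.
    return [p for p in m.group(1).split()
            if re.sub(r"\.dll$", "", p, flags=re.I).lower() not in KNOWN_LSA_PACKAGES]


def suspicious_system32_dlls(log, max_size=16):
    """Return system32 DLLs that are hidden+system, at most max_size bytes and
    named with eight lowercase letters (assumed pattern from the log above)."""
    hits = []
    for m in FILE_RE.finditer(log):
        path = m.group("path")
        low = path.lower()
        base = low.rsplit("\\", 1)[-1]
        if not low.startswith("c:\\windows\\system32\\"):
            continue
        if not re.fullmatch(r"[a-z]{8}\.dll", base):
            continue
        attrs = m.group("attrs")  # e.g. "--sh--w-": s = system, h = hidden
        if "h" in attrs and "s" in attrs and int(m.group("size")) <= max_size:
            hits.append(path)
    return hits


def decode_otm_multi_sz(hex_list):
    """Decode OTM's comma-separated hex(7) bytes: NUL-separated ASCII strings
    ended by an extra NUL, so "73,63,65,63,6c,69,00,00" -> ["scecli"]."""
    raw = bytes(int(b, 16) for b in hex_list.split(","))
    return [s.decode("ascii") for s in raw.split(b"\x00") if s]


def triage(log, fix_hex):
    """Run every check and report whether the proposed :reg fix would leave
    only allowlisted packages behind."""
    restored = decode_otm_multi_sz(fix_hex)
    return {
        "unknown_lsa_packages": unknown_lsa_packages(log),
        "suspicious_dlls": suspicious_system32_dlls(log),
        "fix_restores_only_known": bool(restored) and set(restored) <= KNOWN_LSA_PACKAGES,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DDS, OTM_FIX_HEX).items():
        print(f"{key}: {value}")
```

Two caveats. The comma-separated byte list is OTM's own single-byte notation as it appears in the thread; a Registry Editor .reg export writes a REG_MULTI_SZ as UTF-16LE (73,00,63,00,...), so the decoder above does not apply to .reg files unchanged. And the "LoadLibrary failed" lines in the OTM log further down are consistent with the 1-byte sizes DDS reported for those six files: they are placeholders, not loadable modules, which is also why a plain file move is the right removal step.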
joey_bags (Member, joined Nov 2009), 07-Nov-2009 06:14 PM, #7
Thanks. I will follow the steps you outlined.

Before I do that, are these next steps because you found something wrong?
sjpritch25 (Moderator & Malware Removal Specialist, joined Sep 2005, Florida), 07-Nov-2009 08:47 PM, #8
Yes, there are still some leftover malware files to remove, and I need those files to analyze. Thanks
joey_bags (Member, joined Nov 2009), 08-Nov-2009 10:12 AM, #9
I tried running grab.bat twice. Both times it disappeared from the desktop and no zip file was created. I will not proceed with OTM until I hear from you.

Thanks
sjpritch25 (Moderator & Malware Removal Specialist, joined Sep 2005, Florida), 08-Nov-2009 05:12 PM, #10
Don't worry about the files, just go ahead with otm
joey_bags (Member, joined Nov 2009), 08-Nov-2009 09:31 PM, #11
Why didn't the grab.bat work? Will it cause any harm?

On a side note, I noticed I can see my System Restore points on all my hard drives, including the externals, after I changed the hide settings. Is this typical?

Here's the OTM log. Thanks for all the help!

All processes killed
========== FILES ==========
LoadLibrary failed for c:\windows\system32\wovobubo.dll
c:\windows\system32\wovobubo.dll NOT unregistered.
c:\windows\system32\wovobubo.dll moved successfully.
LoadLibrary failed for c:\windows\system32\jatiwuhe.dll
c:\windows\system32\jatiwuhe.dll NOT unregistered.
c:\windows\system32\jatiwuhe.dll moved successfully.
LoadLibrary failed for c:\windows\system32\getozifi.dll
c:\windows\system32\getozifi.dll NOT unregistered.
c:\windows\system32\getozifi.dll moved successfully.
LoadLibrary failed for c:\windows\system32\dejowara.dll
c:\windows\system32\dejowara.dll NOT unregistered.
c:\windows\system32\dejowara.dll moved successfully.
LoadLibrary failed for c:\windows\system32\rohipije.dll
c:\windows\system32\rohipije.dll NOT unregistered.
c:\windows\system32\rohipije.dll moved successfully.
LoadLibrary failed for c:\windows\system32\walihapo.dll
c:\windows\system32\walihapo.dll NOT unregistered.
c:\windows\system32\walihapo.dll moved successfully.
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\System\CurrentControlset\Control\Lsa\\"Notification Packages"|hex(7):73,63,65,63,6c,69,00,00 /E : value set successfully!
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 76135 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 6698515 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Owner
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temp\~DF30E0.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temp\~DF30ED.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temp\~DF4CD5.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temp\~DF4CE2.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temp\~DF4EA2.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temp\~DF4EDA.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temp\~DF547C.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temp\~DF60A.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temp\~DFC02A.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temp\~DFFB3E.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temp\~DFFBAD.tmp scheduled to be deleted on reboot.
->Temp folder emptied: 132788593 bytes
->Temporary Internet Files folder emptied: 39770491 bytes
->Java cache emptied: 25555838 bytes
->FireFox cache emptied: 29659638 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2233200 bytes
%systemroot%\System32 .tmp files removed: 23152145 bytes
File delete failed. C:\WINDOWS\temp\WFV1F.tmp scheduled to be deleted on reboot.
Windows Temp folder emptied: 133200948 bytes
RecycleBin emptied: 1302461 bytes

Total Files Cleaned = 376.23 mb


OTM by OldTimer - Version 3.0.0.6 log created on 11082009_190501
Files moved on Reboot...
File C:\Documents and Settings\Owner\Local Settings\Temp\~DF30E0.tmp not found!
File C:\Documents and Settings\Owner\Local Settings\Temp\~DF30ED.tmp not found!
File C:\Documents and Settings\Owner\Local Settings\Temp\~DF4CD5.tmp not found!
File C:\Documents and Settings\Owner\Local Settings\Temp\~DF4CE2.tmp not found!
File C:\Documents and Settings\Owner\Local Settings\Temp\~DF4EA2.tmp not found!
File C:\Documents and Settings\Owner\Local Settings\Temp\~DF4EDA.tmp not found!
File C:\Documents and Settings\Owner\Local Settings\Temp\~DF547C.tmp not found!
File C:\Documents and Settings\Owner\Local Settings\Temp\~DF60A.tmp not found!
File C:\Documents and Settings\Owner\Local Settings\Temp\~DFC02A.tmp not found!
File C:\Documents and Settings\Owner\Local Settings\Temp\~DFFB3E.tmp not found!
File C:\Documents and Settings\Owner\Local Settings\Temp\~DFFBAD.tmp not found!
File C:\WINDOWS\temp\WFV1F.tmp not found!
Registry entries deleted on Reboot...
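An added example, not part of the thread and not OTM's own code: a short Python script that reconciles a log of the kind pasted above. It answers the three things a helper normally checks by eye: which files were moved, whether every delete that was deferred to reboot was later confirmed gone by the "Files moved on Reboot..." pass, and what the hex(7) registry write decodes to (here, the bytes 73,63,65,63,6c,69,00,00 are the REG_MULTI_SZ "scecli", the stock entry for LSA's Notification Packages on Windows XP; every DLL listed there is loaded into lsass.exe at boot, so a cleaned machine should show only that one). The regexes assume only the line formats visible in the log; the sample input embeds a few lines copied from it plus one constructed deferred delete (STILLHERE.tmp) that the reboot pass never confirms, so the "still present" path is exercised.

```python
"""Reconcile an OTM (OldTimer's OTMoveIt) log: files moved, deletes deferred to
reboot and whether the reboot pass confirmed them, and decoded registry writes.
Added example; the line formats are taken from the log in this thread."""
import re

# Constructed sample: lines copied from the thread's OTM log, plus one made-up
# deferred delete (STILLHERE.tmp) that the post-reboot section never confirms.
SAMPLE_LOG = r"""
LoadLibrary failed for c:\windows\system32\rohipije.dll
c:\windows\system32\rohipije.dll NOT unregistered.
c:\windows\system32\rohipije.dll moved successfully.
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\System\CurrentControlset\Control\Lsa\\"Notification Packages"|hex(7):73,63,65,63,6c,69,00,00 /E : value set successfully!
========== COMMANDS ==========
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temp\~DF30E0.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\WFV1F.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\STILLHERE.tmp scheduled to be deleted on reboot.
Total Files Cleaned = 376.23 mb
OTM by OldTimer - Version 3.0.0.6 log created on 11082009_190501
Files moved on Reboot...
File C:\Documents and Settings\Owner\Local Settings\Temp\~DF30E0.tmp not found!
File C:\WINDOWS\temp\WFV1F.tmp not found!
Registry entries deleted on Reboot...
"""

MOVED = re.compile(r"^(?P<path>.+?) moved successfully\.$")
NOT_UNREG = re.compile(r"^(?P<path>.+?) NOT unregistered\.$")
DEFERRED = re.compile(r"^File delete failed\. (?P<path>.+?) scheduled to be deleted on reboot\.$")
GONE = re.compile(r"^File (?P<path>.+?) not found!$")
REG_SET = re.compile(r"^(?P<key>HKEY_[^|]+)\|hex\(7\):(?P<hex>[0-9A-Fa-f,]+)")


def decode_hex7(hex_list: str) -> list:
    """Decode a hex(7) (REG_MULTI_SZ) byte list into its strings.

    OTM writes the bytes as single-byte ASCII; the value is a run of
    NUL-terminated strings closed by one extra NUL. (A Regedit .reg export of
    the same value would be UTF-16LE, i.e. twice as many bytes.)"""
    raw = bytes(int(b, 16) for b in hex_list.split(",") if b)
    return [s.decode("ascii") for s in raw.split(b"\x00") if s]


def parse_otm_log(text: str) -> dict:
    """Return moved files, deletes deferred to reboot, which of those the reboot
    pass confirmed gone, which it did not, and decoded registry writes.
    Paths are lower-cased because Windows compares them case-insensitively."""
    moved, not_unreg, deferred, gone, registry = [], [], [], [], {}
    for line in text.splitlines():
        line = line.strip()
        if m := MOVED.match(line):
            moved.append(m["path"].lower())
        elif m := NOT_UNREG.match(line):
            not_unreg.append(m["path"].lower())
        elif m := DEFERRED.match(line):
            deferred.append(m["path"].lower())
        elif m := GONE.match(line):
            gone.append(m["path"].lower())
        elif m := REG_SET.match(line):
            registry[m["key"]] = decode_hex7(m["hex"])
    return {
        "moved": moved,
        "not_unregistered": not_unreg,
        "deferred": deferred,
        "confirmed_gone": [p for p in deferred if p in gone],
        "still_present": [p for p in deferred if p not in gone],
        "registry": registry,
    }


def lsa_notification_packages(parsed: dict):
    """The decoded 'Notification Packages' value if the log wrote one, else None.

    LSA loads every DLL named in this value into lsass.exe at boot, so on a
    cleaned Windows XP box it should contain only the stock entry, scecli."""
    for key, value in parsed["registry"].items():
        if "notification packages" in key.lower():
            return value
    return None


def main() -> None:
    parsed = parse_otm_log(SAMPLE_LOG)
    print("moved:", parsed["moved"])
    print("not unregistered (LoadLibrary failed):", parsed["not_unregistered"])
    print("confirmed gone after reboot:", parsed["confirmed_gone"])
    print("still present after reboot, re-check these:", parsed["still_present"])
    pkgs = lsa_notification_packages(parsed)
    print("LSA Notification Packages now:", pkgs,
          "(OK)" if pkgs == ["scecli"] else "(REVIEW: unexpected entry)")


if __name__ == "__main__":
    main()
```

To use it on a real log, replace SAMPLE_LOG with the pasted text (or read it from the file OTM saves). Anything listed under "still present" was scheduled for deletion but never reported "not found!" after the reboot, so it is worth checking by hand; any Notification Packages entry other than scecli deserves a look before the machine is declared clean.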
sjpritch25's Avatar
Moderator & Malware Removal Specialist with 9,113 posts.
 
Join Date: Sep 2005
Location: Florida
Experience: Advanced
08-Nov-2009, 09:44 PM #12
System Restore is set to hidden by default.
joey_bags's Avatar
Member with 39 posts.
 
Join Date: Nov 2009
09-Nov-2009, 12:20 AM #13
Am I all clear?

Can you make any recommendations as to what steps to take to prevent this in the future?

Thanks
sjpritch25's Avatar
Moderator & Malware Removal Specialist with 9,113 posts.
 
Join Date: Sep 2005
Location: Florida
Experience: Advanced
09-Nov-2009, 08:04 AM #14
Open OTM.exe
Click on the Cleanup button

Reboot if prompted.


Please uninstall the following out of date program
Adobe Reader 7.0.8

Go Here to download Adobe Acrobat 9.2

==================================

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. Beware: it is NOT supported for use in 9x or ME and probably will not install on those systems.

Upgrading Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u17.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.


=======================


Now that your system is clean you should SET A NEW RESTORE POINT to prevent future reinfection from the old restore point AFTER cleaning your system of any malware infection. Any trojans or spyware you picked up could have been saved in System Restore and are waiting to re-infect you. Since System Restore is a protected directory, your tools can not access it to delete files, trapping viruses inside. Setting a new restore point should be done to prevent any future reinfection from the old restore point and enable your computer to "roll-back" in case there is a future problem.

To SET A NEW RESTORE POINT:
1. Go to Start > Programs > Accessories > System Tools and click "System Restore".
2. Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
3. Then go to Start > Run and type: Cleanmgr
4. Click "OK".
5. Click the "More Options" Tab.
6. Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

Graphics for doing this are in the following links if you need them.
How to Create a Restore Point.
How to use Cleanmgr.

======================================

Here is some useful information on keeping your computer clean:
1. Most important thing is to make sure Windows is kept up to date with the latest patches and updates from Windows Update.

It's safe to update to SP3, which is needed.
__________________
Microsoft Valuable Professional Consumer--Security 2007-2010
Please make a donation to keep the site running. All proceeds go directly to the site!!! Donate Here
joey_bags's Avatar
Member with 39 posts.
 
Join Date: Nov 2009
09-Nov-2009, 10:23 PM #15
Man I really appreciate your help, I plan on donating to your cause!

I do not believe your list of tips to keep my computer clean posted.

Also, is it now safe to access my banking info, etc.?
Copyright © 1996 - 2011 TechGuy, Inc. All rights reserved.