
Please help remove Trojan Vundo H, did i get it?

Discussion in 'Virus & Other Malware Removal' started by joey_bags, Nov 2, 2009.

  1. joey_bags

    joey_bags Thread Starter

    Joined:
    Nov 2, 2009
    Messages:
    39
    Hello,

    My computer was infected with Trojan Vundo H. I was getting popups, my searches were being redirected, auto update was turned off, applications were not working, etc. I am not sure if I have removed it fully and would really appreciate some assistance. To date, this is what I have done after I discovered it: I downloaded and ran Malwarebytes multiple times, I ran my McAfee VirusScan Enterprise 8.0 (a hand-me-down) multiple times, and I also turned System Restore off and on, which seemed to stop it from popping back up on reboot.

    Also, what steps should I take to prevent this in the future?

    Attached are my latest HijackThis and Malwarebytes files from before and after deletion.

    I really appreciate any help! Let me know if you need anything else.

    Thanks in advance,

    Joe
     


  2. sjpritch25

    sjpritch25 Malware Specialist

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Welcome to TSG :)

    I'll be glad to assist you, but please don't attach logs unless directed. Thanks
     
  3. joey_bags

    joey_bags Thread Starter

    Sorry. Can you help, please?
     
  4. sjpritch25

    sjpritch25 Malware Specialist

    We need to see some additional information about what is happening in your machine.
    Please perform the following scan:
    • Download DDS by sUBs from one of the following links. Save it to your desktop.
    • Double click on the DDS icon, allow it to run.
    • A small box will open, with an explanation about the tool.
    • When done, DDS will open two (2) logs
      1. DDS.txt
      2. Attach.txt
    • Save both reports to your desktop.
    • The instructions here ask you to attach the Attach.txt.
    • Instead of attaching, please copy/paste both logs into your next reply.
    • Close the program window, and delete the program from your desktop.
    Please note: You may have to disable any script protection running if the scan fails to run.
    After downloading the tool, disconnect from the internet and disable all antivirus protection.
    Run the scan, enable your A/V and reconnect to the internet.
    Information on A/V control HERE
     
  5. joey_bags

    joey_bags Thread Starter

    Thank you very much for your help. I have followed your instructions and attached are the logs.


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    DDS (Ver_09-10-26.01)
    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 9/7/2005 1:18:40 AM
    System Uptime: 11/5/2009 7:38:09 AM (14 hours ago)
    Motherboard: Dell Computer Corp. | | 0F5949
    Processor: Intel(R) Pentium(R) 4 CPU 2.66GHz | Microprocessor | 2657/533mhz
    ==== Disk Partitions =========================
    A: is Removable
    C: is FIXED (NTFS) - 74 GiB total, 20.031 GiB free.
    D: is CDROM ()
    ==== Disabled Device Manager Items =============
    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: Multimedia Audio Controller
    Device ID: PCI\VEN_8086&DEV_24C5&SUBSYS_01601028&REV_01\3&172E68DD&0&FD
    Manufacturer:
    Name: Multimedia Audio Controller
    PNP Device ID: PCI\VEN_8086&DEV_24C5&SUBSYS_01601028&REV_01\3&172E68DD&0&FD
    Service:
    ==== System Restore Points ===================
    RP1: 11/1/2009 10:40:45 PM - System Checkpoint
    RP2: 11/3/2009 9:42:40 AM - System Checkpoint
    RP3: 11/4/2009 10:00:29 AM - System Checkpoint
    RP4: 11/4/2009 10:41:13 PM - Software Distribution Service 3.0
    RP5: 11/5/2009 10:42:32 PM - System Checkpoint
    ==== Installed Programs ======================
    Adobe Acrobat 4.0
    Adobe Download Manager 2.0 (Remove Only)
    Adobe Flash Player 10 ActiveX
    Adobe Reader 7.0.8
    ANIO Service
    ANIWZCS2 Service
    Apple Software Update
    ArcSoft PhotoStudio 5.5
    BlackBerry Desktop Software 4.3
    Broadcom 440x 10/100 Integrated Controller
    Camera Access Library
    Camera Support Core Library
    Camera Window DS
    Camera Window DVC
    Camera Window MC
    Canon Camera Access Library
    Canon Camera Support Core Library
    Canon Camera Window DC_DV 5 for ZoomBrowser EX
    Canon Camera Window DC_DV 6 for ZoomBrowser EX
    Canon Camera Window DSLR 5 for ZoomBrowser EX
    Canon Camera Window MC 6 for ZoomBrowser EX
    Canon MovieEdit Task for ZoomBrowser EX
    Canon PhotoRecord
    Canon RAW Image Task for ZoomBrowser EX
    Canon Utilities PhotoStitch 3.1
    Canon ZoomBrowser EX (E)
    Critical Update for Windows Media Player 11 (KB959772)
    Dell ResourceCD
    HijackThis 2.0.2
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB926239)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB970653-v3)
    hp instant support
    HP Memories Disc
    Intel(R) Extreme Graphics Driver
    Java(TM) 6 Update 16
    KV-S7065C TWAIN Driver
    KV-S7065C/S3065C ISIS Driver
    Linksys VPN Client
    Malwarebytes' Anti-Malware
    McAfee Agent
    McAfee VirusScan Enterprise
    MCD
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Office XP Professional
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    MovieEdit Task
    Mozilla Firefox (1.5)
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 6 Service Pack 2 (KB954459)
    Panasonic High Speed Scanner Device Driver (Ver 1.10)
    Panasonic Scanner User Utility
    PhotoStitch
    Presto! BizCard 4.0 Eng
    QuickTime
    RAW Image Task 2.2
    Readiris Pro 9
    Roxio Media Manager
    RTIV
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Media Player 9 (KB911565)
    Security Update for Windows Media Player 9 (KB917734)
    Security Update for Windows Media Player 9 (KB936782)
    Security Update for Windows XP (KB890046)
    Security Update for Windows XP (KB893066)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896422)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896424)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB896688)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB904706)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB905915)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB908531)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911567)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB912812)
    Security Update for Windows XP (KB912919)
    Security Update for Windows XP (KB913446)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB916281)
    Security Update for Windows XP (KB917159)
    Security Update for Windows XP (KB917344)
    Security Update for Windows XP (KB917422)
    Security Update for Windows XP (KB917953)
    Security Update for Windows XP (KB918118)
    Security Update for Windows XP (KB918439)
    Security Update for Windows XP (KB918899)
    Security Update for Windows XP (KB919007)
    Security Update for Windows XP (KB920213)
    Security Update for Windows XP (KB920214)
    Security Update for Windows XP (KB920670)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB920685)
    Security Update for Windows XP (KB921398)
    Security Update for Windows XP (KB921883)
    Security Update for Windows XP (KB922616)
    Security Update for Windows XP (KB922760)
    Security Update for Windows XP (KB922819)
    Security Update for Windows XP (KB923191)
    Security Update for Windows XP (KB923414)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923980)
    Security Update for Windows XP (KB924191)
    Security Update for Windows XP (KB924270)
    Security Update for Windows XP (KB924496)
    Security Update for Windows XP (KB924667)
    Security Update for Windows XP (KB925486)
    Security Update for Windows XP (KB925902)
    Security Update for Windows XP (KB926255)
    Security Update for Windows XP (KB926436)
    Security Update for Windows XP (KB927779)
    Security Update for Windows XP (KB927802)
    Security Update for Windows XP (KB928255)
    Security Update for Windows XP (KB928843)
    Security Update for Windows XP (KB929123)
    Security Update for Windows XP (KB930178)
    Security Update for Windows XP (KB931261)
    Security Update for Windows XP (KB931784)
    Security Update for Windows XP (KB932168)
    Security Update for Windows XP (KB933729)
    Security Update for Windows XP (KB935839)
    Security Update for Windows XP (KB935840)
    Security Update for Windows XP (KB936021)
    Security Update for Windows XP (KB938127)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB938829)
    Security Update for Windows XP (KB941202)
    Security Update for Windows XP (KB941568)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB941644)
    Security Update for Windows XP (KB941693)
    Security Update for Windows XP (KB943055)
    Security Update for Windows XP (KB943460)
    Security Update for Windows XP (KB943485)
    Security Update for Windows XP (KB944338)
    Security Update for Windows XP (KB944533)
    Security Update for Windows XP (KB944653)
    Security Update for Windows XP (KB945553)
    Security Update for Windows XP (KB946026)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB947864)
    Security Update for Windows XP (KB948590)
    Security Update for Windows XP (KB948881)
    Security Update for Windows XP (KB950749)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953155)
    Security Update for Windows XP (KB953838)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958215)
    Security Update for Windows XP (KB958470)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960714)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972260)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    ShareIns
    SyncBack
    Update for Windows Internet Explorer 8 (KB972636)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB900485)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB911280)
    Update for Windows XP (KB916595)
    Update for Windows XP (KB920872)
    Update for Windows XP (KB922582)
    Update for Windows XP (KB927891)
    Update for Windows XP (KB930916)
    Update for Windows XP (KB936357)
    Update for Windows XP (KB938828)
    Update for Windows XP (KB942763)
    Update for Windows XP (KB942840)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB973815)
    WD Diagnostics
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Installer 3.1 (KB893803)
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB885250
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB885884
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB887742
    Windows XP Hotfix - KB888113
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB891781
    Windows XP Service Pack 2
    ==== Event Viewer Messages From Past Week ========
    11/1/2009 12:55:44 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the
    service netman with arguments "" in order to run the server:
    {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    11/1/2009 12:55:44 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the
    service EventSystem with arguments "" in order to run the server:
    {1BE1F766-5536-11D1-B726-00C04FB926AF}
    11/1/2009 12:12:46 PM, error: Service Control Manager [7026] - The following boot-start or
    system-start driver(s) failed to load: AFD Fips intelppm IPSec MRxSmb NaiAvTdi1 NetBIOS
    NetBT OMCI RasAcd Rdbss Tcpip
    11/1/2009 12:12:46 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper
    service depends on the AFD Networking Support Environment service which failed to start
    because of the following error: A device attached to the system is not functioning.
    11/1/2009 12:12:46 PM, error: Service Control Manager [7001] - The IPSEC Services service
    depends on the IPSEC driver service which failed to start because of the following error: A
    device attached to the system is not functioning.
    11/1/2009 12:12:46 PM, error: Service Control Manager [7001] - The DNS Client service
    depends on the TCP/IP Protocol Driver service which failed to start because of the following
    error: A device attached to the system is not functioning.
    11/1/2009 12:12:46 PM, error: Service Control Manager [7001] - The DHCP Client service
    depends on the NetBios over Tcpip service which failed to start because of the following
    error: A device attached to the system is not functioning.
    10/30/2009 8:29:27 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the
    service wuauserv with arguments "" in order to run the server:
    {E60687F7-01A1-40AA-86AC-DB1CBF673334}
    10/30/2009 8:27:31 PM, error: Service Control Manager [7000] - The Application Layer
    Gateway Service service failed to start due to the following error: The service did not
    respond to the start or control request in a timely fashion.
    10/30/2009 8:27:25 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds)
    waiting for the Application Layer Gateway Service service to connect.
    ==== End Of File ===========================

    DDS (Ver_09-10-26.01) - NTFSx86
    Run by Owner at 21:57:34.00 on Thu 11/05/2009
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.30 [GMT -5:00]

    ============== Running Processes ===============
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\udaterui.exe
    C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    svchost.exe
    C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Network Associates\Common Framework\McTray.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Owner\Desktop\dds.scr
    ============== Pseudo HJT Report ===============
    uStart Page = hxxp://www.google.com/
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uInternet Settings,ProxyOverride = 127.0.0.1
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mSearchAssistant = hxxp://www.google.com/ie
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [ANIWZCS2Service] c:\program files\ani\aniwzcs2 service\WZCSLDR2.exe
    mRun: [ShStatEXE] "c:\program files\network associates\virusscan\SHSTAT.EXE" /STANDALONE
    mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\udaterui.exe" /StartedFromRunKey
    mRun: [Network Associates Error Reporting Service] "c:\program files\common files\network associates\talkback\TBMon.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [<NO NAME>]
    mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
    mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
    Notify: igfxcui - igfxsrvc.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    LSA: Notification Packages = scecli jayebivo.dll
    ================= FIREFOX ===================
    FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\qgb0iclf.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - component: c:\progra~1\mozill~1\extensions\[email protected]\components\inspector.dll
    FF - component: c:\progra~1\mozill~1\extensions\[email protected]\components\qfaservices.dll
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default",
    "chrome://branding/content/searchconfig.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom",
    "chrome://branding/content/searchconfig.properties");
    ============= SERVICES / DRIVERS ===============
    R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2005-11-13 58048]
    =============== Created Last 30 ================
    2009-11-03 00:42:33 0 d-----w- c:\program files\Trend Micro
    2009-11-01 16:04:35 0 d-----w- c:\windows\pss
    2009-10-31 13:36:40 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2009-10-31 13:36:40 411368 ----a-w- c:\windows\system32\deploytk.dll
    2009-10-31 02:52:45 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-10-31 02:52:43 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-10-31 02:52:43 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-10-31 02:52:43 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2009-10-31 02:42:30 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes
    2009-10-30 21:09:09 0 d-----w- C:\quarantine
    2009-10-27 16:17:57 1 --sh--w- c:\windows\system32\wovobubo.dll
    2009-10-27 16:17:57 1 --sh--w- c:\windows\system32\jatiwuhe.dll
    2009-10-27 16:17:57 1 --sh--w- c:\windows\system32\getozifi.dll
    2009-10-17 20:11:06 0 d-----w- c:\program files\2BrightSparks
    2009-10-17 20:09:54 1878371 ----a-w- c:\program files\SyncBack_Setup.zip
    2009-10-17 16:53:39 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
    2009-10-17 16:52:46 655872 -c----w- c:\windows\system32\dllcache\mstscax.dll
    2009-10-17 15:37:07 56142750 ----a-w- c:\program files\Mcafee virus scan.zip
    2009-10-17 14:46:30 212480 ----a-w- c:\windows\PCDLIB32.DLL
    2009-10-14 01:22:27 0 ----a-w- c:\windows\OpPrintServer.INI
    2009-10-14 01:20:49 0 d-----w- c:\program files\Canon
    ==================== Find3M ====================
    2009-10-14 00:55:25 35776 ----a-w- c:\docume~1\owner\applic~1\GDIPFONTCACHEV1.DAT
    2009-10-12 15:21:30 3900 ----a-w- c:\windows\mozver.dat
    2009-09-11 14:33:52 133632 ----a-w- c:\windows\system32\msv1_0.dll
    2009-09-04 20:45:26 58880 ----a-w- c:\windows\system32\msasn1.dll
    2009-08-29 08:08:21 916480 ----a-w- c:\windows\system32\wininet.dll
    2009-08-26 08:16:37 247326 ----a-w- c:\windows\system32\strmdll.dll
    2009-08-16 15:18:09 256 ----a-w- c:\documents and settings\owner\pool.bin
    2009-07-27 16:17:54 1 --sha-w- c:\windows\system32\dejowara.dll
    2009-07-27 16:17:54 1 --sha-w- c:\windows\system32\rohipije.dll
    2009-07-27 16:17:54 1 --sha-w- c:\windows\system32\walihapo.dll
    ============= FINISH: 21:58:59.62 ===============
     
  6. sjpritch25

    sjpritch25 Malware Specialist

    Note: You may need to unhide hidden files and folders.
    Configure Windows XP to show hidden files:
    Click Start. Open My Computer.
    Select the Tools menu and click Folder Options. Select the View Tab.

    Under the Hidden files and folders heading select "Show hidden files and folders".
    Uncheck the "Hide protected operating system files (recommended)" option.
    Uncheck the "Hide file extensions for known file types" option.
    Click Yes to confirm. Click OK.


    ====================================


    Open notepad and copy/paste the text in the codebox below into it:
    Code:
    @echo off
    rem Adds each listed DLL to Files_for_submission.zip in the current folder (the desktop).
    rem Relies on a command-line "zip" tool being on the PATH; Windows XP does not ship one.
    for %%g in (
    "c:\windows\system32\wovobubo.dll"
    "c:\windows\system32\jatiwuhe.dll"
    "c:\windows\system32\getozifi.dll"
    "c:\windows\system32\dejowara.dll"
    "c:\windows\system32\rohipije.dll"
    "c:\windows\system32\walihapo.dll"
    ) do zip Files_for_submission %%g
    rem The batch file deletes itself once it has finished.
    del %0
    Save this as grab.bat
    Choose to "Save type as - All Files"
    Save it on your desktop.

    Double click on grab.bat & allow it to run

    A file, Files_for_submission.zip will be created on your desktop.

    Please upload that file here --> http://www.bleepingcomputer.com/submit-malware.php?channel=70


    ===================================================

    Please download the OTM.exe by OldTimer.
    • Save it to your desktop.
    • Please double-click OTM.exe to run it.
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :files
      c:\windows\system32\wovobubo.dll
      c:\windows\system32\jatiwuhe.dll
      c:\windows\system32\getozifi.dll
      c:\windows\system32\dejowara.dll
      c:\windows\system32\rohipije.dll
      c:\windows\system32\walihapo.dll
      :reg
      [HKEY_LOCAL_MACHINE\System\CurrentControlset\Control\Lsa]
      "Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
      :commands
      [emptytemp]
    • Return to OTMoveIt3, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • Click Ok to allow OTM to reboot your machine.
    • After reboot, a log file will appear. Copy the contents to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
    • Close OTM
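    The two artifacts the specialist acted on are visible in the DDS log in post 5: the extra DLL in the LSA "Notification Packages" value (every DLL listed there is loaded into lsass.exe at boot, which is how Vundo survived the Malwarebytes runs) and the six one-byte, hidden+system DLLs with random eight-letter names in system32. The following is an added example, not code from this thread or from the DDS/OTM tools: it decodes and rebuilds the hex(7) REG_MULTI_SZ value that the OTM :reg line in post 6 writes, and flags DDS file entries matching that pattern. KNOWN_GOOD_LSA is our own allowlist and SAMPLE_DDS is constructed from lines quoted in the thread; both are assumptions.

```python
"""Triage helpers for DDS output and the OTM LSA fix (added example, not from the thread)."""
import re
from dataclasses import dataclass

# Assumption: stock Windows XP has only scecli here; rassfm appears when RRAS is installed.
KNOWN_GOOD_LSA = {"scecli", "rassfm"}

# Shape of a DDS "Created Last 30" / "Find3M" entry:
# 2009-10-27 16:17:57 1 --sh--w- c:\windows\system32\wovobubo.dll
DDS_FILE_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>\d+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+?)\s*$"
)


def decode_reg_multi_sz(value: str) -> list:
    """Decode an OTM/.reg style 'hex(7):..' REG_MULTI_SZ into its list of strings.

    REG_MULTI_SZ is a run of NUL-terminated strings closed by one extra NUL.
    OTM writes one byte per character here (as in the thread), hence latin-1.
    """
    body = value.split(":", 1)[1] if value.lower().startswith("hex(7):") else value
    raw = bytes(int(b, 16) for b in body.replace("\\", "").split(",") if b.strip())
    return [s for s in raw.decode("latin-1").split("\x00") if s]


def encode_reg_multi_sz(strings) -> str:
    """Inverse of decode_reg_multi_sz: build the hex(7) value OTM expects."""
    raw = b"".join(s.encode("latin-1") + b"\x00" for s in strings) + b"\x00"
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)


def lsa_packages_from_dds(line: str) -> list:
    """'LSA: Notification Packages = scecli jayebivo.dll' -> ['scecli', 'jayebivo.dll']"""
    return line.partition("=")[2].split()


def unexpected_lsa_packages(packages) -> list:
    """Entries not on the allowlist (case-insensitive, with or without .dll)."""
    def base(name: str) -> str:
        n = name.lower()
        return n[:-4] if n.endswith(".dll") else n
    return [p for p in packages if base(p) not in KNOWN_GOOD_LSA]


@dataclass
class Finding:
    path: str
    size: int
    attrs: str
    reasons: tuple


def suspicious_system32_dlls(lines) -> list:
    """Flag system32 DLLs showing at least two of the three traits seen in the log."""
    findings = []
    for line in lines:
        m = DDS_FILE_LINE.match(line.strip())
        if not m:
            continue
        path, attrs, size = m["path"], m["attrs"], int(m["size"])
        low = path.lower()
        if not (low.startswith("c:\\windows\\system32\\") and low.endswith(".dll")):
            continue
        name = low.rsplit("\\", 1)[1][:-4]
        reasons = []
        if "s" in attrs and "h" in attrs:
            reasons.append("hidden+system attributes")
        if size <= 1:
            reasons.append("placeholder size (1 byte or empty)")
        if re.fullmatch(r"[a-z]{8}", name):
            reasons.append("random-looking 8-letter name")
        if len(reasons) >= 2:  # an 8-letter name alone (e.g. deploytk) is not enough
            findings.append(Finding(path, size, attrs, tuple(reasons)))
    return findings


def triage(lines) -> dict:
    """Run both checks over DDS output lines; lsa_fix is the value to restore."""
    packages, unexpected = [], []
    for line in lines:
        if line.strip().startswith("LSA: Notification Packages"):
            packages = lsa_packages_from_dds(line)
            unexpected = unexpected_lsa_packages(packages)
    keep = [p for p in packages if p not in unexpected]
    return {
        "lsa_unexpected": unexpected,
        "lsa_fix": encode_reg_multi_sz(keep) if packages else None,
        "dll_findings": suspicious_system32_dlls(lines),
    }


# Constructed sample in the shape DDS prints; entries mirror lines quoted in
# post 5, with a benign Java DLL (deploytk.dll) added for contrast.
SAMPLE_DDS = [
    "LSA: Notification Packages = scecli jayebivo.dll",
    r"2009-10-31 13:36:40 411368 ----a-w- c:\windows\system32\deploytk.dll",
    r"2009-10-31 02:52:43 19160 ----a-w- c:\windows\system32\drivers\mbam.sys",
    r"2009-10-27 16:17:57 1 --sh--w- c:\windows\system32\wovobubo.dll",
    r"2009-07-27 16:17:54 1 --sha-w- c:\windows\system32\dejowara.dll",
]

if __name__ == "__main__":
    result = triage(SAMPLE_DDS)
    print("Unexpected LSA packages:", result["lsa_unexpected"])
    print("OTM :reg value to restore:", result["lsa_fix"])
    for f in result["dll_findings"]:
        print(f"{f.path}  size={f.size} attrs={f.attrs}  {'; '.join(f.reasons)}")
```

    For the thread's log the rebuilt value is exactly the one the OTM script writes, hex(7):73,63,65,63,6c,69,00,00, i.e. "scecli" with its two terminating NULs.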
     
  7. joey_bags

    joey_bags Thread Starter

    Thanks. I will follow the steps you outlined.

    Before I do that, are these next steps because you found something wrong?
     
  8. sjpritch25

    sjpritch25 Malware Specialist

    Yes, there are still some leftover malware files to remove, and I need those files to analyze. Thanks
     
  9. joey_bags

    joey_bags Thread Starter

    I tried doing the grab.bat twice. I ran it twice, and it disappeared from the desktop and no zip file was created. I will not proceed with OTM until I hear from you.

    Thanks
     
  10. sjpritch25

    sjpritch25 Malware Specialist

    Don't worry about the files; just go ahead with OTM.
     
  11. joey_bags

    joey_bags Thread Starter

    Why didn't the grab.bat work? Will it cause any harm?

    On a side note, I noticed I see my System Restore points on all my hard drives, including the externals, after I changed the hide settings. Is this typical?

    Here's the OTM file; thanks for all the help!

    All processes killed
    ========== FILES ==========
    LoadLibrary failed for c:\windows\system32\wovobubo.dll
    c:\windows\system32\wovobubo.dll NOT unregistered.
    c:\windows\system32\wovobubo.dll moved successfully.
    LoadLibrary failed for c:\windows\system32\jatiwuhe.dll
    c:\windows\system32\jatiwuhe.dll NOT unregistered.
    c:\windows\system32\jatiwuhe.dll moved successfully.
    LoadLibrary failed for c:\windows\system32\getozifi.dll
    c:\windows\system32\getozifi.dll NOT unregistered.
    c:\windows\system32\getozifi.dll moved successfully.
    LoadLibrary failed for c:\windows\system32\dejowara.dll
    c:\windows\system32\dejowara.dll NOT unregistered.
    c:\windows\system32\dejowara.dll moved successfully.
    LoadLibrary failed for c:\windows\system32\rohipije.dll
    c:\windows\system32\rohipije.dll NOT unregistered.
    c:\windows\system32\rohipije.dll moved successfully.
    LoadLibrary failed for c:\windows\system32\walihapo.dll
    c:\windows\system32\walihapo.dll NOT unregistered.
    c:\windows\system32\walihapo.dll moved successfully.
    ========== REGISTRY ==========
    HKEY_LOCAL_MACHINE\System\CurrentControlset\Control\Lsa\\"Notification Packages"|hex(7):73,63,65,63,6c,69,00,00 /E : value set successfully!
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 76135 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
    ->Temporary Internet Files folder emptied: 6698515 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: Owner
    File delete failed. C:\Documents and Settings\Owner\Local Settings\Temp\~DF30E0.tmp scheduled to be deleted on reboot.
    File delete failed. C:\Documents and Settings\Owner\Local Settings\Temp\~DF30ED.tmp scheduled to be deleted on reboot.
    File delete failed. C:\Documents and Settings\Owner\Local Settings\Temp\~DF4CD5.tmp scheduled to be deleted on reboot.
    File delete failed. C:\Documents and Settings\Owner\Local Settings\Temp\~DF4CE2.tmp scheduled to be deleted on reboot.
    File delete failed. C:\Documents and Settings\Owner\Local Settings\Temp\~DF4EA2.tmp scheduled to be deleted on reboot.
    File delete failed. C:\Documents and Settings\Owner\Local Settings\Temp\~DF4EDA.tmp scheduled to be deleted on reboot.
    File delete failed. C:\Documents and Settings\Owner\Local Settings\Temp\~DF547C.tmp scheduled to be deleted on reboot.
    File delete failed. C:\Documents and Settings\Owner\Local Settings\Temp\~DF60A.tmp scheduled to be deleted on reboot.
    File delete failed. C:\Documents and Settings\Owner\Local Settings\Temp\~DFC02A.tmp scheduled to be deleted on reboot.
    File delete failed. C:\Documents and Settings\Owner\Local Settings\Temp\~DFFB3E.tmp scheduled to be deleted on reboot.
    File delete failed. C:\Documents and Settings\Owner\Local Settings\Temp\~DFFBAD.tmp scheduled to be deleted on reboot.
    ->Temp folder emptied: 132788593 bytes
    ->Temporary Internet Files folder emptied: 39770491 bytes
    ->Java cache emptied: 25555838 bytes
    ->FireFox cache emptied: 29659638 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 2233200 bytes
    %systemroot%\System32 .tmp files removed: 23152145 bytes
    File delete failed. C:\WINDOWS\temp\WFV1F.tmp scheduled to be deleted on reboot.
    Windows Temp folder emptied: 133200948 bytes
    RecycleBin emptied: 1302461 bytes

    Total Files Cleaned = 376.23 mb


    OTM by OldTimer - Version 3.0.0.6 log created on 11082009_190501
    Files moved on Reboot...
    File C:\Documents and Settings\Owner\Local Settings\Temp\~DF30E0.tmp not found!
    File C:\Documents and Settings\Owner\Local Settings\Temp\~DF30ED.tmp not found!
    File C:\Documents and Settings\Owner\Local Settings\Temp\~DF4CD5.tmp not found!
    File C:\Documents and Settings\Owner\Local Settings\Temp\~DF4CE2.tmp not found!
    File C:\Documents and Settings\Owner\Local Settings\Temp\~DF4EA2.tmp not found!
    File C:\Documents and Settings\Owner\Local Settings\Temp\~DF4EDA.tmp not found!
    File C:\Documents and Settings\Owner\Local Settings\Temp\~DF547C.tmp not found!
    File C:\Documents and Settings\Owner\Local Settings\Temp\~DF60A.tmp not found!
    File C:\Documents and Settings\Owner\Local Settings\Temp\~DFC02A.tmp not found!
    File C:\Documents and Settings\Owner\Local Settings\Temp\~DFFB3E.tmp not found!
    File C:\Documents and Settings\Owner\Local Settings\Temp\~DFFBAD.tmp not found!
    File C:\WINDOWS\temp\WFV1F.tmp not found!
    Registry entries deleted on Reboot...
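    The OTM log above is a useful thing to be able to read mechanically when checking a cleanup: which files were moved, which deletions were deferred to the reboot, and what registry values the fix wrote. The block below is an added Python example, not OTM's own code and not from the thread; it parses a constructed sample in the same format as the posted log, decodes the hex(7) (REG_MULTI_SZ) data that OTM wrote to the LSA "Notification Packages" value, and compares the decoded list against the default for a standalone Windows XP workstation, which the code assumes to be "scecli" alone. Because the fix line in the log resets that value, it is worth confirming after cleanup that nothing else remains in it.

```python
"""Triage helper for an OTM (OldTimer's OTMoveIt) log.

Added example, not OTM's own code.  SAMPLE_LOG is constructed to mirror
the format of the log posted in the thread; the expected LSA package set
is an assumption for a standalone XP workstation (domain controllers
carry extra entries).
"""
import re

# Constructed sample in the OTM log format (not the thread's full log).
SAMPLE_LOG = r"""All processes killed
========== FILES ==========
LoadLibrary failed for c:\windows\system32\wovobubo.dll
c:\windows\system32\wovobubo.dll NOT unregistered.
c:\windows\system32\wovobubo.dll moved successfully.
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\System\CurrentControlset\Control\Lsa\\"Notification Packages"|hex(7):73,63,65,63,6c,69,00,00 /E : value set successfully!
========== COMMANDS ==========
[EMPTYTEMP]
File delete failed. C:\WINDOWS\temp\WFV1F.tmp scheduled to be deleted on reboot.
Total Files Cleaned = 376.23 mb
"""

MOVED_RE = re.compile(r"^(?P<path>.+?) moved successfully\.$")
NOT_UNREG_RE = re.compile(r"^(?P<path>.+?) NOT unregistered\.$")
PENDING_RE = re.compile(
    r"^File delete failed\. (?P<path>.+?) scheduled to be deleted on reboot\.$")
# key\\"value name"|hex(7):aa,bb,... /E : value set successfully!
REG_RE = re.compile(
    r'^(?P<key>HK[A-Z_]+(?:\\[^\\"]+)*)\\\\"(?P<name>[^"]+)"\|hex\(7\):'
    r'(?P<hex>[0-9A-Fa-f,]+) /E : value set successfully!$')
TOTAL_RE = re.compile(r"^Total Files Cleaned = (?P<mb>[0-9.]+) mb$")

# Assumption: default Notification Packages on a standalone XP workstation.
EXPECTED_LSA_PACKAGES = frozenset({"scecli"})


def decode_multi_sz(hex_csv):
    """Decode a hex(7) comma-separated byte list into the list of strings.

    REG_MULTI_SZ is a run of NUL-terminated strings ending in an extra NUL.
    The sample log stores single-byte text; a .reg-style UTF-16LE dump
    (every high byte zero) is detected and decoded accordingly.
    """
    raw = bytes(int(b, 16) for b in hex_csv.split(","))
    if raw and len(raw) % 2 == 0 and not any(raw[1::2]):
        text = raw.decode("utf-16-le")
    else:
        text = raw.decode("latin-1")
    return [s for s in text.split("\x00") if s]


def parse_otm_log(text):
    """Return the moved files, deferred deletions, registry writes and total."""
    result = {"moved": [], "not_unregistered": [], "pending_reboot": [],
              "registry": [], "total_cleaned_mb": None}
    for line in text.splitlines():
        line = line.strip()
        m = MOVED_RE.match(line)
        if m:
            result["moved"].append(m.group("path"))
            continue
        m = NOT_UNREG_RE.match(line)
        if m:
            result["not_unregistered"].append(m.group("path"))
            continue
        m = PENDING_RE.match(line)
        if m:
            result["pending_reboot"].append(m.group("path"))
            continue
        m = REG_RE.match(line)
        if m:
            result["registry"].append({"key": m.group("key"),
                                       "name": m.group("name"),
                                       "data": decode_multi_sz(m.group("hex"))})
            continue
        m = TOTAL_RE.match(line)
        if m:
            result["total_cleaned_mb"] = float(m.group("mb"))
    return result


def check_notification_packages(packages, expected=EXPECTED_LSA_PACKAGES):
    """Return entries that are not in the expected set (case-insensitive)."""
    return [p for p in packages if p.lower() not in expected]


def lsa_findings(parsed):
    """Unexpected entries in any Lsa\\Notification Packages value the log set."""
    findings = []
    for entry in parsed["registry"]:
        if (entry["key"].lower().endswith(r"\control\lsa")
                and entry["name"].lower() == "notification packages"):
            findings.extend(check_notification_packages(entry["data"]))
    return findings


if __name__ == "__main__":
    parsed = parse_otm_log(SAMPLE_LOG)
    print("moved:", parsed["moved"])
    print("pending reboot:", parsed["pending_reboot"])
    print("LSA packages set:", [e["data"] for e in parsed["registry"]])
    print("unexpected LSA packages:", lsa_findings(parsed))
```

    Running it against a real OTM log (read the file instead of SAMPLE_LOG) gives a quick list of what still needs a reboot to disappear, and a non-empty result from lsa_findings() means the Notification Packages value still names a DLL other than the expected one and deserves a closer look.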
     
  12. sjpritch25

    sjpritch25 Malware Specialist

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    System Restore is set to hidden by default.
     
  13. joey_bags

    joey_bags Thread Starter

    Joined:
    Nov 2, 2009
    Messages:
    39
    Am I all clear?

    Can you make any recommendations as to what steps to take to prevent it in the future?

    Thanks
     
  14. sjpritch25

    sjpritch25 Malware Specialist

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Open OTM.exe
    Click on the Cleanup button

    reboot if prompted.


    Please uninstall the following out of date program
    Adobe Reader 7.0.8

    Go Here to download Adobe Acrobat 9.2

    ==================================

    Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install on those systems.

    Upgrading Java:

    • Download the latest version of Java Runtime Environment (JRE) 6u17.
    • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
    • Click the "Download" button to the right.
    • Check the box that says: "Accept License Agreement".
    • The page will refresh.
    • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
    • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on the download to install the newest version.


    =======================


    Now that your system is clean you should SET A NEW RESTORE POINT to prevent future reinfection from the old restore point AFTER cleaning your system of any malware infection. Any trojans or spyware you picked up could have been saved in System Restore and are waiting to re-infect you. Since System Restore is a protected directory, your tools can not access it to delete files, trapping viruses inside. Setting a new restore point should be done to prevent any future reinfection from the old restore point and enable your computer to "roll-back" in case there is a future problem.

    To SET A NEW RESTORE POINT:
    1. Go to Start > Programs > Accessories > System Tools and click "System Restore".
    2. Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
    3. Then go to Start > Run and type: Cleanmgr
    4. Click "OK".
    5. Click the "More Options" Tab.
    6. Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

    Graphics for doing this are in the following links if you need them.
    How to Create a Restore Point.
    How to use Cleanmgr.

    ======================================

    Here is some useful information on keeping your computer clean:
    1. Most important thing is to make sure Windows is kept up to date with the latest patches and updates from Windows Update

      It's safe to update to SP3, which is needed.
     
  15. joey_bags

    joey_bags Thread Starter

    Joined:
    Nov 2, 2009
    Messages:
    39
    Man, I really appreciate your help. I plan on donating to your cause!

    I do not believe your list of tips to keep my computer clean posted.

    Also, is it now safe to access my banking info, etc.?
     