Solved: WinFixer / Vundo infection?

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

birdfriend

Thread Starter
Joined
Jan 14, 2006
Messages
5
Hello all

Two days ago - Thursday 12th - I suddenly noticed my laptop running VERY slowly after a period of internet browsing. I immediately disconnected from the Internet, but the problem persisted. Fairly soon I was starting to see pop-ups for Winfixer2006, WinAntiVirus and on-line poker, so I knew I had an infection. I am running Windows XP Pro SP2 with Windows Firewall, Ad-Aware Pro & AVG. I installed Microsoft AntiSpyware Beta 1 which detected and removed Twain Tech Adware, RXToolbar Adware, Claria.GAIN.Trickler Adware and KaZaA Under Investigation. I then did a scan with Panda Activescan which detected further Malware / Spyware as follows: 1. Adware:adware/adwhere = Windows Registry. 2. Spyware/Virtumonde = C:\WINDOWS\system32\hgdaw.dll. 3. Spyware/Virtumonde = C:\WINDOWS\system32\qopnk.dll. 4. Spyware:Spyware/Virtumonde = C:\WINDOWS\system32\sstsq.dll. Symantec FixVundo.exe and FxVMonde.exe did not detect anything. Nor does Microsoft AntiSpyware Beta 1. So I downloaded and ran VirtumundoBegone which said “Nothing found!” though there was a line with “WARNING: BHO has no default name”. VundoFix 4.0.0.0 detected nothing further.

My PC is running much quicker now and I have not seen pop-ups in a while. However, I am still worried that Panda Activescan is detecting “Spyware/Virtumonde”. Lavasoft Ad-Watch shows registry modifications each time I reboot. My HJT 1.99.0.1 log is below. I would be grateful if someone could tell me if I still have a problem or whether my PC is clean.

Many thanks! Birdfriend

Logfile of HijackThis v1.99.1
Scan saved at 5:30:15 PM, on 1/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://toshibadirect.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://toshibadirect.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [EPSON Stylus C63 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4C1.EXE /P23 "EPSON Stylus C63 Series" /O6 "USB002" /M "Stylus C63"
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [Auto EPSON Stylus C63 Series on DESKTOP] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4C1.EXE /P39 "Auto EPSON Stylus C63 Series on DESKTOP" /O18 "\\DESKTOP\EPSONSty" /M "Stylus C63"
O4 - HKLM\..\Run: [\\Desktop\EPSON Stylus C63 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4C1.EXE /P33 "\\Desktop\EPSON Stylus C63 Series" /O6 "USB001" /M "Stylus C63"
O4 - HKLM\..\RunOnce: [NetFxUpdate_v1.1.4322] "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe" 0 v1.1.4322 GAC + NI NID
O4 - HKLM\..\RunOnce: [IVPSvMgr] c:\toshiba\ivp\ism\ivpsvmgr.exe /regserver
O4 - HKLM\..\RunOnce: [Netint] c:\toshiba\ivp\netint\netint.exe /regserver
O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\IXP000.TMP\"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Sebring - c:\WINDOWS\System32\LgNotify.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
O23 - Service: Tmesrv3 (Tmesrv) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe" /Service (file missing)
 
Joined
Jul 8, 2002
Messages
14,681
Where is ActiveScan still finding Virtumonde and does Ad-Watch tell you any more details about the registry changes its detecting?
 

birdfriend

Thread Starter
Joined
Jan 14, 2006
Messages
5
Hello Brendan, I did not realise you would be so quick off the mark! Here is the Panda ActiveScan report indicating 8 items (of course, there are a coupplr from the Recycle bin) and the Ad-Watch log. See what you think.

Thank you, Birdfriend

Adware:adware/adwhere Windows Registry
Potentially unwanted tool:Application/Processor C:\Documents and Settings\Administrator\Local Settings\Temp\nst5.tmp

Potentially unwanted tool:Application/Processor C:\Documents and Settings\Administrator\Local Settings\Temp\nsw5.tmp

Potentially unwanted tool:Application/Processor C:\RECYCLER\S-1-5-21-1291382288-612007680-3313001647-500\Dc1\VundoFix\process.exe

Potentially unwanted tool:Application/Processor C:\RECYCLER\S-1-5-21-1291382288-612007680-3313001647-500\Dc2\VundoFix\process.exe

Spyware:Spyware/Virtumonde C:\WINDOWS\system32\hgdaw.dll

Spyware:Spyware/Virtumonde C:\WINDOWS\system32\qopnk.dll

Spyware:Spyware/Virtumonde C:\WINDOWS\system32\sstsq.dll

===============================================
14/01/2006 06:02:30 PM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Windows\CurrentVersion\RunOnce
Value:AvLiteBr
Data:
New Data:
===============================================
14/01/2006 06:02:31 PM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Windows\CurrentVersion\RunOnce
Value:NetFxUpdate_v1.1.4322
Data:"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe" 0 v1.1.4322 GAC + NI NID
New Data:
===============================================
14/01/2006 06:02:31 PM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Windows\CurrentVersion\RunOnce
Value:IVPSvMgr
Data:c:\toshiba\ivp\ism\ivpsvmgr.exe /regserver
New Data:
===============================================
14/01/2006 06:02:31 PM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Windows\CurrentVersion\RunOnce
Value:Netint
Data:c:\toshiba\ivp\netint\netint.exe /regserver
New Data:
===============================================
14/01/2006 06:02:31 PM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Windows\CurrentVersion\RunOnce
Value:wextract_cleanup0
Data:rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\IXP000.TMP\"
New Data:
===============================================
 
Joined
Jul 8, 2002
Messages
14,681
This should fix everything
Install CleanUp!

Run CleanUp! and go to Options>>Custom CleanUp!
Put a checkmark next to each of the following items:

Empty Recycle Bins
Delete Cookies
Delete Prefetch files
Cleanup! All Users
Click OK>>CleanUp!
Exit CleanUp!

Save KillBox to your Desktop

Run KillBox and select Delete on Reboot
Copy this list of file and folder locations:

C:\WINDOWS\system32\hgdaw.dll
C:\WINDOWS\system32\qopnk.dll
C:\WINDOWS\system32\sstsq.dll
Go to File>>Paste from clipboard. Click All Files
Press the button with a red circle with an X in it, then Yes when prompted to restart your computer
WARNING: Your computer will be restarted. Any unsaved work in open applications will be lost.​
 

birdfriend

Thread Starter
Joined
Jan 14, 2006
Messages
5
Hello Brendan!

Lavasoft Ad-Watch shows identical registry modifications. Panda Activescan shows:-

Adware:adware/adwhere Windows Registry
Spyware:Spyware/Virtumonde C:\!KillBox\hgdaw.dll
Spyware:Spyware/Virtumonde C:\!KillBox\qopnk.dll
Spyware:Spyware/Virtumonde C:\!KillBox\sstsq.dll

I think you're getting there, right?

Thank you, Birdfriend
 

birdfriend

Thread Starter
Joined
Jan 14, 2006
Messages
5
Dear Brendan, thank you so much for your time. I learned a lot getting rid of these bugs - many thanks to you - though I am still puzzled as to exactly what my PC picked up.

Was / is there any further security issue I need to worry about, such as my passwords and / or documents having become compromised (I don't like the sound of the Claria.GAIN.Trickler that Microsoft AntiSpware Beta 1 removed)? My browser is set to high security and I am always very careful with email atachments and browsing - obviously not careful enough to have picked up these bugs though.

I have consulted other security pages on this site and made some tweaks. Would I have been better off with a commercial all-in-one package from Symantec or Panda, or woudl that not have helped?

Again, I appreciate your help. Best wishes, Birdfriend.
 
Joined
Jul 8, 2002
Messages
14,681
I don't see anything that would have compromised your passwords. Symantec is not that great, AVG and a firewall should be fine.
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Staff online

Top