
Suspected Vundo Infection, Help

Discussion in 'Virus & Other Malware Removal' started by captain75, Jan 27, 2006.

Thread Status:
Not open for further replies.
  1. captain75

    captain75 Thread Starter

    Joined:
    Jan 27, 2006
    Messages:
    7
    My flat mate has been on my pc and I now have new wallpaper that says SPYWARE INFECTION, I can't get rid of it, please advise.

    Cheers

    J
     
  2. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    hi, welcome to TSG.

    Download HijackThis from the link below. Please do this. Click here:

    http://www.thespykiller.co.uk/files/hijackthis_sfx.exe

    to download HijackThis. Click scan and save a logfile, then post it here so
    we can take a look at it for you. Don't click fix on anything in hijack this
    as most of the files are legitimate.
     
  3. captain75

    captain75 Thread Starter

    Joined:
    Jan 27, 2006
    Messages:
    7
    Hi Khazars,

    Thanks for getting back to me. My Dad usually helps me with PC problems but he's working; he's a member of this site, you might know him, $teve.

    Anyway, I've done what you asked.

    Cheers

    J

    Logfile of HijackThis v1.99.1
    Scan saved at 12:35:29, on 27/01/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Intelligent Driver\4DMAIN.EXE
    C:\WINDOWS\Mixer.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
    C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
    C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtWLan.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\dfrgfat16.exe
    C:\Program Files\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\NOTEPAD.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [WheelMouse] C:\Program Files\Intelligent Driver\4DMAIN.EXE
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Global Startup: Pinnacle Scheduler.lnk = ?
    O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
    O9 - Extra button: Ladbrokes Poker - {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - C:\Program Files\ladbrokesMPP\MPPoker.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Managing FAT and NTFS partitions (Defragmentation Manager) - Unknown owner - C:\WINDOWS\System32\dfrgfat16.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
     

  4. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Hi John, it's not Vundo, it's the W32/Codbot-N WORM.

    Download this file to your desktop:
    http://www.bleepingcomputer.com/files/reg/cws-dbg.reg

    ----------------------------------
    Download Pocket Killbox from here:
    http://www.downloads.subratam.org/KillBox.zip
    Unzip the files to the folder of your choice.

    ----------------------------------

    Click Start > Run > and type in:

    services.msc

    Click OK.

    In the Services window find Defragmentation Manager.
    Right-click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. Exit the Services utility.

    Boot to safe mode.

    Double-click the cws-dbg.reg and answer "Yes" to merge with the registry.

    ---------------------------------
    Double-click on "Killbox.exe" to run it.
    Put a checkmark in "Replace on Reboot" and the "Use Dummy" box.
    Copy/Paste this file C:\WINDOWS\System32\dfrgfat16.exe
    into the top "Full Path of File to Delete" box.
    Click the "Delete File" button which looks like a stop sign.
    Click "NO" at the Pending Operations prompt to restart your computer.

    Run HijackThis once more and put a checkmark next to this:

    O23 - Service: Managing FAT and NTFS partitions (Defragmentation Manager) - Unknown owner - C:\WINDOWS\System32\dfrgfat16.exe

    FIX CHECKED!
    Now reboot and post a new HijackThis log and see if your desktop is normal.

    ;)
     
  5. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    I'm assuming it's as easy as that... I've not seen this one before. Khaz should know more than I if it's a new and more difficult pest.

    ;)
     
  6. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    I have never heard of it either! Do as $teve says and also do this!



    Before you proceed with the removal directions below you need to turn off MS
    Anti-Spyware's realtime protection as it will interfere with the changes we
    are trying to make.

    Open MS Anti-Spyware and click on Options > Settings. Click on "Realtime
    Protection" in the left pane.

    Remove the check by these:

    "Enable the Microsoft Security Agents on startup (recommended)"

    "Enable real-time spyware threat protection (recommended)"

    Click "Save"

    Now right click the MS Anti-spyware icon in your system tray and choose
    "Shutdown Microsoft Anti-Spyware"

    You should re-enable these when we are finished here.
     
  7. captain75

    captain75 Thread Starter

    Joined:
    Jan 27, 2006
    Messages:
    7
    OK, the wallpaper is still there.

    Logfile of HijackThis v1.99.1
    Scan saved at 14:48:39, on 27/01/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Intelligent Driver\4DMAIN.EXE
    C:\WINDOWS\Mixer.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
    C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
    C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtWLan.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [WheelMouse] C:\Program Files\Intelligent Driver\4DMAIN.EXE
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Global Startup: Pinnacle Scheduler.lnk = ?
    O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
    O9 - Extra button: Ladbrokes Poker - {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - C:\Program Files\ladbrokesMPP\MPPoker.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Managing FAT and NTFS partitions (Defragmentation Manager) - Unknown owner - C:\WINDOWS\System32\dfrgfat16.exe (file missing)
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
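The two O23 lines $teve and khazars singled out, "Unknown owner" in the first log and then "(file missing)" on the same service in this second log once Killbox had removed the binary, can be picked out mechanically. The parser below is an added example, not code from the thread or from HijackThis; the sample lines are constructed from the logs above, and the O23 field layout it assumes (display name, short name in parentheses, owner, path, optional "(file missing)") is inferred from those samples.

```python
import re
from dataclasses import dataclass

# Constructed sample: a few lines modelled on the two HijackThis logs in the
# thread, not the full logs. LOG_AFTER mirrors the second log's state.
LOG_BEFORE = """\
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgamsvr.exe
O23 - Service: Managing FAT and NTFS partitions (Defragmentation Manager) - Unknown owner - C:\\WINDOWS\\System32\\dfrgfat16.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\\Program Files\\iPod\\bin\\iPodService.exe
"""
LOG_AFTER = LOG_BEFORE.replace("dfrgfat16.exe", "dfrgfat16.exe (file missing)")

# Field layout assumed from the sample lines: display name, (short name),
# owner/vendor, binary path, optional "(file missing)" marker.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+) \((?P<name>[^()]+)\) - "
    r"(?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)

@dataclass
class ServiceEntry:
    display: str
    name: str
    owner: str
    path: str
    file_missing: bool

def parse_o23(log: str) -> list[ServiceEntry]:
    """Extract the O23 (Windows service) entries from a HijackThis log."""
    entries = []
    for line in log.splitlines():
        m = O23_RE.match(line.strip())
        if m:
            entries.append(ServiceEntry(m["display"], m["name"], m["owner"],
                                        m["path"], m["missing"] is not None))
    return entries

def suspicious_services(entries: list[ServiceEntry]) -> dict[str, list[str]]:
    """Map service short name -> reasons it deserves a second look.

    Every other service in the thread's log names a vendor, so an "Unknown owner"
    binary under System32 stands out; "(file missing)" means the registration
    outlived its binary, the leftover entry HijackThis is then told to fix."""
    flagged = {}
    for e in entries:
        reasons = []
        if e.owner == "Unknown owner":
            reasons.append("no vendor in version info")
        if e.file_missing:
            reasons.append("service registered but binary absent")
        if reasons:
            flagged[e.name] = reasons
    return flagged

def orphaned_by_fix(before: str, after: str) -> list[str]:
    """Services whose binary existed in the first log and is gone in the second."""
    present = {e.name for e in parse_o23(before) if not e.file_missing}
    return [e.name for e in parse_o23(after) if e.file_missing and e.name in present]
```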
     
  8. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    Keep Microsoft AntiSpyware disabled until we are finished here!


    * Click here to download smitRem.zip.



    http://noahdfear.geekstogo.com/click counter/click.php?id=1




    * Save the file to your desktop.
    * Unzip smitRem.zip to extract the two files it contains.
    * Do not do anything with it yet. You will run the RunThis.bat file later in safe mode.



    * Download Cleanup from here


    http://www.stevengould.org/software/cleanup/download.html




    * A window will open; choose SAVE, then DESKTOP as the destination.
    * On your Desktop, click on Cleanup40.exe icon.
    * Then, click RUN and place a checkmark beside "I Agree"
    * Then click NEXT followed by START and OK.
    * A window will appear with many choices, keep all the defaults as set when the Slide Bar to the left is set to Standard Quality.
    * Click OK
    * DO NOT RUN IT YET



    * Download the trial version of Ewido Security Suite.



    http://www.ewido.net/en/


    * Install ewido.
    * During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
    * Launch ewido
    * It will prompt you to update; click the OK button and it will go to the main screen.
    * On the left side of the main screen click update
    * Click on Start and let it update.
    * DO NOT run a scan yet. You will do that later in safe mode.



    * Click here for info on how to boot to safe mode if you don't already know how.


    http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam



    * Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.


    * Restart your computer into safe mode now. Perform the following steps in safe mode:


    * Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"



    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O23 - Service: Managing FAT and NTFS partitions (Defragmentation Manager) - Unknown owner - C:\WINDOWS\System32\dfrgfat16.exe (file missing)


    * Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
    Wait for the tool to complete and disk cleanup to finish.



    * Run Ewido:

    * Click on scanner
    * Click Complete System Scan and the scan will begin.
    * During the scan it will prompt you to clean files, click OK
    * When the scan is finished, look at the bottom of the screen and click the Save report button.
    * Save the report to your desktop



    * Run Cleanup:

    * Click on the "Cleanup" button and let it run.
    * Once it's done, close the program.


    * Go to Control Panel > Internet Options. Click on the Programs tab then
    click the "Reset Web Settings" button. Click Apply then OK.



    * Next go to Control Panel > Display. Click on the "Desktop" tab then click
    the "Customize Desktop" button. Click on the "Web" tab. Under "Web Pages" you
    should see an entry checked called something like "Security info" or similar.
    If it is there, select that entry and click the "Delete" button. Click OK
    then Apply and OK.


    * Restart back into Windows normally now.



    Run an online antivirus check from

    http://www.kaspersky.com/virusscanner



    * Run ActiveScan online virus scan here

    http://www.pandasoftware.com/products/activescan.htm


    When the scan is finished, have it delete anything that it cannot clean. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
    - Save the results from the scan!


    Post another HijackThis log, the Ewido and ActiveScan logs and
    the contents of smitfiles.txt from the smitRem folder.
     
  9. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    This fix is only for XP & Windows 2000.

    Download and save Cleandesktop to your computer from this link: http://www.thespykiller.co.uk/files/cleandesktop.exe and double-click on the cleandesktop.exe.

    It will automatically extract to c:\desktopclean, where it needs to be to run, and will automatically run the cleandesktop.vbs script.

    If it doesn't open, then go to c:\desktopclean and double-click on the cleandesktop.vbs. Do not run any other file from there please unless asked to.

    If you have script blocking enabled you will get a warning about a malicious script wanting to run. Please allow this script to run. It is not malicious.

    If you get a message when you first run it, "Can not find script file "blah blah blah"", then don't worry, just double-click the cleandesktop.vbs script again; you sometimes get that message when a script blocker blocks the script.

    It will then kill Explorer. You will lose your taskbar and desktop. It will repair the registry entries returning your normal desktop and context menu functions.

    It will restart Explorer.

    Once you have performed the big cleanup, each of the other Users on the System needs to be signed in to clean up their desktop and regain the right click.

    I have included another vbs to do this. It is named Other Profiles Regfix.vbs.

    Have each User sign in and run Other Profiles Regfix.vbs.
    Open C:\ (go to Start > Run and type C: then press Enter) and open the c:\desktopclean folder. Double-click on Other Profiles Regfix.vbs.

    Explorer will be ended and that user's active desktop registry entries will be repaired. Explorer will be restarted.

    To restore the desktop to whatever picture you normally have, right-click on a blank part of the desktop & select Properties > Desktop & select your preferred picture, press Apply & then OK to exit, and then press F5.

    You will need to do this step for every user account.
     
  10. captain75

    captain75 Thread Starter

    Joined:
    Jan 27, 2006
    Messages:
    7
    OK, the wallpaper has gone. There only seems to be one user set up now as well; I tried to switch user and it only gave me the option of Sam's profile, no mention of Administrator.

    Cheers for sorting it out, that wallpaper was doing my head in.

    shabba
     
  11. captain75

    captain75 Thread Starter

    Joined:
    Jan 27, 2006
    Messages:
    7
    Many thanks Khazars
     
  12. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Reboot a few times and see how it goes... post back if it re-occurs and run the steps Khaz posted. Hopefully it's sorted.
    Catch you later.

    ;)
     
  13. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Cheers for that, Khaz... I thought you would be around the place.
    Have a good weekend.

    ;)
     
  14. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    OK, Steve, and you!

    Can you post the logs captain?
     