Vundo Trojan Removal
August 7th, 2016
I tried, at the recommendation of a friend, to use a removal tool from the Symantec website, but it won't work. Here's the log file and an image included. What am I doing wrong?
Here's the log:
Symantec Trojan.Vundo Removal Tool 1.5.1
Cannot scan Winlogon plugins!
C:\Documents and Settings: (not scanned)
C:\ProgramData\Application Data: (not scanned)
C:\ProgramData\Desktop: (not scanned)
C:\ProgramData\Documents: (not scanned)
C:\ProgramData\Favorites: (not scanned)
C:\ProgramData\Start Menu: (not scanned)
C:\ProgramData\Symantec\SRTSP\Quarantine: (not scanned)
C:\ProgramData\Symantec\SRTSP\SrtETmp: (not scanned)
C:\ProgramData\Templates: (not scanned)
C:\System Volume Information: (not scanned)
C:\Users\All Users\Application Data: (not scanned)
C:\Users\All Users\Desktop: (not scanned)
C:\Users\All Users\Documents: (not scanned)
C:\Users\All Users\Favorites: (not scanned)
C:\Users\All Users\Start Menu: (not scanned)
C:\Users\All Users\Symantec\SRTSP\Quarantine: (not scanned)
C:\Users\All Users\Symantec\SRTSP\SrtETmp: (not scanned)
C:\Users\All Users\Templates: (not scanned)
C:\Users\Default\AppData\Local\Application Data: (not scanned)
C:\Users\Default\AppData\Local\History: (not scanned)
C:\Users\Default\AppData\Local\Temporary Internet Files: (not scanned)
C:\Users\Default\Application Data: (not scanned)
C:\Users\Default\Cookies: (not scanned)
C:\Users\Default\Documents\My Music: (not scanned)
C:\Users\Default\Documents\My Pictures: (not scanned)
C:\Users\Default\Documents\My Videos: (not scanned)
C:\Users\Default\Local Settings: (not scanned)
C:\Users\Default\My Documents: (not scanned)
C:\Users\Default\NetHood: (not scanned)
C:\Users\Default\PrintHood: (not scanned)
C:\Users\Default\Recent: (not scanned)
C:\Users\Default\SendTo: (not scanned)
C:\Users\Default\Start Menu: (not scanned)
C:\Users\Default\Templates: (not scanned)
C:\Users\Default User: (not scanned)
C:\Users\Public\Documents\My Music: (not scanned)
C:\Users\Public\Documents\My Pictures: (not scanned)
C:\Users\Public\Documents\My Videos: (not scanned)
C:\Users\User\AppData\Local\Application Data: (not scanned)
C:\Users\User\AppData\Local\History: (not scanned)
C:\Users\User\AppData\Local\Temporary Internet Files: (not scanned)
C:\Users\User\Application Data: (not scanned)
C:\Users\User\Cookies: (not scanned)
C:\Users\User\Documents\My Music: (not scanned)
C:\Users\User\Documents\My Pictures: (not scanned)
C:\Users\User\Documents\My Videos: (not scanned)
C:\Users\User\Local Settings: (not scanned)
C:\Users\User\My Documents: (not scanned)
C:\Users\User\NetHood: (not scanned)
C:\Users\User\PrintHood: (not scanned)
C:\Users\User\Recent: (not scanned)
C:\Users\User\SendTo: (not scanned)
C:\Users\User\Start Menu: (not scanned)
C:\Users\User\Templates: (not scanned)
C:\Windows\System32\LogFiles\WMI\RtBackup: (not scanned)
D:\System Volume Information: (not scanned)
Trojan.Vundo has not been found on your computer.
http://www.bleepingcomputer.com/forums/topic18610.html
In my experience, where there’s one, there’s more hiding away…
Symantec sucks… I think your best bet is to get Avira Premium instead of Avast and then download SUPERAntiSpyware. SUPERAntiSpyware is for removing big infections and can remove Vundo infections.
http://www.google.com?t=1406679&highlight=
http://www.superantispyware.com/superantispywarefreevspro.html
I would suggest downloading and installing Kaspersky, Malwarebytes' Anti-Malware and Ad-Aware 2008 and running them all in safe mode. To get to safe mode, press F8 while booting up.
You should immediately switch to a good whole-PC and network security suite.
There are a lot of options available for you:
1. Kaspersky
2. Bitdefender
3. ESET Smart Security
You can search for them in the apps section to get a working one. 🙂
Always update your virus database.
Install NOD32 or AVG and try to scan then.
Also install Spybot Search & Destroy and Ad-Aware.
Vundo is easy to remove, mate, if you follow the right instructions (which I'm going to give you now).
A HijackThis log is useless. For Vundo we need a ComboFix log. And like others said, please get rid of Symantec afterwards.
Download ComboFix from here and save it to your desktop for best results. Run it. Let it generate a log file (combofix.txt which will open after scanning)
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Copy and paste the log into this thread and I'll give you further instructions.
Here's the log file. I installed Avira and got rid of Norton; going to install that spyware remover as well.
ComboFix 08-08-11.01 - User 2008-08-12 21:43:22.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1952 [GMT 8:00]
Running from: C:\Users\User\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat
C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat
C:\Windows\System32\abKUxGgh.ini
C:\Windows\System32\abKUxGgh.ini2
C:\Windows\System32\BdghOXbc.ini
C:\Windows\System32\BdghOXbc.ini2
C:\Windows\system32\byxyYRKE.dll
C:\Windows\system32\cbXRIATJ.dll
C:\Windows\system32\chhhocep.dll
C:\Windows\System32\dLoYGfhk.ini
C:\Windows\System32\dLoYGfhk.ini2
C:\Windows\system32\ecsfjpjl.dll
C:\Windows\System32\EKRYyxyb.ini
C:\Windows\System32\EKRYyxyb.ini2
C:\Windows\system32\eyvmpqud.dll
C:\Windows\System32\fpblwjtt.ini
C:\Windows\System32\fsdxberh.ini
C:\Windows\system32\fwrsqwai.dll
C:\Windows\system32\gebAtspq.dll
C:\Windows\system32\ghaqdkct.dll
C:\Windows\system32\gvtdqgto.ini
C:\Windows\system32\hdcmmeck.ini
C:\Windows\system32\hgGxUKba.dll
C:\Windows\System32\hgmkbtmy.ini
C:\Windows\system32\htjttnbw.dll
C:\Windows\system32\hwekrlpx.dll
C:\Windows\system32\ipcgqwvm.dll
C:\Windows\System32\jiikQqru.ini
C:\Windows\System32\jiikQqru.ini2
C:\Windows\system32\jsixpmec.dll
C:\Windows\System32\JTAIRXbc.ini
C:\Windows\System32\JTAIRXbc.ini2
C:\Windows\system32\jusched.exe
C:\Windows\system32\kcemmcdh.dll
C:\Windows\system32\khfGYoLd.dll
C:\Windows\system32\ksvjhdeh.ini
C:\Windows\System32\lbhranpy.ini
C:\Windows\system32\lhwrhpwf.dll
C:\Windows\system32\mcrh.tmp
C:\Windows\system32\mtlgunqc.dll
C:\Windows\System32\oqpsealq.ini
C:\Windows\system32\orBJjmSs.ini
C:\Windows\System32\orBJjmSs.ini2
C:\Windows\system32\otgqdtvg.dll
C:\Windows\system32\paarrvns.dll
C:\Windows\system32\pewlsbfm.dll
C:\Windows\System32\qpstAbeg.ini
C:\Windows\System32\qpstAbeg.ini2
C:\Windows\System32\quejmuvv.ini
C:\Windows\system32\rqRJBrQi.dll
C:\Windows\system32\sSmjJBro.dll
C:\Windows\System32\tbirdhux.ini
C:\Windows\system32\urqNFvvU.dll
C:\Windows\system32\urqQkiij.dll
C:\Windows\System32\UvvFNqru.ini
C:\Windows\System32\UvvFNqru.ini2
C:\Windows\system32\voiuuyhv.dll
C:\Windows\system32\vrfducwg.ini
C:\Windows\system32\wvUKawvS.dll
C:\Windows\system32\wvUoPHyw.dll
C:\Windows\System32\wyHPoUvw.ini
C:\Windows\System32\wyHPoUvw.ini2
C:\Windows\system32\xfcjduiy.dll
C:\Windows\system32\yilhauoh.dll
C:\Windows\system32\ypnarhbl.dll
----- BITS: Possible infected sites -----
http://ceement.rssx.hp.com
.
((((((((((((((((((((((((( Files Created from 2008-07-12 to 2008-08-12 )))))))))))))))))))))))))))))))
.
2008-08-12 19:41 . 2008-08-12 19:41 <DIR> dr-h----- C:\Users\User\AppData\Roaming\SecuROM
2008-08-12 19:41 . 2008-08-12 19:41 107,888 --a------ C:\Windows\System32\CmdLineExt.dll
2008-08-12 18:26 . 2008-08-12 18:26 <DIR> d-------- C:\Windows\System32\AGEIA
2008-08-12 18:26 . 2008-08-12 18:26 <DIR> d-------- C:\Program Files\AGEIA Technologies
2008-08-12 18:15 . 2008-08-12 18:15 <DIR> d-------- C:\Program Files\ValuSoft
2008-08-12 18:15 . 2008-08-12 18:25 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-12 08:25 . 2008-08-12 08:25 2,048 --a------ C:\Windows\System32\uwgpkvia.exe
2008-08-12 00:13 . 2008-08-12 00:13 <DIR> d-------- C:\Users\User\AppData\Roaming\SystemRequirementsLab
2008-08-12 00:13 . 2008-08-12 00:13 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2008-08-11 23:19 . 2008-08-11 23:19 2,048 --a------ C:\Windows\System32\cgxwsvvu.exe
2008-08-11 21:45 . 2008-08-11 21:45 2,048 --a------ C:\Windows\System32\mcxxswna.exe
2008-08-11 21:02 . 2008-08-11 21:02 2,048 --a------ C:\Windows\System32\wspmnonx.exe
2008-08-11 19:49 . 2008-08-11 19:49 2,048 --a------ C:\Windows\System32\aasygepw.exe
2008-08-11 19:37 . 2008-08-11 19:37 2,048 --a------ C:\Windows\System32\tvtvlnwi.exe
2008-08-11 18:55 . 2008-08-11 18:55 <DIR> d-------- C:\Users\User\AppData\Roaming\MRTalk
2008-08-11 14:13 . 2008-08-12 21:48 196,608 --a------ C:\Windows\System32\Ikeext.etl
2008-08-11 12:52 . 2008-08-11 12:52 2,048 --a------ C:\Windows\System32\yitpwkme.exe
2008-08-11 08:23 . 2008-08-11 13:54 <DIR> d-------- C:\Users\User\AppData\Roaming\uTorrent
2008-08-11 08:23 . 2008-08-11 08:23 <DIR> d-------- C:\Program Files\uTorrent
2008-08-10 21:53 . 2008-08-10 21:53 0 --a------ C:\Windows\nsreg.dat
2008-08-10 13:53 . 2008-08-10 13:53 2,048 --a------ C:\Windows\System32\vvfnbpce.exe
2008-08-10 10:18 . 2008-08-10 10:18 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-10 09:33 . 2008-08-10 09:33 <DIR> d-------- C:\VundoFix Backups
2008-08-10 09:14 . 2008-08-10 09:14 2,048 --a------ C:\Windows\System32\rxwrjqla.exe
2008-08-10 08:26 . 2008-08-10 08:26 0 --ah----- C:\ntuser.dat.LOG2
2008-08-10 08:26 . 2008-08-10 08:26 0 --ah----- C:\ntuser.dat.LOG1
2008-08-10 08:26 . 2008-08-10 08:26 0 --a------ C:\ntuser.dat
2008-08-10 07:25 . 2008-08-10 07:25 2,048 --a------ C:\Windows\System32\yyoeptok.exe
2008-08-09 20:53 . 2008-08-09 20:53 42 --a------ C:\Windows\System32\Jiii_PNUCT.pnc
2008-08-09 20:52 . 2008-08-09 20:52 42 --a------ C:\Windows\System32\AK083E209605E394C.lie
2008-08-09 20:41 . 2008-08-09 21:10 <DIR> d-------- C:\Program Files\Perfect Uninstaller
2008-08-09 09:19 . 2008-08-09 13:22 <DIR> d-------- C:\Users\User\AppData\Roaming\RegClean
2008-08-09 09:18 . 2008-08-10 20:11 <DIR> d-------- C:\Program Files\RegClean
2008-08-09 09:06 . 2008-08-09 09:14 <DIR> d-------- C:\Program Files\~ Rogue Software BANNED ~
2008-08-09 07:12 . 2008-08-09 07:12 2,048 --a------ C:\Windows\System32\oiirgapi.exe
2008-08-09 06:36 . 2008-08-09 06:36 <DIR> d-------- C:\Program Files\Alwil Software
2008-08-08 22:21 . 2008-08-08 22:21 94,208 --a------ C:\Windows\System32\drivers\ezplay.sys
2008-08-08 22:20 . 2008-08-08 22:20 47,360 --a------ C:\Windows\System32\drivers\pcouffin.sys
2008-08-08 18:48 . 2008-08-09 21:16 <DIR> d-------- C:\Users\User\AppData\Roaming\Microsoft Game Studios
2008-08-08 18:48 . 2008-08-09 21:16 <DIR> d-------- C:\Users\All Users\Microsoft Games
2008-08-08 18:48 . 2008-08-09 21:16 <DIR> d-------- C:\ProgramData\Microsoft Games
2008-08-08 18:47 . 2008-08-08 18:47 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
2008-08-08 18:43 . 2008-08-08 18:43 <DIR> d-------- C:\Users\User\AppData\Roaming\DAEMON Tools
2008-08-08 18:43 . 2008-08-08 18:43 717,296 --a------ C:\Windows\System32\drivers\sptd.sys
2008-08-08 18:25 . 2008-08-08 18:25 <DIR> d-------- C:\Program Files\PowerISO
2008-08-08 13:29 . 2008-08-08 13:32 <DIR> d--h----- C:\Windows\msdownld.tmp
2008-08-08 12:34 . 2008-08-08 12:34 <DIR> dr------- C:\Users\User\AppData\Roaming\Brother
2008-08-08 12:08 . 2008-08-08 12:08 <DIR> d-------- C:\Windows\Sun
2008-08-08 11:37 . 2008-08-08 11:37 <DIR> d-------- C:\Users\User\AppData\Roaming\vlc
2008-08-08 08:18 . 2008-08-08 08:18 <DIR> d-------- C:\Program Files\VideoLAN
2008-08-08 07:20 . 2008-08-08 07:20 56 --ah----- C:\Windows\System32\ezsidmv.dat
2008-08-07 19:47 . 2008-08-12 21:41 <DIR> d-------- C:\Downloads
2008-08-07 19:44 . 2008-08-07 19:44 <DIR> d-------- C:\Users\User\AppData\Roaming\FlashGet
2008-08-07 19:41 . 2008-08-12 07:15 <DIR> d-------- C:\Program Files\FlashGet
2008-08-07 18:52 . 2008-08-07 18:52 <DIR> d-------- C:\Program Files\Opera
2008-08-07 15:00 . 2008-08-10 18:46 <DIR> d-------- C:\Users\User\AppData\Roaming\Template
2008-08-07 15:00 . 2008-08-07 18:49 418 --a------ C:\Users\User\AppData\Roaming\wklnhst.dat
2008-07-23 18:57 . 2008-06-26 08:33 11,722,752 --a------ C:\Windows\System32\NlsLexicons0001.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-12 13:20 --------- d-----w C:\Users\User\AppData\Roaming\Skype
2008-08-12 10:59 --------- d-----w C:\Users\User\AppData\Roaming\skypePM
2008-08-12 10:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-10 01:43 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-10 01:38 --------- d-----w C:\ProgramData\Symantec
2008-08-10 01:38 --------- d-----w C:\Program Files\Norton Internet Security
2008-08-09 13:16 --------- d-----w C:\Program Files\Microsoft Games
2008-08-08 10:31 --------- d-----w C:\Program Files\Google
2008-08-07 10:36 --------- d-----w C:\Users\User\AppData\Roaming\Yahoo!
2008-07-10 01:09 174 --sha-w C:\Program Files\desktop.ini
2008-07-09 12:41 --------- d-----w C:\Program Files\Windows Mail
2008-07-07 07:40 56,108 ----a-w C:\Windows\system32\drivers\scdemu.sys
2008-07-05 07:21 --------- d-----w C:\Users\User\AppData\Roaming\CyberLink
2008-07-05 07:21 --------- d-----w C:\ProgramData\CyberLink
2008-06-13 06:14 24,112 ----a-w C:\Windows\system32\drivers\SymIMV.sys
2008-06-13 06:14 13,093 ----a-w C:\Windows\system32\drivers\SymRedir.cat
2008-06-13 06:14 1,611 ----a-w C:\Windows\system32\drivers\SymRedir.inf
2008-06-13 06:13 96,432 ----a-w C:\Windows\system32\drivers\symfw.sys
2008-06-13 06:13 41,008 ----a-w C:\Windows\system32\drivers\symndisv.sys
2008-06-13 06:13 38,576 ----a-w C:\Windows\system32\drivers\symids.sys
2008-06-13 06:13 22,320 ----a-w C:\Windows\system32\drivers\symredrv.sys
2008-06-13 06:13 184,240 ----a-w C:\Windows\system32\drivers\symtdi.sys
2008-06-13 06:13 13,616 ----a-w C:\Windows\system32\drivers\symdns.sys
2008-06-12 13:13 --------- d-----w C:\Program Files\Yahoo!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-02-28 23:10 1232896]
"HPAdvisor"="C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2008-01-19 10:21 942080]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-04-23 17:45 22058792]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 20:35 125440]
"CollaborationHost"="C:\Windows\system32\p2phost.exe" [2006-11-02 20:35 191488]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-07-24 23:02 490952]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 23:01 65536]
"OsdMaestro"="C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 19:59 118784]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-12-13 21:58 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-12-13 21:58 8530464]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-12-13 21:58 81920]
"SunJavaUpdateReg"="C:\Windows\system32\jureg.exe" [2007-04-07 18:56 54936]
"HP Software Update"="c:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-09 08:24 54840]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-14 11:01 51048]
"BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-11-24 20:20 622592]
"ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [2006-07-19 14:51 65536]
"FixCamera"="C:\Windows\FixCamera.exe" [2007-02-12 14:50 20480]
"snp325"="C:\Windows\vsnp325.exe" [2007-05-10 13:18 835584]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-06-01 10:49 185896]
"Flashget"="C:\Program Files\FlashGet\flashget.exe" [2007-05-29 23:30 1986608]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2008-07-07 15:34 167936]
"KBD"="C:\HP\KBD\KbdStub.EXE" [2006-12-08 23:16 65536]
"tsnp325"="C:\Windows\tsnp325.exe" [2007-04-21 09:36 270336]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 19:26 4874240 C:\Windows\RtHDVCpl.exe]
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Azaan.lnk - C:\Islamic\azaan.exe [2008-06-01 11:01:52 649728]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3codecp"= l3codecp.acm
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{EE0304E4-FAC2-4EA2-A64F-DEBABF099D7B}"= c:\Program Files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{3DDAE0D4-26F6-4F70-A473-A1819533C73D}"= C:\Program Files\Skype\Phone\Skype.exe:Skype
"{75CCB33E-DDCB-4E22-A443-90CA7CB6A892}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{94DAEF4F-A3B4-46F7-A688-F03D56BA42E2}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{AFF7423F-8DAE-4518-986E-ACF5EA52E3DC}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{B65AC7E3-43BB-4EB9-B7D4-6885AB685A04}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{043081B7-D226-4E69-A327-F6AEF61E07C1}"= Disabled:UDP:C:\Users\User\AppData\Local\Temp\ImInstaller\incredimail_installer.exe:IncrediMail Installer
"{041B756A-68B8-4BF0-8E8A-CD61AEA645A0}"= Disabled:TCP:C:\Users\User\AppData\Local\Temp\ImInstaller\incredimail_installer.exe:IncrediMail Installer
"TCP Query User{F1F04159-3967-4690-9144-65CEF44A8592}C:\\program files\\flashget\\flashget.exe"= UDP:C:\program files\flashget\flashget.exe:FlashGet
"UDP Query User{C31C8ACD-34B0-4727-ACE5-141CECF1EFE2}C:\\program files\\flashget\\flashget.exe"= TCP:C:\program files\flashget\flashget.exe:FlashGet
"{9552A356-6240-4282-BCBB-D5C7655B60CB}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{EE52EBF6-ACF3-4BC0-B307-D9403C4EE465}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{C569E0D2-8E0F-4C46-8D95-F26D79FC9FED}"= UDP:C:\Program Files\Atari\Neverwinter Nights 2\nwn2main.exe:Neverwinter Nights 2 Main
"{ACD850C7-A536-492F-B46C-1B4CED51CC7D}"= TCP:C:\Program Files\Atari\Neverwinter Nights 2\nwn2main.exe:Neverwinter Nights 2 Main
"{1BA86EA0-CD60-4109-A3C4-73FE33DDB208}"= UDP:C:\Program Files\Atari\Neverwinter Nights 2\nwn2main_amdxp.exe:Neverwinter Nights 2 AMD
"{FFB18A7B-947C-47B4-82D1-D92FAE32F74B}"= TCP:C:\Program Files\Atari\Neverwinter Nights 2\nwn2main_amdxp.exe:Neverwinter Nights 2 AMD
"{E8F007E5-21FE-4130-BC64-09FE5BD2D81D}"= UDP:C:\Program Files\Atari\Neverwinter Nights 2\nwupdate.exe:Neverwinter Nights 2 Updater
"{5708ABAB-CB8D-4A7B-8487-26A8A017E7CA}"= TCP:C:\Program Files\Atari\Neverwinter Nights 2\nwupdate.exe:Neverwinter Nights 2 Updater
"{2825BD0F-B858-4747-B98E-6D2E83067DC3}"= UDP:C:\Program Files\Atari\Neverwinter Nights 2\nwn2server.exe:Neverwinter Nights 2 Server
"{AECDB4D8-9052-4EB4-B11B-B6C3CC4CE244}"= TCP:C:\Program Files\Atari\Neverwinter Nights 2\nwn2server.exe:Neverwinter Nights 2 Server
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|
R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\ipsdefs\20080623.001\IDSvix86.sys [2008-03-21 04:37]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-02-14 11:02]
R3 HCW85BDA;Hauppauge WinTV 885 Video Capture;C:\Windows\system32\drivers\HCW85BDA.sys [2007-10-01 16:21]
R3 SNP325;USB PC Camera (SNPSTD325);C:\Windows\system32\DRIVERS\snp325.sys [2007-05-07 17:58]
R3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [2008-06-13 14:13]
S3 GameConsoleService;GameConsoleService;C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe [2007-07-24 07:33]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\K]
\shell\AutoRun\command - K:\Autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c0947c10-120a-11dd-a608-806e6f6e6963}]
\shell\AutoRun\command - E:\autorun.exe
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
2008-08-10 C:\Windows\Tasks\RegClean Scheduled Scan.job
- C:\Program Files\RegClean\RegClean.exe []
2008-08-10 C:\Windows\Tasks\RegClean Scheduled Scan.job
- C:\Program Files\RegClean [2008-08-10 20:11]
2008-08-12 C:\Windows\Tasks\User_Feed_Synchronization-{318D6A95-3E16-42B2-90FA-9B20EA1684EA}.job
- C:\Windows\system32\msfeedssync.exe [2006-11-02 17:45]
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-MSServer - C:\Windows\system32\rqRJBrQi.dll
HKLM-Run-7042756b - C:\Windows\system32\kcemmcdh.dll
HKLM-Run-BM737146f7 - C:\Windows\system32\mtlgunqc.dll
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://login.live.com/login.srf?wa=wsignin1.0&rpsnv=10&ct=1209894330&rver=4.5.2130.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx&id=64855
R0 -: HKLM-Main,Start Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_hk&c=81&bd=Pavilion&pf=desktop
O8 -: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 -: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O17 -: HKLM\CCS\Interface\{3F9EED79-2A1D-4336-879D-E51541D9A6A4}: NameServer = 203.198.23.208 205.252.144.126
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-12 21:49:51
Windows 6.0.6000 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\System32\audiodg.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\schtasks.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Brother\ControlCenter3\BrccMCtl.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Brother\Brmfcmon\BrMfcMon.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
C:\hp\KBD\kbd.exe
C:\Windows\System32\dllhost.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Service.exe
.
**************************************************************************
.
Completion time: 2008-08-12 21:52:22 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-12 13:52:14
Pre-Run: 375,655,354,368 bytes free
Post-Run: 376,327,614,464 bytes free
297 --- E O F --- 2008-08-08 22:40:53
OK. Make a text file with the following on the desktop where ComboFix.exe is and call it CFScript.txt
File::
C:\Windows\System32\uwgpkvia.exe
C:\Windows\System32\cgxwsvvu.exe
C:\Windows\System32\mcxxswna.exe
C:\Windows\System32\wspmnonx.exe
C:\Windows\System32\aasygepw.exe
C:\Windows\System32\tvtvlnwi.exe
C:\Windows\System32\yitpwkme.exe
C:\Windows\System32\vvfnbpce.exe
C:\Windows\System32\rxwrjqla.exe
C:\Windows\System32\yyoeptok.exe
C:\Windows\System32\oiirgapi.exe
C:\Windows\System32\Jiii_PNUCT.pnc
C:\Windows\System32\ezsidmv.dat
C:\Users\User\AppData\Roaming\wklnhst.dat
DirLook::
C:\spoolerlogs
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\K]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c0947c10-120a-11dd-a608-806e6f6e6963}]
Drag and drop the file onto ComboFix. Agree to its terms and run it. If asked, restart immediately.
After this your PC should be clean. But run a scan with Avira just to be sure.
Your CFScript won't work. It's File:: without the s.
You could also include the VundoFix backups folder:
Folder::
C:\VundoFix Backups
Gah. My mistake.
Edited. Thanks, Super Sayan.
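The File:: list in the CFScript above was built by picking out one pattern in the ComboFix "Files Created" section: freshly created 2,048-byte executables with eight-letter random names in System32. This is an added example, not part of the thread or of ComboFix, that parses lines in that log format (sample lines constructed from the log posted above) and applies the same triage rule; the only assumptions are the regex for the line layout and the rule itself.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines copied from the "Files Created" section of the
# ComboFix log in this thread, mixed with legitimate entries for contrast.
SAMPLE_LOG = """\
2008-08-12 19:41 . 2008-08-12 19:41 <DIR> dr-h----- C:\\Users\\User\\AppData\\Roaming\\SecuROM
2008-08-12 19:41 . 2008-08-12 19:41 107,888 --a------ C:\\Windows\\System32\\CmdLineExt.dll
2008-08-12 08:25 . 2008-08-12 08:25 2,048 --a------ C:\\Windows\\System32\\uwgpkvia.exe
2008-08-11 23:19 . 2008-08-11 23:19 2,048 --a------ C:\\Windows\\System32\\cgxwsvvu.exe
2008-08-11 14:13 . 2008-08-12 21:48 196,608 --a------ C:\\Windows\\System32\\Ikeext.etl
2008-08-10 21:53 . 2008-08-10 21:53 0 --a------ C:\\Windows\\nsreg.dat
2008-08-10 13:53 . 2008-08-10 13:53 2,048 --a------ C:\\Windows\\System32\\vvfnbpce.exe
2008-08-09 20:53 . 2008-08-09 20:53 42 --a------ C:\\Windows\\System32\\Jiii_PNUCT.pnc
2008-07-23 18:57 . 2008-06-26 08:33 11,722,752 --a------ C:\\Windows\\System32\\NlsLexicons0001.dll
"""

# Assumed layout of a "Files Created" line:
# <created> . <modified> <size or <DIR>> <9 attribute flags> <path>
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[-\w]{9}) (?P<path>.+)$"
)


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]  # None for directories
    attrs: str
    path: str


def parse_files_created(text: str) -> List[Entry]:
    """Parse every well-formed entry; section banners and '.' lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        entries.append(Entry(m["created"], m["modified"], size, m["attrs"], m["path"]))
    return entries


# Triage rule (assumption, mirrors the helper's File:: selection): an exe whose
# name is eight lowercase letters, sitting in System32, exactly 2,048 bytes.
RANDOM_EXE = re.compile(r"^[a-z]{8}\.exe$")


def suspicious_droppers(entries: List[Entry]) -> List[Entry]:
    hits = []
    for e in entries:
        folder, _, name = e.path.rpartition("\\")
        if folder.lower() == r"c:\windows\system32" and RANDOM_EXE.match(name) and e.size == 2048:
            hits.append(e)
    return hits


def build_cfscript(entries: List[Entry]) -> str:
    """Render the hits as the File:: section of a CFScript.txt."""
    return "File::\n" + "\n".join(e.path for e in entries) + "\n"


if __name__ == "__main__":
    print(build_cfscript(suspicious_droppers(parse_files_created(SAMPLE_LOG))))
```

The rule deliberately misses the .pnc and .dat files the helper also listed; those were judged by hand, which is why a log review is still needed before a script is run.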
What do you mean, drag and drop the file onto ComboFix? Every time I start it, it starts to do its scan thing.
Go here: http://www.softpedia.com/
Do a search for vundo and it will list various vundofix tools you can try.
No offence, but I've tried a lot of tools like that (the ones that are on Wikipedia's Vundo page anyway) and they don't work. Thanks for the suggestion though.
ComboFix works. Worked for me, and for everyone I know who has had Vundo, Kavo or similar.
OK, but how do you put the file into ComboFix? Every time I open it, it starts scanning.
> To remove the Virtumonde Trojan, please proceed with the following
> steps at your own risk.
>
>
> STEP 1: Clean Temp folders
> Start > All Programs > Accessories > System Tools > Disk Cleanup >
> push OK
>
> STEP 2: Run Vundo Fix.
> Run > Run > Scan for Vundo > Remove Vundo (when scan is completed) >
> Reboot PC
> http://www.atribune.org/ccount/click.php?id=4
>
> STEP 3: Run Virtumundobegone.exe
> Run > Run > Continue > Start > Yes > Reboot (may need to perform
> manual reboot if PC freezes)
> http://secured2k.home.comcast.net/to...undoBeGone.exe
>
> STEP 4: Run Vundo Fix again.
> Run > Run > Scan for Vundo > Remove Vundo (when scan is completed) >
> Reboot PC
> http://www.atribune.org/ccount/click.php?id=4
>
> STEP 5: Hijackthis Log
> Save to Desktop > Double click on icon 'hijackthis' > Run > 'Do a
> system scan only and save logfile' > save log in notepad and attach to
> e-mail.
> http://nod32-av.com/utilities/HiJack...hijackthis.exe
>
> STEP 6: Run ComboFix USE THIS STEP WITH CAUTION!!!!!
> Save to Desktop > Double click on icon 'combofix' > Run
> http://download.bleepingcomputer.com/sUBs/ComboFix.exe
>
>
>
> STEP 7: Run Vundo Fix again.
> Run > Run > Scan for Vundo > Remove Vundo (when scan is completed) >
> Reboot PC
> http://www.atribune.org/ccount/click.php?id=4
>
> STEP 8: Smitfraudfix
> Save to Desktop > Double click on icon 'smitfraudfix' > Run > Option 2
> http://siri.urz.free.fr/Fix/SmitfraudFix.exe
Hey bro,
please go to this link and download VundoFix by Atribune.
http://www.atribune.org/ccount/click.php?id=4
Run it in safe mode if you can. Just run and clean, that's all. Edit: argh, ^^ got to it before me, just noticed.
> What do you mean, drag and drop the file onto ComboFix? Every time I start it, it starts to do its scan thing.
Like this:
And yeah, it starts the scan over again, but it targets the files TheDA listed.
I had this before and Spybot got rid of it. I had Vundo, then Virtumonde, and it killed them both!
Thanks, guys.