
VundoFix can't remove Vundo even in safe mode :(

Old 07-22-2007, 09:15 PM   #1
Rei
Registered Member
 
Join Date: Jul 2007
Location: Neverland
Posts: 26
OS: WinXP



Hello, first of all thanks a lot for your help and time!
After running an Ad-Aware scan I found cbxxy.dll on my computer. I read I should run VundoFix. I ran it several times, even in safe mode. I think it rebooted my computer six times, but it couldn't erase it.
Also, I have Norton Personal Firewall, but all of a sudden it is permanently disabled :( and I can't seem to enable it anyway... I've tried several things but it's not working... My computer is getting too slow and the sound fails at times...

Again thanks a lot for the help :).

Here is my HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:55:58, on 22/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Archivos de programa\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\Archivos de programa\MySQL\MySQL Server 4.1\bin\mysqld-nt.exe
C:\ARCHIV~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Archivos de programa\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
C:\Archivos de programa\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\ARCHIV~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\ARCHIV~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\ARCHIV~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Archivos de programa\Norton Personal Firewall\IAMAPP.EXE
C:\Archivos de programa\Java\jre1.6.0_01\bin\jusched.exe
C:\Archivos de programa\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\ARCHIV~1\MOZILL~1\FIREFOX.EXE
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\NMain.exe
C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\ARCHIV~1\MEGAUP~1\MEGAUP~1.DLL (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar2.dll
O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Archivos de programa\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O4 - HKLM\..\Run: [iamapp] C:\Archivos de programa\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Archivos de programa\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-21-117609710-1957994488-1060284298-1006\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Jazmin')
O4 - HKUS\S-1-5-21-117609710-1957994488-1060284298-1006\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Archivos de programa\Archivos comunes\Ahead\Lib\NMBgMonitor.exe" (User 'Jazmin')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\All Users\Menú Inicio\Programas\Absolute Poker\Absolute Poker.lnk (file missing)
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\All Users\Menú Inicio\Programas\Absolute Poker\Absolute Poker.lnk (file missing)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\ARCHIV~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\ARCHIV~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Crear un favorito móvil... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\ARCHIV~1\MICROS~4\INetRepl.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Archivos de programa\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Archivos de programa\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgCR2404.exe
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3B33AE5F-D804-429D-82BB-175B38CB7BA5}: NameServer = 208.133.206.44,208.133.206.59
O23 - Service: Adobe LM Service - Adobe Systems - C:\Archivos de programa\Archivos comunes\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Archivos de programa\Archivos comunes\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Archivos de programa\Archivos comunes\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Archivos de programa\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: MySQL - Unknown owner - C:\Archivos.exe (file missing)
O23 - Service: Norton Personal Firewall Service (NISSERV) - Symantec Corporation - C:\Archivos de programa\Norton Personal Firewall\NISSERV.EXE
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\ARCHIV~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: SolidPDFConverterReadSpool (ScReadSpool) - VoyagerSoft, LLC - C:\Archivos de programa\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
O23 - Service: Norton Personal Firewall Proxy Service (SymProxySvc) - Symantec Corporation - C:\Archivos de programa\Norton Personal Firewall\SymProxySvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\ARCHIV~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\ARCHIV~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\ARCHIV~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Apache Tomcat (Tomcat6) - Apache Software Foundation - C:\Archivos de programa\Apache Software Foundation\Tomcat 6.0\bin\tomcat6.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Archivos de programa\TuneUp Utilities 2006\WinStylerThemeSvc.exe

--
End of file - 8841 bytes

Old 07-24-2007, 09:49 AM   #2
tetonbob
Management Team, Security Center & TSF Academy
Expert Analyst, Moderator, Security Team
Rangemaster, Moderator, TSF Academy

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 50,008
OS: XP Pro; XP Home; Win7 x86 & x64



Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage will not be available while you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

  1. Download combofix.exe to your desktop.

    ---------------------------------------------------------------------------------------------
  2. Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com


    Close HijackThis now.

    ---------------------------------------------------------------------------------------------

  3. Double click on combofix.exe & follow the prompts.
  4. When finished, it shall produce a log for you. Post that log in your next reply.
Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


---------------------------------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------

__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of UNITE since 2006

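As an added illustration, not code from this thread, from HijackThis or from ComboFix: a small Python triage script run over constructed HijackThis-style lines modelled on the first log above. It flags the R0/R1 search and start-page hijacks that the fix list singles out, O16 DPF entries that download from a bare IP address or an .exe, and toolbar/service entries whose file is missing. The allow-list of default hosts and the set of checked IE value names are assumptions.

```python
"""Triage a HijackThis v2 log: flag the entry types the helper in this thread
singled out (R0/R1 search and start-page hijacks) plus a few patterns that
merit review, so a reader sees which lines to look at first."""
import re
from dataclasses import dataclass
from ipaddress import ip_address

# Assumption: hosts accepted as IE defaults; any other host in a search or
# start-page value is reported as a hijack candidate.
OK_HOSTS = ("microsoft.com", "msn.com", "about:blank")
# Assumption: IE "Main" value names that HijackThis reports as R0/R1 lines.
URL_VALUES = {"Default_Search_URL", "SearchURL", "Start Page", "Start Page_bak",
              "Local Page", "Default_Page_URL", "Search Page", "Search Bar"}

# HJT entries look like "<code> - <body>", e.g. "R1 - HKCU\...\Main,SearchURL = x".
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")

# Constructed sample modelled on the first log in this thread (not the full log;
# the MSN .cab file name is made up, the other values appear in the thread).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\ARCHIV~1\MEGAUP~1\MEGAUP~1.DLL (file missing)
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgCR2404.exe
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O23 - Service: MySQL - Unknown owner - C:\Archivos.exe (file missing)
"""


@dataclass
class Finding:
    code: str    # HJT entry type, e.g. "R1" or "O16"
    reason: str  # why the line was flagged
    line: str    # the original log line


def host_of(value: str) -> str:
    """Reduce a URL, bare domain or about: value to a comparable host name."""
    v = value.strip()
    if v.lower().startswith("about:"):
        return v.lower()
    if "://" in v:
        v = v.split("://", 1)[1]
    return v.split("/", 1)[0].split(":", 1)[0].lower()


def host_allowed(host: str) -> bool:
    return any(host == ok or host.endswith("." + ok) for ok in OK_HOSTS)


def is_ip(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def check_r(body: str):
    """R0/R1: 'HKxx\\...\\Main,<value name> = <url or domain>'."""
    if " = " not in body:
        return None
    key, value = body.split(" = ", 1)
    name = key.rsplit(",", 1)[-1]
    if name in URL_VALUES and not host_allowed(host_of(value)):
        return f"IE {name} points at non-default host {host_of(value)}"
    return None


def check_o16(body: str):
    """O16: 'DPF: {CLSID} (Friendly Name) - <download URL>'."""
    url = body.rsplit(" - ", 1)[-1]
    host = host_of(url)
    if is_ip(host):
        return f"ActiveX download from bare IP {host}"
    if url.lower().endswith(".exe"):
        return "ActiveX DPF entry pointing at an .exe"
    return None


def check_missing(body: str):
    """O3/O9/O23: HijackThis marks entries whose target no longer exists."""
    if "(file missing)" in body or "(no file)" in body:
        return "orphaned entry: referenced file is missing"
    return None


CHECKS = {"R0": check_r, "R1": check_r, "O16": check_o16,
          "O3": check_missing, "O9": check_missing, "O23": check_missing}


def triage(log_text: str):
    """Return a Finding for every HJT entry that one of the checks flags."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, process list and blank lines are skipped
        check = CHECKS.get(m.group("code"))
        reason = check(m.group("body")) if check else None
        if reason:
            findings.append(Finding(m.group("code"), reason, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.code}] {f.reason}\n    {f.line}")
```

Lines the script does not flag (the O17 NameServer entry, for instance) are not thereby cleared; the checks only reproduce the patterns discussed in this thread.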
Old 07-28-2007, 08:48 AM   #3
Rei



Hello!

First of all, thank you very much for your help and attention. I did what you asked me. Here is the ComboFix log:


ComboFix 07-07-27.6 - "Alith" 2007-07-28 9:10:20.1 [GMT -6:00] - FAT32 [SAFE MODE]
Microsoft Windows XP Professional 5.1.2600.2.1252.1.3082.18.Verdadero


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\ddaba.dll
C:\WINDOWS\system32\gcqerbgw.dll
C:\WINDOWS\system32\jvupucfo.dll
C:\WINDOWS\system32\sdvxloyg.dll
C:\WINDOWS\system32\mqtbxyrr.exe
C:\WINDOWS\system32\gcqerbgw.dll
C:\WINDOWS\system32\wineti32.dll
C:\WINDOWS\system32\yxxbc.bak2
C:\WINDOWS\system32\yxxbc.ini
C:\WINDOWS\system32\tuvvspq.dll
C:\WINDOWS\system32\cbxxy.dll
C:\WINDOWS\system32\tuvvspq.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


C:\WINDOWS\system32\tuvvspq.dll
C:\WINDOWS\system32\cbxxy.dll
C:\WINDOWS\system32\tuvvspq.dll

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Archivos de programa\inetget2
C:\Archivos de programa\inetget2\popinstall.exe
C:\DOCUME~1\Alith\DATOSD~1.\macromedia\Flash Player\#SharedObjects\BLY98RKL\www.broadcaster.com
C:\DOCUME~1\Alith\DATOSD~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\DOCUME~1\Alith\DATOSD~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\DOCUME~1\ALLUSE~1\DATOSD~1\WinAntiVirus Pro 2006
C:\DOCUME~1\JAZMIN\DATOSD~1\WinAntiVirus Pro 2006
C:\DOCUME~1\JAZMIN\DATOSD~1\WinAntiVirus Pro 2006\Logs\update.log
C:\DOCUME~1\JAZMIN\DATOSD~1\WinAntiVirus Pro 2006\Logs\wa6Support.log
C:\DOCUME~1\JAZMIN\DATOSD~1\WinAntiVirus Pro 2006\Logs\winav.log
C:\DOCUME~1\JAZMIN\DATOSD~1\WinAntiVirus Pro 2006\PGE.dat
C:\WINDOWS\b122.exe
C:\WINDOWS\mgrs.exe
C:\WINDOWS\retadpu2000352.exe
C:\WINDOWS\system32\stera.job


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\vspf


((((((((((((((((((((((((( Files Created from 2007-06-28 to 2007-07-28 )))))))))))))))))))))))))))))))


2007-07-28 08:44 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-27 16:23 126,016 --a------ C:\WINDOWS\system32\loorvogp.dll
2007-07-27 15:58 13,312 --a------ C:\WINDOWS\system32\s2f.exe
2007-07-26 16:40 70,312 --a------ C:\Archivos de programa\codec_setup.exe
2007-07-26 16:18 126,016 --a------ C:\WINDOWS\system32\moovsnta.dll
2007-07-25 16:30 10,240 --a------ C:\WINDOWS\system32\hlpsrv.exe
2007-07-22 19:54 <DIR> d-------- C:\VundoFix Backups
2007-07-22 19:17 <DIR> d-------- C:\DOCUME~1\Jazmin\DATOSD~1\TuneUp Software
2007-07-22 18:49 <DIR> d-------- C:\DOCUME~1\Jazmin\DATOSD~1\Lavasoft
2007-07-21 16:23 266,336 --------- C:\WINDOWS\system32\cbxxy.dll
2007-07-21 16:22 30,592 --------- C:\WINDOWS\system32\drivers\rndismpx.sys
2007-07-21 16:22 12,800 --------- C:\WINDOWS\system32\drivers\usb8023x.sys
2007-07-21 16:11 <DIR> d-------- C:\Archivos de programa\Audio FlashCards (Japanese)
2007-07-21 14:50 31,254 --------- C:\WINDOWS\system32\tuvvspq.dll
2007-07-21 14:29 223,128 --a------ C:\WINDOWS\system32\drivers\dtscsi.sys
2007-07-21 14:29 <DIR> d-------- C:\Archivos de programa\DAEMON Tools
2007-07-21 14:21 96,256 --a------ C:\WINDOWS\system32\drivers\sptd8509.sys
2007-07-21 14:21 643,072 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-07-03 15:31 <DIR> d-------- C:\DOCUME~1\Jazmin\Contacts
2007-07-03 14:15 <DIR> d-------- C:\DOCUME~1\Jazmin\Incomplete
2007-07-03 14:14 <DIR> d-------- C:\DOCUME~1\Jazmin\DATOSD~1\LimeWire
2007-07-01 21:50 <DIR> d-------- C:\Archivos de programa\Silkroad
2007-06-29 14:58 <DIR> d-------- C:\DOCUME~1\Jazmin\DATOSD~1\uTorrent


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-28 09:28 4672 --a------ C:\WINDOWS\system32\uqipwytd.exe
2007-07-28 09:24 12660 --a------ C:\WINDOWS\system32\tablet.dat
2007-07-14 14:26 95380 --a------ C:\WINDOWS\system32\perfc00A.dat
2007-07-14 14:26 503656 --a------ C:\WINDOWS\system32\perfh00A.dat
2007-06-17 16:06 --------- d-------- C:\Archivos de programa\Glidden
2007-06-17 16:05 724992 --a------ C:\WINDOWS\iun600.exe
2007-06-07 18:10 --------- d-------- C:\Archivos de programa\Slide
2007-05-30 10:56 3805 --a------ C:\WINDOWS\mozver.dat
2007-05-28 21:51 --------- d-------- C:\DOCUME~1\Alith\DATOSD~1\SolidDocuments
2007-05-28 21:50 --------- d-------- C:\Archivos de programa\SolidDocuments
2007-05-27 20:45 --------- d-------- C:\Archivos de programa\IrfanView
2007-05-25 19:18 201728 --a------ C:\WINDOWS\system32\Piratas del Caribe En el Fin del Mundo.scr
2007-05-16 09:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-04-16 10:35 80760 --a------ C:\DOCUME~1\Alith\DATOSD~1\GDIPFONTCACHEV1.DAT


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{857A461D-8D96-4996-A4A0-AEA0A2535B86}]
2007-07-21 14:50 31254 --------- C:\WINDOWS\system32\tuvvspq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BE92AB68-810E-48AD-B489-9AE2B4BC9CEF}]
2007-07-21 16:23 266336 --------- C:\WINDOWS\system32\cbxxy.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iamapp"="C:\Archivos de programa\Norton Personal Firewall\IAMAPP.EXE" [2001-08-30 01:32]
"SunJavaUpdateSched"="C:\Archivos de programa\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"DAEMON Tools"="C:\Archivos de programa\DAEMON Tools\daemon.exe" [2005-12-10 08:57]
"MemoryManager"="C:\WINDOWS\system32\svwoolij.dll" [2007-07-28 09:31]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 18:42]
"MsnMsgr"="C:\Archivos de programa\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"swg"="C:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-13 17:09]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{857A461D-8D96-4996-A4A0-AEA0A2535B86}"= C:\WINDOWS\system32\tuvvspq.dll [2007-07-21 14:50 31254]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxxy]
C:\WINDOWS\system32\cbxxy.dll 2007-07-21 16:23 266336 C:\WINDOWS\system32\cbxxy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvvspq]
tuvvspq.dll 2007-07-21 14:50 31254 C:\WINDOWS\system32\tuvvspq.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winblh32]
winblh32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xcttgs]
xcttgs.dll 1980-01-01 00:00 46172 C:\WINDOWS\system32\xcttgs.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\xcttgm.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\xcttgs.sys]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Alith^Menú Inicio^Programas^Inicio^HotSync Manager.lnk]
path=C:\Documents and Settings\Alith\Menú Inicio\Programas\Inicio\HotSync Manager.lnk
backup=C:\WINDOWS\pss\HotSync Manager.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Reboot.exe]
path=C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\Reboot.exe
backup=C:\WINDOWS\pss\Reboot.exeCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^TabUserW.exe.lnk]
path=C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\TabUserW.exe.lnk
backup=C:\WINDOWS\pss\TabUserW.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\3ad8b6d1.exe]
C:\WINDOWS\system32\3ad8b6d1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aouu]
"C:\Archivos de programa\ioca\oubl.exe" -vt yazr

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avp]
C:\WINDOWS\TEMP\win131E.tmp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
mHotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Easy-PrintToolBox]
C:\Archivos de programa\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
"C:\Archivos de programa\Microsoft ActiveSync\wcescomm.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Archivos de programa\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Archivos de programa\Archivos comunes\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pccguide.exe]
"C:\Archivos de programa\Trend Micro\Internet Security 2005\pccguide.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTVOICE]
pctspk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Archivos de programa\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoveWGA]
C:\Documents and Settings\Alith\Escritorio\RemoveWGA.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\retadpu2000352.exe 61A847B5BBF72810329B385577FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"C:\Archivos de programa\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\slide.exe]
c:\archivos de programa\slide\slide.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\smgr]
mgrs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UDC Integration]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_5 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Agent]
"C:\Program Files\webHancer\Programs\whAgent.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Survey Companion]
"C:\Program Files\webHancer\Programs\whSurvey.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"C:\Archivos de programa\Winamp\Winampa.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPop]
C:\Archivos de programa\WinPop\winpop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Archivos de programa\QuickTime\qttask.exe" -atboottime

R0 PenClass;Pen Class;C:\WINDOWS\system32\drivers\PenClass.sys
R1 PQNTDrv;PQNTDrv;C:\WINDOWS\system32\drivers\PQNTDrv.sys
R1 tmtdi;Trend Micro TDI Driver;C:\WINDOWS\system32\Drivers\tmtdi.sys
R1 xcttgm;STK Bi 001;\??\C:\WINDOWS\system32\xcttgm.sys
R2 SQLWriter;SQL Server VSS Writer;"C:\Archivos de programa\Microsoft SQL Server\90\Shared\sqlwriter.exe"
R2 tm_cfw;Common Firewall Driver;C:\WINDOWS\system32\Drivers\tm_cfw.sys
R2 Tmfilter;Tmfilter;C:\WINDOWS\system32\drivers\TmXPFlt.sys
R2 Tmpreflt;Tmpreflt;C:\WINDOWS\system32\drivers\Tmpreflt.sys
R2 Vsapint;Vsapint;C:\WINDOWS\system32\drivers\Vsapint.sys
R3 dtscsi;dtscsi;C:\WINDOWS\system32\Drivers\dtscsi.sys
R3 FETNDIS;Controlador para NT del adaptador Fast Ethernet VIA PCI 10/100Mb;C:\WINDOWS\system32\DRIVERS\fetnd5.sys
R3 ms_mpu401;Controlador UART MIDI Microsoft MPU-401;C:\WINDOWS\system32\drivers\msmpu401.sys
S1 vspf_hk;vspf_hk;\??\C:\WINDOWS\system32\drivers\vspf_hk5.sys
S2 NISSERV;Norton Personal Firewall Service;"C:\Archivos de programa\Norton Personal Firewall\NISSERV.EXE"
S2 xcttgs;STK Bi 002;\??\C:\WINDOWS\system32\xcttgm.sys
S3 PalmUSBD;PalmUSBD;C:\WINDOWS\system32\drivers\PalmUSBD.sys
S3 Tomcat6;Apache Tomcat;"C:\Archivos de programa\Apache Software Foundation\Tomcat 6.0\bin\tomcat6.exe" //RS//Tomcat6
S3 TUWinStylerThemeSvc;TuneUp WinStyler Theme Service;"C:\Archivos de programa\TuneUp Utilities 2006\WinStylerThemeSvc.exe"
S3 TVICHW32;TVICHW32;\??\C:\WINDOWS\system32\DRIVERS\TVICHW32.SYS
S3 VSPerfDrv;Performance Tools Driver;\??\C:\Archivos de programa\Microsoft Visual Studio 8\Team Tools\Performance Tools\VSPerfDrv.sys
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Archivos de programa\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80
S4 SQLBrowser;SQL Server Browser;"C:\Archivos de programa\Microsoft SQL Server\90\Shared\sqlbrowser.exe"
S4 W3stuvc;W3stuvc;C:\WINDOWS\system32\edlin.exe


Contents of the 'Scheduled Tasks' folder
2007-07-27 23:22:32 C:\WINDOWS\tasks\1-Click Maintenance.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-28 09:27:42
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

C:\WINDOWS\SYSTEM32\WINLOGON.EXE [768] 0x812B1DA0
C:\WINDOWS\EXPLORER.EXE [2688] 0x811948B8


scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySQL]
"ImagePath"="\"C:\Archivos de programa\MySQL\MySQL Server 4.1\bin\mysqld-nt\" --defaults-file=\"C:\Archivos de programa\MySQL\MySQL Server 4.1\my.ini\" MySQL"

Completion time: 2007-07-28 9:34:04 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-28 09:34

--- E O F ---
Old 07-28-2007, 11:33 AM   #4
tetonbob



Hello -

You're quite welcome for the help.

Please also post a new HijackThis log, as requested, to help me help you.
Old 07-28-2007, 01:32 PM   #5
Rei



Oops, my mistake, here it goes!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:30:11, on 28/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Archivos de programa\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\Archivos de programa\MySQL\MySQL Server 4.1\bin\mysqld-nt.exe
C:\ARCHIV~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Archivos de programa\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\ARCHIV~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\ARCHIV~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\ARCHIV~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\System32\alg.exe
C:\Archivos de programa\Norton Personal Firewall\IAMAPP.EXE
C:\Archivos de programa\Java\jre1.6.0_01\bin\jusched.exe
C:\Archivos de programa\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\uqipwytd.exe
C:\WINDOWS\system32\gsevxglp.exe
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\msiexec.exe
C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file)
O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Archivos de programa\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O4 - HKLM\..\Run: [iamapp] C:\Archivos de programa\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Archivos de programa\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\RunOnce: [svg_file_op1] FileOps.exe -r "C:\Archivos de programa\Archivos comunes\Adobe\SVG Viewer 3.0\Uninstall"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-21-117609710-1957994488-1060284298-1003\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Sergio')
O4 - HKUS\S-1-5-21-117609710-1957994488-1060284298-1006\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Jazmin')
O4 - HKUS\S-1-5-21-117609710-1957994488-1060284298-1010\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Rita')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\All Users\Menú Inicio\Programas\Absolute Poker\Absolute Poker.lnk (file missing)
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\All Users\Menú Inicio\Programas\Absolute Poker\Absolute Poker.lnk (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Archivos de programa\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Archivos de programa\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgCR2404.exe
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3B33AE5F-D804-429D-82BB-175B38CB7BA5}: NameServer = 208.133.206.44,208.133.206.59
O23 - Service: Adobe LM Service - Adobe Systems - C:\Archivos de programa\Archivos comunes\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Archivos de programa\Archivos comunes\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Archivos de programa\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: MySQL - Unknown owner - C:\Archivos.exe (file missing)
O23 - Service: Norton Personal Firewall Service (NISSERV) - Symantec Corporation - C:\Archivos de programa\Norton Personal Firewall\NISSERV.EXE
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\ARCHIV~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: SolidPDFConverterReadSpool (ScReadSpool) - VoyagerSoft, LLC - C:\Archivos de programa\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
O23 - Service: Norton Personal Firewall Proxy Service (SymProxySvc) - Symantec Corporation - C:\Archivos de programa\Norton Personal Firewall\SymProxySvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\ARCHIV~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\ARCHIV~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\ARCHIV~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Apache Tomcat (Tomcat6) - Apache Software Foundation - C:\Archivos de programa\Apache Software Foundation\Tomcat 6.0\bin\tomcat6.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Archivos de programa\TuneUp Utilities 2006\WinStylerThemeSvc.exe

--
End of file - 7622 bytes
Old 07-28-2007, 01:33 PM   #6
Rei
By the way, Firefox wasn't open while I ran the scan...
Old 07-28-2007, 03:16 PM   #7
Management Team, Security Center & TSF Academy
Expert Analyst, Moderator, Security Team
Rangemaster, Moderator, TSF Academy
 
tetonbob

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 50,008
OS: XP Pro; XP Home; Win7 x86 & x64



Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

webHancer

Do NOT reboot if it's requested.

---------------------------------------------------------------------------------------------

Please do this in Normal Mode, not Safe Mode. I did not ask you to run ComboFix in Safe Mode.

Open notepad and copy/paste the text in the quotebox below into it:

Quote:
File::
C:\WINDOWS\system32\3ad8b6d1.exe
C:\WINDOWS\system32\tuvvspq.dll
C:\WINDOWS\system32\svwoolij.dll
C:\WINDOWS\system32\cbxxy.dll
C:\WINDOWS\system32\xcttgs.dll
C:\WINDOWS\system32\xcttgm.sys
C:\WINDOWS\system32\drivers\vspf_hk5.sys
C:\WINDOWS\system32\loorvogp.dll
C:\WINDOWS\system32\s2f.exe
C:\Archivos de programa\codec_setup.exe
C:\WINDOWS\system32\moovsnta.dll
C:\WINDOWS\system32\hlpsrv.exe
C:\WINDOWS\system32\cbxxy.dll
C:\WINDOWS\system32\tuvvspq.dll
C:\WINDOWS\system32\uqipwytd.exe

Folder::
C:\Program Files\webHancer
C:\VundoFix Backups

Driver::
xcttgm
xcttgs
vspf_hk

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{857A461D-8D96-4996-A4A0-AEA0A2535B86}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BE92AB68-810E-48AD-B489-9AE2B4BC9CEF}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MemoryManager"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{857A461D-8D96-4996-A4A0-AEA0A2535B86}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxxy]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvvspq]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winblh32]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xcttgs]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\xcttgm.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\xcttgs.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\xcttgm.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\xcttgs.sys]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\3ad8b6d1.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aouu]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avp]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\smgr]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Agent]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Survey Companion]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPop]

Save this as CFScript.txt




Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


---------------------------------------------------------------------------------------------


Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of UNITE since 2006

Old 07-29-2007, 11:03 AM   #8
Rei
Hello!

First, I didn't find WebHancer among the list of installed programs.
I'm having a problem with ComboFix. When I drop the CFScript.txt file onto it, it begins an AutoScan. When it ends it reboots the computer, but when I log in again ComboFix doesn't run, and the script has disappeared. Therefore it doesn't create a log. I am not sure why this happens...

What should I do?

Thanks
Old 07-29-2007, 11:47 AM   #9
tetonbob


Please locate this file:

C:\ComboFix.txt

and post it.

Also tell me if this folder exists:

C:\ComboFix
Old 07-29-2007, 12:20 PM   #10
Rei
In C:\ all I can see is ComboFix2.txt; that's the log I copied here the first time I ran ComboFix.

The folder ComboFix exists, and inside there's a ComboFix.txt; here it is:

ComboFix 07-07-28.5 - "Alith" 2007-07-29 11:50:01.6 [GMT -6:00] - FAT32
Microsoft Windows XP Professional 5.1.2600.2.1252.1.3082.18.Verdadero
Command switches used :: C:\Documents and Settings\Alith\Escritorio\CFScript.txt
* Created a new restore point
Old 07-29-2007, 01:33 PM   #11
tetonbob


Hello, Rei -

I need to consult with the tool's author. Please be patient with me, and I'll get back to you as soon as I can.
Old 07-29-2007, 02:02 PM   #12
Rei
Hello again!

Please don't worry and take your time. My computer is quite a bit better since I ran ComboFix. Thank you for your help, I'll be waiting :)
Old 07-29-2007, 03:37 PM   #13
tetonbob


Hello, Rei -

Please recreate the script from Post #7, and perform the same steps once again.

Report back with your results from that step, the log produced, and a new HijackThis log.

Here it is again:

Open notepad and copy/paste the text in the quotebox below into it:

Quote:
File::
C:\WINDOWS\system32\3ad8b6d1.exe
C:\WINDOWS\system32\tuvvspq.dll
C:\WINDOWS\system32\svwoolij.dll
C:\WINDOWS\system32\cbxxy.dll
C:\WINDOWS\system32\xcttgs.dll
C:\WINDOWS\system32\xcttgm.sys
C:\WINDOWS\system32\drivers\vspf_hk5.sys
C:\WINDOWS\system32\loorvogp.dll
C:\WINDOWS\system32\s2f.exe
C:\Archivos de programa\codec_setup.exe
C:\WINDOWS\system32\moovsnta.dll
C:\WINDOWS\system32\hlpsrv.exe
C:\WINDOWS\system32\cbxxy.dll
C:\WINDOWS\system32\tuvvspq.dll
C:\WINDOWS\system32\uqipwytd.exe

Folder::
C:\Program Files\webHancer
C:\VundoFix Backups

Driver::
xcttgm
xcttgs
vspf_hk

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{857A461D-8D96-4996-A4A0-AEA0A2535B86}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BE92AB68-810E-48AD-B489-9AE2B4BC9CEF}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MemoryManager"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{857A461D-8D96-4996-A4A0-AEA0A2535B86}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxxy]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvvspq]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winblh32]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xcttgs]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\xcttgm.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\xcttgs.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\xcttgm.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\xcttgs.sys]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\3ad8b6d1.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aouu]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avp]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\smgr]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Agent]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Survey Companion]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPop]

Save this as CFScript.txt




Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


---------------------------------------------------------------------------------------------


Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------
Old 07-29-2007, 04:16 PM   #14
Rei
I performed the steps again.
This time, before rebooting, the AutoScan window displayed the file names (which hadn't been shown before), but again after rebooting it didn't run... The ComboFix.txt file is this:

ComboFix 07-07-28.5 - "Alith" 2007-07-29 16:59:07.7 [GMT -6:00] - FAT32
Microsoft Windows XP Professional 5.1.2600.2.1252.1.3082.18.Verdadero
Command switches used :: C:\Documents and Settings\Alith\Escritorio\CFScript.txt
* Created a new restore point

And here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:10, on 2007-07-29
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Archivos de programa\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\Archivos de programa\MySQL\MySQL Server 4.1\bin\mysqld-nt.exe
C:\ARCHIV~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Archivos de programa\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\ARCHIV~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\ARCHIV~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Archivos de programa\Norton Personal Firewall\IAMAPP.EXE
C:\Archivos de programa\Java\jre1.6.0_01\bin\jusched.exe
C:\Archivos de programa\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\ARCHIV~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\alg.exe
C:\ARCHIV~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file)
O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Archivos de programa\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O4 - HKLM\..\Run: [iamapp] C:\Archivos de programa\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Archivos de programa\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\All Users\Menú Inicio\Programas\Absolute Poker\Absolute Poker.lnk (file missing)
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\All Users\Menú Inicio\Programas\Absolute Poker\Absolute Poker.lnk (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Archivos de programa\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Archivos de programa\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgCR2404.exe
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3B33AE5F-D804-429D-82BB-175B38CB7BA5}: NameServer = 208.133.206.44,208.133.206.59
O23 - Service: Adobe LM Service - Adobe Systems - C:\Archivos de programa\Archivos comunes\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Archivos de programa\Archivos comunes\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Archivos de programa\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: MySQL - Unknown owner - C:\Archivos.exe (file missing)
O23 - Service: Norton Personal Firewall Service (NISSERV) - Symantec Corporation - C:\Archivos de programa\Norton Personal Firewall\NISSERV.EXE
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\ARCHIV~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: SolidPDFConverterReadSpool (ScReadSpool) - VoyagerSoft, LLC - C:\Archivos de programa\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
O23 - Service: Norton Personal Firewall Proxy Service (SymProxySvc) - Symantec Corporation - C:\Archivos de programa\Norton Personal Firewall\SymProxySvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\ARCHIV~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\ARCHIV~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\ARCHIV~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Apache Tomcat (Tomcat6) - Apache Software Foundation - C:\Archivos de programa\Apache Software Foundation\Tomcat 6.0\bin\tomcat6.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Archivos de programa\TuneUp Utilities 2006\WinStylerThemeSvc.exe

--
End of file - 7012 bytes
Old 07-29-2007, 05:08 PM   #15
tetonbob


Please read these instructions carefully, and ask any questions you might have before proceeding. Take care to follow the instructions precisely.

Delete your existing version of ComboFix.

Download a new copy of combofix.exe to your desktop. --> << click here >>

Then download this file --> << click here >>

There are 2 files within:
  • 1.exe
  • 2.exe
Extract the files (right click and select extract all) & place them next to ComboFix.exe on your desktop.

Do not run ComboFix.exe.

Instead, run 1.exe first by double-clicking it. A black DOS window shall appear.
If it runs to completion, a ComboFix.txt log will be produced. In that case, there shall be no need to run 2.exe.

If the DOS window from 1.exe doesn't produce a log after 15 minutes, OR if the DOS window closes on its own without producing a log, RUN 2.exe (without closing the first window). It shall produce a zipped file named catchme.zip, which will be located on your Desktop.

This catchme.zip must be uploaded to here : http://www.bleepingcomputer.com/subm....php?channel=4
Old 07-30-2007, 05:37 PM   #16
Rei
Hi,

I followed the instructions, and this was the result. I ran 1.exe, and after five or six minutes my computer rebooted; when I logged in again the window didn't appear again, nor anything else. Then I ran 2.exe, but it didn't generate a zip file. I saw some sort of error message before the console with 2.exe disappeared; it was in Spanish, so I am not sure what the correct translation is. It says something like the command can't be recognized as an executable file or program. I've seen that error when I try to run a program that doesn't exist.
Old 07-30-2007, 05:53 PM   #17
tetonbob


The exact error message would be helpful.

I'm not sure why ComboFix ran successfully the first time, and not since then.
Old 07-30-2007, 06:02 PM   #18
Rei
This is what it says exactly:

"sed" no se reconoce como un comando interno o externo, programa o archivo por lotes ejecutable

Translation: "sed" is not recognized as an internal or external command, program or executable file.

About ComboFix, the only difference is that the first time I ran it in Safe Mode. Not sure why; I apologize. But besides that, nothing else changed.
Old 07-30-2007, 06:14 PM   #19
tetonbob


Thanks, Rei. I'm sure that will be helpful.

I once again need to consult with the tool author.

For now, can you please do this:

I'd like you to rename HijackThis.exe to peek.exe.
  • Navigate to C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe
  • Right click on HijackThis.exe
  • Select 'Rename'
  • Type in peek.exe
  • Press Enter.

Then run a new scan with HijackThis, save the log and post it.
Old 07-30-2007, 06:33 PM   #20
Rei
Here it is

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:32, on 2007-07-30
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Archivos de programa\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\Archivos de programa\MySQL\MySQL Server 4.1\bin\mysqld-nt.exe
C:\Archivos de programa\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Archivos de programa\Norton Personal Firewall\IAMAPP.EXE
C:\Archivos de programa\Java\jre1.6.0_01\bin\jusched.exe
C:\Archivos de programa\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\alg.exe
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\Archivos de programa\Winamp\winamp.exe
C:\Archivos de programa\Trend Micro\HijackThis\peek.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0772EA0F-890F-4B21-BF0B-220CCDA54DC5} - C:\WINDOWS\system32\cbxxy.dll
O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Archivos de programa\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {857A461D-8D96-4996-A4A0-AEA0A2535B86} - C:\WINDOWS\system32\tuvvspq.dll
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file)
O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Archivos de programa\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O4 - HKLM\..\Run: [iamapp] C:\Archivos de programa\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Archivos de programa\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\jngimsqh.dll",forkonce
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\All Users\Menú Inicio\Programas\Absolute Poker\Absolute Poker.lnk (file missing)
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\All Users\Menú Inicio\Programas\Absolute Poker\Absolute Poker.lnk (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Archivos de programa\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Archivos de programa\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgCR2404.exe
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3B33AE5F-D804-429D-82BB-175B38CB7BA5}: NameServer = 208.133.206.44,208.133.206.59
O20 - Winlogon Notify: cbxxy - C:\WINDOWS\system32\cbxxy.dll
O20 - Winlogon Notify: tuvvspq - C:\WINDOWS\SYSTEM32\tuvvspq.dll
O20 - Winlogon Notify: winblh32 - winblh32.dll (file missing)
O20 - Winlogon Notify: xcttgs - C:\WINDOWS\SYSTEM32\xcttgs.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Archivos de programa\Archivos comunes\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Archivos de programa\Archivos comunes\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Archivos de programa\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: MySQL - Unknown owner - C:\Archivos.exe (file missing)
O23 - Service: Norton Personal Firewall Service (NISSERV) - Symantec Corporation - C:\Archivos de programa\Norton Personal Firewall\NISSERV.EXE
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\ARCHIV~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: SolidPDFConverterReadSpool (ScReadSpool) - VoyagerSoft, LLC - C:\Archivos de programa\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
O23 - Service: Norton Personal Firewall Proxy Service (SymProxySvc) - Symantec Corporation - C:\Archivos de programa\Norton Personal Firewall\SymProxySvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\ARCHIV~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\ARCHIV~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\ARCHIV~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Apache Tomcat (Tomcat6) - Apache Software Foundation - C:\Archivos de programa\Apache Software Foundation\Tomcat 6.0\bin\tomcat6.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Archivos de programa\TuneUp Utilities 2006\WinStylerThemeSvc.exe

--
End of file - 7926 bytes

Copyright 2001 - 2014, Tech Support Forum
