Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Resolved HJT Threads Resolved spyware and popup issues.
#1, 11-15-2008, 01:50 PM
Registered User (Join Date: Nov 2008, Posts: 19, OS: xp sp2-3)

possible vundo infection and more!

My Microsoft Automatic Updates will not turn on, and my security settings are being controlled by something. It turns my pop-up blocker off and puts my security settings on the lowest level. I've detected the trojan w32/trojan3.gv in c:\documents and settings\doug\local settings\temp\tdssa38e.tmp. Any help would be greatly appreciated. Copied and pasted below is the DDS text. Thank you.


DDS (Version 1.0) - NTFSx86
Run by Doug at 14:54:56.76 on Sat 11/15/2008
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.522 [GMT -8:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Bell\Security Manager\Fws.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe
C:\Program Files\Bell\Security Manager\Rps.exe
C:\WINDOWS\System32\regsvr32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICAA.EXE
C:\Program Files\PIXELA\ImageMixer for HDD Camcorder\IMx3Launcher.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Bell\Sympatico Security Advisor\SSAComHandler.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Personal Vault\VaultClientUpgrade.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Bell\Security Manager\rpsupdaterR.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Doug\Desktop\dds.scr

============== Psuedo HJT Report ===============

uStart Page = hxxp://news.google.ca/nwshp?hl=en&tab=wn
uWindow Title = Microsoft Internet Explorer provided by Sympatico
uInternet Settings,ProxyOverride = *.local
BHO: {48b8d8bc-3214-45d1-b40d-3c69f4de6a7a} - c:\windows\system32\nrljyr.dll
BHO: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {9BDE042A-C2CA-42BA-90C9-89EEED379B65} - c:\windows\system32\cbXNHXQI.dll
BHO: {9E91EF7B-6846-45C3-A8AB-67CF7C900783} - c:\windows\system32\yayASkij.dll
BHO: {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\program files\windows live toolbar\msntb.dll
BHO: {E12E2C5E-1CE9-E765-2966-CEE7A65A5338} - c:\windows\system32\rtuhwvvirayizpn.dll
BHO: {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\program files\windows live toolbar\msntb.dll
TB: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\program files\windows live toolbar\msntb.dll
TB: {724D43A0-0D85-11D4-9908-00400523E39A} - c:\program files\siber systems\ai roboform\roboform.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [P2kAutostart]
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
uRun: [EPSON Stylus CX4400 Series] c:\windows\system32\spool\drivers\w32x86\3\e_faticaa.exe /fu "c:\windows\temp\E_S127.tmp" /EF "HKCU"
uRun: [prunnet] "c:\windows\system32\prun.exe"
uRunOnce: [IndexCleaner] "c:\program files\bell\security manager\IdxClnR.exe"
mRun: [LTMSG] LTMSG.exe 7
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [AtiPTA] Atiptaxx.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_05\bin\jusched.exe"
mRun: [SSA.exe] "c:\program files\bell\sympatico security advisor\SSA.exe" /AUTORUN
mRun: [Sympatico Security Manager] "c:\program files\bell\security manager\Rps.exe"
mRun: [-FreedomNeedsReboot] "c:\program files\bell\security manager\ZkRunOnceR.exe"
mRun: [prunnet] "c:\windows\system32\prun.exe"
mRun: [qvqrqpdzkbpc] c:\windows\system32\regsvr32.exe /s "c:\windows\system32\rtuhwvvirayizpn.dll"
mRun: [7caf86ba] rundll32.exe "c:\windows\system32\iksajbtj.dll",b
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRunOnce: [IndexCleaner] "c:\program files\bell\security manager\IdxClnR.exe"
dRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
mExplorerRun: [Lsass Service] c:\documents and settings\doug\application data\microsoft\windows\lsass.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\imagem~1.lnk - c:\program files\pixela\imagemixer for hdd camcorder\IMx3Launcher.exe
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Notify: yayASkij - yayASkij.dll
AppInit_DLLs: nrljyr.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {9E91EF7B-6846-45C3-A8AB-67CF7C900783} - c:\windows\system32\yayASkij.dll
SEH: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - c:\progra~1\wifd1f~1\MpShHook.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\cbXNHXQI

============= SERVICES / DRIVERS ===============

R2 VaultClientUpgrade;Personal Vault Upgrade Service;c:\program files\personal vault\VaultClientUpgrade.exe
S1 ati2mpad;ati2mpad;c:\windows\system32\drivers\ati2mpad.sys
S2 AtiBt829;ATI WDM Bt829 Video;c:\windows\system32\drivers\atinbtxx.sys
S2 ATITVAUDIO;ATI WDM TV Audio;c:\windows\system32\drivers\atinsnxx.sys
S2 ATIXBAR;ATI WDM Audio Video Crossbar;c:\windows\system32\drivers\atinxbxx.sys
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys
S3 Radialpoint Security Services;Sympatico Security Manager;"c:\program files\bell\security manager\RpsSecurityAware.exe"

=============== Created Last 30 ================

2008-11-15 14:28 250 a------- c:\windows\gmer.ini
2008-11-14 17:35 1,594,113 ---sh--- c:\windows\system32\jtbjaski.ini
2008-11-14 17:35 70,656 a------- c:\windows\system32\iksajbtj.dll
2008-11-14 17:32 104,448 a------- c:\windows\system32\nrljyr.dll
2008-11-14 17:32 104,448 a------- c:\windows\system32\idiwxeeb.dll
2008-11-13 17:45 104,448 a------- c:\windows\system32\zedawu.dll
2008-11-13 17:45 104,448 a------- c:\windows\system32\hinhuuap.dll
2008-11-13 17:43 55,808 a------- c:\windows\system32\drivers\TDSSserv.sys
2008-11-13 17:38 104,448 a------- c:\windows\system32\zlxuiy.dll
2008-11-13 17:38 104,448 a------- c:\windows\system32\fplnjiqf.dll
2008-11-13 17:35 29,696 a------- c:\windows\system32\av.dat
2008-11-13 17:35 2,276 a------- c:\windows\system32\TDSSlxwp.dll
2008-11-13 17:35 73,728 a------- c:\windows\system32\TDSSxfum.dll
2008-11-13 17:35 527 a------- c:\windows\system32\TDSSosvd.dat
2008-11-13 17:34 35,840 a------- c:\windows\system32\TDSSoiqh.dll
2008-11-13 17:31 1,594,095 ---sh--- c:\windows\system32\qpuytrdw.ini
2008-11-13 16:28 1,561,561 ---sh--- c:\windows\system32\fewktbyq.ini
2008-11-13 16:28 70,144 -------- c:\windows\system32\qybtkwef.dll
2008-11-13 16:26 104,448 a------- c:\windows\system32\rdumfq.dll
2008-11-13 16:26 104,448 a------- c:\windows\system32\ugcovcmw.dll
2008-11-12 16:06 13,560 a---h--- c:\windows\system32\mlfcache.dat
2008-11-12 05:33 77,824 a------- c:\windows\system32\xvid.ax
2008-11-12 05:33 180,224 a------- c:\windows\system32\xvidvfw.dll
2008-11-12 05:33 <DIR> --d----- c:\program files\Xvid
2008-11-11 23:48 1,561,561 ---sh--- c:\windows\system32\yqgubktb.ini
2008-11-11 23:48 70,144 -------- c:\windows\system32\btkbugqy.dll
2008-11-11 23:45 104,448 a------- c:\windows\system32\vmlppn.dll
2008-11-11 23:45 104,448 a------- c:\windows\system32\fnaxaoth.dll
2008-11-11 21:47 79,094 a------- c:\windows\system32\yhnnesgevye.exe
2008-11-11 21:46 <DIR> --d----- c:\temp\1cb
2008-11-11 21:46 <DIR> --d----- c:\windows\system32\vc1
2008-11-11 21:46 <DIR> --d----- c:\windows\system32\RS
2008-11-11 21:46 <DIR> --d----- c:\windows\system32\ce2
2008-11-11 21:46 <DIR> --d----- c:\windows\system32\up3
2008-11-11 21:45 1,561,552 ---sh--- c:\windows\system32\kqhiaagi.ini
2008-11-11 21:45 104,448 a------- c:\windows\system32\yrlnzb.dll
2008-11-11 21:45 104,448 a------- c:\windows\system32\bjxogmfk.dll
2008-11-11 21:44 619,410 a--sh--- c:\windows\system32\IQXHNXbc.ini2
2008-11-11 21:44 619,410 a--sh--- c:\windows\system32\IQXHNXbc.ini
2008-11-11 21:44 245,248 a------- c:\windows\system32\cbXNHXQI.dll
2008-11-11 21:42 <DIR> --d----- c:\docume~1\doug\applic~1\gadcom
2008-11-11 21:38 60,928 a--sh--- c:\windows\system32\opnMdbAS.dll
2008-11-11 21:37 104,448 -------- c:\windows\system32\yayASkij.dll
2008-11-11 21:37 <DIR> --d----- c:\windows\system32\QI19
2008-11-11 21:37 <DIR> --d----- c:\temp\NT32
2008-11-11 21:37 <DIR> --d----- C:\Temp
2008-11-11 21:37 <DIR> --d----- c:\docume~1\doug\applic~1\mIRC
2008-11-11 21:37 <DIR> --d----- c:\program files\mIRC
2008-10-26 09:22 800 a------- c:\windows\system32\PDBootState
2008-10-23 12:22 337,408 -c------ c:\windows\system32\dllcache\netapi32.dll

==================== Find3M ====================

2008-11-13 17:22 <DIR> --d----- c:\program files\common files\Scanner
2008-10-28 16:30 <DIR> --d----- c:\docume~1\doug\applic~1\MSN6
2008-10-14 07:39 171,520 a------- c:\windows\system32\rtuhwvvirayizpn.dll
2008-09-29 13:44 <DIR> --d----- c:\program files\Raxco
2008-09-15 04:12 1,846,400 a------- c:\windows\system32\win32k.sys
2008-08-29 15:06 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-08-25 23:24 826,368 a------- c:\windows\system32\wininet.dll
2008-08-10 18:36 <DIR> --d----- c:\docume~1\doug\applic~1\Bell
2008-08-10 18:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Bell
2008-06-03 16:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\EPSON
2008-04-23 17:06 <DIR> --d----- c:\docume~1\doug\applic~1\Pixela
2008-01-16 19:04 <DIR> --d----- c:\docume~1\doug\applic~1\FastStone
2008-01-09 13:31 <DIR> --d----- c:\docume~1\doug\applic~1\MSNInstaller
2008-01-09 11:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Windows Live Toolbar
2008-01-09 11:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\MSN6
2008-01-02 10:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Nero
2007-12-31 18:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Ahead

============= FINISH: 14:56:26.51 ===============
Attached Files
File Type: txt attach.txt (7.9 KB, 1 views)
File Type: txt gmer.txt (12.3 KB, 1 views)
-- firerooster

#2, 11-16-2008, 12:15 PM
sjb007, Analyst, Security Team (Join Date: Dec 2007, Location: Lincoln UK, Posts: 2,290, OS: Windows 7 Premium x64)

Re: possible vundo infection and more!

Hi there firerooster

Thank you for your patience. I will be helping you deal with the issues raised in your log from this point onwards.

Before we start jumping into things, here is a quick basic note which I mention to everyone. The fix which I have provided for you is for this computer only; it should not be used on any other computer. Each fix is tailor-made for the specific task in hand. If for some reason you have System Restore disabled, then please re-enable it before proceeding; an infected restore is better than none. Please read through the fix first and set enough time aside to complete the task in one session. If there is anything you feel needs clarification then please ask; do not guess! Please copy and paste any requested logs into replies rather than adding them as attachments, as this makes it easier for analysis.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this, click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

If this is a computer from a work place then please advise your IT department of the concerning issues before commencing past this point.

Please follow these directions in the order they are set out for you.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
-- sjb007

#3, 11-16-2008, 01:51 PM
Registered User (Join Date: Nov 2008, Posts: 19, OS: xp sp2-3)

Re: possible vundo infection and more!

Thank You for replying to my request. Please disregard my request for the time being, I hope I haven't wasted too much of your time. I also hope I'm ok to post a request in the future, I do appreciate the help.

Thanks.....DW
-- firerooster

#4, 11-16-2008, 01:57 PM
sjb007, Analyst, Security Team (Join Date: Dec 2007, Location: Lincoln UK, Posts: 2,290, OS: Windows 7 Premium x64)

Re: possible vundo infection and more!

Hi there,

Consider it done! I will consider this issue as resolved and stop monitoring it for further replies. If you should need further help then please start a new topic.

Thanks and regards.
-- sjb007