Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Old 03-29-2009, 01:12 AM   #1 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 32
OS: XP SP3, Vista SP1


Vundo.H disabled all network settings

Ran several programs to remove Vundo, but now I cannot get my network card to load its driver, rendering me unable to connect to the internet. Net Card and WAN miniports all have an exclamation point in Device Manager: "Windows cannot load the device driver for this hardware. The driver may be corrupted or missing. (Code 39)". De-installing and re-installing gives the same results.

DDS log shows:

DDS (Ver_09-02-01.01) - NTFSx86
Run by Ernie at 23:37:14.03 on 2009-03-28
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.254.118 [GMT -8:00]

AV: AntiVir Desktop *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Ernie\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.aol.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1117240716265
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxdev.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mcenspc.dll

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-3-26 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-3-26 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-3-26 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-3-26 55640]
S1 ced99ec8;ced99ec8;c:\windows\system32\drivers\ced99ec8.sys --> c:\windows\system32\drivers\ced99ec8.sys [?]
S3 botdrv;botdrv;\??\c:\documents and settings\ernie\driver.sys --> c:\documents and settings\ernie\driver.sys [?]

=============== Created Last 30 ================

2009-03-27 16:28 <DIR> --d----- c:\program files\Trend Micro
2009-03-27 16:09 <DIR> --d----- c:\docume~1\ernie\applic~1\Malwarebytes
2009-03-27 16:09 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-27 16:09 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-27 16:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-27 16:09 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-27 16:01 161,792 a------- c:\windows\SWREG.exe
2009-03-27 16:01 98,816 a------- c:\windows\sed.exe
2009-03-27 16:01 388,608 a------- c:\windows\system32\CF27811.exe
2009-03-27 16:00 26,496 a------- c:\windows\system32\dllcache\usbstor.sys
2009-03-26 18:58 40,448 a------- c:\windows\Sfoyobubobo.dll
2009-03-26 18:58 40,448 a------- C:\igkrrk.exe
2009-03-26 15:33 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-03-26 15:33 <DIR> --d----- c:\program files\Avira
2009-03-26 15:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira

==================== Find3M ====================

2009-03-26 18:58 14,336 a------- c:\windows\system32\SVCHOST.EXE
2009-03-26 18:58 14,336 a------- c:\windows\system32\dllcache\svchost.exe
2009-03-26 15:20 702 a------- c:\docume~1\ernie\applic~1\wklnhst.dat

============= FINISH: 23:37:35.68 ===============
Attached Files: attach.zip (4.5 KB)
rlakers is offline  
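As an added triage aid (example code written for this thread, not part of DDS, ComboFix or any post here), the following Python parses the SERVICES / DRIVERS block of the DDS log above and flags the same two entries the helper later targeted: the driver DDS could not find on disk and the one loading from a user profile. The sample input is copied from the log; the trusted-directory list and the eight-hex-digit name heuristic are my assumptions.

```python
"""Triage the SERVICES / DRIVERS section of a DDS log.

Added example for this thread; not part of DDS, ComboFix or the forum post.
It reads the 'R1/R2/S1/S3' lines that DDS prints, parses each into its
fields and flags the patterns acted on in this thread:
  * a driver whose image file is missing on disk (DDS prints '--> path [?]'),
  * a driver loading from a user profile instead of a system directory,
  * a service name that is just eight hex digits (like ced99ec8).
"""
import re
from dataclasses import dataclass, field

# Sample input (constructed from the DDS log in post #1 so the script runs offline).
SAMPLE_DDS = r"""
============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-3-26 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-3-26 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-3-26 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-3-26 55640]
S1 ced99ec8;ced99ec8;c:\windows\system32\drivers\ced99ec8.sys --> c:\windows\system32\drivers\ced99ec8.sys [?]
S3 botdrv;botdrv;\??\c:\documents and settings\ernie\driver.sys --> c:\documents and settings\ernie\driver.sys [?]

=============== Created Last 30 ================
"""

# DDS line layout: "<state> <name>;<display>;<image path> [<date> <size>]"
# or, when the image is not on disk, "... --> <resolved path> [?]".
LINE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)"
    r"(?:\s+-->\s+(?P<resolved>.+?))?\s+\[(?P<meta>[^\]]*)\]\s*$"
)

# Assumption: directories a driver/service image is normally installed under.
TRUSTED_PREFIXES = (
    r"c:\windows\system32\drivers",
    r"c:\windows\system32",
    r"c:\program files",
)
# Assumption: an eight-hex-digit service name is worth a second look.
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$", re.IGNORECASE)


@dataclass
class ServiceEntry:
    state: str       # R = running, S = stopped; the digit is the start type
    name: str
    display: str
    path: str        # path as DDS printed it (may start with \??\)
    missing: bool    # DDS could not stat the file ('[?]')
    flags: list = field(default_factory=list)


def normalize(path: str) -> str:
    """Strip the NT '\\??\\' prefix and lower-case for prefix comparison."""
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def parse_services(text: str) -> list:
    """Return the parsed entries of the SERVICES / DRIVERS section only."""
    entries = []
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("=") and "SERVICES / DRIVERS" in line:
            in_section = True
            continue
        if in_section and line.startswith("="):
            break  # reached the next DDS section header
        m = LINE_RE.match(line)
        if not (in_section and m):
            continue
        entries.append(ServiceEntry(
            state=m["state"], name=m["name"], display=m["display"],
            path=m["path"], missing=m["meta"].strip() == "?",
        ))
    return entries


def triage(entries: list) -> list:
    """Attach flags to each entry and return only the flagged ones."""
    flagged = []
    for e in entries:
        p = normalize(e.path)
        if e.missing:
            e.flags.append("image file missing")
        if not p.startswith(TRUSTED_PREFIXES):
            e.flags.append("image outside system/program directories")
        if HEX_NAME_RE.match(e.name):
            e.flags.append("eight-hex-digit service name")
        if e.flags:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for e in triage(parse_services(SAMPLE_DDS)):
        print(f"{e.state} {e.name}: {e.path} -> {', '.join(e.flags)}")
```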

Old 04-01-2009, 08:55 PM   #2 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 32
OS: XP SP3, Vista SP1


Re: Vundo.H disabled all network settings

BUMP Please......!!
rlakers is offline  
Old 04-02-2009, 10:04 AM   #3 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,659
OS: 2000 Pro; XP Pro; XP Home


Re: Vundo.H disabled all network settings

Hello, rlakers -

A Reminder....

As seen in Post #2 of our sticky topic 'NEW INSTRUCTIONS Read this Before Posting For Malware Removal Help'
Quote:
Why we don't ask you to run ComboFix from the onset

As stated by the author of ComboFix:

ComboFix is a very powerful tool which when improperly used may render your machine to a doorstop.

We first need to verify if there's any rootkits present and how they could affect our tools. DDS & GMER are preliminary scans. We use their logs to map our strategy for attack.

With these logs we can determine the infections present & decide whether to deploy ComboFix
Since you have already run it, did it produce a log? If so, and it's been closed, the log will be located at C:\ComboFix.txt

Please post it.

I'm not sure fixing what I do see will resolve the network/internet issues, but this will be a start.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 04-02-2009, 08:25 PM   #4 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 32
OS: XP SP3, Vista SP1


Re: Vundo.H disabled all network settings

Lesson learned. The log I found is:

ComboFix 09-03-06.02 - Ernie 2009-03-27 16:01:51.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.274 [GMT -8:00]
Running from: E:\Combo-Fix.exe
AV: AntiVir Desktop *On-access scanning enabled* (Updated)
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
- REDUCED FUNCTIONALITY MODE -
.

Should I run it again now that you have the initial logs?
rlakers is offline  
Old 04-02-2009, 08:51 PM   #5 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,659
OS: 2000 Pro; XP Pro; XP Home


Re: Vundo.H disabled all network settings

No.

What I'd like you to do is delete it, and then download a fresh copy from the link I'll give. Transfer it to the affected machine, disable protections such as AntiVirus and AntiSpyware.

This fix will not work without the Windows Recovery Console installed. In addition to the ComboFix version I'll link you to, you'll need to download the Recovery Console package from the link I give you. Since you stated you don't have internet connection on the machine, this is what we have to do. If for some reason internet has been restored, do NOT allow this version of ComboFix to update itself if requested.


This machine does not have the Windows XP Recovery Console installed.

The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

Please do this:

Download the version of ComboFix from this link

Go to Microsoft's website => http://support.microsoft.com/kb/310994

Download this file:

http://www.microsoft.com/downloads/d...displaylang=en


Download the file & save it as it's originally named, next to KittyFix.exe.

I see you've run Combo-Fix from a USB drive. That can work, but it would be better and easier if you transfer both files to desktop for the next step.

Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it.

If that's not possible...ensure both files are on your E drive.

Run this command from Start > Run

"E:\KittyFix.exe" "E:\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe"

Where E: is still the drive letter of your USB drive.

Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.


ComboFix will now automatically install the Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Windows Recovery Console option when you start your computer unless requested to by a helper.

As part of installing the Recovery Console, ComboFix will begin to run. Follow the prompts to install the Recovery Console. Your desktop may disappear. This is normal. It will return.

Once the Recovery Console is installed using ComboFix, you should see a message that says:

The Recovery Console was successfully installed.

Click on Yes. Post the log produced.
tetonbob is offline  
Old 04-02-2009, 09:46 PM   #6 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 32
OS: XP SP3, Vista SP1


Re: Vundo.H disabled all network settings

ComboFix 09-04-01.03 - Ernie 2009-04-02 20:27:34.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.305 [GMT -8:00]
Running from: c:\documents and settings\Ernie\Desktop\KittyFix.exe
Command switches used :: c:\documents and settings\Ernie\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_botdrv
-------\Legacy_icf
-------\Service_botdrv


((((((((((((((((((((((((( Files Created from 2009-03-03 to 2009-04-03 )))))))))))))))))))))))))))))))
.

2009-03-28 21:43 . 2009-03-28 21:43 <DIR> d-------- c:\documents and settings\Ernie\Application Data\CyberLink
2009-03-28 21:12 . 2009-03-28 21:13 80 --a------ c:\documents and settings\Regina\Application Data\wklnhst.dat
2009-03-28 20:58 . 2009-03-28 20:58 <DIR> d-------- c:\documents and settings\Regina\Application Data\Malwarebytes
2009-03-27 16:28 . 2009-03-27 16:28 <DIR> d-------- c:\program files\Trend Micro
2009-03-27 16:09 . 2009-03-27 16:09 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-27 16:09 . 2009-03-27 16:09 <DIR> d-------- c:\documents and settings\Ernie\Application Data\Malwarebytes
2009-03-27 16:09 . 2009-03-27 16:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-27 16:09 . 2009-02-11 10:19 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-03-27 16:09 . 2009-02-11 10:19 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2009-03-27 16:00 . 2004-08-03 23:08 26,496 --a------ c:\windows\SYSTEM32\DLLCACHE\usbstor.sys
2009-03-26 18:58 . 2009-03-26 18:58 40,448 --a------ c:\windows\Sfoyobubobo.dll
2009-03-26 18:58 . 2009-03-26 18:58 40,448 --a------ C:\igkrrk.exe
2009-03-26 15:33 . 2009-03-26 15:33 <DIR> d-------- c:\program files\Avira
2009-03-26 15:33 . 2009-03-26 15:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2009-03-26 15:33 . 2009-02-13 11:31 55,640 --a------ c:\windows\SYSTEM32\DRIVERS\avgntflt.sys
2009-03-26 15:32 . 2009-03-26 15:32 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-03-26 15:25 . 2009-03-26 15:33 <DIR> d-------- c:\program files\NOS
2009-03-26 15:25 . 2009-03-26 15:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-27 23:48 --------- d--ha-w c:\documents and settings\All Users\Application Data\GTek
2009-03-27 23:48 --------- d--h--w c:\documents and settings\Regina\Application Data\Gtek
2009-03-27 23:48 --------- d--h--w c:\documents and settings\Ernie\Application Data\Gtek
2009-03-27 02:37 --------- d-----w c:\program files\Play65
2009-03-27 02:29 --------- d-----w c:\program files\America Online 9.0
2009-03-27 02:24 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2009-03-26 23:31 --------- d-----w c:\program files\Common Files\Adobe
2009-03-26 23:20 702 ----a-w c:\documents and settings\Ernie\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-03-26 108289]
S1 ced99ec8;ced99ec8;c:\windows\system32\drivers\ced99ec8.sys --> c:\windows\system32\drivers\ced99ec8.sys [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-02 20:36:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\NETDDE.EXE
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\windows\SYSTEM32\wdfmgr.exe
c:\windows\SYSTEM32\WBEM\WMIAPSRV.EXE
c:\windows\SYSTEM32\WSCNTFY.EXE
.
**************************************************************************
.
Completion time: 2009-04-02 20:38:27 - machine was rebooted [Ernie]
ComboFix-quarantined-files.txt 2009-04-03 04:38:25

Pre-Run: 26,670,411,776 bytes free
Post-Run: 26,610,118,656 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

106


Thank you for your quick response on this. I appreciate it very much and once again, I apologize for my jumping ahead.
rlakers is offline  
Old 04-02-2009, 09:58 PM   #7 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,659
OS: 2000 Pro; XP Pro; XP Home


Re: Vundo.H disabled all network settings

Hi rlakers -

That looks good. There's still more work to do, but.........

Before we continue, can you access the internet on the affected machine now?
tetonbob is offline  
Old 04-02-2009, 10:17 PM   #8 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 32
OS: XP SP3, Vista SP1


Re: Vundo.H disabled all network settings

No. On the Device Manager all network adapters have a yellow exclamation point. Device Status is "Windows cannot load the device driver for this hardware. The driver may be corrupted or missing. (Code 39)".
rlakers is offline  
Old 04-02-2009, 10:34 PM   #9 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,659
OS: 2000 Pro; XP Pro; XP Home


Re: Vundo.H disabled all network settings

Ok, well, let's do what we can with the malware I do see, and see what we can do about your issues showing in devmgmt afterward. I guess the good news is, no new trash gets on the machine right now.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage will not be available while you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------
  1. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
  2. Open notepad and copy/paste the text in the quotebox below into it:

    Quote:
    http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/361112-vundo-h-disabled-all-network-settings.html#post2059226

    Driver::
    ced99ec8

    Collect::
    c:\windows\Sfoyobubobo.dll
    C:\igkrrk.exe
    c:\windows\system32\drivers\ced99ec8.sys


    Save this as CFScript.txt

    Referring to the picture above, drag CFScript.txt into ComboFix.exe


  3. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  4. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

  5. Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------
  6. You can use the information in this link to manually update your Avira by downloading a file with the definitions, and loading it from USB stick via the Avira user interface.

    http://forum.avira.com/thread.php?threadid=12073


    Once you do, run a full system scan, and post the log. To open the log, click on Report once the scan is done.
tetonbob is offline  
Old 04-02-2009, 10:43 PM   #10 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,659
OS: 2000 Pro; XP Pro; XP Home


Re: Vundo.H disabled all network settings

Hi rlakers -

Before you perform the instructions in post #9, please do this, and then wait.

Go Start > Run and copy/paste the following single-line command into the Run box and click OK:

cmd /c Vfind -ltf "%systemdrive%\ndis.sys" >Log.txt&Log.txt&del Log.txt

A Notepad file will open. Post the contents of Log.txt in your next reply.
tetonbob is offline  
Old 04-02-2009, 11:32 PM   #11 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 32
OS: XP SP3, Vista SP1


Re: Vundo.H disabled all network settings

Too late:

I ran ComboFix (KittyFix) with your script, but it would not let me run it without renaming KittyFix to K1ttyf1x. I will post the log for that next. Secondly, I ran the update to AntiVir..... it is now at 98.7% done, but it found the following: TR/Dldr.Mufanom.B in file [4]-Submit_2009-04-02@21.49.zip, and TR/Trash.Gen in igkrrk.exe.vir, Sfoyobubobo.dll.vir, A0000284.exe and A0000285.dll. It is now asking if I want to Repair all or cancel. I will wait for your answer before I do anything. I cannot do anything else until I answer that pop-up.
rlakers is offline  
Old 04-02-2009, 11:52 PM   #12 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,659
OS: 2000 Pro; XP Pro; XP Home


Re: Vundo.H disabled all network settings

Anything in [4]-Submit_2009-04-02@21.49.zip,

Cancel that if possible. Those are files I'd like to upload later if Avira doesn't eat them. If it does, that's ok...whatever's easier for you.
tetonbob is offline  
Old 04-03-2009, 12:28 AM   #13 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 32
OS: XP SP3, Vista SP1


Re: Vundo.H disabled all network settings

OK, I cancelled it and rebooted the computer because it froze. The ComboFix log is:

ComboFix 09-04-01.03 - Ernie 2009-04-02 21:49:41.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.311 [GMT -8:00]
Running from: c:\documents and settings\Ernie\Desktop\K1ttyF1x.exe
Command switches used :: c:\documents and settings\Ernie\Desktop\CFScript.txt.txt
AV: AntiVir Desktop *On-access scanning disabled* (Outdated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\igkrrk.exe
c:\windows\Sfoyobubobo.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ced99ec8


((((((((((((((((((((((((( Files Created from 2009-03-03 to 2009-04-03 )))))))))))))))))))))))))))))))
.

2009-04-02 21:46 . 2009-04-02 21:47 <DIR> d-------- C:\KittyFix
2009-03-28 21:43 . 2009-03-28 21:43 <DIR> d-------- c:\documents and settings\Ernie\Application Data\CyberLink
2009-03-28 21:12 . 2009-03-28 21:13 80 --a------ c:\documents and settings\Regina\Application Data\wklnhst.dat
2009-03-28 20:58 . 2009-03-28 20:58 <DIR> d-------- c:\documents and settings\Regina\Application Data\Malwarebytes
2009-03-27 16:28 . 2009-03-27 16:28 <DIR> d-------- c:\program files\Trend Micro
2009-03-27 16:09 . 2009-03-27 16:09 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-27 16:09 . 2009-03-27 16:09 <DIR> d-------- c:\documents and settings\Ernie\Application Data\Malwarebytes
2009-03-27 16:09 . 2009-03-27 16:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-27 16:09 . 2009-02-11 10:19 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-03-27 16:09 . 2009-02-11 10:19 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2009-03-27 16:00 . 2004-08-03 23:08 26,496 --a------ c:\windows\SYSTEM32\DLLCACHE\usbstor.sys
2009-03-26 15:33 . 2009-03-26 15:33 <DIR> d-------- c:\program files\Avira
2009-03-26 15:33 . 2009-03-26 15:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2009-03-26 15:33 . 2009-02-13 11:31 55,640 --a------ c:\windows\SYSTEM32\DRIVERS\avgntflt.sys
2009-03-26 15:32 . 2009-03-26 15:32 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-03-26 15:25 . 2009-03-26 15:33 <DIR> d-------- c:\program files\NOS
2009-03-26 15:25 . 2009-03-26 15:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-27 23:48 --------- d--ha-w c:\documents and settings\All Users\Application Data\GTek
2009-03-27 23:48 --------- d--h--w c:\documents and settings\Regina\Application Data\Gtek
2009-03-27 23:48 --------- d--h--w c:\documents and settings\Ernie\Application Data\Gtek
2009-03-27 02:37 --------- d-----w c:\program files\Play65
2009-03-27 02:29 --------- d-----w c:\program files\America Online 9.0
2009-03-27 02:24 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2009-03-26 23:31 --------- d-----w c:\program files\Common Files\Adobe
2009-03-26 23:20 702 ----a-w c:\documents and settings\Ernie\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-03-26 108289]
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-02 21:59:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\NETDDE.EXE
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\windows\SYSTEM32\wdfmgr.exe
c:\windows\SYSTEM32\WBEM\WMIAPSRV.EXE
c:\windows\SYSTEM32\WSCNTFY.EXE
.
**************************************************************************
.
Completion time: 2009-04-02 22:01:14 - machine was rebooted [Ernie]
ComboFix-quarantined-files.txt 2009-04-03 06:01:12
ComboFix2.txt 2009-04-03 04:38:28

Pre-Run: 26,579,820,544 bytes free
Post-Run: 26,569,281,536 bytes free

93

The 6 detections from AntiVir look like they came from the C:\Qoobox\Quarantine folder. Here is the AntiVir log. Let me know if you want me to attach the zipped folder.

Avira AntiVir Personal
Report file date: Thursday, April 02, 2009 22:05

Scanning for 1337662 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 2) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : EGOLD

Version information:
BUILD.DAT : 9.0.0.387 17962 Bytes 3/24/2009 11:04:00
AVSCAN.EXE : 9.0.3.3 464641 Bytes 2/24/2009 20:13:26
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 18:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 19:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 18:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 20:29:38
ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 2/11/2009 04:32:40
ANTIVIR2.VDF : 7.1.3.0 1330176 Bytes 4/1/2009 21:09:26
ANTIVIR3.VDF : 7.1.3.7 34816 Bytes 4/2/2009 00:44:20
Engineversion : 8.2.0.129
AEVDF.DLL : 8.1.1.0 106868 Bytes 1/31/2009 00:56:18
AESCRIPT.DLL : 8.1.1.70 369019 Bytes 3/26/2009 23:59:40
AESCN.DLL : 8.1.1.8 127346 Bytes 3/6/2009 02:22:54
AERDL.DLL : 8.1.1.3 438645 Bytes 11/5/2008 16:43:26
AEPACK.DLL : 8.1.3.11 397687 Bytes 3/25/2009 04:48:20
AEOFFICE.DLL : 8.1.0.36 196987 Bytes 2/27/2009 04:56:12
AEHEUR.DLL : 8.1.0.111 1679736 Bytes 3/25/2009 04:48:18
AEHELP.DLL : 8.1.2.2 119158 Bytes 2/27/2009 04:56:12
AEGEN.DLL : 8.1.1.31 340341 Bytes 3/26/2009 23:59:40
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/15/2008 19:49:36
AECORE.DLL : 8.1.6.6 176501 Bytes 2/18/2009 01:00:12
AEBB.DLL : 8.1.0.3 53618 Bytes 10/15/2008 19:49:34
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 16:47:59
AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 18:32:15
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 22:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 18:32:09
AVARKT.DLL : 9.0.0.1 292609 Bytes 2/9/2009 15:52:24
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 18:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 23:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 16:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 18:32:10
RCIMAGE.DLL : 9.0.0.21 2438401 Bytes 2/9/2009 19:45:45
RCTEXT.DLL : 9.0.35.0 87297 Bytes 3/11/2009 23:55:12

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Thursday, April 02, 2009 22:05

Starting search for hidden objects.
'23461' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'EXPLORER.EXE' - '1' Module(s) have been scanned
Scan process 'WSCNTFY.EXE' - '1' Module(s) have been scanned
Scan process 'WMIAPSRV.EXE' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'AOLacsd.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'igfxpers.exe' - '1' Module(s) have been scanned
Scan process 'hkcmd.exe' - '1' Module(s) have been scanned
Scan process 'NETDDE.EXE' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'LSASS.EXE' - '1' Module(s) have been scanned
Scan process 'SERVICES.EXE' - '1' Module(s) have been scanned
Scan process 'WINLOGON.EXE' - '1' Module(s) have been scanned
Scan process 'CSRSS.EXE' - '1' Module(s) have been scanned
Scan process 'SMSS.EXE' - '1' Module(s) have been scanned
21 processes with 21 modules were scanned

Starting master boot sector scan:

Start scanning boot sectors:

Starting to scan executable files (registry).
The registry was scanned ( '51' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Qoobox\Quarantine\[4]-Submit_2009-04-02@21.49.zip
[0] Archive type: ZIP
--> igkrrk.exe
[DETECTION] Is the TR/Dldr.Mufanom.B Trojan
--> Sfoyobubobo.dll
[DETECTION] Is the TR/Dldr.Mufanom.B Trojan
C:\Qoobox\Quarantine\C\igkrrk.exe.vir
[DETECTION] Is the TR/Trash.Gen Trojan
C:\Qoobox\Quarantine\C\WINDOWS\Sfoyobubobo.dll.vir
[DETECTION] Is the TR/Trash.Gen Trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000284.exe
[DETECTION] Is the TR/Trash.Gen Trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000285.dll
[DETECTION] Is the TR/Trash.Gen Trojan

Beginning disinfection:
C:\Qoobox\Quarantine\[4]-Submit_2009-04-02@21.49.zip
[WARNING] The file was ignored!
C:\Qoobox\Quarantine\C\igkrrk.exe.vir
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] The file was ignored!
C:\Qoobox\Quarantine\C\WINDOWS\Sfoyobubobo.dll.vir
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] The file was ignored!
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000284.exe
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] The file was ignored!
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000285.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] The file was ignored!


End of the scan: Thursday, April 02, 2009 23:07
Used time: 18:19 Minute(s)

The scan has been done completely.

3099 Scanned directories
196595 Files were scanned
6 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
0 Files were moved to quarantine
0 Files were renamed
2 Files cannot be scanned
196587 Files not concerned
8022 Archives were scanned
7 Warnings
2 Notes
23461 Objects were scanned with rootkit scan
0 Hidden objects were found
Old 04-03-2009, 12:32 AM   #14 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,659
OS: 2000 Pro; XP Pro; XP Home


Re: Vundo.H disabled all network settings

All those items are safe where they are for now. Once we're able to restore your internet, I'll ask you to upload the zip file to another site we use for analysis. Please don't attach it here. Thanks.

Now, the results from the instructions in post #10 will help determine the next steps.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
Old 04-03-2009, 12:40 AM   #15 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 32
OS: XP SP3, Vista SP1


Re: Vundo.H disabled all network settings

----a-w 182,912 2004-08-04 10:00:00 C:\I386\NDIS.SYS

Entries: 1 (1)
Directories: 0 Files: 1
Bytes: 182,912 Blocks: 358
Old 04-03-2009, 12:49 AM   #16 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,659
OS: 2000 Pro; XP Pro; XP Home


Re: Vundo.H disabled all network settings

Let's drop a copy of that file into C:\windows\system32\drivers

Since you're transferring data back and forth, you may want to just do this manually, by running a Windows Search for ndis.sys, right click and copy that file, then open C:\Windows\system32\drivers and select paste.

Or, we can use this batch file, which you can create and transfer.

Open notepad and copy/paste the text in the quotebox below into it:

Quote:
@echo off

copy /y C:\I386\NDIS.SYS C:\WINDOWS\System32\Drivers\ndis.sys
dir /a/s c:\Windows\ndis.sys >log.txt
notepad log.txt

del %0
Save this as fix.bat. Choose to "Save type as - All Files".
It should look like this:
Double click on fix.bat & allow it to run

A notepad file will open. Post that for me.
Old 04-03-2009, 01:03 AM   #17 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 32
OS: XP SP3, Vista SP1


Re: Vundo.H disabled all network settings

I took the simple approach of just copying from the I386 folder. I rebooted and now I have Internet.
Old 04-03-2009, 01:07 AM   #18 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,659
OS: 2000 Pro; XP Pro; XP Home


Re: Vundo.H disabled all network settings

Good deal...that takes care of that part of the issues. Still a bit more work to do...this will take some time.
  • Please visit this site:
    http://www.bleepingcomputer.com/subm....php?channel=4
  • In the Link to topic where this file was requested: area, copy and paste this
    http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/361112-vundo-h-disabled-all-network-settings-post2059411.html#post2059411
  • In the Browse to the file you want to submit: area, copy and paste this
    C:\Qoobox\Quarantine\[4]-Submit_2009-04-02@21.49.zip
  • Then click Send File.
  • Once it shows:
    Quote:
    Your file was successfully submitted. Please let the user helping you know that you have submitted the file.
  • Close the site and continue with the steps below.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove the older Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
  • Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 13. The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
  • Click the "Download" button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

---------------------------------------------------------------------------------------------

Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic and also let me know how things are now.
Old 04-03-2009, 01:27 AM   #19 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,659
OS: 2000 Pro; XP Pro; XP Home


Re: Vundo.H disabled all network settings

Please also run this batch file....if you could do this before the online scan, that would be good.

Open notepad and copy/paste the text in the quotebox below into it:

Quote:
fdsv>log.txt "C:\windows\system32\drivers\ndis.sys"
notepad log.txt
Save this as peek.bat. Choose to "Save type as - All Files".
It should look like this:
Double click on peek.bat & allow it to run. A notepad file will open. Copy that information into your next reply, please.
Old 04-03-2009, 01:51 AM   #20 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 32
OS: XP SP3, Vista SP1


Re: Vundo.H disabled all network settings

FileDigitalSignVerify 1.2
Copyright (C) 2007-2008 Smallfrogs
KZTechs.COM - www.KZTechs.com

FileDigitalSignVerify is used to verify digital signatures on specified files.

Status Name of signer File Path
-----------------------------------------------------------
0x00000000 Microsoft Windows Publisher C:\windows\system32\drivers\ndis.sys

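As an added example that is not part of the thread (it is neither tetonbob's fix.bat/peek.bat nor the fdsv output rlakers posted), the two steps above combined in one PowerShell script: restore ndis.sys from the XP setup cache only when the installed copy is missing or differs from the cached one, and record size, timestamp, SHA-256 and embedded Authenticode status of each copy into a log to post. The source and destination paths are the ones from the thread; the log location and the treatment of the signature status are assumptions, and the script deliberately uses .NET hashing so it runs on the PowerShell 2.0 of an XP-era machine.

```powershell
# Added example, not code from the thread. Paths are those named in the
# thread; the log path is an assumption.
$Source = 'C:\I386\NDIS.SYS'
$Dest   = 'C:\WINDOWS\System32\Drivers\ndis.sys'
$Log    = Join-Path $env:TEMP 'ndis-restore-log.txt'   # assumed log location

function Get-Sha256Hex {
    param([string]$Path)
    # .NET hashing works on PowerShell 2.0 (XP generation); Get-FileHash needs 4.0+.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $sha.ComputeHash($fs) }
    finally { $fs.Close() }
    return (($bytes | ForEach-Object { $_.ToString('x2') }) -join '')
}

function Get-DriverFacts {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $signer = '(no embedded signature)'
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    # Caveat: XP inbox drivers carry their signature in a catalog (nt5.cat),
    # not inside the file, so older PowerShell reports NotSigned even for a
    # genuine ndis.sys; that is why the thread used fdsv, which consults the
    # catalogs. A status of HashMismatch, however, always means the file was
    # altered after it was signed.
    New-Object PSObject -Property @{
        Path      = $Path
        Size      = $item.Length
        Modified  = $item.LastWriteTime
        SHA256    = Get-Sha256Hex -Path $Path
        SigStatus = $sig.Status
        Signer    = $signer
    }
}

$cache = Get-DriverFacts -Path $Source
if (-not $cache) { throw "No cached driver at $Source" }
if ($cache.SigStatus -eq 'HashMismatch') { throw "Cached copy at $Source has a broken signature; do not use it" }

$before = Get-DriverFacts -Path $Dest

# Copy only when the installed driver is missing or differs from the cached copy.
$changed = $false
if (-not $before -or $before.SHA256 -ne $cache.SHA256) {
    Copy-Item -LiteralPath $Source -Destination $Dest -Force
    $changed = $true
}
$after = Get-DriverFacts -Path $Dest

# Write a report in the same spirit as the thread's log.txt, then open it.
$report = @("Restore performed: $changed")
foreach ($f in @($cache, $before, $after)) {
    if ($f) { $report += ($f | Format-List Path, Size, Modified, SHA256, SigStatus, Signer | Out-String) }
}
$report | Out-File -FilePath $Log -Encoding ASCII
notepad $Log
```

Run it from an elevated PowerShell prompt; as in the thread, the restored driver is picked up at the next reboot. Keeping the before-and-after hashes in the log is what lets a helper confirm later that the file now in place is the one from the setup cache and not something left behind by the infection.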
 


Copyright 2001 - 2009, Tech Support Forum