Status
Not open for further replies.
1 - 8 of 8 Posts

#### suffolk

·
##### Registered
Joined
·
4 Posts
Discussion Starter
I have the vundo virus and I've tried fixing it with the suggestions of others online, but I get lost when it comes to all the register stuff and the kilbot and stuff like that. I've run the removal tool in both regular and safe mode and it did nothing.

Can anyone help?

#### sUBs

·
##### TSF Security Team, Emeritus
Joined
·
26,363 Posts
Download HiJackThis - this program will help us determine if there are any spyware/malware on your computer.
1. Double-click on the file you just downloaded.
2. Click on the "Unzip" button to install the newer version.
3. It will by default install to the directory - C:\Program Files\HiJackThis\
4. If it gives you an intro screen, just choose - Do a system scan and save a logfile.
5. If you don't get the intro screen, just hit [Scan] and then click on Save log.
6. Post the HiJackThis.log file here.

#### suffolk

·
##### Registered
Joined
·
4 Posts
Discussion Starter
Vundo

Ok here is the logfile. I have no idea what to do next. I'm really sorry I'm so naive about all this.

Logfile of HijackThis v1.99.1
Scan saved at 4:33:15 PM, on 10/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\inf\cbak.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\hijackthis_sfx.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.lib.berkeley.edu:7777/proxy.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O1 - Hosts: com
O1 - Hosts: com
O1 - Hosts: .com
O1 - Hosts: .com
O1 - Hosts: .com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: CATLEvents Object - {BB54DE33-E539-4749-BFAC-CC49617E8F2A} - C:\DOCUME~1\MRCC6E~1.SHA\LOCALS~1\Temp\kabc.dat
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: CATLEvents Object - {D487068E-9B04-4FE5-8A83-08344F800BF5} - C:\DOCUME~1\MRCC6E~1.SHA\LOCALS~1\Temp\3pmlru.dat (file missing)
O2 - BHO: CATLEvents Object - {FF4D5071-EE0E-4DCA-BC1C-D776B0F2276E} - C:\DOCUME~1\MRCC6E~1.SHA\LOCALS~1\Temp\vrslru.dat
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [*dosexp] C:\WINDOWS\Config\dosexp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [*comeula] C:\WINDOWS\comeula.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [*runav] C:\WINDOWS\msagent\chars\runav.exe
O4 - HKLM\..\Run: [*expcr] C:\WINDOWS\msagent\expcr.exe
O4 - HKLM\..\Run: [*dnsole] C:\WINDOWS\ServicePackFiles\dnsole.exe
O4 - HKLM\..\Run: [*asnet] C:\WINDOWS\Fonts\asnet.exe
O4 - HKLM\..\Run: [*pseula] C:\WINDOWS\msagent\chars\pseula.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [*tapiodbc] C:\WINDOWS\Tasks\tapiodbc.exe
O4 - HKLM\..\Run: [*javanut] C:\WINDOWS\Driver Cache\javanut.exe
O4 - HKLM\..\Run: [*imgwin] C:\WINDOWS\AppPatch\imgwin.exe
O4 - HKLM\..\Run: [*acvga] C:\WINDOWS\inf\acvga.exe
O4 - HKLM\..\Run: [*cmdimg] C:\WINDOWS\addins\cmdimg.exe
O4 - HKLM\..\Run: [*mp3exp] C:\WINDOWS\Cursors\mp3exp.exe
O4 - HKLM\..\Run: [*avfax] C:\WINDOWS\system\avfax.exe
O4 - HKLM\..\Run: [*runvb] C:\WINDOWS\Registration\runvb.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunOnce: [*cbak] C:\WINDOWS\inf\cbak.exe rerun
O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ 4 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/0642e5bee8eb0ff6a106/netzip/RdxIE601.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1128096319203
O16 - DPF: {78960E0E-0B0C-11D4-8997-00104BD12D94} (AV Class) - http://pcpitstop.com/antivirus/PCPAV.CAB
O16 - DPF: {C1BAC744-8F0B-11D0-89E7-00C0A8295197} (Cameractl Class) - http://www.berkeley.edu/webcams/camera.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0FD01DDA-E4E0-45A2-8F46-072135641A46}: NameServer = 151.164.1.8,206.13.28.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{0FD01DDA-E4E0-45A2-8F46-072135641A46}: NameServer = 151.164.1.8,206.13.28.12
O17 - HKLM\System\CS2\Services\Tcpip\..\{0FD01DDA-E4E0-45A2-8F46-072135641A46}: NameServer = 151.164.1.8,206.13.28.12
O20 - Winlogon Notify: cbak - C:\DOCUME~1\MRCC6E~1.SHA\LOCALS~1\Temp\kabc.dat
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#### sUBs

·
##### TSF Security Team, Emeritus
Joined
·
26,363 Posts
Please download the following programs/files: (do not run them until you're instructed to do so)

CleanUp.exe - Install

Host.zip
Extract the file & overwrite the existing copy located at C:\WINDOWS\SYSTEM32\DRIVERS\ETC\host

Then, download the attachment I have placed in this post - hjtrun.zip
From within it, double-click on hjtrun.bat

'UNPLUG'/DISCONNECT YOUR COMPUTER FROM THE INTERNET WHEN YOU HAVE FINISHED DOWNLOADING

This webpage would not be available when you're carrying out the fix. Please save the following instructions in Notepad. I have customed my instructions on the assumption that you are using Notepad. It may lead to some confusion should you choose to do otherwise.

If there's anything that you don't understand, kindly ask your questions before proceeding with the fixes. There should not be any opened browsers when you are carrying out the procedures below.

IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Uninstall the following programs, if present, using Control Panel->Add/Remove Programs:
• ViewPoint

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Restart your computer.
Hijackthis will open before the desktop loads, scan and fix the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcyd.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcyd.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/sbcyd...//www.yahoo.com
R3 - Default URLSearchHook is missing
O1 - Hosts: com
O1 - Hosts: com
O1 - Hosts: .com
O1 - Hosts: .com
O1 - Hosts: .com
O2 - BHO: CATLEvents Object - {BB54DE33-E539-4749-BFAC-CC49617E8F2A} - C:\DOCUME~1\MRCC6E~1.SHA\LOCALS~1\Temp\kabc.dat
O2 - BHO: CATLEvents Object - {D487068E-9B04-4FE5-8A83-08344F800BF5} - C:\DOCUME~1\MRCC6E~1.SHA\LOCALS~1\Temp\3pmlru.dat (file missing)
O2 - BHO: CATLEvents Object - {FF4D5071-EE0E-4DCA-BC1C-D776B0F2276E} - C:\DOCUME~1\MRCC6E~1.SHA\LOCALS~1\Temp\vrslru.dat
O4 - HKLM\..\Run: [*dosexp] C:\WINDOWS\Config\dosexp.exe
O4 - HKLM\..\Run: [*comeula] C:\WINDOWS\comeula.exe
O4 - HKLM\..\Run: [*runav] C:\WINDOWS\msagent\chars\runav.exe
O4 - HKLM\..\Run: [*expcr] C:\WINDOWS\msagent\expcr.exe
O4 - HKLM\..\Run: [*dnsole] C:\WINDOWS\ServicePackFiles\dnsole.exe
O4 - HKLM\..\Run: [*asnet] C:\WINDOWS\Fonts\asnet.exe
O4 - HKLM\..\Run: [*pseula] C:\WINDOWS\msagent\chars\pseula.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [*tapiodbc] C:\WINDOWS\Tasks\tapiodbc.exe
O4 - HKLM\..\Run: [*javanut] C:\WINDOWS\Driver Cache\javanut.exe
O4 - HKLM\..\Run: [*imgwin] C:\WINDOWS\AppPatch\imgwin.exe
O4 - HKLM\..\Run: [*acvga] C:\WINDOWS\inf\acvga.exe
O4 - HKLM\..\Run: [*cmdimg] C:\WINDOWS\addins\cmdimg.exe
O4 - HKLM\..\Run: [*mp3exp] C:\WINDOWS\Cursors\mp3exp.exe
O4 - HKLM\..\Run: [*avfax] C:\WINDOWS\system\avfax.exe
O4 - HKLM\..\Run: [*runvb] C:\WINDOWS\Registration\runvb.exe
O4 - HKLM\..\RunOnce: [*cbak] C:\WINDOWS\inf\cbak.exe rerun
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/0642e5bee8eb0f...ip/RdxIE601.cab
20 - Winlogon Notify: cbak - C:\DOCUME~1\MRCC6E~1.SHA\LOCALS~1\Temp\kabc.dat

Then close HJT & windows will continue to load your Desktop.

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools>Folder Options> View tab.
• Tick - Show hidden files and folder
• Untick - Hide file extensions for known types
• Untick - Hide protected operating system files
Click Yes to confirm & then click OK

Locate and delete the following folders, if present:
• C:\Program Files\Viewpoint\
Locate and delete the following files:
• C:\WINDOWS\Config\dosexp.exe
C:\WINDOWS\comeula.exe
C:\WINDOWS\msagent\chars\runav.exe
C:\WINDOWS\msagent\expcr.exe
C:\WINDOWS\ServicePackFiles\dnsole.exe
C:\WINDOWS\Fonts\asnet.exe
C:\WINDOWS\msagent\chars\pseula.exe
C:\WINDOWS\Tasks\tapiodbc.exe
C:\WINDOWS\Driver Cache\javanut.exe
C:\WINDOWS\AppPatch\imgwin.exe
C:\WINDOWS\inf\acvga.exe
C:\WINDOWS\addins\cmdimg.exe
C:\WINDOWS\Cursors\mp3exp.exe
C:\WINDOWS\system\avfax.exe
C:\WINDOWS\Registration\runvb.exe
C:\WINDOWS\inf\cbak.exe

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
• Delete Newsgroup cache
[*]Delete Newsgroup Subscriptions
[*]Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Perform an online scan with Internet Explorer with Panda ActiveScan
1. Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
2. Click Scan Now
3. Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls
Begin the scan by selecting My Computer
• If it finds any malware, it will offer you a report.
• Click on see report. Then click Save report
Post the contents of the report in your next reply

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Download Trend Micro™ Anti-Spyware (by clicking the "Scan and Clean your PC" button).
• Double-click the tmas-web-scan.exe icon
• It will say "Loading TrendMicro definitions".
• Click "Start Scan"
After it's done scanning, click "Scan Results"
• Make sure all items found have a check next to them, then click "Clean Threats Now".
• Click Exit.
Reboot your computer. I then need you to repeat the same procedure above again... using the TrendMicro tool. I need the log from the second scan/clean...NOT the first...as this will contain what’s left in the system.

In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them here.

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

In your next post, please include fresh logs from:
1. HiJackThis
[*] Online scan
[*] Antispyware.log
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now

#### suffolk

·
##### Registered
Joined
·
4 Posts
Discussion Starter
Ok, so just a few problems with one step. On the part where I am to delete any of the files that I find (after having deleted c:\Program Files\Viewpoint) I was only able to find one of the files that you listed, however, there were files that look to be the ones you're talking about but that have mixed of the letters. Sometimes spelling them backwards and other times just rearanging the letters. Just to be extra clear I will put an (N/A) next to ones I couldn't find at all; a (deleted) if I found the one you mentioned and was able to delete it; and ("a different file name") of the ones I think look suspcious. I ask b/c I've read that sometimes this is common to re-spell the names and b/c only one of the files you mentioned did I find to end in .exe, most were bak (which is the ending I find when the NAV tells me it has found vundo. Ok, here we go. P.s. I'm not actually on the internet on my infected computer. I'm using a different one at the moment. Thanks again.

C:\WINDOWS\Config\dosexp.exe (N/A)
C:\WINDOWS\comeula.exe (N/A)
C:\WINDOWS\msagent\chars\runav.exe (N/A)
C:\WINDOWS\msagent\expcr.exe (N/A)
C:\WINDOWS\ServicePackFiles\dnsole.exe (elosnd.bak2)
C:\WINDOWS\Fonts\asnet.exe (N/A)
C:\WINDOWS\msagent\chars\pseula.exe (aluesp.bak2)
C:\WINDOWS\Tasks\tapiodbc.exe (N/A)
C:\WINDOWS\Driver Cache\javanut.exe (tunavaj.bak2)
C:\WINDOWS\AppPatch\imgwin.exe (nimgmi.bak2)
C:\WINDOWS\inf\acvga.exe (agvca.bak2) [also found: kabc.tmp, kabc.ini, kabc.bak1, kabc.bak2]
C:\WINDOWS\addins\cmdimg.exe (gmidmc.bak2)
C:\WINDOWS\Cursors\mp3exp.exe (N/A)
C:\WINDOWS\system\avfax.exe (xafva.bak2) [also found: nurlru.bak2]
C:\WINDOWS\Registration\runvb.exe (deleted)
C:\WINDOWS\inf\cbak.exe

#### sUBs

·
##### TSF Security Team, Emeritus
Joined
·
26,363 Posts
Good work on noticing the names spelled in reverse. Those are Vundo files. You may delete them without worry.

Connect to the internet & allow Panda to find/disinfect any file not found by us. We have just removed it's protection & that leaves it vulnerable to the online scanners.

#### suffolk

·
##### Registered
Joined
·
4 Posts
Discussion Starter
Alright,

well,I was going through the steps. Everything went smoothly through the point of logging off after the CleanUp!. I get back on and things seem to run really quick, smooth, and the NAV window telling me I have the vundo does not show up anymore. Then, however, I try to do the Panda ActiveScan and I get past the point of clicking on My Computer, and when it starts the scan it always gets stuck at C:\windows\system32\HPzidr12.dll After this point it will not going any further, and the entire computer slows down slower than before I started any of the fix. Don't know what to say.

#### sUBs

·
##### TSF Security Team, Emeritus
Joined
·
26,363 Posts
Panda although effective can sometimes be a PITA. Try Kaspersky WebScanner instead

Next Click on Launch Kaspersky Anti-Virus Web Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
• The program will launch and then begin downloading the latest definition files:
• Once the files have been downloaded click on NEXT
• Now click on Scan Settings
• In the scan settings make that the following are selected:
• Scan using the following Anti-Virus database:
• Standard
• Scan Options:
• Scan Archives
• Scan Mail Bases
• Click OK
• Now under select a target to scan:Select My Computer
• This will program will start and scan your system.
• The scan will take a while so be patient and let it run.
• Once the scan is complete it will display if your system has been infected.
• Now click on the Save as Text button:
• Save the file to your desktop.
Copy and paste that information in your next post.

1 - 8 of 8 Posts
Status
Not open for further replies.