
Trojan.dropper.vundo.d


Hi!


I'm having a problem removing Trojan.Dropper.Vundo virus from my computer. I tried searching other people's postings but I'm having trouble following so I figured I'd start my own. I'm a good computer "user" but I'm terrible at the real technical stuff.


Here is the log from my scan. I was able to take care of everything (archived items) except this Vundo thing.


Any help would be greatly appreciated!!


Thank You!!


Tara


BitDefender Log File !!!!!


Product : BitDefender Total Security 2008


Version : BitDefender UIScanner v.11


Log date : 07:52:02 04/02/2008


Log path : C:\Documents and Settings\All Users\Application Data\Bitdefender\Desktop\Profiles\Logs\deep_scan\1202129522_1_02.xml


Scan Paths:Path0000: C:\


Scan Options:Scan for viruses : Yes


Scan for adware : Yes


Scan for spyware : Yes


Scan for applications : Yes


Scan for dialers : Yes


Scan for rootkits : Yes


Target selection options:Scan registry keys : Yes


Scan cookies : Yes


Scan boot sectors : Yes


Scan memory processes : Yes


Scan archives : Yes


Scan runtime packers : Yes


Scan emails : Yes


Scan all files : Yes


Heuristic Scan : Yes


Scanned extensions :


Excluded extensions :


Target ProcessingDefault action for infected objects : Disinfect


Default action for suspicious objects : None


Default action for hidden objects : None


Scan engines summaryNumber of virus signatures : 978817


Archive plugins : 41


Email plugins : 6


Scan plugins : 12


Archive plugins : 41


System plugins : 4


Unpack plugins : 7


Overall scan summaryScanned items : 214790


Infected items : 20


Suspicious items : 0


Resolved items : 14


Individual viruses found : 12


Scanned directories : 7013


Scanned boot sectors : 2


Scanned archives : 3846


Input-output errors : 26


Scan time : 00:09:49:50


Files per second : 6


Scanned processes summaryScanned : 32


Infected : 0


Scanned registry keys summaryScanned : 315


Infected : 0


Scanned cookies summaryScanned : 1


Infected : 0


Remaining issues:Object Name Threat Name Final Status


C:\Documents and Settings\Tara\Local Settings\Temp\D12C4.tmp=](NSIS o)=]zlib_nsis0001 Adware.Purityscan.BH Delete Failed (file was in an archive)


C:\Documents and Settings\Tara\Local Settings\Temp\D1B.tmp=](NSIS o)=]zlib_nsis0001 Adware.Purityscan.BH Delete Failed (file was in an archive)


C:\Documents and Settings\Tara\Local Settings\Temp\D26D2.tmp=](NSIS o)=]zlib_nsis0001 Adware.Purityscan.BH Delete Failed (file was in an archive)


C:\WINDOWS\system3200050.exe=](NSIS o)=]zlib_nsis0001 Adware.Purityscan.BH Delete Failed (file was in an archive)


[system]=]HKEY_USERS\S-1-5-21-602162358-448539723-839522115-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\Dnec=]C:\PROGRA~1\FNTS~1\DLLHOST.EXE Trojan.Dropper.Vundo.D No action was possible


[system] Trojan.Dropper.Vundo.D No action was possible


Resolved issues:Object Name Threat Name Final Status


C:\Documents and Settings\Tara\Local Settings\Temporary Internet Files\Content.IE5\Q7GNMDC7\CA6V49EN.htm Adware.SystemErrorFixer.A Deleted


C:\Documents and Settings\Tara\Local Settings\Temporary Internet Files\Content.IE5\Q7GNMDC7\clean[1].htm Adware.SystemErrorFixer.A Deleted


C:\Documents and Settings\Tara\Local Settings\Temporary Internet Files\Content.IE5\4V2GZ69K\popup[1].htm Trojan.Clicker.CM Deleted


C:\Program Files\Fоnts\dllhost .exe Trojan.Dropper.Vundo.D Deleted


C:\System Volume Information\_restore{3098B25E-143F-4735-B418-EBC0C95D11C8}\RP22\A0000783.exe Trojan.Dropper.Vundo.D Deleted


C:\Documents and Settings\Tara\Local Settings\Temp\rmjbviix.exe Trojan.Fotomoto.H Deleted


C:\Documents and Settings\Tara\Local Settings\Temp\akpdgmhf.dll Trojan.Vundo.DVC Deleted


C:\Documents and Settings\Tara\Local Settings\Temp\ayukeyvx.dll Trojan.Vundo.DVC Deleted


C:\Documents and Settings\Tara\Local Settings\Temp\yyrhiaex.dll Trojan.Vundo.DWB Deleted


C:\WINDOWS\system32\pcadkveo.dll Trojan.Vundo.DXB Deleted


C:\System Volume Information\_restore{3098B25E-143F-4735-B418-EBC0C95D11C8}\RP22\A0000780.dll Trojan.Vundo.DXS Deleted


C:\Documents and Settings\Tara\Local Settings\Temporary Internet Files\Content.IE5\AP076DC1\ptch[1] Trojan.Vundo.DXU Deleted


C:\WINDOWS\system32\mirelgyv.dll Trojan.Vundo.DXU Deleted


C:\Documents and Settings\Tara\Local Settings\Temporary Internet Files\Content.IE5\4V2GZ69K\hctp[1] Trojan.Vundo.DXV Deleted

Comments

  • Hello!


    From what I see in the log file, the malware file was deleted by BitDefender but the registry key remained. What you should try to do is open Registry Editor (Start/Run, type regedit.exe and hit Enter :) ) then navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, locate the "Dnec" value and delete it.

  • Thank You!


    I followed the instructions but when I navigated to the "run" folder, there were only two items in the folder and neither showed "dnec value."


    Here is a screen shot...


    Doc1.doc (attachment)

  • Hi,


    The malware is indeed removed, but there are some leftovers in the archives in the user TEMP folder.


    You can try this to empty the folder:


    1. Update BitDefender.


    2. Reboot, then go to Start > Run, type %temp% in the Run box and click OK. In the right panel highlight one of the files or folders, press Ctrl+A to select all (it selects the hidden ones also), then Shift+Del to delete, bypassing the Recycle Bin. You have to do this fast, before some program starts updating. Otherwise you have to unhide the files and folders (Start > Control Panel > Folder Options > View > check "Show hidden files and folders") and then remove the files and folders that are not in use.


  • Hi,


    I followed the above instructions but there was one file that I was unable to delete because it said it was in use by another program, but I couldn't find anything that was running it.


    I did another scan with Bitdefender and here is the log. I also wanted to mention another problem I've been having (although I assume it's probably related to this virus): any website I go to that has advertisements along the sides automatically switches to an ad that says something like "my system is infected, perform a free scan..." or something like that. There are a few variations, but you can tell it's not a legitimate error message, it's some type of an ad. It causes the web page I'm on to constantly "load."


    Thanks for the help! It's greatly appreciated!!


    BitDefender Log File !!!!!


    Product : BitDefender Total Security 2008


    Version : BitDefender UIScanner v.11


    Log date : 00:09:14 07/02/2008


    Log path : C:\Documents and Settings\All Users\Application Data\Bitdefender\Desktop\Profiles\Logs\deep_scan\1202360954_1_02.xml


    Scan Paths:Path0000: C:\


    Scan Options:Scan for viruses : Yes


    Scan for adware : Yes


    Scan for spyware : Yes


    Scan for applications : Yes


    Scan for dialers : Yes


    Scan for rootkits : Yes


    Target selection options:Scan registry keys : Yes


    Scan cookies : Yes


    Scan boot sectors : Yes


    Scan memory processes : Yes


    Scan archives : Yes


    Scan runtime packers : Yes


    Scan emails : Yes


    Scan all files : Yes


    Heuristic Scan : Yes


    Scanned extensions :


    Excluded extensions :


    Target ProcessingDefault action for infected objects : Disinfect


    Default action for suspicious objects : None


    Default action for hidden objects : None


    Scan engines summaryNumber of virus signatures : 979497


    Archive plugins : 41


    Email plugins : 6


    Scan plugins : 12


    Archive plugins : 41


    System plugins : 4


    Unpack plugins : 7


    Overall scan summaryScanned items : 179802


    Infected items : 22


    Suspicious items : 0


    Resolved items : 20


    Individual viruses found : 7


    Scanned directories : 6714


    Scanned boot sectors : 2


    Scanned archives : 3579


    Input-output errors : 27


    Scan time : 00:01:14:25


    Files per second : 40


    Scanned processes summaryScanned : 32


    Infected : 0


    Scanned registry keys summaryScanned : 315


    Infected : 0


    Scanned cookies summaryScanned : 1


    Infected : 0


    Remaining issues:Object Name Threat Name Final Status


    C:\System Volume Information\_restore{3098B25E-143F-4735-B418-EBC0C95D11C8}\RP26\A0001068.exe=](NSIS o)=]zlib_nsis0001 Adware.Purityscan.BH Delete Failed (file was in an archive)


    [system]=]HKEY_USERS\S-1-5-21-602162358-448539723-839522115-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\Dnec=]C:\PROGRA~1\FNTS~1\DLLHOST.EXE Trojan.Dropper.Vundo.D No action was possible


    Resolved issues:Object Name Threat Name Final Status


    C:\Program Files\Fоnts\dllhost.exe Trojan.Dropper.Vundo.D Deleted


    C:\System Volume Information\_restore{3098B25E-143F-4735-B418-EBC0C95D11C8}\RP25\A0001030.exe Trojan.Dropper.Vundo.D Deleted


    C:\System Volume Information\_restore{3098B25E-143F-4735-B418-EBC0C95D11C8}\RP25\A0001034.exe Trojan.Dropper.Vundo.D Deleted


    C:\System Volume Information\_restore{3098B25E-143F-4735-B418-EBC0C95D11C8}\RP26\A0001056.exe Trojan.Dropper.Vundo.D Deleted


    C:\WINDOWS\system32\gebyv.exe Trojan.Dropper.Vundo.D Deleted


    C:\System Volume Information\_restore{3098B25E-143F-4735-B418-EBC0C95D11C8}\RP25\A0000972.dll Trojan.Vundo.DXZ Deleted


    C:\WINDOWS\system32\mukhnhbe.dll Trojan.Vundo.DYE Deleted


    C:\WINDOWS\system32\tcpisdcj.dll Trojan.Vundo.DYE Deleted


    C:\System Volume Information\_restore{3098B25E-143F-4735-B418-EBC0C95D11C8}\RP25\A0001012.dll Trojan.Vundo.DYI Deleted


    C:\System Volume Information\_restore{3098B25E-143F-4735-B418-EBC0C95D11C8}\RP20\A0000684.dll Trojan.Vundo.Gen.2 Deleted


    C:\System Volume Information\_restore{3098B25E-143F-4735-B418-EBC0C95D11C8}\RP20\A0000688.dll Trojan.Vundo.Gen.2 Deleted


    C:\System Volume Information\_restore{3098B25E-143F-4735-B418-EBC0C95D11C8}\RP25\A0000995.dll Trojan.Vundo.Gen.2 Deleted


    C:\System Volume Information\_restore{3098B25E-143F-4735-B418-EBC0C95D11C8}\RP25\A0001026.dll Trojan.Vundo.Gen.2 Deleted


    C:\System Volume Information\_restore{3098B25E-143F-4735-B418-EBC0C95D11C8}\RP6\A0000131.dll Trojan.Vundo.Gen.2 Deleted


    C:\WINDOWS\system32\htftvcfc.dll Trojan.Vundo.Gen.2 Deleted


    C:\WINDOWS\system32\kivcityr.dll Trojan.Vundo.Gen.2 Deleted


    C:\WINDOWS\system32\lckulvtd.dll Trojan.Vundo.Gen.2 Deleted


    C:\WINDOWS\system32\oqbtjacn.dll Trojan.Vundo.Gen.2 Deleted


    C:\WINDOWS\system32\rcpaegqs.dll Trojan.Vundo.Gen.2 Deleted


    C:\WINDOWS\system32\tcbjxthk.dll Trojan.Vundo.Gen.2 Deleted

  • Hi,


    It seems you have a rogue product and a Vundo infection; BitDefender removes the infection partly, but it comes back again. I suggest you do the following:


    Step 1.


    Use one of these links to download the latest version of Smitfraudfix and save it to your desktop:


    http://siri.urz.free.fr/Fix/SmitfraudFix.exe


    http://siri.geekstogo.com/SmitfraudFix.exe


    Reboot your computer in Safe Mode (restart, before the Windows icon appears, tap the F8 key continually, and choose safe).


    Double-click smitfraudfix.exe


    • Select 2 and hit Enter to delete infected files.
    • You will be prompted: "Do you want to clean the registry?" Answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
    • The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): "Replace infected file?" Answer Y (yes) and hit Enter to restore a clean file.
    • A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt


    Step 2.


    You can download a Trend Micro Hijackthis installer from here:


    http://www.trendsecure.com/portal/en-US/to...ckthis/download


    Install it, run it and click Do a system scan and save a logfile.


    Please post the content of the logfile and the Smitfraud log into your next reply.

  • I cannot thank you enough for your help!!


    Logfile of Trend Micro HijackThis v2.0.2


    Scan saved at 10:21:48 PM, on 2/7/2008


    Platform: Windows XP SP2 (WinNT 5.01.2600)


    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


    Boot mode: Normal


    Running processes:


    C:\WINDOWS\System32\smss.exe


    C:\WINDOWS\system32\winlogon.exe


    C:\WINDOWS\system32\services.exe


    C:\WINDOWS\system32\lsass.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\System32\svchost.exe


    C:\WINDOWS\system32\LEXBCES.EXE


    C:\WINDOWS\system32\LEXPPS.EXE


    C:\WINDOWS\system32\spoolsv.exe


    C:\WINDOWS\Explorer.EXE


    C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe


    C:\WINDOWS\System32\nvsvc32.exe


    C:\Program Files\Spyware Doctor\sdhelp.exe


    C:\WINDOWS\System32\svchost.exe


    C:\Program Files\Viewpoint\Common\ViewpointService.exe


    C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe


    C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe


    C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe


    C:\WINDOWS\system32\Rundll32.exe


    C:\Program Files\Common Files\?ymbols\?hkdsk.exe


    C:\WINDOWS\System32\svchost.exe


    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe


    C:\WINDOWS\System32\svchost.exe


    C:\Program Files\Mozilla Firefox\firefox.exe


    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


    O3 - Toolbar: Big Fish Games Toolbar - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - C:\PROGRA~1\BFGTOO~1\BFGTOO~1.DLL


    O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll


    O3 - Toolbar: iGamebar - {4E7BD74F-2B8D-469E-C0FF-FD69B994BD34} - (no file)


    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup


    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k


    O4 - HKLM\..\Run: [bMfb5a589f] Rundll32.exe "C:\WINDOWS\system32\mpjxvcpl.dll",s


    O4 - HKCU\..\Run: [Cgdsn] "C:\Program Files\Common Files\?ymbols\?hkdsk.exe"


    O4 - HKCU\..\Run: [Dnec] "C:\PROGRA~1\FNTS~1\dllhost.exe" -vt ndrv


    O4 - HKUS\S-1-5-18\..\Run: [spyware Doctor] (User 'SYSTEM')


    O4 - HKUS\.DEFAULT\..\Run: [spyware Doctor] (User 'Default user')


    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000


    O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL


    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe


    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe


    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL


    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll


    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by109fd.bay109.hotmail.msn.com/resources/MsnPUpld.cab


    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab


    O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll


    O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe


    O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\qwerty12.exe (file missing)


    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe


    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe


    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe


    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE


    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender S.R.L. - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe


    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


    O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe


    O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe


    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe


    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


    O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe


    O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe


    --


    End of file - 4972 bytes


    SmitFraudFix v2.281


    Scan done at 21:52:26.90, Thu 02/07/2008


    Run from C:\Documents and Settings\Tara\Desktop\SmitfraudFix


    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT


    The filesystem type is NTFS


    Fix run in safe mode


    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix


    !!!Attention, following keys are not inevitably infected!!!


    SrchSTS.exe by S!Ri


    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» hosts


    127.0.0.1 localhost


    »»»»»»»»»»»»»»»»»»»»»»»» VACFix


    VACFix


    Credits: Malware Analysis & Diagnostic


    Code: S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix


    S!Ri's WS2Fix: LSP not Found.


    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix


    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


    C:\WINDOWS\Tasks\At?.job Deleted


    C:\WINDOWS\Tasks\At??.job Deleted


    »»»»»»»»»»»»»»»»»»»»»»»» IEDFix


    IEDFix.exe by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» DNS


    HKLM\SYSTEM\CCS\Services\Tcpip\..\{2E65142F-00F9-4322-B566-7E9CABC1031C}: DhcpNameServer=192.168.0.1


    HKLM\SYSTEM\CCS\Services\Tcpip\..\{455F4BE7-04A5-478F-91A1-9FA0ABD29EEF}: DhcpNameServer=68.87.64.146 68.87.75.194


    HKLM\SYSTEM\CCS\Services\Tcpip\..\{B3FB704D-7132-4862-AE95-26D46021871B}: DhcpNameServer=71.250.0.12 71.242.0.12


    HKLM\SYSTEM\CS1\Services\Tcpip\..\{2E65142F-00F9-4322-B566-7E9CABC1031C}: DhcpNameServer=192.168.0.1


    HKLM\SYSTEM\CS1\Services\Tcpip\..\{455F4BE7-04A5-478F-91A1-9FA0ABD29EEF}: DhcpNameServer=68.87.64.146 68.87.75.194


    HKLM\SYSTEM\CS1\Services\Tcpip\..\{B3FB704D-7132-4862-AE95-26D46021871B}: DhcpNameServer=71.250.0.12 71.242.0.12


    HKLM\SYSTEM\CS3\Services\Tcpip\..\{2E65142F-00F9-4322-B566-7E9CABC1031C}: DhcpNameServer=192.168.0.1


    HKLM\SYSTEM\CS3\Services\Tcpip\..\{455F4BE7-04A5-478F-91A1-9FA0ABD29EEF}: DhcpNameServer=68.87.64.146 68.87.75.194


    HKLM\SYSTEM\CS3\Services\Tcpip\..\{B3FB704D-7132-4862-AE95-26D46021871B}: DhcpNameServer=71.250.0.12 71.242.0.12


    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.64.146 68.87.75.194


    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.64.146 68.87.75.194


    HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=68.87.64.146 68.87.75.194


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System


    !!!Attention, following keys are not inevitably infected!!!


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]


    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning


    Registry Cleaning done.


    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix


    !!!Attention, following keys are not inevitably infected!!!


    SrchSTS.exe by S!Ri


    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End
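The HijackThis O2/O3/O4/O20 entries posted above are what a helper reads by hand. As an added example (not part of this thread, and not code from Trend Micro, BitDefender or the SmitFraudFix author), this Python script applies the same checks mechanically: orphaned "(file missing)"/"(no file)" loaders, names HijackThis rendered with "?" (a character that cannot occur in a real file name), 8.3 short names, and files named like Windows system binaries but loaded from outside the system directory. The SYSTEM_BINARIES set and the heuristics are my assumptions, and the sample lines are constructed from the logs in this thread.

```python
import re

# Constructed sample: O2/O3/O4/O20 lines copied from the HijackThis logs posted in this thread.
SAMPLE_HJT_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {178CC096-4EF6-4975-9216-13BBFEE504B8} - C:\WINDOWS\system32\gebyv.dll (file missing)
O3 - Toolbar: iGamebar - {4E7BD74F-2B8D-469E-C0FF-FD69B994BD34} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Cgdsn] "C:\Program Files\Common Files\?ymbols\?hkdsk.exe"
O4 - HKCU\..\Run: [Dnec] "C:\PROGRA~1\FNTS~1\dllhost.exe" -vt ndrv
O20 - Winlogon Notify: mdwmui - mdwmui.dll (file missing)
"""

# HJT sections whose entries load code at boot, logon or browser start.
PERSISTENCE_SECTIONS = ("O2", "O3", "O4", "O18", "O20", "O23")
# Assumed list of Windows binaries that legitimately live only under the system directory.
SYSTEM_BINARIES = {"dllhost.exe", "chkdsk.exe", "svchost.exe", "lsass.exe", "services.exe", "winlogon.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SECTION_RE = re.compile(r"^(O\d+) - ")


def extract_path(entry):
    """Return the Windows path an HJT entry loads, or None if the entry names no path."""
    quoted = re.search(r'"([A-Za-z]:\\[^"]+)"', entry)
    if quoted:
        return quoted.group(1)
    bare = re.search(r"[A-Za-z]:\\.*$", entry)
    if not bare:
        return None
    path = bare.group(0).replace(" (file missing)", "")
    return path.split(",")[0]  # rundll32 "path,EntryPoint" form: keep only the path


def looks_like_system_binary(name):
    """Match a basename against SYSTEM_BINARIES, tolerating characters HJT printed as '?'."""
    name = name.lower()
    if name in SYSTEM_BINARIES:
        return name
    if "?" in name:
        # Each '?' stands for one character HJT could not render; let it match anything.
        pattern = re.escape(name).replace(r"\?", ".")
        for known in SYSTEM_BINARIES:
            if re.fullmatch(pattern, known):
                return known
    return None


def triage_entry(line):
    """Return the reasons an HJT entry deserves a second look (empty list if none)."""
    reasons = []
    section = SECTION_RE.match(line)
    if not section or section.group(1) not in PERSISTENCE_SECTIONS:
        return reasons
    if "(file missing)" in line or "(no file)" in line:
        reasons.append("points at a file that no longer exists (orphaned loader left by a removed component)")
    path = extract_path(line)
    if path is None:
        return reasons
    if "?" in path or any(ord(ch) > 127 for ch in path):
        reasons.append("path contains '?' (invalid in NTFS names) or non-ASCII: a look-alike directory or file name")
    if "~" in path:
        reasons.append("8.3 short name hides the real directory name; resolve it before judging the entry")
    known = looks_like_system_binary(path.rsplit("\\", 1)[-1])
    if known and not path.lower().startswith(SYSTEM_DIRS):
        reasons.append(f"named like the Windows binary {known} but loaded from outside the system directory")
    return reasons


def triage_log(text):
    """Return [(line, reasons)] for every flagged entry, skipping clean ones."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        reasons = triage_entry(line)
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_HJT_LOG):
        print(line)
        for reason in reasons:
            print("    -", reason)
```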

  • I suggest the following:


    Step 1.


    • Download ComboFix.exe to your desktop using this link:


      bleepingcomputer

    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. After Combofix is finished turn on/enable your anti virus again.
    • Double click on combofix.exe to run the programme & then follow the prompts.


      When finished, it will produce a report for you. Please post the content of this log ("C:\ComboFix.txt") into your next post. If combofix.txt contains a long list of deleted pos*.tmp files, remove all but a few pos.tmp from the log (leave a few from each directory so that I can see where they were created) and then copy and paste the log.

    • ComboFix may need to reboot to finish its work. Let it.
    • Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


      ComboFix should not take more than 20 minutes if malware is detected. If it does, open Task Manager (press Ctrl+Alt+Del), select and end any processes of findstr.exe, find.exe, send.exe or swreg.exe, then ComboFix should continue.

    Step 2.


    Make and post a fresh HJT log too.

  • Thank you again!!


    ComboFix 08-02.05.3 - Tara 2008-02-09 11:59:37.1 - NTFSx86


    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.301 [GMT -5:00]


    Running from: C:\Documents and Settings\Tara\Desktop\ComboFix.exe


    * Created a new restore point


    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!


    .


    Logfile of Trend Micro HijackThis v2.0.2


    Scan saved at 12:15, on 2008-02-09


    Platform: Windows XP SP2 (WinNT 5.01.2600)


    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


    Boot mode: Normal


    Running processes:


    C:\WINDOWS\System32\smss.exe


    C:\WINDOWS\system32\winlogon.exe


    C:\WINDOWS\system32\services.exe


    C:\WINDOWS\system32\lsass.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\System32\svchost.exe


    C:\WINDOWS\system32\LEXBCES.EXE


    C:\WINDOWS\system32\LEXPPS.EXE


    C:\WINDOWS\system32\spoolsv.exe


    C:\WINDOWS\Explorer.EXE


    C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe


    C:\WINDOWS\System32\nvsvc32.exe


    C:\Program Files\Spyware Doctor\sdhelp.exe


    C:\WINDOWS\System32\svchost.exe


    C:\Program Files\Viewpoint\Common\ViewpointService.exe


    C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe


    C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe


    C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe


    C:\WINDOWS\System32\svchost.exe


    C:\WINDOWS\System32\svchost.exe


    C:\WINDOWS\system32\wuauclt.exe


    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe


    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll


    O2 - BHO: (no name) - {178CC096-4EF6-4975-9216-13BBFEE504B8} - C:\WINDOWS\system32\gebyv.dll (file missing)


    O2 - BHO: Big Fish Games Toolbar - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - C:\PROGRA~1\BFGTOO~1\BFGTOO~1.DLL


    O2 - BHO: {cde6449a-da87-d269-1454-88370f453535} - {535354f0-7388-4541-962d-78ada9446edc} - C:\WINDOWS\system32\admkmbgs.dll (file missing)


    O3 - Toolbar: Big Fish Games Toolbar - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - C:\PROGRA~1\BFGTOO~1\BFGTOO~1.DLL


    O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll


    O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD69B994BD34} - (no file)


    O4 - HKCU\..\Run: [Cgdsn] "C:\Program Files\Common Files\?ymbols\?hkdsk.exe"


    O4 - HKCU\..\Run: [Dnec] "C:\PROGRA~1\FNTS~1\dllhost.exe" -vt ndrv


    O4 - HKUS\S-1-5-18\..\Run: [spyware Doctor] (User 'SYSTEM')


    O4 - HKUS\.DEFAULT\..\Run: [spyware Doctor] (User 'Default user')


    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000


    O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL


    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe


    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe


    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL


    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll


    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by109fd.bay109.hotmail.msn.com/resources/MsnPUpld.cab


    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab


    O20 - Winlogon Notify: mdwmui - mdwmui.dll (file missing)


    O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe


    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe


    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe


    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe


    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE


    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender S.R.L. - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe


    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


    O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe


    O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe


    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe


    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


    O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe


    O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe


    --


    End of file - 4974 bytes