Vundo Trojan (RESOLVED)
Forum: DAL Computer Help » Internet Security Help » Spyware, Adware, Viruses and HijackThis Logs

#1 - viruzxp (Junior Member) - 20-05-2008, 02:51 PM
Vundo Trojan (RESOLVED)

Hi,

Recently, my Avast antivirus has found a few files which it believes to be a Vundo trojan. Even after putting them into the chest and deleting them, I am still worried that the trojan might still be around. In addition, my antivirus always detected the trojan in my system32 folder. Is there a way to get it out?

I'm using the Avast home edition as my main antivirus. Thanks in advance.

Here is the log from HijackThis.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:15:15 PM, on 5/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20772)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\VIA\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\Razer\Diamondback\razerhid.exe
C:\Program Files\GhostWall\ghostwall.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Razer\Diamondback\razertra.exe
C:\Program Files\Razer\Diamondback\razerofa.exe
C:\Program Files\Giganology\Gigaget\Gigaget.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: GigagetIEHelper - {111CAA23-6F4F-42AC-8555-B48C1D87BBAB} - C:\WINDOWS\system32\gigagetbho_v10.dll
O2 - BHO: (no name) - {522E0112-EDD9-413D-A99E-C311A54B6676} - C:\WINDOWS\system32\ljJYPhET.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIA\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [Diamondback] C:\Program Files\Razer\Diamondback\razerhid.exe
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [GhostWall] "C:\Program Files\GhostWall\ghostwall.exe" -minimize
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: &Download All by Gigaget - C:\Program Files\Giganology\Gigaget\getallurl.htm
O8 - Extra context menu item: &Download by Gigaget - C:\Program Files\Giganology\Gigaget\geturl.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\SYSTEM32\antiwpa.dll
O20 - Winlogon Notify: ljJYPhET - C:\WINDOWS\SYSTEM32\ljJYPhET.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6000 bytes

Last edited by viruzxp; 20-05-2008 at 07:13 PM.
#2 - penguinpaul (Dedicated Member, Contributor) - 20-05-2008, 04:31 PM
Re: Vundo Trojan

Avast is a very good AV; however, the Vundo Trojan is quite hard to get rid of. I would recommend you try using an online scanner, like Trend Micro's Housecall.
Do you find that having a virus gives you a horrible feeling in your stomach? Or is it just me...
#3 - viruzxp (Junior Member) - 20-05-2008, 04:50 PM
Re: Vundo Trojan

Avast is okay. I won't say that it's any good, because of its habit of showing false positives sometimes and giving me headaches.

Anyway, a solution from the admin would be greatly appreciated...
#4 - Neal (Senior Member) - 21-05-2008, 10:06 PM
Re: Vundo Trojan

The steps below should unload Vundo for you:

Please download and install SUPERAntiSpyware Trial Pro Edition: http://www.superantispyware.com/superantispyware.html

* Load SUPERAntiSpyware and click the Check for Updates button.
* Once the update has finished, exit SUPERAntiSpyware. Please do NOT run a scan yet!

IMPORTANT: Do NOT open any other windows or programs while SUPERAntiSpyware is scanning; it may interfere with the scanning process.

* Open SUPERAntiSpyware and click the Scan your Computer button.
* Check Perform Complete Scan and then click Next.
* SUPERAntiSpyware will now scan your computer, and when it's finished it will list all the infections it has found.
* Make sure that they all have a check next to them, and then click Next.
* Click Finish and you will be taken back to the main interface.
* It is possible that it will ask you to reboot your computer in order to delete some files after the reboot.
* I'll need a log afterwards of what has been found.
* To get the log, click Preferences and then click the Statistics/Logs tab. Click the dated log and press View Log, and a text file will appear.
* Please post the results of the SUPERAntiSpyware log in your next reply.

New HijackThis log, please.
__________________
Stalking and killing Spyware

Have we helped you? Please consider a donation to help keep D-A-L free. Click on donate below.

MALWARE: READ FIRST Procedures:
|_ SpyBot V1.5 _|_ HijackThis Log __V2.0.2 _|

ASAP: promoting a high standard and quality of security support no matter where you seek help.
#5 - viruzxp (Junior Member) - 22-05-2008, 03:13 AM
Re: Vundo Trojan

Okay, did everything you told me.

Here's the log from SUPERAntiSpyware.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/22/2008 at 09:02 AM

Application Version : 4.1.1046

Core Rules Database Version : 3465
Trace Rules Database Version: 1456

Scan type : Complete Scan
Total Scan Time : 03:02:42

Memory items scanned : 465
Memory threats detected : 1
Registry items scanned : 5793
Registry threats detected : 6
File items scanned : 16488
File threats detected : 5

Trojan.Vundo-Variant/Small-GEN
C:\WINDOWS\SYSTEM32\LJJYPHET.DLL
C:\WINDOWS\SYSTEM32\LJJYPHET.DLL

Trojan.Vundo-Variant/Small
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{522E0112-EDD9-413D-A99E-C311A54B6676}
HKCR\CLSID\{522E0112-EDD9-413D-A99E-C311A54B6676}
HKCR\CLSID\{522E0112-EDD9-413D-A99E-C311A54B6676}\InprocServer32
HKCR\CLSID\{522E0112-EDD9-413D-A99E-C311A54B6676}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{522E0112-EDD9-413D-A99E-C311A54B6676}
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\ljJYPhET
C:\WINDOWS\SYSTEM32\AWTSRKLC.DLL

Adware.Tracking Cookie
C:\Documents and Settings\VIRUZXP\Cookies\viruzxp@serving-sys[2].txt
C:\Documents and Settings\VIRUZXP\Cookies\viruzxp@bs.serving-sys[2].txt
C:\Documents and Settings\VIRUZXP\Cookies\viruzxp@82.98.235[1].txt
.tribalfusion.com [ C:\Documents and Settings\VIRUZXP\Application Data\Mozilla\Firefox\Profiles\hgvvrxk9.default\cookies.txt ]
.tribalfusion.com [ C:\Documents and Settings\VIRUZXP\Application Data\Mozilla\Firefox\Profiles\hgvvrxk9.default\cookies.txt ]
.tribalfusion.com [ C:\Documents and Settings\VIRUZXP\Application Data\Mozilla\Firefox\Profiles\hgvvrxk9.default\cookies.txt ]
.tribalfusion.com [ C:\Documents and Settings\VIRUZXP\Application Data\Mozilla\Firefox\Profiles\hgvvrxk9.default\cookies.txt ]
.atdmt.com [ C:\Documents and Settings\VIRUZXP\Application Data\Mozilla\Firefox\Profiles\hgvvrxk9.default\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\VIRUZXP\Application Data\Mozilla\Firefox\Profiles\hgvvrxk9.default\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\VIRUZXP\Application Data\Mozilla\Firefox\Profiles\hgvvrxk9.default\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\VIRUZXP\Application Data\Mozilla\Firefox\Profiles\hgvvrxk9.default\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\VIRUZXP\Application Data\Mozilla\Firefox\Profiles\hgvvrxk9.default\cookies.txt ]
.ads.pointroll.com [ C:\Documents and Settings\VIRUZXP\Application Data\Mozilla\Firefox\Profiles\hgvvrxk9.default\cookies.txt ]
.ads.pointroll.com [ C:\Documents and Settings\VIRUZXP\Application Data\Mozilla\Firefox\Profiles\hgvvrxk9.default\cookies.txt ]
.ads.pointroll.com [ C:\Documents and Settings\VIRUZXP\Application Data\Mozilla\Firefox\Profiles\hgvvrxk9.default\cookies.txt ]
.ads.pointroll.com [ C:\Documents and Settings\VIRUZXP\Application Data\Mozilla\Firefox\Profiles\hgvvrxk9.default\cookies.txt ]
.ads.pointroll.com [ C:\Documents and Settings\VIRUZXP\Application Data\Mozilla\Firefox\Profiles\hgvvrxk9.default\cookies.txt ]
.ads.pointroll.com [ C:\Documents and Settings\VIRUZXP\Application Data\Mozilla\Firefox\Profiles\hgvvrxk9.default\cookies.txt ]
.ads.pointroll.com [ C:\Documents and Settings\VIRUZXP\Application Data\Mozilla\Firefox\Profiles\hgvvrxk9.default\cookies.txt ]
.ads.pointroll.com [ C:\Documents and Settings\VIRUZXP\Application Data\Mozilla\Firefox\Profiles\hgvvrxk9.default\cookies.txt ]
.kontera.com [ C:\Documents and Settings\VIRUZXP\Application Data\Mozilla\Firefox\Profiles\hgvvrxk9.default\cookies.txt ]
.kontera.com [ C:\Documents and Settings\VIRUZXP\Application Data\Mozilla\Firefox\Profiles\hgvvrxk9.default\cookies.txt ]
tracking.foundry42.com [ C:\Documents and Settings\VIRUZXP\Application Data\Mozilla\Firefox\Profiles\hgvvrxk9.default\cookies.txt ]
tracking.foundry42.com [ C:\Documents and Settings\VIRUZXP\Application Data\Mozilla\Firefox\Profiles\hgvvrxk9.default\cookies.txt ]
.pro-market.net [ C:\Documents and Settings\VIRUZXP\Application Data\Mozilla\Firefox\Profiles\hgvvrxk9.default\cookies.txt ]
.geosign.112.2o7.net [ C:\Documents and Settings\VIRUZXP\Application Data\Mozilla\Firefox\Profiles\hgvvrxk9.default\cookies.txt ]
.pro-market.net [ C:\Documents and Settings\VIRUZXP\Application Data\Mozilla\Firefox\Profiles\hgvvrxk9.default\cookies.txt ]
.pro-market.net [ C:\Documents and Settings\VIRUZXP\Application Data\Mozilla\Firefox\Profiles\hgvvrxk9.default\cookies.txt ]
counter.surfcounters.com [ C:\Documents and Settings\VIRUZXP\Application Data\Mozilla\Firefox\Profiles\hgvvrxk9.default\cookies.txt ]
statse.webtrendslive.com [ C:\Documents and Settings\VIRUZXP\Application Data\Mozilla\Firefox\Profiles\hgvvrxk9.default\cookies.txt ]
.richmedia.yahoo.com [ C:\Documents and Settings\VIRUZXP\Application Data\Mozilla\Firefox\Profiles\hgvvrxk9.default\cookies.txt ]
.statcounter.com [ C:\Documents and Settings\VIRUZXP\Application Data\Mozilla\Firefox\Profiles\hgvvrxk9.default\cookies.txt ]
.statcounter.com [ C:\Documents and Settings\VIRUZXP\Application Data\Mozilla\Firefox\Profiles\hgvvrxk9.default\cookies.txt ]
adserver.gamesync.net [ C:\Documents and Settings\VIRUZXP\Application Data\Mozilla\Firefox\Profiles\hgvvrxk9.default\cookies.txt ]
www.w3counter.com [ C:\Documents and Settings\VIRUZXP\Application Data\Mozilla\Firefox\Profiles\hgvvrxk9.default\cookies.txt ]
.imrworldwide.com [ C:\Documents and Settings\VIRUZXP\Application Data\Mozilla\Firefox\Profiles\hgvvrxk9.default\cookies.txt ]
.imrworldwide.com [ C:\Documents and Settings\VIRUZXP\Application Data\Mozilla\Firefox\Profiles\hgvvrxk9.default\cookies.txt ]
streamit.hardwarezone.com [ C:\Documents and Settings\VIRUZXP\Application Data\Mozilla\Firefox\Profiles\hgvvrxk9.default\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\VIRUZXP\Application Data\Mozilla\Firefox\Profiles\hgvvrxk9.default\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\VIRUZXP\Application Data\Mozilla\Firefox\Profiles\hgvvrxk9.default\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\VIRUZXP\Application Data\Mozilla\Firefox\Profiles\hgvvrxk9.default\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\VIRUZXP\Application Data\Mozilla\Firefox\Profiles\hgvvrxk9.default\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\VIRUZXP\Application Data\Mozilla\Firefox\Profiles\hgvvrxk9.default\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\VIRUZXP\Application Data\Mozilla\Firefox\Profiles\hgvvrxk9.default\cookies.txt ]
w00tpublishers.wootmedia.net [ C:\Documents and Settings\VIRUZXP\Application Data\Mozilla\Firefox\Profiles\hgvvrxk9.default\cookies.txt ]
.yadro.ru [ C:\Documents and Settings\VIRUZXP\Application Data\Mozilla\Firefox\Profiles\hgvvrxk9.default\cookies.txt ]
.yadro.ru [ C:\Documents and Settings\VIRUZXP\Application Data\Mozilla\Firefox\Profiles\hgvvrxk9.default\cookies.txt ]
.rambler.ru [ C:\Documents and Settings\VIRUZXP\Application Data\Mozilla\Firefox\Profiles\hgvvrxk9.default\cookies.txt ]
.multiply.112.2o7.net [ C:\Documents and Settings\VIRUZXP\Application Data\Mozilla\Firefox\Profiles\hgvvrxk9.default\cookies.txt ]
.adtech.de [ C:\Documents and Settings\VIRUZXP\Application Data\Mozilla\Firefox\Profiles\hgvvrxk9.default\cookies.txt ]
.mediaplex.com [ C:\Documents and Settings\VIRUZXP\Application Data\Mozilla\Firefox\Profiles\hgvvrxk9.default\cookies.txt ]
.inl.adbureau.net [ C:\Documents and Settings\VIRUZXP\Application Data\Mozilla\Firefox\Profiles\hgvvrxk9.default\cookies.txt ]
.bs.serving-sys.com [ C:\Documents and Settings\VIRUZXP\Application Data\Mozilla\Firefox\Profiles\hgvvrxk9.default\cookies.txt ]
.serving-sys.com [ C:\Documents and Settings\VIRUZXP\Application Data\Mozilla\Firefox\Profiles\hgvvrxk9.default\cookies.txt ]
.serving-sys.com [ C:\Documents and Settings\VIRUZXP\Application Data\Mozilla\Firefox\Profiles\hgvvrxk9.default\cookies.txt ]
.serving-sys.com [ C:\Documents and Settings\VIRUZXP\Application Data\Mozilla\Firefox\Profiles\hgvvrxk9.default\cookies.txt ]
.serving-sys.com [ C:\Documents and Settings\VIRUZXP\Application Data\Mozilla\Firefox\Profiles\hgvvrxk9.default\cookies.txt ]
.serving-sys.com [ C:\Documents and Settings\VIRUZXP\Application Data\Mozilla\Firefox\Profiles\hgvvrxk9.default\cookies.txt ]
.serving-sys.com [ C:\Documents and Settings\VIRUZXP\Application Data\Mozilla\Firefox\Profiles\hgvvrxk9.default\cookies.txt ]




And my latest HijackThis log.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:38:22 AM, on 5/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20772)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\VIA\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\Razer\Diamondback\razerhid.exe
C:\Program Files\GhostWall\ghostwall.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Razer\Diamondback\razertra.exe
C:\Program Files\Razer\Diamondback\razerofa.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: GigagetIEHelper Class - {111CAA23-6F4F-42AC-8555-B48C1D87BBAB} - C:\WINDOWS\system32\gigagetbho_v10.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIA\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [Diamondback] C:\Program Files\Razer\Diamondback\razerhid.exe
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [GhostWall] "C:\Program Files\GhostWall\ghostwall.exe" -minimize
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O8 - Extra context menu item: &Download All by Gigaget - C:\Program Files\Giganology\Gigaget\getallurl.htm
O8 - Extra context menu item: &Download by Gigaget - C:\Program Files\Giganology\Gigaget\geturl.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\SYSTEM32\antiwpa.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7964 bytes


If there's anything I need to do after that, do tell me. Thanks.
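The two HijackThis logs in this thread show the Vundo persistence pattern before and after cleanup. In the first log, a nameless O2 Browser Helper Object ({522E0112-EDD9-413D-A99E-C311A54B6676}) and an O20 Winlogon Notify entry both point at C:\WINDOWS\system32\ljJYPhET.dll, so the same DLL is loaded into Internet Explorer and, as a Winlogon notification package, into winlogon.exe at boot; that matches the SUPERAntiSpyware registry findings and is consistent with Avast repeatedly detecting it in system32. In the second log both entries are gone. The script below is an added example, not code from the thread, from HijackThis or from SUPERAntiSpyware: it parses O2 and O20 lines and flags that correlation, plus the orphaned "(no file)" BHO. The log excerpts are copied from the two logs above; the rule names and severities are this script's own.

```python
"""Triage HijackThis 2.0.x log lines for the Vundo persistence pattern seen in
this thread: a nameless Browser Helper Object (O2) whose DLL is also registered
as a Winlogon Notify package (O20). Added example; rule names and severities
are this script's own, not HijackThis or SUPERAntiSpyware terminology."""
import ntpath
import re
from dataclasses import dataclass

# Excerpts copied from the first (infected) HijackThis log in this thread.
HJT_BEFORE = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: GigagetIEHelper - {111CAA23-6F4F-42AC-8555-B48C1D87BBAB} - C:\WINDOWS\system32\gigagetbho_v10.dll
O2 - BHO: (no name) - {522E0112-EDD9-413D-A99E-C311A54B6676} - C:\WINDOWS\system32\ljJYPhET.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\SYSTEM32\antiwpa.dll
O20 - Winlogon Notify: ljJYPhET - C:\WINDOWS\SYSTEM32\ljJYPhET.dll
"""

# Excerpts copied from the second (post-cleanup) log.
HJT_AFTER = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: GigagetIEHelper Class - {111CAA23-6F4F-42AC-8555-B48C1D87BBAB} - C:\WINDOWS\system32\gigagetbho_v10.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\SYSTEM32\antiwpa.dll
"""

# O2 - BHO: <name> - {<CLSID>} - <dll path or "(no file)">
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$")
# O20 - Winlogon Notify: <registry subkey> - <dll path>
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "low"
    rule: str
    dll: str       # lower-cased DLL file name; "" for an orphaned registration
    line: str      # the log line that triggered the rule


def dll_basename(path: str) -> str:
    """Lower-cased file name from a Windows path; '' for HijackThis' '(no file)'."""
    path = path.strip()
    if path.lower() == "(no file)":
        return ""
    return ntpath.basename(path).lower()


def in_system32(path: str) -> bool:
    return "\\system32\\" in path.lower()


def triage(log_text: str) -> list:
    """Return findings in log order: BHO rules first, then Winlogon Notify rules."""
    bhos, notifies = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O2_RE.match(line):
            bhos.append((m, line))
        elif m := O20_RE.match(line):
            notifies.append((m, line))

    findings = []
    bho_dlls = set()
    for m, line in bhos:
        dll = dll_basename(m["path"])
        if not dll:
            # CLSID left in the registry with no DLL on disk: harmless, but worth fixing.
            findings.append(Finding("low", "orphaned BHO registration (no file)", "", line))
            continue
        bho_dlls.add(dll)
        if m["name"] == "(no name)" and in_system32(m["path"]):
            # Legitimate BHOs almost always carry a name and live under Program Files.
            findings.append(Finding("high", "nameless BHO loading from system32", dll, line))
    for m, line in notifies:
        dll = dll_basename(m["path"])
        if dll in bho_dlls:
            # Same DLL hooked into IE and into winlogon.exe: the Vundo pattern.
            findings.append(Finding("high", "BHO DLL also registered as Winlogon Notify package", dll, line))
    return findings


if __name__ == "__main__":
    for label, log in (("before", HJT_BEFORE), ("after", HJT_AFTER)):
        found = triage(log)
        print(f"== {label}: {len(found)} finding(s)")
        for f in found:
            print(f"  [{f.severity}] {f.rule}: {f.dll or '-'}\n      {f.line}")
```

Run against the first log it reports two high findings for ljjyphet.dll (the nameless BHO and the matching Winlogon Notify entry) and one low finding for the orphaned {7E853D72-...} registration; against the second log it reports nothing, which is the check you want before calling the machine clean. The correlation rule is deliberately strict (same DLL file name in both O2 and O20) so that ordinary Winlogon Notify packages such as the SUPERAntiSpyware one in the second log do not trip it.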
#6 - Neal (Senior Member) - 22-05-2008, 09:34 PM
Re: Vundo Trojan

How is your computer behaving now?

SUPERAntiSpyware seems to have nailed the Vundo Trojan!!
#7 - viruzxp (Junior Member) - 23-05-2008, 05:58 AM
Re: Vundo Trojan

Yup, it's doing fine now. Thank you so much. I think I'm going to buy a copy of SUPERAntiSpyware.
#8 - Neal (Senior Member) - 23-05-2008, 08:20 PM
Re: Vundo Trojan

It is a very fine program.

If you are no longer having any more trouble, here are some preventative measures for you.

Be sure to re-hide hidden files/folders if you were asked to unhide them.

Here are some preventive measures you can take to keep your computer from getting infected again. Also keep Spybot S&D updated.

Read This First - IMPORTANT Instructions

Flush your restore points in ME and XP by turning System Restore off and then back on.
This will create a fresh restore point.

Explained here:
Windows XP: http://vil.nai.com/vil/SystemHelpDoc...ysRestore.aspx

Explained here:
Microsoft ME: http://service1.symantec.com/SUPPORT...rc=sec_doc_nam

Please download ATF Cleaner by Atribune to your desktop:
http://www.atribune.org/public-beta/ATF-Cleaner.exe

Double-click ATF-Cleaner.exe to run the program, to clean junk files off your PC.

If you would like to keep your cookies, don't check that item.

* Under Main "Select Files to Delete" choose: Select All.
* Click the Empty Selected button.
* If you use the Firefox browser, click Firefox at the top and choose: Select All.
* Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
* If you use the Opera browser, click Opera at the top and choose: Select All.
* Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

To reduce the re-infection potential for malware and protect yourself against spyware, here are a few helpful suggestions:

1. Keep Windows and Internet Explorer current with the latest critical security updates from Microsoft. This will patch many of the security holes through which attackers can gain access to your computer. You CANNOT complete this update using an alternate browser.
http://v5.windowsupdate.microsoft.co....aspx?ln=en-us
http://www.microsoft.com/windows/ie/default.asp

2. Run your antivirus software regularly, and keep its definitions up-to-date. If you are thinking about switching, there are some good free antivirus programs that are decent, including AVG and Avast!.
AVG: http://free.grisoft.com/doc/1
Avast: http://www.avast.com/eng/avast_4_home.html

3. In addition to using Ad-aware, consider using another free malware scanning/removal program:
Windows Defender: http://www.microsoft.com/athome/secu...e/default.mspx

4. Consider using a free firewall if you are not already using one. Some good free ones are:
Kerio
Sunbelt
Comodo Personal Firewall

5. Consider using an alternate free browser for general web surfing, but you must use IE for Windows Update.
Mozilla Firefox: www.mozilla.org/products/firefox/

6. Consider increasing your browser security by using these programs:
SpywareGuard will protect your homepage from being hijacked: http://www.javacoolsoftware.com/spywareguard.html
SpywareBlaster will increase browser protection by blocking thousands of known malware sites by adding them to IE's Restricted Sites zone. Download it here:
http://www.javacoolsoftware.com/spywareblaster.html

If you use SpywareBlaster, you can also use a custom block list to add even more entries into IE's Restricted Sites zone. Go to this site for the current list and how-to-use instructions: http://customblockinglist.cjb.net/

IE-SPYAD is similar in that it adds thousands more known malware sites to IE's Restricted Sites zone. Download it here:
https://netfiles.uiuc.edu/ehowes/www/resource.htm

Block access to untrustworthy sites

You can prevent your computer from visiting a myriad of untrustworthy sites and ad servers by installing a customised hosts file. One of the best available is the MVPS Hosts File. Simply follow the instructions to install the file in the correct location. This will not only make surfing safer but will improve website load times and block popups from many of the large ad servers.

*Remember, just like your primary anti-virus software, it is important to keep all of these programs up-to-date and use them on a regular basis. It's free.

And also see TonyKlein's good advice:
So how did I get infected in the first place? (My favorite)
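The hosts-file suggestion in the post above has one detail worth checking before relying on it: Windows matches hosts entries on the exact hostname, with no wildcard or parent-domain matching, so a line for serving-sys.com does nothing for bs.serving-sys.com (both appear in the SUPERAntiSpyware cookie list in post #5). The script below is an added example, not part of the post and not the MVPS project's own tooling: it parses a hosts file, tells you whether a given hostname is actually sinkholed, flags entries that send a name to a routable address (which is a redirect, the kind of change malware makes, not a block), and appends any names still missing. The hosts content is constructed for the example; the tracker hostnames are taken from the log in this thread.

```python
"""Check and extend a Windows hosts file used as an ad/tracker blocklist
(the MVPS-style approach suggested above). Added example; the hosts content
below is constructed, the hostnames come from the SUPERAntiSpyware cookie
list in this thread."""
import ipaddress

# Addresses a block entry may point at; anything else is a redirect, not a block.
SINKHOLES = {"0.0.0.0", "127.0.0.1", "::1"}

SAMPLE_HOSTS = """\
# constructed sample in the MVPS layout
127.0.0.1 localhost
0.0.0.0 serving-sys.com
0.0.0.0 tribalfusion.com   # ad network
0.0.0.0 ad.yieldmanager.com
192.0.2.10 www.example.com  # routable target: this entry hijacks, it does not block
"""


def parse_hosts(text: str) -> dict:
    """Return {hostname: ip} for every mapping in a hosts file.
    Skips '#' comments and malformed lines; hostnames are lower-cased because
    Windows name resolution is case-insensitive."""
    mapping = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not "<ip> <name>..."; ignore rather than crash
        for name in parts[1:]:
            mapping[name.lower()] = parts[0]
    return mapping


def is_blocked(mapping: dict, hostname: str) -> bool:
    """hosts matching is exact: an entry for serving-sys.com says nothing about
    bs.serving-sys.com, so each tracker hostname needs its own line."""
    return mapping.get(hostname.lower()) in SINKHOLES


def redirect_entries(mapping: dict) -> dict:
    """Entries that send a name to a routable address. In a file that is meant
    to be a blocklist these are the lines to investigate."""
    return {host: ip for host, ip in mapping.items() if ip not in SINKHOLES}


def merge_blocklist(hosts_text: str, hostnames, sink: str = "0.0.0.0"):
    """Append hostnames that are not yet present, one per line, without
    rewriting existing lines. Returns (new_text, list_of_added_names)."""
    present = parse_hosts(hosts_text)
    wanted = (h.lower() for h in hostnames)
    added = list(dict.fromkeys(h for h in wanted if h not in present))  # dedupe, keep order
    if not added:
        return hosts_text, []
    sep = "" if hosts_text.endswith("\n") else "\n"
    return hosts_text + sep + "".join(f"{sink} {h}\n" for h in added), added


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name in ("serving-sys.com", "bs.serving-sys.com", "ad.yieldmanager.com"):
        print(f"{name:22} blocked={is_blocked(hosts, name)}")
    print("redirect entries:", redirect_entries(hosts))
    new_text, added = merge_blocklist(SAMPLE_HOSTS, ["bs.serving-sys.com", "serving-sys.com"])
    print("added:", added)
```

On the sample, serving-sys.com and ad.yieldmanager.com come back blocked, bs.serving-sys.com does not until merge_blocklist adds it, and www.example.com is reported as a redirect. Point the same functions at %SystemRoot%\system32\drivers\etc\hosts to audit a real installation; the redirect check is also a cheap way to spot a hosts file that has been tampered with.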