For the Life of Me I Cannot Get Rid of VUNDO, Trojan Downloader -Crew




Old 30th Apr 2009, 18:53
New Member Group
 

Hi y'all,
So I'm trying to clean up a computer for a friend of a friend.
She's a disabled mother of two, so I would really like to get this fixed for her.

I used:
CCleaner,
MalwareBytes,
SUPERAntispyware,
Avast Anti-Virus,
in that order, and between the three of them most of the infections are clean.
However there are some that cannot be deleted.

Specifically:
(according to MalwareBytes)
TROJAN.VUNDO.H

(according to SUPER)
trojan downloader-crew
vundo variant- ms fake
vundo variant- joke

So I then ran:
VundoFix
VirtumundoBeGone

VundoFix detected Vundo but couldn't delete it.

So I then Ran:
AutoRuns
HijackThis.
My idea was to track down what was spawning the files and disable it so they could be deleted. In AutoRuns I found some Browser Helper Objects that were related to the virus and I disabled them. I also found a lot of scheduled tasks (At1, At2, etc.),
so between the two programs I tried to block it from spawning, but it didn't work and it's still there.

So after all that I Ran:
ComboFix,
ComboFix ran and was not able to delete the files.

If any of y'all could help me out I would be very thankful.

Thank You,
-Eric
P.S. I have attached all the logs.

HIJACKTHIS
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:42:08 PM, on 4/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\svchost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: (no name) - spyware - (no file)
O2 - BHO: (no name) - {0F7CB31F-19B1-494C-9CC1-1DF899B93474} - c:\windows\system32\dvmhvam.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://*.turbotax.com
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecurity.com/actives.../as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedIn...derControl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1225305749593
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://ak.imgag.com/imgag/cp/install/Crusher.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlbx_device - Dell - C:\WINDOWS\system32\dlbxcoms.exe
O23 - Service: Google Software Updater (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)

--
End of file - 5375 bytes

MALWAREBYTES
Malwarebytes' Anti-Malware 1.36
Database version: 2056
Windows 5.1.2600 Service Pack 3

4/30/2009 5:46:47 PM
mbam-log-2009-04-30 (17-46-47).txt

Scan type: Full Scan (C:\|)
Objects scanned: 158646
Time elapsed: 50 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0f7cb31f-19b1-494c-9cc1-1df899b93474} (Trojan.BHO.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{0f7cb31f-19b1-494c-9cc1-1df899b93474} (Trojan.BHO.H) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\dvmhvam.dll (Trojan.BHO.H) -> Delete on reboot.
C:\WINDOWS\system32\drivers\ovfsthxdrvensks.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ovfsthxcvssvqpe.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\ovfsthxvyplciei.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ovfsthxxtmafkod.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\ovfsthxewvbnobf.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ovfsthxlkuhmsjc.dat (Trojan.Agent) -> Quarantined and deleted successfully.

SUPERANTISPYWARE
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/30/2009 at 06:12 PM

Application Version : 4.26.1000

Core Rules Database Version : 3869
Trace Rules Database Version: 1817

Scan type : Complete Scan
Total Scan Time : 00:22:39

Memory items scanned : 375
Memory threats detected : 0
Registry items scanned : 4897
Registry threats detected : 0
File items scanned : 20841
File threats detected : 4

Trojan.Downloader-CREW
C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\BACKUPS\BACKUP-20090430-161242-470.DLL
C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\BACKUPS\BACKUP-20090430-161242-691.DLL
C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\BACKUPS\BACKUP-20090430-161242-931.DLL

Adware.Vundo Variant
C:\WINDOWS\SYSTEM32\ORZAURIU.DLL

COMBOFIX

ComboFix 09-04-30.05 - Cindy Robinson 04/30/2009 16:37.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1278.833 [GMT -7:00]
Running from: c:\documents and settings\Cindy Robinson\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Cindy Robinson\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
AV: avast! antivirus 4.8.1335 [VPS 090319-0] *On-access scanning disabled* (Outdated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\loader49.exe
c:\windows\system32\uniq.tll
c:\windows\Tasks\At1.job
c:\windows\system32\dvmhvam.dll . . . . failed to delete
c:\windows\system32\orzauriu.dll . . . . failed to delete

Infected copy of c:\windows\system32\sfcfiles.dll was found and disinfected
Restored copy from - c:\windows\$NtServicePackUninstall$\sfcfiles.dll


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_LIZHXIYW
-------\Legacy_SFC
-------\Service_lizhxiyw
-------\Service_sfc


((((((((((((((((((((((((( Files Created from 2009-03-28 to 2009-04-30 )))))))))))))))))))))))))))))))
.

2009-04-30 23:10 . 2009-04-30 23:10 -------- d-----w c:\program files\Trend Micro
2009-04-30 21:52 . 2009-04-30 21:52 24576 ----a-w c:\windows\system32\VundoFixSVC.exe
2009-04-30 03:26 . 2009-04-30 21:51 -------- d-----w C:\VundoFix Backups
2009-04-30 01:11 . 2009-04-30 01:11 -------- d-----w c:\program files\CCleaner
2009-04-28 22:05 . 2009-04-28 22:05 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-28 22:05 . 2009-04-28 22:05 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-28 22:05 . 2009-04-28 22:05 -------- d-----w c:\documents and settings\Cindy Robinson\Application Data\SUPERAntiSpyware.com
2009-04-28 22:05 . 2009-04-28 22:05 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-28 22:04 . 2009-04-06 22:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-28 22:04 . 2009-04-06 22:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-28 22:04 . 2009-04-28 22:04 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-28 03:48 . 2008-06-19 23:24 28544 ----a-w c:\windows\system32\drivers\pavboot.sys
2009-04-27 21:46 . 2009-04-27 21:46 104960 -c--a-w c:\windows\system32\dllcache\userinit.exe
2009-04-27 21:32 . 2009-04-27 21:32 -------- d-----w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Google
2009-04-27 03:32 . 2009-04-27 03:32 -------- d-----w c:\documents and settings\NetworkService\Application Data\zpswjtzo
2009-04-27 03:32 . 2009-04-27 03:32 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\zpswjtzo
2009-04-27 03:29 . 2009-04-27 03:29 -------- d-----w c:\documents and settings\Gabriel Robinson\Application Data\zpswjtzo
2009-04-27 03:29 . 2009-04-27 03:29 -------- d-----w c:\documents and settings\Gabriel Robinson\Local Settings\Application Data\zpswjtzo
2009-04-17 04:15 . 2009-04-17 04:15 -------- d-----w c:\documents and settings\Cindy Robinson\Local Settings\Application Data\PCHealth
2009-04-16 21:35 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-16 21:35 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-16 21:35 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 21:35 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 21:35 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 21:35 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 21:35 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 21:35 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-16 21:35 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-16 21:35 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-30 23:38 . 2004-08-04 10:00 143872 ----a-w c:\windows\system32\orzauriu.dll
2009-04-30 23:38 . 2004-08-04 10:00 104448 ----a-w c:\windows\system32\fjwrydy.dll
2009-04-27 22:29 . 2008-12-09 09:09 -------- d-----w c:\program files\Common Files\Panda Software
2009-04-27 06:44 . 2007-12-14 21:24 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-27 02:41 . 2008-02-18 00:11 69232 ----a-w c:\documents and settings\Gabriel Robinson\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-23 08:22 . 2009-03-23 08:22 -------- d-----w c:\program files\eBay
2009-03-23 08:14 . 2007-12-14 21:15 -------- d-----w c:\program files\Common Files\InstallShield
2009-03-10 22:16 . 2009-03-10 22:16 -------- d-----w c:\program files\Endicia
2009-03-10 22:01 . 2009-03-10 22:00 -------- d-----w c:\program files\Envelope Manager
2009-03-06 14:22 . 2004-08-04 10:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2006-03-04 03:33 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-04 10:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2004-08-04 10:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-04 10:00 719872 ----a-r c:\documents and settings\Gabriel Robinson\Application Data\sdra64.exe
2009-02-09 12:10 . 2004-08-04 10:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 10:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 10:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2004-08-04 10:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-08 02:02 . 2005-03-30 01:01 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2004-08-04 10:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2005-03-30 01:23 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-04 10:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-05 20:37 . 2009-02-05 20:37 49152 ----a-r c:\windows\system32\inetwh32.dll
2009-02-05 20:37 . 2009-02-05 20:37 1044480 ----a-r c:\windows\system32\roboex32.dll
2009-02-03 19:59 . 2004-08-04 10:00 56832 ----a-w c:\windows\system32\secur32.dll
2002-09-11 21:26 . 2008-04-12 22:06 63730 ----a-w c:\program files\viewsonicinstruct_xp.pdf
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0F7CB31F-19B1-494C-9CC1-1DF899B93474}]
2004-08-04 10:00 104448 ----a-w c:\windows\system32\dvmhvam.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-23 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"EnableProfileQuota"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

S0 lrmwyqnt;lrmwyqnt;c:\windows\system32\drivers\lrmwyqnt.sys [2004-08-04 23424]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-06-19 28544]
S1 aswSP;avast! Self Protection; [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]

.
Contents of the 'Scheduled Tasks' folder

2009-04-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: turbotax.com
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
.

************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-30 16:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\drivers\ovfsthxdrvensks.sys 81408 bytes executable
c:\windows\system32\ovfsthxcvssvqpe.dll 18432 bytes executable
c:\windows\system32\ovfsthxewvbnobf.dat 587051 bytes
c:\windows\system32\ovfsthxlkuhmsjc.dat 43 bytes
c:\windows\system32\ovfsthxvyplciei.dll 18432 bytes executable
c:\windows\system32\ovfsthxxtmafkod.dll 59904 bytes executable

scan completed successfully
hidden files: 6

************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(656)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(2080)
c:\windows\system32\mshtml.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCR80.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wscntfy.exe
.
************************************************************************
.
Completion time: 2009-04-30 16:48 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-30 23:48

Pre-Run: 19,510,329,344 bytes free
Post-Run: 22,582,583,296 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

188 --- E O F --- 2009-04-22 05:01
  #2  
Old 30th Apr 2009, 20:24
Moderator Group
 

Do you know what these are?

Code:
2009-04-27 03:32 . 2009-04-27 03:32 -------- d-----w c:\documents and settings\NetworkService\Application Data\zpswjtzo
2009-04-27 03:32 . 2009-04-27 03:32 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\zpswjtzo
2009-04-27 03:29 . 2009-04-27 03:29 -------- d-----w c:\documents and settings\Gabriel Robinson\Application Data\zpswjtzo
2009-04-27 03:29 . 2009-04-27 03:29 -------- d-----w c:\documents and settings\Gabriel Robinson\Local Settings\Application Data\zpswjtzo

  #3  
Old 30th Apr 2009, 21:09
New Member Group
 

Thanks for the reply.
I do not know what those are.
Any ideas?
  #4  
Old 1st May 2009, 11:00
Moderator Group
 

Yes I'm pretty sure that is where all of this came from.

Now download The Avenger by Swandog46 and save it to your Desktop.
  • Extract avenger.exe from the Zip file and save it to your Desktop
  • Run avenger.exe by double-clicking on it.
  • Do not change any check box options!!
  • Copy everything in the Code box below, and paste it into the Input script here window:


Code:
Comment:

Files to delete:
c:\windows\system32\VundoFixSVC.exe
c:\windows\system32\dvmhvam.dll
c:\windows\system32\drivers\lrmwyqnt.sys
c:\windows\system32\drivers\ovfsthxdrvensks.sys
c:\windows\system32\ovfsthxcvssvqpe.dll
c:\windows\system32\ovfsthxewvbnobf.dat
c:\windows\system32\ovfsthxlkuhmsjc.dat
c:\windows\system32\ovfsthxvyplciei.dll
c:\windows\system32\ovfsthxxtmafkod.dll

Folders to delete:
C:\VundoFix Backups
c:\documents and settings\NetworkService\Application Data\zpswjtzo
c:\documents and settings\NetworkService\Local Settings\Application Data\zpswjtzo
c:\documents and settings\Gabriel Robinson\Application Data\zpswjtzo
c:\documents and settings\Gabriel Robinson\Local Settings\Application Data\zpswjtzo

Registry keys to delete:
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0F7CB31F-19B1-494C-9CC1-1DF899B93474}]

Registry values to delete:
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0F7CB31F-19B1-494C-9CC1-1DF899B93474}]

Drivers to delete:
lrmwyqnt
  • Now click the Execute button.
  • Click Yes to the prompt to confirm you want to execute.
  • Click Yes to the "Reboot now?" question that will appear when Avenger finishes running.
  • Your PC should reboot, if not, reboot it yourself.
  • A log file from Avenger will be produced at C:\avenger.txt and it will pop-up for you to view when you login after reboot.


  • Add the Avenger log in your next post.

  #5  
Old 4th May 2009, 23:10
New Member Group
 

Hi, sorry for the late reply, I was gone last weekend.
When I went to execute the script I got an error message:
"Error: invalid registry syntax in command:
[Hkey_local_machine\~\browser helper objects\{0f7cb31f-19b1-494c-9cc1-df899b93474}]
Only registry keys under the hkey_local_machine hive are accessible to this program. Skipping line. (registry key deletion mode)"
and then I hit OK to go anyway
and I got another error:
"[-Hkey_local_machine\~\browser helper objects\{0f7cb31f-19b1-494c-9cc1-df899b93474}
skipping line"
Then it rebooted.


Here is the log:

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Mon May 04 23:02:19 2009

23:02:15: Error: Invalid registry syntax in command:
"[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0F7CB31F-19B1-494C-9CC1-1DF899B93474}]"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line. (Registry key deletion mode)
23:02:19: Error: Execution aborted by user!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Mon May 04 23:06:10 2009

23:06:09: Error: Invalid registry syntax in command:
"[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0F7CB31F-19B1-494C-9CC1-1DF899B93474}]"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line. (Registry key deletion mode)
23:06:10: Error: Execution aborted by user!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Mon May 04 23:07:38 2009

23:06:17: Error: Invalid registry syntax in command:
"[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0F7CB31F-19B1-494C-9CC1-1DF899B93474}]"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line. (Registry key deletion mode)
23:07:31: Error: Invalid syntax in command:
"[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0F7CB31F-19B1-494C-9CC1-1DF899B93474}]"
Skipping line. (Registry value deletion mode)


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "c:\windows\system32\VundoFixSVC.exe" deleted successfully.
File "c:\windows\system32\dvmhvam.dll" deleted successfully.
File "c:\windows\system32\drivers\lrmwyqnt.sys" deleted successfully.

Error: file "c:\windows\system32\drivers\ovfsthxdrvensks.sys" not found!
Deletion of file "c:\windows\system32\drivers\ovfsthxdrvensks.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\ovfsthxcvssvqpe.dll" not found!
Deletion of file "c:\windows\system32\ovfsthxcvssvqpe.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\ovfsthxewvbnobf.dat" not found!
Deletion of file "c:\windows\system32\ovfsthxewvbnobf.dat" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\ovfsthxlkuhmsjc.dat" not found!
Deletion of file "c:\windows\system32\ovfsthxlkuhmsjc.dat" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\ovfsthxvyplciei.dll" not found!
Deletion of file "c:\windows\system32\ovfsthxvyplciei.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\ovfsthxxtmafkod.dll" not found!
Deletion of file "c:\windows\system32\ovfsthxxtmafkod.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Folder "C:\VundoFix Backups" deleted successfully.
Folder "c:\documents and settings\NetworkService\Application Data\zpswjtzo" deleted successfully.
Folder "c:\documents and settings\NetworkService\Local Settings\Application Data\zpswjtzo" deleted successfully.
Folder "c:\documents and settings\Gabriel Robinson\Application Data\zpswjtzo" deleted successfully.
Folder "c:\documents and settings\Gabriel Robinson\Local Settings\Application Data\zpswjtzo" deleted successfully.
Driver "lrmwyqnt" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
  #6  
Old 5th May 2009, 09:58
Moderator Group
 

Go to Start > Run and type notepad.exe then click OK

Copy and paste the below into Notepad and save as fixme.reg to Your Desktop

Code:
REGEDIT4

; Full path of the BHO key. ComboFix's log shortens the SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer prefix to "~"; regedit needs it written out.
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0F7CB31F-19B1-494C-9CC1-1DF899B93474}]

Locate fixme.reg on your Desktop and double-click it. Answer Yes when prompted to merge with the Registry.

Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it did not work.

Delete the fixme.reg from the Desktop.

----------

  • Click START then RUN
  • Now type Combofix /u in the runbox
  • Make sure there's a space between Combofix and /u
  • Then hit Enter.


  • The above procedure will:
  • Delete the following:
  • ComboFix and its associated files and folders.
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Set a new, clean Restore Point.


----------

Download ATF Cleaner by Atribune to your Desktop.


Note: Vista users must use Run As Administrator
  • Under Main: Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords click No at the prompt.
  • Click Exit on the Main menu to close the program.


Note that your system will run slower for a reboot or two after having used this tool so don't panic.

----------

Download OTCleanIt.exe and save it to your Desktop.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it yourself.


Important: Restart the computer before continuing.

----------

Scan with Panda ActiveScan 2.0

This scanner requires Internet Explorer

  • Once you are on the Panda site click the Scan your PC now button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Select the appropriate Yes or No to receiving marketing information
  • Click the Free Online Scan button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.


Post the contents of the ActiveScan report in your next reply.
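A small triage script, added here as an example; it is not code from this thread or from HijackThis, ComboFix, Avenger or Malwarebytes, and every function name in it is this example's own. It parses five HijackThis lines copied from the log in the first post, flags the unnamed BHO that loads from system32, and builds a REGEDIT4 deletion file for that CLSID. Two points from the thread drive the design: the `~` in ComboFix's "Reg Loading Points" output is shorthand for the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer prefix (the Malwarebytes log shows the same key in full), which is why Avenger rejected the script in post #4 and why a .reg file must carry the full path, so the validator refuses any key that still contains `\~\`; and Malwarebytes reported two keys for the BHO, the Explorer registration and the HKCR\CLSID class, so both are emitted. The "6 to 9 random letters in system32" rule is an assumption of this example, a heuristic for this log rather than a general detection.

```python
"""Triage a HijackThis/ComboFix log and emit a REGEDIT4 removal file.

Added example; not code from the thread or from HijackThis, ComboFix,
Avenger or Malwarebytes. All function names are this example's own.
"""
import re

# Constructed sample: five lines copied from the HijackThis log in this thread.
HJT_LINES = r"""
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: (no name) - {0F7CB31F-19B1-494C-9CC1-1DF899B93474} - c:\windows\system32\dvmhvam.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: Google Software Updater (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
""".strip().splitlines()

CLSID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)
# Heuristic (assumption of this example): a 6-9 letter all-alpha DLL directly in
# system32, registered as a BHO with no name, is how this infection shows in the log.
RANDOM_SYS32_DLL_RE = re.compile(r"^c:\\windows\\system32\\[a-z]{6,9}\.dll$", re.I)

# The prefix ComboFix prints as "~" for BHO keys; the Malwarebytes log in the
# thread lists the same CLSID under this full path.
EXPLORER_PREFIX = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"
COMBOFIX_BHO_MARKER = "HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\"
HIVES = ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT", "HKEY_USERS")


def parse_bho(line):
    """Return (clsid, dll_path) for an O2 line that carries a CLSID, else None."""
    if not line.startswith("O2 - BHO:"):
        return None
    m = CLSID_RE.search(line)
    if not m:
        return None  # e.g. the "AutorunsDisabled - (no file)" leftover entry
    return m.group(0).upper(), line.rsplit(" - ", 1)[-1].strip()


def suspicious_bhos(lines):
    """Unnamed BHOs whose DLL matches the random-name heuristic above."""
    hits = []
    for line in lines:
        parsed = parse_bho(line)
        if parsed and "(no name)" in line and RANDOM_SYS32_DLL_RE.match(parsed[1]):
            hits.append(parsed)
    return hits


def expand_combofix_key(key):
    """Expand ComboFix's '~' shorthand for the BHO registration key only."""
    if key.startswith(COMBOFIX_BHO_MARKER):
        return EXPLORER_PREFIX + "\\Browser Helper Objects\\" + key[len(COMBOFIX_BHO_MARKER):]
    return key


def validate_reg_key(key):
    """Reject what regedit (and Avenger) cannot resolve: '~' shorthand or an unknown hive."""
    if "\\~\\" in key:
        raise ValueError("unexpanded ComboFix shorthand in key: " + key)
    if key.split("\\", 1)[0] not in HIVES:
        raise ValueError("unknown hive in key: " + key)
    return key


def bho_removal_keys(clsid):
    """Both keys Malwarebytes reported for the BHO: the registration and the COM class."""
    return [EXPLORER_PREFIX + "\\Browser Helper Objects\\" + clsid,
            "HKEY_CLASSES_ROOT\\CLSID\\" + clsid]


def build_delete_reg(keys):
    """REGEDIT4 text deleting each key; a leading '-' inside the brackets means delete."""
    entries = [f"[-{validate_reg_key(expand_combofix_key(k))}]" for k in keys]
    return "REGEDIT4\n\n" + "\n\n".join(entries) + "\n"


if __name__ == "__main__":
    for clsid, path in suspicious_bhos(HJT_LINES):
        print("suspicious BHO", clsid, "->", path)
        print(build_delete_reg(bho_removal_keys(clsid)))
```

Merging the generated file only removes the registration; the DLL itself still has to be deleted after the BHO is no longer loaded into Explorer and Internet Explorer, which is the order the thread's tools followed.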

Copyright ©2006 - 2009 Computer Juice.
