Jump to content

Recommended Posts

Hi guys,

I've seen this problem around but wanted a machine specific solution. I believe I have the Vundo virus, but could be wrong. I have the following anti-virus running but none can detect/remove:

Spybot

Prevx

Ad-aware

Clamwin

Avast!

When I install/open Malwarebytes I get the following error:

Runtime error!

Program: C:\Program Files\Malwarebytes' Anti Malware\mbam.exe

Hijack this log is as follows:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:28:33 PM, on 20/07/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Citrix\ICA Client\ssonsvr.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Prevx\prevx.exe

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Prevx\prevx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\SLClient.exe

C:\WINDOWS\System32\snmp.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Venturi Client\Client\ventc.exe

C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe

C:\WINDOWS\system32\CCM\CcmExec.exe

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\Program Files\Venturi Client\squid\ventcsquid.exe

C:\Program Files\Venturi Client\squid\ventcdnsserver.exe

C:\Program Files\Venturi Client\squid\ventcdnsserver.exe

C:\Program Files\Venturi Client\squid\ventcdnsserver.exe

C:\Program Files\Venturi Client\squid\ventcdnsserver.exe

C:\Program Files\Venturi Client\squid\ventcdnsserver.exe

C:\Program Files\Venturi Client\squid\ventcunlinkd.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\Program Files\ClamWin\bin\ClamTray.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet.railcorp.nsw.gov.au

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://83.149.115.146/info.png?cmp=fkfrt&a...=1&ver=4057

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171

O2 - BHO: (no name) - {3653759c-f2f5-4cb9-b615-9128e5acddb4} - (no file)

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\JavaSoft\JRE\1.3.1_08\bin\npjava131_08.dll (file missing)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\JavaSoft\JRE\1.3.1_08\bin\npjava131_08.dll (file missing)

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O10 - Unknown file in Winsock LSP: vwlsp.dll

O10 - Unknown file in Winsock LSP: vwlsp.dll

O10 - Unknown file in Winsock LSP: vwlsp.dll

O10 - Unknown file in Winsock LSP: vwlsp.dll

O14 - IERESET.INF: START_PAGE_URL=http://intranet.railcorp.nsw.gov.au

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab

O16 - DPF: {5e2a3510-4371-11d6-b64c-00c04faedb18} (Oracle JInitiator 1.1.8.18) -

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1197889198515

O20 - Winlogon Notify: crypt - C:\WINDOWS\

O23 - Service: Apple Mobile Device (apple mobile device) - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Background Intelligent Transfer Service (bits) - Unknown owner - C:\WINDOWS\

O23 - Service: Windows Network Data Management System Service (bndmss) - Unknown owner - C:\WINDOWS\system32\bndmss.exe (file missing)

O23 - Service: Bonjour Service (bonjour service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: CSIScanner (csiscanner) - Prevx - C:\Program Files\Prevx\prevx.exe

O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

O23 - Service: InstallDriver Table Manager (idrivert) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service (ipod service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: McAfee Framework Service (mcafeeframework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

O23 - Service: ScriptLogic Service (slclient) - ScriptLogic Corporation - C:\WINDOWS\SYSTEM32\SLClient.exe

O23 - Service: Venturi Client (venturiclient) - Venturi Wireless - C:\Program Files\Venturi Client\Client\ventc.exe

--

End of file - 7755 bytes

YOUR HELP IS MUCH APPRECIATED!!

Link to post
Share on other sites

Hi all,

further update: I managed to get malwarebytes going using the hotfix. Removed some 15 pieces of spyware/malware (including Vundo as suspected). Only remaining issue is turning back on system restore and automatic updates. When I attempt to do so in "services.msc" I get an "Access is Denied" message. Think this may be because the Trojans altered some paths/permissions in the registry. Reluctant to regedit. Will combofix or vundofix help? Please advise if you need to see updated logs.

Thanks!

Link to post
Share on other sites

  • Staff
Hi all,

Will combofix or vundofix help? Please advise if you need to see updated logs.

Thanks!

Please do not run any tools unless specifically told to do so by one of our trained specialists.

Someone will be along a soon as possible, please be patient.

Link to post
Share on other sites

Please do not run any tools unless specifically told to do so by one of our trained specialists.

Someone will be along a soon as possible, please be patient.

hi, I've managed to solve the issue by fixing the corrupted wuauserv and BITS keys in my registry. Automatic updates back up and running. You can delete this thread if you wish.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.