
Can't seem to make Vundo go away


I've read all the articles I can find on Vundo, tried many things, and keep coming back to mbam as something that at least puts it at bay for a couple days before it acts up again. But, I can't make it go away for good.

Symptoms started with popups - made that variant go away.

Then all links in a google search get rewritten to odd addresses. Sometimes the sites seem worthwhile - too bad they are attached to a virus.

Now I have invisible iexplorer processes starting that play commercials plus the google search rewriting plus system slowdown plus blue screens for apparently no reason.

To make it worse, I can't boot safe mode - I get to mup.sys and it reboots.

And... If I try an XP reinstall it has the "can't find the CD" after it loads the drivers. So, that's kinda a no go.

I can't run mbam.exe, so I go to mbam.malwarebytes.org/program/random.php to pick up random executables which seem to run if I've run rkill first.

Running mbam right now showed:

Trojan.Vundo.H File C:\Windows\ipahense.dll

Trojan.Vundo.H Registry Data HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages Data: ipahense.dll

Trojan.Hiloti Memory Module C:\Windows\ipahense.dll

Rogue.Installer File C:\Windows\temp\settdebugx.dll

Rogue.Installer Registry Value HKEY_USERS\DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\settdebugx.exe Value: settdebug.exe

Trojan.Downloader File C:\Windows\temp\bvmmde.exe

Trojan.Vundo File C:\Windows\temp\Installer.exe

Trojan.FakeAlert File C:\Windows\temp\wscsvc32.exe

Rogue.MalwareDefense Registry Key HKEY_LOCAL_MACHINE\SOFTWARE\Malware Defense

Rootkit.TDSS Registry Key HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT

Trojan.FakeAlert File C:\Windows\system\warning.html

Reboot, and rerun shows:

Trojan.Vundo Memory Module \\?\globalroot\systemroot\system32\H8SRT xflsivpnlk.dll

Trojan.Vundo File \\?\globalroot\systemroot\system32\H8SRT xflsivpnlk.dll

Rootkit.TDSS Registry Key HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT

At the login screen, I receive a Windows Corrupt File error for C:\avenger.txt.

After login, I receive a RUNDLL error: An exception occurred while trying to run "C:\Windows\system32\NvCpl.dll,NvStartup"

And, I always get a file opened with notepad that contains:

[.ShellClassInfo]

LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787

This is an XP Home Ed SP3 box.

Since it always seems to be asked for... The HijackThis logfile:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:38:10 PM, on 1/9/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\EnergyInc\TEDFootprints\TEDService.exe

C:\Program Files\TVersity\Media Server\MediaServer.exe

C:\Program Files\Team MediaPortal\MediaPortal TV Server\TVService.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\Program Files\Unlocker\UnlockerAssistant.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Win2VNC\win2vnc.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8080

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local

O1 - Hosts: ::1 localhost

O1 - Hosts: 91.212.127.227 antiviraprof-2009.microsoft.com

O1 - Hosts: 91.212.127.227 antiviraprof2009.com

O1 - Hosts: 91.212.127.227 www.antiviraprof2009.com

O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll

O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\PROGRA~1\TextAloud\TAForIE.dll

O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"

O4 - HKLM\..\Run: [unlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [umeyovuviyakid] rundll32.exe "C:\WINDOWS\aduwocucaf.dll",Startup

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\Run: [AntiVirus Plus] "C:\WINDOWS\system32\rundll32.exe" "C:\Documents and Settings\Owner\Application Data\AntiVirus Plus\AntiVirus Plus.70367201.dll", start 70367201 (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [AntiVirus Plus] "C:\WINDOWS\system32\rundll32.exe" "C:\Documents and Settings\Owner\Application Data\AntiVirus Plus\AntiVirus Plus.70367201.dll", start 70367201 (User 'Default user')

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: Launch PicLens - {3437D640-C91A-458f-89F5-B9095EA4C28B} - C:\Program Files\PicLensIE\PicLens.dll

O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {fb5f1910-f110-11d2-bb9e-00c04f795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {fb5f1910-f110-11d2-bb9e-00c04f795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll

O16 - DPF: {076169AA-8C3D-4CFC-AC23-3ACA88FC21B5} (F-Secure Online Scanner Launcher) - http://download.sp.f-secure.com/ols/f-secu.../fslauncher.cab

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/vwhpro/EN/install/gtdownlr.cab

O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6662.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1235939932859

O16 - DPF: {B33E9AC8-169E-4346-BCD9-C98A8BE3F1E9} - http://piclens.com/shared/plinstll.cab

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game03.zylom.com/activex/zylomgamesplayer.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shock...ash/swflash.cab

O20 - AppInit_DLLs: dehaseha.dll c:\windows\ c:\windows\system32\wurakiyi.dll

O21 - SSODL: yizejuwad - {2b9a5f9a-198d-4c63-b323-65093cb8573b} - c:\windows\system32\wurakiyi.dll (file missing)

O21 - SSODL: sazisuhiw - {7e592629-6f26-4d1a-8a51-0f9e35f28450} - c:\windows\system32\wurakiyi.dll (file missing)

O21 - SSODL: dabatunis - {014af5a1-8752-47bd-a763-894c5fc25fea} - c:\windows\system32\wurakiyi.dll (file missing)

O22 - SharedTaskScheduler: gahurihor - {2b9a5f9a-198d-4c63-b323-65093cb8573b} - c:\windows\system32\wurakiyi.dll (file missing)

O22 - SharedTaskScheduler: tokatiluy - {7e592629-6f26-4d1a-8a51-0f9e35f28450} - c:\windows\system32\wurakiyi.dll (file missing)

O22 - SharedTaskScheduler: tokatiluy - {014af5a1-8752-47bd-a763-894c5fc25fea} - c:\windows\system32\wurakiyi.dll (file missing)

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Google Desktop Manager 5.7.801.1629 (GoogleDesktopManager-010108-205858) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: TEDService - Unknown owner - C:\Program Files\EnergyInc\TEDFootprints\TEDService.exe

O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe

O23 - Service: TVService - Team MediaPortal - C:\Program Files\Team MediaPortal\MediaPortal TV Server\TVService.exe

--

End of file - 9496 bytes

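The HijackThis log above is long, and most of it is legitimate software; the entries that matter are the ones that follow a handful of patterns. The script below is an added example (not HijackThis or Malwarebytes code) that walks entries in the log's own line format and flags the patterns visible in this post: a browser proxy pointed at localhost, hosts-file lines that send a hostname somewhere other than loopback, Run entries that load a DLL from outside system32 via rundll32, a populated AppInit_DLLs value, and SSODL/SharedTaskScheduler hooks whose DLL is already missing. The sample lines are copied from the log; the heuristics are mine and only say "look closer", not "malicious".

```python
import re

# Constructed sample: a few entries copied from the HijackThis log in the post above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8080
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.127.227 antiviraprof2009.com
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [umeyovuviyakid] rundll32.exe "C:\WINDOWS\aduwocucaf.dll",Startup
O20 - AppInit_DLLs: dehaseha.dll c:\windows\ c:\windows\system32\wurakiyi.dll
O21 - SSODL: yizejuwad - {2b9a5f9a-198d-4c63-b323-65093cb8573b} - c:\windows\system32\wurakiyi.dll (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
""".strip().splitlines()

LOOPBACK = {"127.0.0.1", "::1"}
ENTRY = re.compile(r"^([RO]\d+) - (.*)$")          # "<section> - <body>"
RUNDLL = re.compile(r'rundll32\.exe\s+"?([^",]+\.dll)', re.I)  # DLL handed to rundll32
SYSTEM32 = re.compile(r"^[a-z]:\\windows\\system32\\", re.I)

def triage_entry(line):
    """Return a reason if one HijackThis entry matches a pattern from this infection, else None."""
    m = ENTRY.match(line)
    if not m:
        return None
    sec, body = m.groups()
    if sec == "R1" and "ProxyServer" in body:
        return "browser traffic forced through a local proxy: " + body.split("=", 1)[1].strip()
    if sec == "O1":
        ip, host = body.split(":", 1)[1].split()[:2]   # "Hosts: <ip> <name>"
        if ip not in LOOPBACK:
            return f"hosts file redirects {host} to {ip}"
    if sec == "O4":
        hit = RUNDLL.search(body)
        if hit and not SYSTEM32.match(hit.group(1)):
            return "Run entry loads a DLL from outside system32: " + hit.group(1)
    if sec == "O20" and body.split(":", 1)[1].strip():
        return "AppInit_DLLs is populated (loaded into every process that maps user32.dll)"
    if sec in ("O21", "O22") and "(file missing)" in body:
        return "shell hook points at a DLL that no longer exists (leftover registration)"
    return None

def triage(lines):
    """Run triage_entry over a whole log; returns [(section, reason), ...] for hits only."""
    out = []
    for line in lines:
        reason = triage_entry(line)
        if reason:
            out.append((ENTRY.match(line).group(1), reason))
    return out
```

Running `triage(SAMPLE_LOG)` reports five of the eight sample entries and leaves the NVIDIA Run entry, the IPv6 loopback hosts line and the Bonjour service alone.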

Hello and welcome to Malwarebytes! My name is BHowett and I will be helping you to get sorted if you still need help.

Sorry for the delay, but when users who are not allowed to reply to you do so, it leaves the appearance that you're getting help even though you're really not.

Please do the following if you still need help, or just let me know if you already took care of it.
