
Trojan.Vundo



Malwarebytes continues to find and try to delete 7 infected files but the infected files continue to reappear. It says the files are deleted but they reappear every time I run a scan. I am getting a lot of redirects on my Google searches and assume these infected files are causing it? Below is the mbam log identifying the infected files.

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4199

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

6/15/2010 12:34:05 PM

mbam-log-2010-06-15 (12-34-05).txt

Scan type: Full scan (C:\|)

Objects scanned: 232290

Time elapsed: 40 minute(s), 15 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 7

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\khigfddrv (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fcyyvwsys (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ddaxxvdrv (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wvvstqsys (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hggdaxdrv (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wvvstqsys (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hggdaxdrv (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Hi,

Download DDS and save it to your desktop from here or here or here.

Disable any script blocker, and then double click dds.scr to run the tool.

  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop. Post them back to your topic.

Download GMER here by clicking the "download exe" button and then saving it to your desktop:

  • Double-click the .exe that you downloaded.
  • Click the Rootkit tab, uncheck the Files option and then click Scan.
  • Don't check the Show All box while scanning is in progress!
  • When scanning is ready, click Copy. This copies the log to the clipboard.
  • Post the log in your reply (if the log is long, archive it into a zip file and attach that instead of posting it).

I followed the instructions above and am posting the three files.

DDS.txt -

DDS (Ver_10-03-17.01) - NTFSx86

Run by larry wharton at 11:17:40.25 on Mon 06/21/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3197.2317 [GMT -4:00]

AV: Norton AntiVirus *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Norton AntiVirus\Engine\17.7.0.12\ccSvcHst.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program Files\Norton AntiVirus\Engine\17.7.0.12\ccSvcHst.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\System32\mshta.exe

C:\Program Files\Java\jre6\bin\jucheck.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\System32\mshta.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Malwarebytes' Anti-Malware\testmb.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\Documents and Settings\larry wharton\Desktop\dds.com

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local

mWinlogon: Userinit=c:\windows\system32\Userinit.exe

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\17.7.0.12\IPSBHO.DLL

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Google Update] "c:\documents and settings\larry wharton\local settings\application data\google\update\GoogleUpdate.exe" /c

uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe"

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [qonnlmdrv] rundll32.exe "mlijhf.dll",s

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [HDAudDeck] c:\program files\via\viaudioi\hdadeck\HDeck.exe 1

mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE

mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [mlkiifsys] rundll32.exe "jkhhhi.dll",DllRegisterServer

mRun: [rqpnmjdrv] rundll32.exe "mlijhf.dll",s

dRun: [apmanager.exe] c:\documents and settings\networkservice\application data\apmanager\apmanager.exe silent

dRun: [yabxxwsys] rundll32.exe "jkhhhi.dll",DllRegisterServer

dRun: [iihigedrv] rundll32.exe "mlijhf.dll",s

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe

IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM

IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM

IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM

IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM

IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM

IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

Trusted Zone: inmotionhosting.com\support

Trusted Zone: intuit.com\ttlc

DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1260203297265

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

LSA: Authentication Packages = msv1_0 jkhhhi.dll

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nav\1107000.00c\symds.sys [2010-5-20 328752]

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1107000.00c\symefa.sys [2010-5-20 173104]

R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.0.0.136\definitions\bashdefs\20100522.001\BHDrvx86.sys [2010-5-22 691248]

R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1107000.00c\cchpx86.sys [2010-5-20 501888]

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-5-13 214664]

R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nav\1107000.00c\ironx86.sys [2010-5-20 116784]

R2 NAV;Norton AntiVirus;c:\program files\norton antivirus\engine\17.7.0.12\ccsvchst.exe [2010-5-20 126392]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-27 102448]

R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.0.0.136\definitions\ipsdefs\20100617.005\IDSXpx86.sys [2010-6-19 331640]

R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.0.0.136\definitions\virusdefs\20100620.006\NAVENG.SYS [2010-6-21 85552]

R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.0.0.136\definitions\virusdefs\20100620.006\NAVEX15.SYS [2010-6-21 1347504]

R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2008-10-22 238080]

S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-7-23 79816]

S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-7-23 35272]

S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-7-23 34248]

S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-7-23 40552]

=============== Created Last 30 ================

2010-06-11 20:19:44 0 ----a-w- c:\documents and settings\larry wharton\defogger_reenable

2010-06-11 16:41:54 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

2010-06-11 16:00:22 131856 ----a-w- c:\windows\system32\MSADODC.ocx

2010-06-11 16:00:21 89088 ----a-w- c:\windows\system32\ProgressBar4.ocx

2010-06-11 16:00:21 512688 ----a-w- c:\windows\system32\XceedCry.dll

2010-06-11 16:00:21 423784 ----a-w- c:\windows\system32\XceedBkp.dll

2010-06-11 16:00:21 389120 ----a-w- c:\windows\system32\ACTSKN43.OCX

2010-06-11 16:00:21 28672 ----a-w- c:\windows\system32\systray.ocx

2010-06-11 16:00:21 265753 ----a-w- c:\windows\system32\AS-Exp2.ocx

2010-06-11 16:00:21 188416 ----a-w- c:\windows\system32\actsplash.ocx

2010-06-11 16:00:21 1435272 ----a-w- c:\windows\system32\Flash.ocx

2010-06-11 16:00:21 1140472 ----a-w- c:\windows\system32\IGUltraGrid20.ocx

2010-06-11 16:00:21 11012 ----a-w- c:\windows\system32\threadapi.tlb

2010-06-11 16:00:21 101888 ----a-w- c:\windows\system32\VB6STKIT.DLL

2010-06-11 16:00:20 0 d-----w- c:\program files\MalwareSweeper.com

2010-06-11 15:48:35 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-11 15:48:34 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-07 02:41:15 86528 ---ha-w- c:\windows\system32\ursqop.dll

2010-06-07 02:41:14 86528 ---ha-w- c:\windows\system32\jkhhhi.dll

2010-06-06 23:33:31 86528 ---ha-w- c:\windows\system32\hgfcbx.dll

2010-06-06 23:24:16 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-06 20:56:58 86528 ---ha-w- c:\windows\system32\ursppp.dll

2010-06-06 20:03:22 0 d-----w- c:\program files\Spybot - Search & Destroy2

2010-06-06 01:16:44 93696 ---ha-w- c:\windows\system32\mlijhf.dll

2010-06-06 00:44:11 140288 ----a-w- c:\windows\system32\pcre3.dll

2010-06-01 14:36:01 542 ----a-w- c:\windows\system32\405.js

==================== Find3M ====================

2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-06 04:01:43 47408 ----a-r- c:\windows\system32\drivers\SymIM.sys

2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll

2010-04-08 17:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-04-08 17:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe

2010-01-05 21:13:07 32768 --sha-w- c:\windows\system32\config\systemprofile\application data\microsoft\internet explorer\userdata\index.dat

2008-10-23 01:22:30 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat

2009-02-23 21:15:51 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009022320090224\index.dat

2009-02-28 02:56:27 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009022720090228\index.dat

============= FINISH: 11:18:07.03 ===============

Attach.txt -

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 1/13/2010 2:15:37 PM

System Uptime: 6/21/2010 9:30:20 AM (2 hours ago)

Motherboard: ASUSTeK Computer INC. | | P5N73-AM

Processor: Intel Pentium III Xeon processor | Socket 775 | 2500/333mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 696 GiB total, 632.03 GiB free.

D: is CDROM ()

E: is Removable

F: is Removable

G: is Removable

H: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP76: 3/22/2010 1:51:10 PM - System Checkpoint

RP77: 3/23/2010 4:17:06 PM - System Checkpoint

RP78: 3/24/2010 5:05:03 PM - System Checkpoint

RP79: 3/25/2010 5:48:57 PM - System Checkpoint

RP80: 3/26/2010 6:20:49 PM - System Checkpoint

RP81: 3/27/2010 6:26:51 PM - System Checkpoint

RP82: 3/29/2010 9:41:29 AM - System Checkpoint

RP83: 3/31/2010 11:30:43 AM - System Checkpoint

RP84: 3/31/2010 2:59:59 PM - Installed Windows Media Player 10

RP85: 3/31/2010 3:00:55 PM - Software Distribution Service 3.0

RP86: 4/1/2010 3:08:04 PM - System Checkpoint

RP87: 4/2/2010 3:00:14 AM - Software Distribution Service 3.0

RP88: 4/3/2010 3:06:59 AM - System Checkpoint

RP89: 4/4/2010 4:06:59 AM - System Checkpoint

RP90: 4/5/2010 5:06:59 AM - System Checkpoint

RP91: 4/6/2010 5:00:14 PM - System Checkpoint

RP92: 4/7/2010 5:46:38 PM - System Checkpoint

RP93: 4/8/2010 6:20:56 PM - System Checkpoint

RP94: 4/9/2010 6:27:07 PM - System Checkpoint

RP95: 4/10/2010 6:28:16 PM - System Checkpoint

RP96: 4/11/2010 7:27:07 PM - System Checkpoint

RP97: 4/12/2010 8:27:07 PM - System Checkpoint

RP98: 4/13/2010 10:57:40 AM - Installed TurboTax 2009 wctiper

RP99: 4/14/2010 11:46:05 AM - System Checkpoint

RP100: 4/14/2010 9:38:17 PM - Software Distribution Service 3.0

RP101: 4/15/2010 10:14:38 PM - System Checkpoint

RP102: 4/17/2010 4:52:36 PM - System Checkpoint

RP103: 4/18/2010 5:22:15 PM - System Checkpoint

RP104: 4/19/2010 5:40:21 PM - System Checkpoint

RP105: 4/20/2010 6:13:06 PM - System Checkpoint

RP106: 4/21/2010 6:22:54 PM - System Checkpoint

RP107: 4/22/2010 6:23:02 PM - System Checkpoint

RP108: 4/23/2010 7:23:02 PM - System Checkpoint

RP109: 4/24/2010 8:23:03 PM - System Checkpoint

RP110: 4/25/2010 9:19:06 PM - System Checkpoint

RP111: 4/26/2010 10:13:20 PM - System Checkpoint

RP112: 4/27/2010 11:13:20 PM - System Checkpoint

RP113: 4/29/2010 12:13:20 AM - System Checkpoint

RP114: 4/30/2010 1:13:20 AM - System Checkpoint

RP115: 5/1/2010 2:13:20 AM - System Checkpoint

RP116: 5/2/2010 3:13:20 AM - System Checkpoint

RP117: 5/3/2010 4:13:20 AM - System Checkpoint

RP118: 5/4/2010 4:19:24 AM - System Checkpoint

RP119: 5/5/2010 5:19:23 AM - System Checkpoint

RP120: 5/6/2010 1:22:32 PM - System Checkpoint

RP121: 5/8/2010 11:28:33 AM - System Checkpoint

RP122: 5/9/2010 12:00:38 PM - System Checkpoint

RP123: 5/10/2010 1:57:25 PM - System Checkpoint

RP124: 5/11/2010 3:30:50 PM - System Checkpoint

RP125: 5/12/2010 3:00:15 AM - Software Distribution Service 3.0

RP126: 5/13/2010 4:38:23 PM - System Checkpoint

RP127: 5/14/2010 4:41:14 PM - System Checkpoint

RP128: 5/15/2010 5:40:07 PM - System Checkpoint

RP129: 5/16/2010 6:11:39 PM - System Checkpoint

RP130: 5/18/2010 5:54:54 PM - System Checkpoint

RP131: 5/20/2010 1:23:59 PM - System Checkpoint

RP132: 5/21/2010 1:48:10 PM - System Checkpoint

RP133: 5/22/2010 9:58:20 PM - System Checkpoint

RP134: 5/23/2010 10:33:56 PM - System Checkpoint

RP135: 5/24/2010 11:19:08 PM - System Checkpoint

RP136: 5/26/2010 12:50:58 PM - System Checkpoint

RP137: 5/26/2010 6:01:22 PM - Software Distribution Service 3.0

RP138: 5/27/2010 6:25:19 PM - System Checkpoint

RP139: 5/29/2010 1:53:40 PM - System Checkpoint

RP140: 5/30/2010 2:48:46 PM - System Checkpoint

RP141: 6/1/2010 12:29:04 PM - System Checkpoint

RP142: 6/2/2010 1:33:33 PM - System Checkpoint

RP143: 6/3/2010 3:29:58 PM - System Checkpoint

RP144: 6/4/2010 3:30:19 PM - System Checkpoint

RP145: 6/5/2010 4:22:20 PM - System Checkpoint

RP146: 6/6/2010 5:08:51 PM - System Checkpoint

RP147: 6/7/2010 5:11:03 PM - System Checkpoint

RP148: 6/7/2010 9:36:03 PM - Software Distribution Service 3.0

RP149: 6/8/2010 10:10:57 PM - System Checkpoint

RP150: 6/10/2010 7:08:37 AM - System Checkpoint

RP151: 6/11/2010 7:37:46 AM - System Checkpoint

RP152: 6/11/2010 2:06:10 PM - Software Distribution Service 3.0

RP153: 6/12/2010 2:46:03 PM - System Checkpoint

RP154: 6/13/2010 3:31:45 PM - System Checkpoint

RP155: 6/14/2010 10:46:28 PM - System Checkpoint

RP156: 6/16/2010 11:11:39 AM - System Checkpoint

RP157: 6/17/2010 12:06:09 PM - System Checkpoint

RP158: 6/19/2010 10:43:03 AM - System Checkpoint

==== Installed Programs ======================

Adobe Flash Player 10 ActiveX

Adobe Flash Player 10 Plugin

Adobe Reader 7.0.8

AnswerWorks 5.0 English Runtime

Apple Application Support

Apple Mobile Device Support

Apple Software Update

Bonjour

Coupon Printer for Windows

Google Chrome

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB954550-v5)

Hotfix for Windows XP (KB961118)

Hotfix for Windows XP (KB976098-v2)

Hotfix for Windows XP (KB979306)

Hotfix for Windows XP (KB981793)

ieSpell

iTunes

Java 6 Update 17

LightScribe 1.4.44.1

Malwarebytes' Anti-Malware

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Office 2007 Service Pack 2 (SP2)

Microsoft Office Excel MUI (English) 2007

Microsoft Office Home and Student 2007

Microsoft Office OneNote MUI (English) 2007

Microsoft Office PowerPoint MUI (English) 2007

Microsoft Office Proof (English) 2007

Microsoft Office Proof (French) 2007

Microsoft Office Proof (Spanish) 2007

Microsoft Office Proofing (English) 2007

Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

Microsoft Office Shared MUI (English) 2007

Microsoft Office Shared Setup Metadata MUI (English) 2007

Microsoft Office Word MUI (English) 2007

Microsoft Software Update for Web Folders (English) 12

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

MobileMe Control Panel

MSN

Nero Suite

Norton AntiVirus

NVIDIA Drivers

OGA Notifier 2.0.0048.0

Platform

PowerDVD

QuickTime

Safari

Security Update for 2007 Microsoft Office System (KB969559)

Security Update for 2007 Microsoft Office System (KB976321)

Security Update for 2007 Microsoft Office System (KB982312)

Security Update for 2007 Microsoft Office System (KB982331)

Security Update for Microsoft Office Excel 2007 (KB982308)

Security Update for Microsoft Office InfoPath 2007 (KB979441)

Security Update for Microsoft Office PowerPoint 2007 (KB982158)

Security Update for Microsoft Office system 2007 (972581)

Security Update for Microsoft Office system 2007 (KB969613)

Security Update for Microsoft Office system 2007 (KB974234)

Security Update for Microsoft Office Visio Viewer 2007 (KB973709)

Security Update for Microsoft Office Word 2007 (KB982135)

Security Update for Windows Internet Explorer 7 (KB961260)

Security Update for Windows Internet Explorer 7 (KB974455)

Security Update for Windows Internet Explorer 8 (KB971961)

Security Update for Windows Internet Explorer 8 (KB976325)

Security Update for Windows Internet Explorer 8 (KB978207)

Security Update for Windows Internet Explorer 8 (KB981332)

Security Update for Windows Internet Explorer 8 (KB982381)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB968816)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player (KB978695)

Security Update for Windows Media Player 10 (KB936782)

Security Update for Windows Media Player 11 (KB954154)

Security Update for Windows Search 4 - KB963093

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961371-v2)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB969947)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971468)

Security Update for Windows XP (KB971486)

Security Update for Windows XP (KB971557)

Security Update for Windows XP (KB971633)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB971961)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973354)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975561)

Security Update for Windows XP (KB975562)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB976325)

Security Update for Windows XP (KB977165)

Security Update for Windows XP (KB977816)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978037)

Security Update for Windows XP (KB978251)

Security Update for Windows XP (KB978262)

Security Update for Windows XP (KB978338)

Security Update for Windows XP (KB978542)

Security Update for Windows XP (KB978601)

Security Update for Windows XP (KB978706)

Security Update for Windows XP (KB979309)

Security Update for Windows XP (KB979482)

Security Update for Windows XP (KB979559)

Security Update for Windows XP (KB979683)

Security Update for Windows XP (KB980195)

Security Update for Windows XP (KB980218)

Security Update for Windows XP (KB980232)

Spybot - Search & Destroy

Start and Run a Coffee Bar

TurboTax 2008

TurboTax 2008 WinPerFedFormset

TurboTax 2008 WinPerProgramHelp

TurboTax 2008 WinPerReleaseEngine

TurboTax 2008 WinPerTaxSupport

TurboTax 2008 WinPerUserEducation

TurboTax 2008 wohiper

TurboTax 2008 wrapper

TurboTax 2009

TurboTax 2009 wctiper

TurboTax 2009 WinPerFedFormset

TurboTax 2009 WinPerReleaseEngine

TurboTax 2009 WinPerTaxSupport

TurboTax 2009 wohiper

TurboTax 2009 wrapper

Update for 2007 Microsoft Office System (KB967642)

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Microsoft Office OneNote 2007 (KB980729)

Update for Windows Internet Explorer 8 (KB975364)

Update for Windows Internet Explorer 8 (KB976662)

Update for Windows Internet Explorer 8 (KB980182)

Update for Windows XP (KB951978)

Update for Windows XP (KB955759)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

VIA Platform Device Manager

WebFldrs XP

Windows Genuine Advantage Notifications (KB905474)

Windows Internet Explorer 8

Windows Live OneCare safety scanner

Windows Media Format 11 runtime

Windows Media Player 10

==== End Of File ===========================

And finally,

GMER log -

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-06-21 22:10:36

Windows 5.1.2600 Service Pack 3

Running: gmer.exe; Driver: C:\DOCUME~1\LARRYW~1\LOCALS~1\Temp\ugddqpog.sys

---- System - GMER 1.0.15 ----

SSDT 89A196D0 ZwAlertResumeThread

SSDT 89A1A6D0 ZwAlertThread

SSDT 88AD3900 ZwAllocateVirtualMemory

SSDT 89A116D0 ZwAssignProcessToJobObject

SSDT 8A43F888 ZwConnectPort

SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xB59F9210]

SSDT 88AC7E80 ZwCreateMutant

SSDT 88AC2228 ZwCreateSymbolicLinkObject

SSDT 898076F0 ZwCreateThread

SSDT 89A126D0 ZwDebugActiveProcess

SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xB59F9490]

SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xB59F99F0]

SSDT 88AD3B98 ZwDuplicateObject

SSDT 88AD3060 ZwFreeVirtualMemory

SSDT 89A176D0 ZwImpersonateAnonymousToken

SSDT 89A186D0 ZwImpersonateThread

SSDT 89E686D0 ZwLoadDriver

SSDT 88AD2EF0 ZwMapViewOfSection

SSDT 89A166D0 ZwOpenEvent

SSDT 88AD3E78 ZwOpenProcess

SSDT 89A206D0 ZwOpenProcessToken

SSDT 89A146D0 ZwOpenSection

SSDT 88AD3CE8 ZwOpenThread

SSDT 88AC28F8 ZwProtectVirtualMemory

SSDT 89A1B6D0 ZwResumeThread

SSDT 89A1E6D0 ZwSetContextThread

SSDT 88AD2C18 ZwSetInformationProcess

SSDT 89A136D0 ZwSetSystemInformation

SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xB59F9C40]

SSDT 89A156D0 ZwSuspendProcess

SSDT 89A1C6D0 ZwSuspendThread

SSDT 89A216D0 ZwTerminateProcess

SSDT 89A1D6D0 ZwTerminateThread

SSDT 89A1F6D0 ZwUnmapViewOfSection

SSDT 88AD34F0 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2DD0 8050466C 4 Bytes CALL A4D8F3AD

? SYMDS.SYS The system cannot find the file specified. !

? SYMEFA.SYS The system cannot find the file specified. !

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB8462360, 0x37399D, 0xE8000020]

init C:\WINDOWS\system32\drivers\monfilt.sys entry point in "init" section [0xB5C82280]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[1596] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)

Device B2A0CD20

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

Is this enough information to help get rid of Trojan.Vundo?

Why does Malwarebytes think the infected files are deleted when they are not really deleted?

Thanks,

lwharton


Hi,

Please use the Reply button while replying to make sure the previous post isn't quoted.

"Why does Malwarebytes think the infected files are deleted when they are not really deleted?"

Vundo is a sticky infection that won't die that easily. It doesn't need more than one part of it to survive to spread the infection back.

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:

  1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Remember to re-enable them afterwards.
  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt

New dds log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

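The reply above says that one surviving piece of Vundo is enough to bring the rest back, and the OP's own logs show exactly which pieces those are. As an added example (not code from this thread, from Malwarebytes or from DDS), the following Python script reads the MBAM summary from the first post and a subset of the DDS pseudo-HJT lines from the second, and ties together three facts: MBAM removed seven Run values but zero files; the Run values in the later DDS log carry different random names yet still call the same two DLLs (mlijhf.dll and jkhhhi.dll) through rundll32.exe; and jkhhhi.dll is also listed under LSA Authentication Packages, which LSASS loads at every boot, so the loader is back before any user Run key is processed. The log lines embedded below are copied from this thread; the regular expressions are my assumptions drawn from the layout visible here, not a documented MBAM or DDS format.

```python
# Triage of the MBAM and DDS log lines posted in this thread. Added example,
# not code from the thread, Malwarebytes or DDS; the regexes are assumptions
# drawn from the log layout shown above, not a documented log format.
import re

# Lines copied from the MBAM log in the first post (subset, constructed here).
MBAM_LOG = r"""
Registry Values Infected: 7
Files Infected: 0
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\khigfddrv (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fcyyvwsys (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wvvstqsys (Trojan.Vundo) -> Quarantined and deleted successfully.
"""
# Lines copied from the DDS.txt posted six days later (subset, constructed here).
DDS_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [qonnlmdrv] rundll32.exe "mlijhf.dll",s
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [mlkiifsys] rundll32.exe "jkhhhi.dll",DllRegisterServer
mRun: [rqpnmjdrv] rundll32.exe "mlijhf.dll",s
dRun: [yabxxwsys] rundll32.exe "jkhhhi.dll",DllRegisterServer
dRun: [iihigedrv] rundll32.exe "mlijhf.dll",s
LSA: Authentication Packages = msv1_0 jkhhhi.dll
2010-06-07 02:41:14 86528 ---ha-w- c:\windows\system32\jkhhhi.dll
2010-06-06 01:16:44 93696 ---ha-w- c:\windows\system32\mlijhf.dll
2010-06-06 00:44:11 140288 ----a-w- c:\windows\system32\pcre3.dll
"""

MBAM_COUNT_RE = re.compile(r'^(?P<cat>[A-Za-z ]+ Infected): (?P<n>\d+)$')
MBAM_VALUE_RE = re.compile(r'\\Run\\(?P<name>\w+) \((?P<det>[^)]+)\) -> ')
RUN_RE = re.compile(r'^[umd]Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
RUNDLL_RE = re.compile(r'rundll32\.exe\s+"?(?P<dll>[^",\s]+\.dll)"?', re.I)
LSA_RE = re.compile(r'^LSA: Authentication Packages = (?P<pkgs>.+)$')
FILE_RE = re.compile(r'^\S+ \S+ (?P<size>\d+) (?P<attr>\S+) (?P<path>.+)$')


def parse_mbam(text):
    """Return (category counts, {deleted Run value name: detection name})."""
    counts, deleted = {}, {}
    for line in text.splitlines():
        m = MBAM_COUNT_RE.match(line)
        if m:
            counts[m['cat']] = int(m['n'])
            continue
        m = MBAM_VALUE_RE.search(line)
        if m:
            deleted[m['name'].lower()] = m['det']
    return counts, deleted


def parse_dds(text):
    """Return (Run entries, created files keyed by base name, LSA packages)."""
    runs, files, lsa = [], {}, []
    for line in text.splitlines():
        m = RUN_RE.match(line)
        if m:
            runs.append((m['name'].lower(), m['cmd']))
            continue
        m = LSA_RE.match(line)
        if m:
            lsa = [p.lower() for p in m['pkgs'].split()]
            continue
        m = FILE_RE.match(line)
        if m:
            base = m['path'].rsplit('\\', 1)[-1].lower()
            files[base] = {'size': int(m['size']), 'hidden': 'h' in m['attr']}
    return runs, files, lsa


def flag_loaders(runs, files, lsa):
    """Group Run values by the DLL they hand to rundll32 and attach the evidence."""
    findings = {}
    for name, cmd in runs:
        m = RUNDLL_RE.search(cmd)
        # Keep only bare DLL names: they resolve through the DLL search path,
        # whereas vendor entries such as NvCpl.dll give a full path.
        if not m or '\\' in m['dll']:
            continue
        dll = m['dll'].lower()
        f = findings.setdefault(dll, {'run_values': [], 'on_disk': None, 'lsa': False})
        f['run_values'].append(name)
        f['on_disk'] = files.get(dll)   # size and hidden attribute from "Created Last 30"
        f['lsa'] = dll in lsa           # loaded by LSASS at boot if listed here
    return findings


def explain(counts, deleted, findings):
    """Turn the parsed facts into triage lines answering the OP's question."""
    lines = []
    if counts.get('Files Infected', 0) == 0 and counts.get('Registry Values Infected', 0):
        lines.append(f"MBAM removed {counts['Registry Values Infected']} Run values and 0 files: "
                     "the loader DLLs were never touched.")
    current = {n for f in findings.values() for n in f['run_values']}
    if deleted and not (set(deleted) & current):
        lines.append(f"None of the {len(deleted)} value names MBAM deleted survive; persistence was "
                     "re-created under fresh random names pointing at the same DLLs.")
    for dll, f in sorted(findings.items()):
        disk = (f"on disk, {f['on_disk']['size']} bytes, hidden={f['on_disk']['hidden']}"
                if f['on_disk'] else "not in the created-files list")
        lines.append(f"{dll}: run by {', '.join(f['run_values'])}; {disk}"
                     + ("; also an LSA authentication package" if f['lsa'] else ""))
    return lines


if __name__ == '__main__':
    counts, deleted = parse_mbam(MBAM_LOG)
    runs, files, lsa = parse_dds(DDS_LOG)
    for line in explain(counts, deleted, flag_loaders(runs, files, lsa)):
        print(line)
```

Running it prints four lines: the zero-files observation, the note that none of the deleted value names reappear, and one line per loader DLL showing that both are still on disk with the hidden attribute set and that jkhhhi.dll is also an LSA package. The bare-name heuristic in flag_loaders is the detection point worth keeping: legitimate Run entries almost always give a full path, so rundll32.exe with a bare DLL name is a cheap first filter when reading these logs, which is exactly the kind of item a registry-value-only cleanup leaves behind.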

Root Admin (3 weeks later):

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.

