one remaining issue re: trojan.vundo

[neda]

thank you so much in advance-- this is a great resource.

my remaining issue is that im having trouble removing one last 'trojan.vundo registry key.' i get the 'certain items could not be removed!' message and after manually restarting the computer, it still remains.

here is the log:

Malwarebytes' Anti-Malware 1.31

Database version: 1500

Windows 5.1.2600 Service Pack 3

12/14/2008 2:38:15 PM

mbam-log-2008-12-14 (14-38-15).txt

Scan type: Quick Scan

Objects scanned: 44632

Time elapsed: 4 minute(s), 27 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

[GT500]

Please run HijackThis, save a log, and copy and paste the contents of the log into a reply.

[neda]

thank you for the quick reply:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:51:20 PM, on 12/14/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\BCMSMMSG.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\msiexec.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: (no name) - {8FD1F117-72F8-47A2-AA0F-1CF51A01825D} - C:\WINDOWS\system32\qoMfcBSk.dll (file missing)

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe

O4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab

O20 - AppInit_DLLs: bcymyi.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--

End of file - 5694 bytes

[GT500]

Your system looks fairly clean. It's possible that permissions are messed up on that registry entry, or that there is a rootkit protecting it. Have you run a rootkit check?

Here are 4 things that were in your HijackThis log that can be removed. Simply put a check in the box next to each item I list, and then click the 'Fix' button.

O2 - BHO: (no name) - {8FD1F117-72F8-47A2-AA0F-1CF51A01825D} - C:\WINDOWS\system32\qoMfcBSk.dll (file missing)

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O20 - AppInit_DLLs: bcymyi.dll

[neda]

thank you-- ive made the fixes you suggested via hijackthis-- could you suggest a rootkit check program?

[GT500]

thank you-- ive made the fixes you suggested via hijackthis-- could you suggest a rootkit check program?

There are a ton of them out there, but RootKit-Unhooker has always been good. Also, GMER is preferred by many of the experts here.

Note that rootkits are not all bad. There are many good ones. Just post a log here, and let us see what it finds.

[neda]

Thanks once again for the quick response and support. Here is the GMER log:

GMER 1.0.14.14536 - http://www.gmer.net

Rootkit scan 2008-12-14 22:14:15

Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.14 ----

SSDT 822C7490 ZwConnectPort

SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xEFB86350]

SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xEFB86580]

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \FileSystem\Fastfat \Fat EE589D20

AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.14 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32@ C:\WINDOWS\system32\khfGvssR.dll

Reg HKLM\SOFTWARE\Classes\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32@ThreadingModel Both

---- EOF - GMER 1.0.14 ----

[GT500]

I think C:\WINDOWS\system32\khfGvssR.dll might be the problem. Not finding anything on Google about it at least.

If you know how to start your computer in Safe Mode, then do so, and cut and paste that file onto your desktop. Then boot back up into normal mode and upload the file to Malwarebytes UploadNET.

If anything bad happens after you restart your computer, then you can go back into Safe Mode and put the file back.

I can explain how to start your computer in Safe Mode if needed.

[neda]

Hi GT, would you mind explaining how to run in safe mode? I'm just getting my footing on all this. Many thanks.

[GT500]

You can get into Safe Mode by pressing the F8 key just as Windows starts to load. Typically this involved repeatedly tapping the F8 key right after the BIOS POST ends.

I would believe you are on a Dell, and if so you will see a blue Dell logo screen when you restart/turn on your computer. There may also be some white text in the lower left or upper left corners of the screen after that Dell logo disappears. The point at which you would start tapping that F8 key is when the screen goes black, and you have a white blinking cursor in the upper left corner of your screen. There's only a two or three second period where it will wait for the F8 key to be pressed, so don't worry if you miss it, just reboot and try again.

When you press the F8 key at the right time, the computer will (after a moment pause) display a menu. Simply use the arrow keys on your keyboard to scroll up and highlight the "Safe Mode" option, press 'Enter', and then press 'Enter' again to confirm your version of Windows. The screen will look like this:

If you get any other screen after pressing F8 (especially if it has a blue background), then simply press Ctrl+Alt+Del all at the same time to restart your computer and try again.

Once Windows is started up in Safe Mode it gives you a message about using the System Restore, and asks you if you what to continue in Safe Mode. Tell it 'Yes', because the System Restore will not help you. Also note that all of your icons will be really large, so do not worry because this is normal.

If you have any trouble using Safe Mode to find and remove the file in question, then please let me know.

[neda]

thanks GT-- got into safe mode just fine, pulled up C:\WINDOWS\system32 and cant find khfGvssR.dll. alphabetically, it should be right between keymgr.dll and kmddsp but its nowhere to be found... ideas?