Hi guys,
I've seen this problem around but wanted a machine specific solution. I believe I have the Vundo virus, but could be wrong. I have the following anti-virus running but none can detect/remove:
Spybot
Prevx
Ad-aware
Clamwin
Avast!
When I install/open Malwarebytes I get the following error:
Runtime error!
Program: C:\Program Files\Malwarebytes' Anti Malware\mbam.exe
Hijack this log is as follows:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:28:33 PM, on 20/07/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Prevx\prevx.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Prevx\prevx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SLClient.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Venturi Client\Client\ventc.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Venturi Client\squid\ventcsquid.exe
C:\Program Files\Venturi Client\squid\ventcdnsserver.exe
C:\Program Files\Venturi Client\squid\ventcdnsserver.exe
C:\Program Files\Venturi Client\squid\ventcdnsserver.exe
C:\Program Files\Venturi Client\squid\ventcdnsserver.exe
C:\Program Files\Venturi Client\squid\ventcdnsserver.exe
C:\Program Files\Venturi Client\squid\ventcunlinkd.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet.railcorp.nsw.gov.au
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://83.149.115.146/info.png?cmp=fkfrt&a...=1&ver=4057
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
O2 - BHO: (no name) - {3653759c-f2f5-4cb9-b615-9128e5acddb4} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\JavaSoft\JRE\1.3.1_08\bin\npjava131_08.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\JavaSoft\JRE\1.3.1_08\bin\npjava131_08.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O10 - Unknown file in Winsock LSP: vwlsp.dll
O10 - Unknown file in Winsock LSP: vwlsp.dll
O10 - Unknown file in Winsock LSP: vwlsp.dll
O10 - Unknown file in Winsock LSP: vwlsp.dll
O14 - IERESET.INF: START_PAGE_URL=http://intranet.railcorp.nsw.gov.au
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O16 - DPF: {5e2a3510-4371-11d6-b64c-00c04faedb18} (Oracle JInitiator 1.1.8.18) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1197889198515
O20 - Winlogon Notify: crypt - C:\WINDOWS\
O23 - Service: Apple Mobile Device (apple mobile device) - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Background Intelligent Transfer Service (bits) - Unknown owner - C:\WINDOWS\
O23 - Service: Windows Network Data Management System Service (bndmss) - Unknown owner - C:\WINDOWS\system32\bndmss.exe (file missing)
O23 - Service: Bonjour Service (bonjour service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CSIScanner (csiscanner) - Prevx - C:\Program Files\Prevx\prevx.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (idrivert) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (ipod service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: McAfee Framework Service (mcafeeframework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: ScriptLogic Service (slclient) - ScriptLogic Corporation - C:\WINDOWS\SYSTEM32\SLClient.exe
O23 - Service: Venturi Client (venturiclient) - Venturi Wireless - C:\Program Files\Venturi Client\Client\ventc.exe
--
End of file - 7755 bytes
YOUR HELP IS MUCH APPRECIATED!!
#1
Posted 20 July 2009 - 09:40 AM
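The log above is the kind of thing a helper eyeballs for entries that do not fit: a browser proxy on localhost, a ShellNext URL on a bare IP, a Winlogon Notify entry and a BITS service whose "path" is just C:\WINDOWS\ with an unknown owner. This added Python script (not the poster's, nor a HijackThis tool) applies those same checks to a constructed subset of the posted log lines, with two benign lines kept as controls; the heuristics and their wording are this example's own.

```python
import re
from urllib.parse import urlparse

# Sample entries copied from the HijackThis log posted above (constructed subset, two benign controls).
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet.railcorp.nsw.gov.au
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://83.149.115.146/info.png?cmp=fkfrt
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
O2 - BHO: (no name) - {3653759c-f2f5-4cb9-b615-9128e5acddb4} - (no file)
O20 - Winlogon Notify: crypt - C:\WINDOWS\
O23 - Service: Background Intelligent Transfer Service (bits) - Unknown owner - C:\WINDOWS\
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def triage_line(line):
    """Return (reason, line) findings for one HijackThis entry; [] if nothing stands out."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    kind, body = m.groups()
    reasons = []
    # Entry still registered but its file is gone: a leftover worth cleaning up.
    if "(no file)" in body or "(file missing)" in body:
        reasons.append("orphaned entry (file missing)")
    if kind.startswith("R") or kind == "O14":
        # Browser/start-page URLs whose host is a bare IPv4 address.
        for url in re.findall(r"https?://\S+", body):
            host = urlparse(url).hostname or ""
            if IPV4_RE.match(host):
                reasons.append(f"URL points at bare IP {host}")
        # A proxy on localhost means a local process sits between the browser and the network.
        if "ProxyServer" in body and re.search(r"localhost|127\.0\.0\.1", body):
            reasons.append("browser proxy set to a local port")
    if kind in ("O20", "O23"):
        # Winlogon Notify / service entries whose 'path' is only a directory.
        if body.rsplit(" - ", 1)[-1].strip().endswith("\\"):
            reasons.append("path is a bare directory, no executable")
        if kind == "O23" and "Unknown owner" in body:
            reasons.append("service with unknown owner")
    return [(r, line.strip()) for r in reasons]

def triage_log(text):
    """Run triage over every line of a log; findings come back in file order."""
    return [f for line in text.splitlines() for f in triage_line(line)]

if __name__ == "__main__":
    for reason, line in triage_log(SAMPLE_LOG):
        print(f"[{reason}] {line}")
```

Flagged entries are review candidates, not verdicts: an orphaned BHO is usually harmless residue, while a directory-only path on a Winlogon Notify entry or a core service is worth checking against the registry by hand.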
#2
Posted 21 July 2009 - 02:14 AM
Hi all,
further update: I managed to get malwarebytes going using the hotfix. Removed some 15 pieces of spyware/malware (including Vundo as suspected). Only remaining issue is turning back on system restore and automatic updates. When I attempt to do so in "services.msc" I get an "Access is Denied" message. Think this may be because the Trojans altered some paths/permissions in the registry. Reluctant to regedit. Will combofix or vundofix help? Please advise if you need to see updated logs.
Thanks!
#3
Posted 21 July 2009 - 02:53 AM
#4
Posted 22 July 2009 - 03:13 AM
TeMerc, on Jul 21 2009, 03:53 AM, said:
Please do not run any tools unless specifically told to do so by one of our trained specialists.
Someone will be along as soon as possible, please be patient.
Hi, I've managed to solve the issue by fixing the corrupted wuauserv and BITS keys in my registry. Automatic updates back up and running. You can delete this thread if you wish.
#5
Posted 22 July 2009 - 03:48 AM
That's great, glad it was resolved, we can now close this topic