I've been trying for days (and in some cases weeks) to clean this system. Along with Vundo H I've also had the follwing files showing up with MBAM unable to remove them:
C:\WINDOWS\system32\drivers\mrxdavv.sys
C:\WINDOWS\system32\kwave.sys
Here's the HJT log.....thanks so much in advance for the help.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:57:36 PM, on 12/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Ad-Aware\aawservice.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\a-squared\a2service.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HijackThis\HijackThis.exe
O2 - BHO: (no name) - {9b48c7ad-37b5-45d5-95c3-86245d2f32d4} - C:\WINDOWS\system32\yemavema.dll (file missing)
O2 - BHO: (no name) - {AC34A03C-9F6B-4710-BA1B-A1B62F4FEA89} - C:\WINDOWS\system32\geBrsqrP.dll (file missing)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [vetemikolu] Rundll32.exe "C:\WINDOWS\system32\pubegadi.dll",s
O4 - HKUS\S-1-5-19\..\Run: [vetemikolu] Rundll32.exe "C:\WINDOWS\system32\pubegadi.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [vetemikolu] Rundll32.exe "C:\WINDOWS\system32\pubegadi.dll",s (User 'NETWORK SERVICE')
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {E1E73B44-2D20-47A9-9CA2-B534CEBBF856} (F-Secure Health Check 1.0) - http://support.f-secure.com/enu/home/onlin.../fshc/fscax.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\medemovo.dll c:\windows\system32\jivazona.dll
O20 - Winlogon Notify: acpiz - acpiz.dll (file missing)
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared\a2service.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
--
End of file - 3252 bytes
Full Version: Need help removing vundo and possibly others
Quick update, after almost getting infected twice with that antivirus worm I ran MWB again and it seems any trace of vundo is gone however thse are still showing up:
C:\WINDOWS\system32\drivers\mrxdavv.sys (Rootkit.Agent.H)
C:\WINDOWS\system32\kwave.sys (Trojan.Agent)
Here's the latest HJT log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:30:35 PM, on 12/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Ad-Aware\aawservice.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\a-squared\a2service.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HijackThis\HijackThis.exe
O2 - BHO: (no name) - {AC34A03C-9F6B-4710-BA1B-A1B62F4FEA89} - C:\WINDOWS\system32\geBrsqrP.dll (file missing)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {E1E73B44-2D20-47A9-9CA2-B534CEBBF856} (F-Secure Health Check 1.0) - http://support.f-secure.com/enu/home/onlin.../fshc/fscax.cab
O20 - AppInit_DLLs: c:\windows\system32\jivazona.dll
O20 - Winlogon Notify: acpiz - acpiz.dll (file missing)
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared\a2service.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
--
End of file - 2797 bytes
Thanks
C:\WINDOWS\system32\drivers\mrxdavv.sys (Rootkit.Agent.H)
C:\WINDOWS\system32\kwave.sys (Trojan.Agent)
Here's the latest HJT log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:30:35 PM, on 12/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Ad-Aware\aawservice.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\a-squared\a2service.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HijackThis\HijackThis.exe
O2 - BHO: (no name) - {AC34A03C-9F6B-4710-BA1B-A1B62F4FEA89} - C:\WINDOWS\system32\geBrsqrP.dll (file missing)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {E1E73B44-2D20-47A9-9CA2-B534CEBBF856} (F-Secure Health Check 1.0) - http://support.f-secure.com/enu/home/onlin.../fshc/fscax.cab
O20 - AppInit_DLLs: c:\windows\system32\jivazona.dll
O20 - Winlogon Notify: acpiz - acpiz.dll (file missing)
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared\a2service.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
--
End of file - 2797 bytes
Thanks
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.