Removing W32.Spybot.Worm from a Windows Vista machine. Please help.

Thanks. I will do that now. I guess I will have to connect to the internet from the infected laptop then. Will be back in a few minutes.

If you have another PC just put it onto a flash drive or CD and run/install from there. If you do have to connect just do so quickly and I don't think the risk is too high of further damage at this point. If so we'll deal with it...

One thing, right after I started running the program, I got this message: For some reason your system denied write access to the Hosts file. If any hijacked domains are in this file, HijackThis may NOT be able to fix this.

If that happens, you need to edit the file yourself. To do this, click Start, Run and type:

   notepad C://Windows/System32/drivers/etc/hosts

and press Enter. Find the line(s) HijackThis reports and delete them. Save the file as 'hosts.' (with quotes), and reboot.

For Vista, simply exist HijackThis and run as administrator (this is shortened, I closed the program before copying it).

I tried to do that but it said HiJack this was already running, even though I closed. Im restarting now to try again. Please let me know if there is anything I have to do in this case.

Thank you very much.

I got the log file. Ill upload it now.

Yes, normal message for Vista...not a problem. You can just OK it and HJT will finish running.

Ok file uploaded. I hope it gives you a good idea about what's happening.

Thanks a lot buddy. :)

This is the direct link: http://www.ee-stuff.com/Expert/Upload/getFile.php?fid=6274

Thank you very much. I dont know how to delete files in HijackThis but I will try to do it now.

Not seeing anything there...though HJT does not see everything by any means. Have you used the removal instructions at Symantec?
http://www.symantec.com/security_response/writeup.jsp?docid=2003-053013-5943-99&tabid=3

Does it give you the name of the file(s) and where it's located?

You could also try running Kaspersky online scanner. It won't fix anything but it is VERY thorough and will identify where it is. It does take a while to run but if all else fails this should find it.

http://www.kaspersky.com/virusscanner]Kaspersky Online Scanner

Make sure to do a full system scan (My Computer). Save the report at the end and upload for review.

Sorry, Kaspersky link I gave is broken. Here is correct one.

http://www.kaspersky.com/virusscanner

Run hijackthis again and put a put a check in the boxes next to what you want to delete then click FIX CHECKED near bottom left

Thank you very much guys. I am working on it now.

>""O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe""<

Good catch Firstedition0, missed that...thanks.

>""O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)""<

This is Windows Live Messenger...always shows "no file", not sure why?

Ok its great to have two experts here. :) I have already deleted the first one. Should I delete the second then or does it belong to the harmless Live Messenger?

You can leave the
>""O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)""<
as it is showing deactivated in hijackthis if you wish

Thanks again. Should I go to http://www.kaspersky.com/virusscanner and do what IndiGenious recommended now or is this unnecessary now that you found the part you asked me to remove? If I should skip that point, should I go ahead with http://www.spywareremove.com/removeDownloadWare.html?

Thank you IndiGenus and Firstedition0. I really appreciate it.

Do the scan first as IndiGenus asked after scan see if anything is left by doing the Downloadware removal instructions.
then please do a new hijackthis log and post it back here along with anythig relevent from Kaspersky scan

Ok Ill do so. Thanks.

Its still scanning. Please bear with me guys. :)

Online scans can take some time. As it is I will be away from computer for a while., (got to work at some point).

Hehe thanks. Yes me too. It is only at 10% now (was stuck at 9% for a long time and has been stuck at 10% for a while now as well, I hope that is normal). I am a bit worried because now the connection is on and I fair that the virus will exploit the system. All my personal information are there.

I could be wrong dudio but I don't think you have any backdoors or bots going on here. Unless they are well hidden with a rootkit....I wouldn't worry to much about further exploits. And yes Kaspersky can take quite a while, especially with the amount of files on a Vista machine.

Thanks IndiGenus. I really hope there is no serious security threat as you think. The program has been running for 46 minutes and only 29% has been completed. Incredibly slow and I am using a 3MB connection. I will wait for it and keep you updated. Hope that you will still be around. :)

Thanks again for your time and effort.

Ya it's not really the connection speed it's more of how many files total, and how many infections...

Might be a bit late but just thought of something. Many times these things are just in restore points. Had you tried just resetting system restore to see if that removes them? Kaspersky will also identify any there too...

No I have not. I have no idea about how that is done. The Symantec page that talks about W32.Spybot.Worm mentions something like this but it only gives the instructions for XP and ME. I have not found a single website where they teach you how to fix this in Vista and that is why I am here.

Anyway, 33% is completed so far nothing is found. I really hope Kaspersky finds everything out so that we proceed to eliminating them.

Thanks IndiGenus,

I'll cheat here on this one....Google is your friend.

Vista System Restore:
Add to instructions...after turning it off and before turning back on again, restart your computer.

http://vistasupport.mvps.org/turn_off_system_restore.htm

Thanks, I will check that link now. Kaspersky has finished the scan (last time I looked it was 49% completed, but I looked now and it is finished. Don't know why the second 50% finished so fast. I hope nothing is wrong). It says that No malware has been detected. Is that a reliable result or could they be hidden now? In any case, I will save the report and post it in a minute.

Im trying to ''Save the report as'' and it is not allowing me to save it anywhere. It says it should save it in the temporary files for security reasons. However, after I do save it and it opens the temporary files folder, I can not find it anywhere. Any advice please? Im using IE7. Thanks.

If it didn't find anything then there really isn't anything to report...

I think the results are reliable.

Try ID: 20514171 from Firstedition0 and also system restore if you haven't already. Wondering if false positive. Does Norton give you any details? File? Location?

Norton did give me details but it is not finding anything now. I will check that now and let you know. Thanks.

Both files infected were in the recycle bin. Both of them end with .exe and I have not excuted them. My recycle bin is empty now and a fast analisis does not find anything. I have also defragmented the computer yesterday to empty all unnecessary files etc. Does this anything? Keep in mind that Norton couldnt do anything to any of the two files Im finding this information now under the Unresolved problems (its in Spanish, so that I think is the English translation) in the History section.

Thanks.

Ahh! Ya if you didn't execute them then you likely were never really infected. Although having them is NOT a good thing. Just to clear up, defragging does not remove any files, only organizes. If you don't like the Windows way of doing it there are a couple of nice free tools for cleaning up temp files, recycle bin, cache, ect....

ATFCleaner: http://www.atribune.org/content/view/19/2/
CCleaner: http://www.ccleaner.com/

Both are good. I use both myself at different times, about once a week.

I hope that is the case! Anyway, I have just disabled system restore and restarted. When I checked system restore, it was on and it said that the last system restoration took place around two hours ago. Is this normal? Now after deactivating, it says point of restoration is nothing (or something similar in English, Spanish translation again). Should I turn it on now after I have restarted? Also, should Norton find the virus again if it is still there? I remember there were two alerts from Norton when I opened that rar file saying that worm (name) was blocked and that the system is safe. Thats why I made a full system check and found the viruses.

Thanks for your help IndiGenus. Im leaving to a place where there is no computer service in two days and tomorrow is a holiday so youre really saving my Christmas as my computer is very essential for me. Thanks!

You're welcome.

You should turn system restore back on, yes.

I would also recommend updating and running a full system scan with Norton just to make sure, preferably in Safe Mode as they advise on their site.

Sounds like Norton actually blocked the files from infecting your PC, but did not remove them. So I think you're OK. Wish everyone was this vigilant about these things.

Good luck and Happy Holidays!
Dave

Thanks again. :) I will do a full system scan in Safe Mode now and see what happens. If nothing is found it means no risks are there and I can use my laptop without any worries, right? I hope so.

Anyway, I will keep this opened just in case and I will report back when everything is completed. Take care buddy and Happy Holidays to you too!

One thing. I have installed SpyHunter and along with 7 pretty harmless cookies (annoying brands I know like adbrite and DoubleClick), it found a trojan called Trojan.Vundo. It explains it in the following way:

Vundo is a trojan downloader which may secretly install itself on your PC via browser exploits and other security holes. Once it is active on your computer, Vundo will download and display large number of popup adverts. In addition, this parasite may download and install additional obtrusive adware programs. This trojan can be extremely difficult to remove manually, and may cause serious system instability and PC slowdowns.

How can I remove that? SpyHunter wont allow me to remove it before registering and buying a copy. Is it worth it to buy a copy and remove it this way or should I remove it using another method? Hope you can help. Thanks.

I have not used Spy Hunter. Is is not on the rogue list but I honestly would not trust it and would certainly never pay for it myself. There are much better trusted apps like SpySweeper and Spyware Doctor.

Vundo is a nasty trojan that needs special tools to remove. Even the other programs I mentioned won't remove it. You need a special tool like Vundofix or even better now Combofix. And these should be run with an experts help.

You can post another HJT log for us look at. Vundo will show in there (or it will hide 02 and 020 entries which will indicate it's presence) ...  Vundo will cause severe system slow down, pop ups (even when not using IE), and redirects. Are you experiencing any of these?

Just found a review on Spy Hunter here. Not good...

http://www.download.com/SpyHunter/3000-2144_4-10671093.html

Thanks again. No, Im not experiencing any slow downs, pop ups, or anything alike. Im experiencing nothing weird at all. Ill make a HJT log now and post it.

So even if I get Combofix I wouldnt be able to fix it myself?

Here is the newest Hijackthis log. Please take a look and let me know what has to be done if you can. Thanks. :)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:45:07, on 21/12/2007
Platform: Windows Vista  (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Normal
 
Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Windows\system32\conime.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
C:\Program Files\Enigma Software Group\SpyHunter\SHService.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\Leyre\Desktop\HiJackThis.exe
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=ES_ES&c=73&bd=Pavilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=ES_ES&c=73&bd=Pavilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=ES_ES&c=73&bd=Pavilion&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O2 - BHO: Aplicación auxiliar de vínculos de Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SHStartup.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'Servicio de red')
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Enviar a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &Enviar a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix: 
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Servicio del iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Programador de LiveUpdate automático - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: SpyHunter3 Service - Enigma Software Group, Inc. - C:\Program Files\Enigma Software Group\SpyHunter\SHService.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
 
--
End of file - 12807 bytes
                                              

1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:
14:
15:
16:
17:
18:
19:
20:
21:
22:
23:
24:
25:
26:
27:
28:
29:
30:
31:
32:
33:
34:
35:
36:
37:
38:
39:
40:
41:
42:
43:
44:
45:
46:
47:
48:
49:
50:
51:
52:
53:
54:
55:
56:
57:
58:
59:
60:
61:
62:
63:
64:
65:
66:
67:
68:
69:
70:
71:
72:
73:
74:
75:
76:
77:
78:
79:
80:
81:
82:
83:
84:
85:
86:
87:
88:
89:
90:
91:
92:
93:
94:
95:
96:
97:
98:
99:
100:
101:
102:
103:
104:
105:
106:
107:
108:
109:
110:
111:
112:
113:
114:
115:
116:
117:
118:
119:
120:
121:
122:
123:
124:
125:
126:
127:
128:
129:
130:
131:
132:
133:
134:
135:
136:
137:
138:
139:
140:
141:
142:
143:
144:
145:
146:
147:
148:
149:
150:
151:
152:
153:
154:
155:
156:
157:
158:
159:
160:
161:
162:
163:
164:
165:

I will be away for around three hours. I hope you will be around then. Thanks a lot.

I'm not seeing any Vundo there. Does Spy Hunter give you any info. regarding the infection? File? Location? ect.....

At this point I would not trust Spy Hunter. I plan on running some tests later with it on a freshly installed OS I have. If you had Vundo you would know it....it renders PC's pretty much useless.

C:\Windows\system32\wininit.exe

The above looks like a nasty file, you might like to check that one out --> http://virusscan.jotti.org/
http://www.bleepingcomputer.com/startups/wininit.exe-14276.html

""C:\Windows\system32\wininit.exe""

Yes, definitely check...I thought it was OK on Vista though??? Not sure...

C:\Windows\system32\wininit.exe

Hijackthis shows above as Vista related - Starts essential Windows processes
So should be safe.

Hi again everybody,

Thanks again for your time and willingness to help. Here is the ''Infection Details'' provided by SpyHunter regarding the trojan:

Item name    Object name    Type                 Location
igfxcui         Trojan.Vundo   Registry Key    HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\N...    It does not expand it and I found no why to find out the remaining part of the Trojan's location.

On the other hand, is wininit.exe good or bad now? Should I do anything about it? If I should, what do I have to do?

Thank you very much everybody. Looking forward to your valuable help.

Yes, wininit.exe could very well belong to Vista, I don't have Vista that's why I suggested to check that file out, since in XP it's flagged as bad.

I also don't trust any automated analyzers, that's why I was curious of the legitimacy of that file, :)

I went to the source of wininit and the creation and modification date is similar to most of the other files there (Novemeber 2nd 2006). Just wanted to include that just in case.

Ok thanks rpggamegirl. :) I posted my last post before reading yours. Do you still think I should check it with the online scanner you recommended or is it unnecessary now?

winlogon\notify key is ignored in Vista so you don't need to worry about it if that's where the vundo is.

Some scanners might be able to show the whole winlogon\notify key.
In Vista hijackthis can take care of the vundo infection usually, if the entries are showing by merely fixing the relevant entries.

But since winlogon\notify key is ignored in Vista, there is no harm even if vundo uses that key. Though it is good to remove it if you can.


I've googled and saw some Vista users with that file...so it looks like that's a legit file...
But if I may ask.... please check it out if it's not too much trouble......that would then help me decide... for future reference.

>>I went to the source of wininit and the creation and modification date is similar to most of the other files there (Novemeber 2nd 2006). Just wanted to include that just in case.<<

sorry didn't see your post.......well, it looks like it's legit then, thanks!

Thanks YOU :) So there is currently nothing to worry about? Can you please recommend a good scanner to make sure everything is Ok now and try to remove the Trojan? I meanwhile will make a full scan with Norton Security Center in the Safe Mode and will post back the results here. Is there anyway this virus can ''hide'' from Norton? And finally, if everything is ok now, what is the best (or combination of) software I should use to protect my PC. Any tips and help would be great.

Thanks again. I REALLY appreciate it.

>""Item name    Object name    Type                 Location
igfxcui         Trojan.Vundo   Registry Key    HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\N...""<

igfxcui is part of an Intel Graphics Controller....Why Spy Hunter flags this as bad is beyond me. I would scrap it and go for a proven legit AS program. Here are a couple of good free/trial ones.

AVG: http://downloads.grisoft.cz/softw/70/filedir/inst/avgas-setup-7.5.1.43.exe
SuperAntiSpyware: http://www.superantispyware.com/superantispywarefreevspro.html

Thanks IndiGenus. I will uninstall it and try the ones you mentioned. Ill post back the results when Im finished.

Ooops..didn't see InDiGenus post sorry....  please ignore repeated suggestions.

Thanks rpggamergirl :). I almost never use IE but I will take a look at AVG as both you and IG recommended it. Thanks again.

Here is an update: I have scanned the whole system with AVG Anti-Spyware and have found 15 objects and 31 traces (using AVG's terminology). I am starting to feel better and worry less as he last two different program scans have not found W32.Spybot.Worm. Fourteen out of the fifteen objects found are cookies that I recognise (except of one named ''TrackingCookie.2o7'' and another named ''TrackingCookie.Atdmt''). The remaining object is named ''Adware.RogueSuspect''. All the objects have a risk rating of medium.

I can not find any way to remove or repair the infected files in AVG Anti-Spyware. Please advice in what has to be done now. Should these files be deleted? Do you need to know the locations? How can I delete them? Are these results accurate and should I not worry about any serious risk at this point?

Looking forward to your valuable advice. Thanks again. I really appreciate it.

Cookies are totally harmless...

In AVG make sure to set up to quarantine files..

Before scanning....
Click on the Settings tab.
      * Under How to act? - make sure that Quarantine is selected.

When the scan has finished, follow the instructions below:
      * Make sure that Set all elements to: shows Quarantine
.................

Thanks IG. Ill follow the steps and rescan. Im also scanning the system with Super anti spyware now to confirm the results and see if the system is clean now. Im sorry to repeat the question, but is it safe to assume that there is no major risk now? Are the results obtained by AVG accurate? Should I not worry about a spybot worm anymore or should I keep looking? If I have to keep looking, what tools should I use? Thanks again.

Thanks a lot Dave. SUPERAntiSpyware has been scanning for 42 minutes and it has so far detected 22 items. The threat description there is ''Adware.Tracking Cookie''. Ill see what happens when it finishes and report back.

Thanks again.

Cookies, as I said before, are harmless. You can use either the Windows cleanup utilities or ATFCleaner and/or CCleaner to remove them also without having to run spyware tools.

Thank you. I will do that.