pmilllok
asked on
Have vundo virus and various other malware.
Followed your instruction in previous post and have logs for Combofix and hijack this. Rebooted after running both and pc seemed fine for about 5 min, then started behaving as it did prior to running removal tools. As stated in other post, must be files that need to be deleted, but from logs I cannot tell which ones they are. Can you please HELP?!
ASKER CERTIFIED SOLUTION
VundoFix is the tool specifically for Vundo infections, but that CLSID seems new, so I would go for ComboFix.
Use combofix and upload the log at EE-Stuff.com for us to look at.
Canned for combofix:
Download ComboFix to your Desktop, from either of these locations:
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Double click "combofix.exe" and follow the prompts.
When finished, it shall produce a log for you.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Oops, so you already have the ComboFix log?
Can you upload it at EE-Stuff.com please? I just checked there and there are no uploaded logs for this question.
At the moment, the use of ComboFix is not recommended until further notice from its developer.
Do you still have the log from the last time you ran it? Can you paste it here then?
Based on the HijackThis log, you need to remove this file --> C:\WINDOWS\SYSTEM32\mwepykwy.dll
It's hooked via the Winlogon\Notify key, so it's harder to remove, especially in normal mode.
Please download The Avenger by Swandog46 to your Desktop.
http://swandog46.geekstogo.com/avenger.zip
*Click on Avenger.zip to open the file
*Extract avenger.exe to your desktop
Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy, then paste the following text (all text inside the lines below):
--------------------------
Files to delete:
C:\WINDOWS\SYSTEM32\mwepykwy.dll
Registry keys to delete:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mwepykwy
--------------------------
Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.
Post the Avenger output.txt, which you can find at C:\Avenger\.txt, when you're done.
You might also like to run this scanner, Dr.Web CureIt. Download and install it; it's also free and works well.
http://www.freedrweb.com/
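The reply above identifies the Winlogon\Notify package from the O20 line of the posted HijackThis log and hands it to Avenger. The following script is an added example for this thread, not a tool from the original post: it triages a saved HijackThis log offline, flags the O20 Winlogon Notify entries (unknown package, or DLL reported "(file missing)"), plus the O4 rundll32-from-system32 Run entries and "(no name)" O2 BHOs that a Vundo cleanup reviews next, and builds the two Avenger sections used above for the O20 findings. The known-good Notify list and the "8 hex characters" heuristic are assumptions; the sample lines are constructed (placeholder CLSIDs, made-up "qwertyui.dll" and "8f3e2a1c"), except for the two Winlogon Notify names taken from this thread's log.

```python
"""Triage a HijackThis log for Vundo-style persistence entries.

Added example for this thread, not a tool from the original post.  Run it
offline on a saved HijackThis log (or the constructed SAMPLE_LOG below).
KNOWN_GOOD_NOTIFY and the hex-name heuristic are assumptions for this example.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass

# Winlogon\Notify packages normally present on Windows XP / common OEM software.
# ASSUMPTION: a starting allow-list for this example, not an authoritative one.
KNOWN_GOOD_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "scardsvr", "schedule", "sclgntfy",
    "seniologon", "termsrv", "wlballoon", "wgalogon", "igfxcui", "atiextevent",
}
NOTIFY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

RE_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
RE_O4 = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
RE_O2 = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
RE_RUNDLL_SYS32 = re.compile(r'rundll32(?:\.exe)?\b.*system32\\[^\\"]+\.dll', re.I)


@dataclass
class Finding:
    section: str   # HijackThis section tag: O2, O4 or O20
    name: str      # Notify package / Run value name / BHO CLSID
    reason: str
    line: str      # the original log line, kept for the removal script


def triage(log_text: str) -> list[Finding]:
    """Return the suspicious entries of a HijackThis log, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := RE_O20.match(line):
            name, path = m["name"], m["path"]
            if "(file missing)" in path:
                findings.append(Finding("O20", name, "Winlogon Notify DLL is gone; stale key to delete", line))
            elif name.lower() not in KNOWN_GOOD_NOTIFY:
                findings.append(Finding("O20", name, "Winlogon Notify package not on the known-good list", line))
        elif m := RE_O4.match(line):
            if RE_RUNDLL_SYS32.search(m["cmd"]):
                reason = "rundll32 loads a DLL from system32 at logon"
                if re.fullmatch(r"[0-9a-f]{8}", m["name"], re.I):
                    reason += "; random hex value name"
                findings.append(Finding("O4", m["name"], reason, line))
        elif (m := RE_O2.match(line)) and m["name"] == "(no name)":
            findings.append(Finding("O2", m["clsid"], "BHO with no name", line))
    return findings


def avenger_script(findings: list[Finding]) -> str:
    """Build the two Avenger sections used in this thread for the O20 findings.
    O4/O2 findings are only reported; they need a manual look before deletion."""
    files, keys = [], []
    for f in findings:
        if f.section != "O20":
            continue
        keys.append(f"{NOTIFY_KEY}\\{f.name}")
        path = RE_O20.match(f.line)["path"]
        if "(file missing)" not in path:
            files.append(path)
    out: list[str] = []
    if files:
        out += ["Files to delete:", *files]
    if keys:
        out += ["Registry keys to delete:", *keys]
    return "\n".join(out)


# Constructed sample in HijackThis format.  CLSIDs are placeholders and
# "qwertyui.dll" / "8f3e2a1c" are made up; "mwepykwy" and "wvurspo" are the
# Winlogon Notify names from the log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000002} - C:\WINDOWS\system32\qwertyui.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [8f3e2a1c] rundll32.exe "C:\WINDOWS\system32\qwertyui.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: mwepykwy - C:\WINDOWS\SYSTEM32\mwepykwy.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wvurspo - wvurspo.dll (file missing)
"""

if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    found = triage(text)
    for f in found:
        print(f"[{f.section}] {f.name}: {f.reason}\n    {f.line}")
    print("\n--- Avenger script for the O20 findings ---")
    print(avenger_script(found))
```

Usage: `python triage_hjt.py hijackthis.log`. The allow-list is deliberately short; a legitimate OEM Notify package it does not know will be flagged, which is the safe direction for this kind of review, and any "(file missing)" entry only yields a registry key, never a file line.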
I can offer a manual fix to the issue. Unfortunately VundoFix rarely worked for my cases, since the DLL files it was searching for were never the same.
Step 1: go to the registry and search for the keys:
-a- HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify – look for anything that shouldn't be there (random-character DLL files)
-b- HKLM\System\ControlSet001\Control\LSA – the key: Authentication Packages should only have: msv1_0
-c- HKLM\System\ControlSet003\Control\LSA – the key: Authentication Packages should only have: msv1_0
OR go to Internet Options-->Programs tab and Manage Add-ons. Look for crazy-looking DLL files here; if you're unsure, just Google them and see if anything legit pulls up.
Step 2: load into a WinPE environment (BartPE - I won't go into detail here, just Google it)
-delete the DLL files you found in Step 1
Step 3: reboot, clean the registry up. Delete the entry for the DLL in Step 1 -a-; edit the registry entries for both -b- & -c-.
-search the registry for the DLLs once more and delete the corresponding add-on entry
-check Internet Options-->Programs tab-->Manage Add-ons to make sure the DLL entries are gone
So far, this manual process has worked for me on 3 straight infections (with different clients :)
pmillok,
How's it going?
ComboFix is okay to use again; the tool's been updated. After you delete the file with Avenger, you can run ComboFix and we'll see if there are other nasties still present.
ASKER
Logfile of HijackThis v1.99.1
Scan saved at 5:53:07 PM, on 11/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.e
C:\WINDOWS\system32\winlog
C:\WINDOWS\system32\servic
C:\WINDOWS\system32\lsass.
C:\WINDOWS\system32\Ati2ev
C:\WINDOWS\system32\svchos
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchos
C:\WINDOWS\system32\spools
C:\WINDOWS\system32\Ati2ev
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\Avsyn
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Kaiser\VPN Client\cvpnd.exe
C:\WINDOWS\eHome\ehRecvr.e
C:\WINDOWS\eHome\ehSched.e
C:\Program Files\Spotmau WinCares 2007\FolderProtectService.
C:\Program Files\Spotmau WinCares 2007\FolderProtect.exe
C:\WINDOWS\system32\inetsr
C:\Program Files\Common Files\Network Associates\McShield\Mcshie
C:\WINDOWS\System32\snmp.e
C:\Program Files\Network Associates\VirusScan\VsSta
C:\Program Files\Network Associates\VirusScan\Vshwi
C:\WINDOWS\system32\svchos
C:\WINDOWS\system32\dllhos
C:\Program Files\Network Associates\VirusScan\Avcon
C:\Program Files\Network Associates\VirusScan\Websc
C:\Program Files\Synaptics\SynTP\SynT
C:\Program Files\Synaptics\SynTP\SynT
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\svchos
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Java\jre1.6.0_03\bin
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\ScanSoft\OmniPageSE4
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\rundll
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon
C:\PROGRA~1\Nero\NEROPH~1\
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\HPQ\SHARED\HPQWMI.ex
C:\WINDOWS\system32\wuaucl
C:\Program Files\Internet Explorer\iexplore.exe
C:\virus\hijackthis\Hijack
R1 - HKCU\Software\Microsoft\In
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-7
O2 - BHO: Invisible Secrets Toolbar Helper - {116ED3AC-491C-4527-9798-4
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-6
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0
O3 - Toolbar: Invisible Secrets Toolbar - {7208F84C-CAE7-4817-B96A-6
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-4
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynT
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynT
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "c:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCu
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgd
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [f0c2c39c] rundll32.exe "C:\WINDOWS\system32\tvcov
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon
O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] C:\PROGRA~1\Nero\NEROPH~1\
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Ad
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - Global Startup: Kaiser VPN Client.lnk = C:\Program Files\Kaiser\VPN Client\ipsecdialer.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClien
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClien
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClien
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClien
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClien
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClien
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClien
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClien
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.h
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-0
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-0
O9 - Extra button: SmartWhois - {FD9DE2B4-C926-4460-81C4-F
O9 - Extra button: (no name) - {FF983118-58C7-4AD4-B5A7-6
O9 - Extra 'Tools' menuitem: SmartWhois - {FF983118-58C7-4AD4-B5A7-6
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C
O16 - DPF: {49232000-16E4-426C-A231-6
O16 - DPF: {6414512B-B978-451D-A0D8-F
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E
O20 - Winlogon Notify: mwepykwy - C:\WINDOWS\SYSTEM32\mwepyk
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O20 - Winlogon Notify: wvurspo - wvurspo.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2ev
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsyn
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Kaiser\VPN Client\cvpnd.exe
O23 - Service: FolderProtectService - Unknown owner - C:\Program Files\Spotmau WinCares 2007\FolderProtectService.
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.ex
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshie