Man do I hate this thing with too many popups and general malware. Got infected on Friday. Took some steps:
1) Turned off System Restore
2) Ran AVG and Ad-Aware multiple times --> Quarantine and Delete
3) Checked msconfig for suspicious startup, found one called getmodule32
Anyways this new strand of Vundo won't die so easily and has evolved so I need your help. Here's my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:31:37 PM, on 12/29/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\twain_32\DELL\MFP1125\Monitor\Stsmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis1.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\Program Files\MozyPro\mozyprostat.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\EmagineNET QuickCheck\QuickCheck.exe
C:\Program Files\Western Union\Universal-Release\Translink.exe
C:\Program Files\QuickPay\agent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MozyPro\mozyprobackup.exe
C:\Documents and Settings\quick money\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=2080215
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=2080215
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;https://www.retailcheck.com;http://...http://www.csbec.com;http://support.dell.com; http://www.dell.com; https://www.westernunionreporting.c...ler.pocket.com;http://pocketdealer.pocket.com
O2 - BHO: globaladsolution browser enhancer - {0DBFCAE6-C2A4-A1FB-4078-33DDDADFB21D} - C:\WINDOWS\system32\wnamgfjausttpg.dll
O2 - BHO: (no name) - {3281a0f2-2e3e-4584-afff-640bce33a6e4} - C:\WINDOWS\system32\tefiyuvu.dll (file missing)
O2 - BHO: (no name) - {48E44073-0334-4A1D-9717-6C38ECD98A92} - C:\WINDOWS\system32\vtUMeedA.dll
O2 - BHO: (no name) - {53289A8F-0A59-49BC-AAEC-52911243238C} - C:\WINDOWS\system32\ddcyxwXq.dll (file missing)
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\jkkHXQHy.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: GrandBar IE Helper - {84BA8988-33E1-4c89-A150-BF428E8D3213} - C:\Program Files\GrandPack\GrandPack2.dll (file missing)
O2 - BHO: globaladsolution - {88dca131-2699-c032-9083-281c2add1634} - C:\WINDOWS\system32\nszE1D.dll
O2 - BHO: {d3b7c673-1fc6-246a-eb54-dcc636b556ee} - {ee655b63-6ccd-45be-a642-6cf1376c7b3d} - C:\WINDOWS\system32\qvcxyr.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [MFPMonitor] C:\WINDOWS\twain_32\DELL\MFP1125\Monitor\Stsmon.exe
O4 - HKLM\..\Run: [CardScanAgent] "C:\Program Files\CardScan\CardScan\CardScanAgent.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [pdfFactory Dispatcher v1] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis1.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [mneofaprdjw] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\wnamgfjausttpg.dll"
O4 - HKLM\..\Run: [b075b944] rundll32.exe "C:\WINDOWS\system32\lomahara.dll",b
O4 - HKLM\..\Run: [ziriyevoho] Rundll32.exe "C:\WINDOWS\system32\vumehito.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\quick money\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [GetModule32] C:\Program Files\GetModule\GetModule32.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: MozyPro Status.lnk = C:\Program Files\MozyPro\mozyprostat.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: ,C:\WINDOWS\system32\gopafusa.dll qvcxyr.dll
O20 - Winlogon Notify: jkkHXQHy - C:\WINDOWS\SYSTEM32\jkkHXQHy.dll
O20 - Winlogon Notify: nnnlifDT - nnnlifDT.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: MozyPro Backup Service (mozyprobackup) - Unknown owner - C:\Program Files\MozyPro\mozyprobackup.exe
O23 - Service: OracleMTSRecoveryService - Unknown owner - C:\oraclexe\app\oracle\product\10.2.0\server\bin\omtsreco.exe (file missing)
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 10707 bytes
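A HijackThis log is a list of autostart and browser-extension points (O2 browser helper objects, O4 Run keys, O20 AppInit_DLLs and Winlogon Notify packages, O23 services), one per line, and most of the work of reading one is sorting the entries that belong to installed products from the ones that exist only to reload a DLL at boot. The script below is an added example written for this thread, not HijackThis code and not part of the original post. It parses that line format and applies a few triage heuristics of my own (the rules, severities and function names are all assumptions, not HijackThis's own classification): an entry marked "(file missing)" is a stale registration, a Run entry whose whole job is to call rundll32 or regsvr32 on a DLL under system32 is a loader stub, a non-empty AppInit_DLLs value or a non-default Winlogon Notify package is a high-priority persistence point, and a BHO with no name or with its DLL in system32 instead of a product directory deserves a look. The sample input is a handful of lines copied from the log above, plus a couple of clean entries for contrast.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the HijackThis log posted above, with two
# known-good entries (Java BHO, AVG Run key) kept in so the heuristics have
# something to leave alone. Not a complete log.
SAMPLE_LOG = r"""
O2 - BHO: globaladsolution browser enhancer - {0DBFCAE6-C2A4-A1FB-4078-33DDDADFB21D} - C:\WINDOWS\system32\wnamgfjausttpg.dll
O2 - BHO: (no name) - {3281a0f2-2e3e-4584-afff-640bce33a6e4} - C:\WINDOWS\system32\tefiyuvu.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [mneofaprdjw] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\wnamgfjausttpg.dll"
O4 - HKLM\..\Run: [b075b944] rundll32.exe "C:\WINDOWS\system32\lomahara.dll",b
O4 - HKCU\..\Run: [GetModule32] C:\Program Files\GetModule\GetModule32.exe
O20 - AppInit_DLLs: ,C:\WINDOWS\system32\gopafusa.dll qvcxyr.dll
O20 - Winlogon Notify: jkkHXQHy - C:\WINDOWS\SYSTEM32\jkkHXQHy.dll
O20 - Winlogon Notify: nnnlifDT - nnnlifDT.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
"""

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}

# "O4 - <body>": section code, then the section-specific body.
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d+)\s+-\s+(?P<body>.*)$")
# O2 body: "BHO: <name> - {<clsid>} - <dll path> [(file missing)]"
BHO_RE = re.compile(r"^BHO:\s+(?P<name>.*?)\s+-\s+\{(?P<clsid>[0-9A-Fa-f-]+)\}\s+-\s+(?P<path>.*)$")
# O4 body: "<hive>\..\Run: [<value name>] <command line>"
RUN_RE = re.compile(r"^(?P<hive>.*?)\\\.\.\\Run:\s+\[(?P<name>[^\]]*)\]\s+(?P<cmd>.*)$")
# A command line that is just rundll32/regsvr32 pointed at a DLL (flags allowed in between).
LOADER_RE = re.compile(r'(?:rundll32|regsvr32)(?:\.exe)?\s+(?:/\S+\s+)*"?(?P<dll>[^",]+\.dll)', re.I)


@dataclass
class Finding:
    code: str
    line: str
    severity: str
    reasons: list


def triage_line(raw):
    """Apply the heuristics to one log line; return a Finding or None if nothing fired."""
    m = LINE_RE.match(raw.strip())
    if not m:
        return None  # header, process list, or blank line
    code, body = m.group("code"), m.group("body")
    reasons = []
    if "(file missing)" in body:
        reasons.append(("low", "stale registration: the file it points to is gone"))
    if code == "O2":
        b = BHO_RE.match(body)
        if b:
            if b.group("name") == "(no name)":
                reasons.append(("medium", "BHO registered without a name"))
            if "\\system32\\" in b.group("path").lower():
                reasons.append(("medium", "BHO DLL lives in system32 instead of a product directory"))
    elif code == "O4":
        r = RUN_RE.match(body)
        if r:
            l = LOADER_RE.search(r.group("cmd"))
            if l:
                sev = "high" if "\\system32\\" in l.group("dll").lower() else "medium"
                reasons.append((sev, f"Run entry exists only to load {l.group('dll')} via rundll32/regsvr32"))
    elif code == "O20":
        if body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
            reasons.append(("high", "AppInit_DLLs is non-empty: listed DLLs load into every process that uses user32.dll"))
        elif body.startswith("Winlogon Notify:"):
            reasons.append(("high", "non-default Winlogon notification package, loaded by winlogon.exe at logon"))
    if not reasons:
        return None
    severity = max((s for s, _ in reasons), key=SEVERITY_RANK.__getitem__)
    return Finding(code, raw.strip(), severity, [why for _, why in reasons])


def triage_log(text):
    """Flagged entries for a whole log, highest severity first."""
    findings = [f for f in (triage_line(line) for line in text.splitlines()) if f]
    findings.sort(key=lambda f: -SEVERITY_RANK[f.severity])
    return findings


def severity_counts(text):
    counts = {}
    for f in triage_log(text):
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.line}")
        for why in f.reasons:
            print(f"          - {why}")
```

Run against the sample, the loader stubs (mneofaprdjw, b075b944), the AppInit_DLLs value and both Winlogon Notify entries come out high, and the two system32 BHOs come out medium, while the Java BHO, the AVG Run key and the Ad-Aware service are left alone. Note what the heuristics miss: the GetModule32 entry the original poster spotted in msconfig passes cleanly because it lives in its own Program Files directory, so output like this is a starting point for a human read of the log, not a verdict.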
I think I had that a while back. I found a thread on some website with a real good step by step removal process involving all kinds of useful tools and apps, but I can't remember where it was. I have the tools and apps saved, but I can't find the thread. Anyways, here's the list of stuff I found in a PCsecurity folder I created sometime back: Vundofix.exe, smitfraudfix, superantispyware, ccleaner. Look for those things and you might find a forum where people can walk you step by step to solving your problem.
I ran that malware stuff and it did the trick. If you don't remove it properly Vundo will reappear renamed as another file.
These are the best instructions that I was able to find to help with this problem: http://forums.spybot.info/showthread.php?t=32835
My mother-in-law had it. It was very very VERY difficult to remove. I used malwarebytes and Spybot Search and Destroy to remove most of it, but even they couldn't get rid of some protected registry entries and protected files. To remove the protected registry entries, I created and booted off of a BartPE boot disk, and was able to edit the registry. Then, to remove the protected files, I removed their hard drive, added it as a secondary drive to my personal computer, removed the files, and replaced the hard drive in her machine. And, after all that, Vundo was gone and it passes all scans for malware, spyware, adware, and virii. But it's running very sluggish and slow. I'm going to have to wipe it and reinstall everything from scratch. So..... I feel your pain.
I was in support for a long time. And this is THE hardest virus to remove today. I would give step-by-step instructions, except there are no step-by-step instructions. You could write a book on the removal of Vundo and still not encompass all the methods that work for one variety/mutation and don't for others. This virus changes and moves around like you wouldn't believe, even more so when you're trying to kill it. I never found one method that was a guaranteed fix other than formatting the hard drive. Seriously... back up whatever you really want to save and reformat. Best way to go at it. And I'm not at all a proponent of reformatting, normally.
I would recommend downloading and running SuperAntispyware, Malwarebytes, CCleaner in that order. They're all free and make sure you do a full scan for each and reboot after running each one. CCleaner will keep those pesky 'missing dll' prompts from popping up after removing a virus.
I have it and it still reappears, but just get malwarebytes and use the protection and auto updates/scans, and you shouldn't be getting any popups or any of that crap slowing down your computer.
At my job we have users that are getting it and when we use all three that I mentioned, it completely removes it. It beats having to reformat.