Help! Nothing can remove Vundo spyware


Doc

Hi,

My computer is infected with what I believe is a new version of
Vundo. Although MS AntiSpyware detects it, it cannot
remove it. I've tried Norton, AdAware, Spybot
Search&Destroy, and a couple of other programs, but to no
avail.

I sought help from www.atribune.org, but the method
suggested didn't do the trick.

I would greatly appreciate any help regarding this.

Doc
 

AndyManchesta

Hey Doc

This is a beast :) I'll need to see a Hijack This log
first to find out what the Trojan files are called, then
we can try some tools to remove them.

Download Hijack This

http://www.spywareinfo.com/~merijn/files/hijackthis.zip

Save it to Desktop or C: drive, extract and run.

Choose to run a system scan and save the logfile. When
it's finished it will open the results in Notepad. Can you
copy and paste them back either on here or to my email?

Thanks Andy
 

Doc

Hey Andy,

I already ran a HijackThis as well as trying to fix the
problem with vundokill (I did all this after trying and
failing with various other software, including MS
AntiSpyware). Later I scanned the system with ActiveScan
of Panda Software. Below are the logs from both
HijackThis and ActiveScan, as well as the vundofix.txt
file generated by vundokill.

I really appreciate the quick reply and the help.

Thanks,

Doc

HIJACKTHIS LOG
Logfile of HijackThis v1.99.1
Scan saved at 1:03:17 PM, on 24/09/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cmd.exe
C:\HJT\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\geeba.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [ControlCenter] "C:\Program Files\ThinkVantage Fingerprint Software\ctlcntr.exe" /startup
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [TPKBDLED] C:\WINDOWS\system32\TpScrLk.exe
O4 - HKLM\..\Run: [ISS_Certtool] C:\Program Files\IBM\Security\certtool.exe
O4 - HKLM\..\Run: [IBM_PWMGR] C:\Program Files\IBM\Password Manager\pwmgr.exe
O4 - HKLM\..\Run: [QCTRAY] C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQ\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQ\ICQLite.exe
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\ThinkPad\PkgMgr\\PkgMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1126636037203
O16 - DPF: {76E5AF9D-2B3E-4FEB-A31F-A9E63A27FA29} (IASRunner Class) - https://www.ibm.com/pc/support/access/aslibmain/content/AcpIR.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: geeba - C:\WINDOWS\system32\geeba.dll (file missing)
O20 - Winlogon Notify: psfus - C:\Program Files\ThinkVantage Fingerprint Software\psfus.dll
O20 - Winlogon Notify: QConGina - C:\WINDOWS\SYSTEM32\QConGina.dll
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM User Verification Manager - IBM - C:\Program Files\IBM\Security\uvmserv.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: SMBus Upgrade Service for Windows 2000 and above (ibmsmbus) - International Business Machines Corp. - C:\WINDOWS\System32\ibmsmbus.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - Lenovo - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: IBM HDD APS Logging Service (TPHDEXLGSVC) - IBM Corporation - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: Protector Suite Virtual Token (vtserver) - UPEK Inc. - C:\Program Files\Common Files\Virtual Token\vtserver.exe


ACTIVESCAN LOG

Incident                      Status            Location
Spyware:Spyware/Virtumonde    No disinfected    C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP36\A0004916.dll
Spyware:Spyware/Virtumonde    No disinfected    C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP42\A0005540.dll


VUNDOFIX.TXT

Command Line Process Viewer/Killer/Suspender for Windows
NT/2000/XP V2.03
Copyright(C) 2002-2003 (e-mail address removed)
Suspending PID 188 'smss.exe'
Threads [192][196][200]

Command Line Process Viewer/Killer/Suspender for Windows
NT/2000/XP V2.03
Copyright(C) 2002-2003 (e-mail address removed)
Killing PID 864 'explorer.exe'
Killing PID 864 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows
NT/2000/XP V2.03
Copyright(C) 2002-2003 (e-mail address removed)
Error, Cannot find a process with an image name of
rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows
NT/2000/XP V2.03
Copyright(C) 2002-2003 (e-mail address removed)
Killing PID 260 'winlogon.exe'
Killing PID 260 'winlogon.exe'
File Deleted sucessfully.
Files Deleted sucessfully.
 

AndyManchesta

Hi Again Doc

Sorry I didn't realize you had replied, I just noticed
the email you sent :)

Let's leave VundoFix off the list as it looks like it's
done its job and we just need to clean up.

Copy this to notepad and save it as you will need to be
in safe mode for most of this,


Download Ewido & Ccleaner

Ewido

http://www.ewido.net/en/download/

When installing, under "Additional Options"
uncheck "Install background guard" and "Install scan via
context menu".
When it opens Click on update in the left menu, then
click the Start update button.
After the update finishes, exit from ewido as it should
be run in safe mode.

Ccleaner

http://www.ccleaner.com/ccdownload.asp

Install and then exit


Reboot into safe mode (Reboot and keep tapping F8 then
choose safe mode from the list )


Open Ewido and click on the Scanner button in the left
menu, then click on complete system scan.
When ewido finds something, it will pop up a
notification.
Select "clean" and check the boxes "Perform action with
all infections" and "Create encrypted backup" before
clicking on ok.
When the scan finishes, click on "Save Report" and save
it to your desktop.


Run Hijack This, Choose to run a system scan and place a
check next to these entries :


O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\geeba.dll (file missing)

O20 - Winlogon Notify: geeba - C:\WINDOWS\system32\geeba.dll (file missing)


Close All open Browser Windows except Hijack This and
press "Fix Checked"


Exit Hijack This


Run Ccleaner and press "Run cleaner" also use
the "Issues" Button and repair any problems


Then reboot back into Normal Mode



Clear System Restore, First Create a New Restore Point


Go to Start Menu > Run > and copy & paste this in


%SystemRoot%\System32\restore\rstrui.exe


Press Enter, choose Create a restore point and Next,
name it and press Create


Next clear the infected Restore Points

Go to Start Menu > Run and type


cleanmgr


Press Enter, go to the "More Options" tab and press Clean
up in the System Restore area to remove all the restore
points except the one we just created


That should then be fixed but if you have any problems
post a new Hijack This log and the Ewido Scan Log

Regards

Andy
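As an added example (not from the thread, and not a tool either poster used), here is a small Python triage script for HijackThis logs that applies the check Andy made by eye: a DLL that appears both as an O2 BHO and as an O20 Winlogon Notify handler, or that HijackThis marks as (file missing), is flagged for a second look. The sample log is constructed from entries in Doc's log above and assumes one entry per line, as HijackThis writes it.

```python
import re
from collections import defaultdict

# Constructed sample built from entries in Doc's log above (not the full log).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\geeba.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O20 - Winlogon Notify: geeba - C:\WINDOWS\system32\geeba.dll (file missing)
O20 - Winlogon Notify: psfus - C:\Program Files\ThinkVantage Fingerprint Software\psfus.dll
"""

# Matches O2 (BHO) and O20 (Winlogon Notify) lines; O2 carries a CLSID, O20 does not.
ENTRY_RE = re.compile(
    r"^(?P<kind>O2|O20) - (?:BHO|Winlogon Notify): (?P<name>.*?) - "
    r"(?:\{(?P<clsid>[0-9A-Fa-f-]+)\} - )?(?P<path>.*?\.dll)"
    r"(?P<missing> \(file missing\))?\s*$"
)


def parse_entries(log_text):
    """Return one dict per O2/O20 entry; every other line type is ignored."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append({"kind": m["kind"], "name": m["name"], "clsid": m["clsid"],
                            "path": m["path"], "missing": m["missing"] is not None})
    return entries


def suspicious_dlls(log_text):
    """Group entries by DLL path (case-insensitive) and flag the two patterns
    seen in this thread. Returns {lowercased path: [reasons]}."""
    by_path = defaultdict(list)
    for entry in parse_entries(log_text):
        by_path[entry["path"].lower()].append(entry)
    findings = {}
    for path, entries in by_path.items():
        reasons = []
        if {e["kind"] for e in entries} == {"O2", "O20"}:
            # Vundo registers its DLL as an IE BHO and as a Winlogon Notify handler,
            # so it is loaded at logon even when no browser is running.
            reasons.append("same DLL loaded as BHO and Winlogon Notify handler")
        if any(e["missing"] for e in entries):
            # The file is gone but its registry entries remain: leftovers to fix.
            reasons.append("registry still points at a DLL that is missing on disk")
        if reasons:
            findings[path] = reasons
    return findings
```

Legitimate Winlogon Notify DLLs such as psfus.dll and QConGina.dll above are not flagged, since they are neither BHOs nor missing; the script narrows the list, it does not replace a look at what each flagged entry is.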
 

Doc

Hi Andy,

Problem resolved! At least nothing malicious was found by
either ewido security suite or ActiveScan.

I carried out the steps you had listed, with one
exception being the "Fix Checked" part in the Hijack This
bit. I had already carried out that procedure before I
had posted my initial message, when I ran the VundoKill
software I got through Atribune.com. Anyway, because I
had run it before, the entries you had mentioned did not
appear in the Hijack This list.

About the source of Vundo: I think I got it through the
DivX6.0 player/codec I downloaded through cnet -
download.com. The pop-ups relating to this problem
started appearing right after that.

Two further requests of info:
1. How do I prevent my computer from getting stuff like
this? How do I make sure that stuff I download can be
checked for such spyware before being installed? I
already have Norton and MS AntiSpyware running. What else
do I need?
2. Do you mind if I post your resolution to a couple of
places (of course I'll mention your name), since I've
seen quite a bit of people dealing with the same problem?

Anyway, thanks a lot. It's really great to be able to get
support like this.

Cheers,

Doc
 

AndyManchesta

Hey Doc

No Problem

I've emailed you about the questions you asked and given
links to some alternative programs to prevent re-infection.

All the best

Andy
 
