Oddthought Forums > Techie Section
Thread: Malware problems
#11
23rd August 2008, 03:04 AM
Red Dragon (Tech Mod)
You mean we should start charging? lol
#12
23rd August 2008, 03:09 AM
steff (SofS Game Admin/Moderator)
He means I occasionally PM him after forgetting to install drivers
#13
23rd August 2008, 03:22 AM
Dymond (Bad Ass Tech Boss)
Quote (Originally Posted by Red Dragon):
You mean we should start charging? lol
LOL definitely!
#14
23rd August 2008, 03:43 AM
steff (SofS Game Admin/Moderator)
The problem is back lol...

Deleted them all and here is the log.
Attached: mbam-log-8-23-2008 (02-48-11).txt (2.4 KB)
#15
23rd August 2008, 04:15 AM
Red Dragon (Tech Mod)
Combofix
  • Download Combofix to your desktop. Don't run it yet!
  • Right click Avira in your system tray and uncheck enable system guard
  • Right click Comodo and disable that as well
  • Double click combofix.exe & follow the prompts.
  • A window will open with a warning.
  • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool so please do NOT do anything without instruction

Combofix will automatically save the log file to C:\combofix.txt

After it is complete and the log is open turn your firewall and real time protection back on
#16
23rd August 2008, 05:28 AM
steff (SofS Game Admin/Moderator)
Done. I had to split it in 2 due to the gay upload rules.
Attached: ComboFix.txt (14.6 KB), ComboFix2.txt (8.0 KB)
#17
23rd August 2008, 05:54 AM
Red Dragon (Tech Mod)
Download and Install SDFix
  • Download SDFix and save it to your Desktop.
  • Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Run SDFix
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  • Attach Report.txt back here
Last edited by Red Dragon; 23rd August 2008 at 06:01 AM.
#18
23rd August 2008, 06:05 AM
steff (SofS Game Admin/Moderator)
Should I go into "Steven" or "Administrator"? I'll do it later though... 5am... bedtime.
#19
23rd August 2008, 06:13 AM
Red Dragon (Tech Mod)
Go under your normal account
#20
23rd August 2008, 09:42 AM
XXX (Secret Agent)
We got it too...

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aldd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SysUpd
Presence of the mutex 'SysUpdIsRunningMutex'.
Technical Information
Win32/Vundo is a multiple-component family of programs that deliver 'out of context' pop-up advertisements. They may also download and execute arbitrary files.
Vundo is often distributed as a DLL file and installed on an affected machine as a Browser Helper Object (BHO) without a user's consent. This family uses advanced defensive and stealth techniques to escape detection and to hinder removal.

Please see our detailed Win32/Vundo family analysis elsewhere in this encyclopedia for additional information.
Steps
Take the following steps to help prevent infection on your system:
  • Enable a firewall on your computer.
  • Get the latest computer updates.
  • Use up-to-date antivirus software.
  • Use caution with attachments and file transfers.

Enable a firewall on your computer
Use a third-party firewall product or turn on the Microsoft Windows XP Internet Connection Firewall.
To turn on the Internet Connection Firewall in Windows XP:
  • Click Start, and click Control Panel.
  • Click Network and Internet Connections. If you do not see Network and Internet Connections, click Switch to Category View.
  • Click Change Windows Firewall Settings.
  • Select On.
  • Click OK.
To turn on the Windows Firewall in Windows Vista:
  • Click Start, and click Control Panel.
  • Click Security.
  • Click Turn Windows Firewall on or off.
  • Select On.
  • Click OK.

Get the latest computer updates
Updates help protect your computer from viruses, worms, and other threats as they are discovered. You can use the Automatic Updates feature in Windows XP to automatically download future Microsoft security updates while your computer is on and connected to the Internet.
To turn on Automatic Updates in Windows XP:
  • Click Start, and click Control Panel.
  • Click System.
  • Click Automatic Updates.
  • Select a setting. Microsoft recommends selecting Automatic. If you do not choose Automatic, but you choose to be notified when updates are ready, a notification balloon appears when new downloads are available to install. Click the notification balloon to review and install the updates.

Use up-to-date antivirus software
Most antivirus software can detect and prevent infection by known malicious software. To help protect you from infection, you should always run antivirus software that is updated with the latest signature files. Antivirus software is available from several sources. For more information, see Windows Vista Antivirus Software - Windows Live OneCare - Microsoft.

Use caution with attachments and file transfers
Exercise caution with e-mail and attachments received from unknown sources, or received unexpectedly from known sources. Use extreme caution when accepting file transfers from known or unknown sources.

Recovery Steps
Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as the Microsoft online scanner (Windows Live OneCare). For more information, see Windows Vista Antivirus Software - Windows Live OneCare - Microsoft.


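As an added, read-only check that is not code from the thread or from Microsoft's write-up: the PowerShell below looks for the Win32/Vundo indicators XXX pasted above (the aldd and SysUpd registry keys and the SysUpdIsRunningMutex mutex) and lists every registered Browser Helper Object with its DLL and Authenticode status, since Vundo installs itself as a BHO. It assumes the standard Browser Helper Objects registry path and an elevated session; the key list is built only from what the post names.

```powershell
# Added example for this thread, not code from the post or from Microsoft. Read-only: it reports
# the Win32/Vundo indicators quoted above (the aldd/SysUpd registry keys and the
# SysUpdIsRunningMutex mutex) and lists every registered Browser Helper Object with its DLL
# and Authenticode status. Run in an elevated PowerShell on the suspect machine.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Registry keys named in the post (list built from the thread; extend with your scanner's log).
$suspectKeys = @(
    'HKLM:\SOFTWARE\Microsoft\aldd',
    'HKLM:\SOFTWARE\Microsoft\SysUpd'
)
foreach ($key in $suspectKeys) {
    if (Test-Path -LiteralPath $key) { $findings.Add("registry key present: $key") }
}

# 2. The mutex. OpenExisting succeeds only while a running process holds the name, so a hit means
#    the component is active now, not just left on disk. Named objects without a prefix live in the
#    current session's namespace, so the Global\ form is checked as well.
foreach ($name in @('SysUpdIsRunningMutex', 'Global\SysUpdIsRunningMutex')) {
    try {
        $m = [System.Threading.Mutex]::OpenExisting($name)
        $m.Dispose()
        $findings.Add("mutex present: $name (component is running)")
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        # not found in this namespace; nothing to report
    } catch [System.UnauthorizedAccessException] {
        $findings.Add("mutex exists but could not be opened: $name")
    }
}

# 3. Vundo installs as a BHO, so resolve every BHO CLSID to its InprocServer32 DLL. An unsigned DLL
#    with a random-looking name in System32 is the one to examine first.
$bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path -LiteralPath $bhoRoot) {
    foreach ($bho in Get-ChildItem -LiteralPath $bhoRoot) {
        $clsid  = $bho.PSChildName
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll    = if (Test-Path -LiteralPath $server) { (Get-ItemProperty -LiteralPath $server).'(default)' } else { $null }
        $status = if ($dll -and (Test-Path -LiteralPath $dll)) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'n/a' }
        $findings.Add("BHO $clsid -> $dll [signature: $status]")
    }
}

if ($findings.Count -eq 0) { 'No Vundo indicators from the post were found.' } else { $findings }
```

The script only reads; compare any BHO it lists against the CLSIDs in your scanner log before removing anything, and leave removal to the tools the thread already walks through.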
All times are GMT +1. The time now is 02:55 AM.

