TechSpot

Antispyware, combofix, and HJT logs for review

By wvlax21
Jul 31, 2007
  1. If someone could review these, that would be great. I have been receiving messages saying I had the lo1 vundo infected in my computer. I completed all the preliminary steps recommended to clean my computer. Any more help is greatly appreciated.
     
  2. wvlax21

    wvlax21 TS Rookie Topic Starter

    still getting different vundo virus messages...can anyone help me out?
     
  3. momok

    momok TS Rookie Posts: 2,265

    Hi,

    I apologize for the wait.

    Very Important: Malware infections can possibly lead to identity theft, stolen bank funds, misuse of credit card information etc. Therefore I strongly encourage you to please read this thread HERE before deciding what course of action to take regarding your infection.

    Should you decide to clean your system, then please do the following.

    I noticed that your AVG log displays 'No Action Taken' for all the files detected.
    I require you to run AVG again and quarantine the files. Pictorial instructions HERE.

    You may wish to copy and paste these instructions on notepad for easier reference later.

    Download the attached "CFScript.txt" (from my attachment) and save it to the same folder as Combofix.

    Boot into safe mode under your normal user name. See how HERE
    Next turn on "Show all files and folders, including hidden and system". See how HERE

    1. Please run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

      O2 - BHO: (no name) - {BF285875-5D0E-481E-B703-99ABBF7D6873} - C:\WINDOWS\system32\gebcb.dll (file missing)
      O4 - HKLM\..\RunServices: [cdpnpvvw] C:\WINDOWS\system32\cdpnpvvw.exe
      O4 - HKLM\..\RunServices: [olxhs] C:\WINDOWS\system32\olxhs.exe
      O4 - HKLM\..\RunServices: [ouhuznvdz] C:\WINDOWS\system32\ouhuznvdz.exe

      O4 - HKLM\..\RunServices: [tmcxqizpv] C:\WINDOWS\system32\tmcxqizpv.exe
      O4 - HKLM\..\RunServices: [cfsjnj] C:\WINDOWS\system32\cfsjnj.exe
      O4 - HKLM\..\RunServices: [rpjiqgl] C:\WINDOWS\system32\rpjiqgl.exe
      O4 - HKLM\..\RunServices: [ryff] C:\WINDOWS\system32\ryff.exe

      O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
      O16 - DPF: {FDDCE9FF-1FC6-413C-80B1-37B101FDA1D4} - http://download.buddylinks.net/ShellInstaller.cab

      Close HJT.

    2. Referring to the image below, drag the CFScript.txt that you downloaded earlier over on to Combofix.exe and release.

      [image: CFScript.txt being dragged onto Combofix.exe]

      This will ask Combofix to execute the instructions within my file. Let Combofix run normally and do its job. Attach the resultant log in your reply.

    3. Reboot into normal mode and rehide your protected OS files.

    Thereafter, please post fresh HJT, ComboFix and AVG Antispyware logs from normal mode as attachments into this thread.


    Regards,
    Your friendly momok =)

    This thread is for the use of wvlax21 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     


  4. wvlax21

    wvlax21 TS Rookie Topic Starter

    sorry about screwing up the AVG log. I'll do the other recommended steps now. Thanks for your help.
     
  5. wvlax21

    wvlax21 TS Rookie Topic Starter

    alright I have attached the following:
    1) New AVG Anti-Spyware log
    2) New Combofix logs from both safe mode and normal mode
    3) New HJT log from normal mode
     
  6. kitty500cat

    kitty500cat TS Evangelist Posts: 2,154   +6

    Hello and welcome to TechSpot.

    Step 1: Go into Add or Remove Programs in your Control Panel and uninstall anything having to do with Compaq Advisor or PartyPoker.

    Step 2: Follow momok's CFScript instructions above, only use the script attached to my post here. Attach the resultant log in your next reply.

    Step 3: Please navigate to www.virustotal.com.

    Click the Choose... button.

    Navigate to the following file:

    C:\Cpqs\Scom\srmclean.exe

    Click Open. Then click Send File.

    Wait until it's done scanning, then copy and paste the results into a Notepad file and save it on your computer.

    Attach the VirusTotal log file in your next reply, along with the log resulting from the CFScript, and a fresh HijackThis log.

    Regards :)

    This thread is for the use of wvlax21 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
     
  7. wvlax21

    wvlax21 TS Rookie Topic Starter

    I have attached my combofix log after dragging and dropping the CFScript as shown in Momok's instructions...I will now follow the rest of your steps...

    I have completed the rest of your steps and attached the Virustotal log along with a fresh HJT log
     
  8. wvlax21

    wvlax21 TS Rookie Topic Starter

    oh and I went through my add/remove programs list and didn't find anything that had to do with party poker
     
  9. wvlax21

    wvlax21 TS Rookie Topic Starter

    any more pointers?
     
  10. tomrca

    tomrca TS Rookie Posts: 1,000

    unnecessary entries and can be fixed:

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

    if you don't know these sites, fix them:

    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab

    O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://ipgweb.cce.hp.com/bus-nacons/caller/SysQuery.cab

    this should be fixed if it's nothing to do with your internet provider or pc maker:

    O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir 2.dll?s=consumerfav&c=2c02&lc=0409

    if you are happy with your pc's performance, empty quarantine folders of recent use, do a defrag etc switch off system restore reboot, switch on SR and create new restore point
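The two lists of HijackThis entries in this thread (momok's fix list and tomrca's "file missing" / unknown-site list) are triaged by hand. As an added example that is not part of this thread and not code from the HijackThis project, the script below parses HJT-style O2/O4/O9/O16 lines and applies the same three defender-side checks the helpers applied: orphaned entries whose file is missing, RunServices autostarts (which legitimate software almost never uses on XP), and ActiveX downloads from hosts the user does not recognise. The sample log is constructed from lines quoted in the thread plus one benign ctfmon line, and the TRUSTED_DPF_HOSTS allow-list is an assumed placeholder the user would fill in with their PC maker's or update servers.

```python
import re
from urllib.parse import urlsplit

# Constructed sample log: entries quoted in this thread plus one benign O4 line.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {BF285875-5D0E-481E-B703-99ABBF7D6873} - C:\\WINDOWS\\system32\\gebcb.dll (file missing)
O4 - HKLM\\..\\RunServices: [cdpnpvvw] C:\\WINDOWS\\system32\\cdpnpvvw.exe
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\\Program Files\\Messenger\\msmsgs.exe (file missing)
O16 - DPF: {FDDCE9FF-1FC6-413C-80B1-37B101FDA1D4} - http://download.buddylinks.net/ShellInstaller.cab
"""

# Assumed allow-list: ActiveX download hosts the user knowingly installed from
# (e.g. the PC maker's support site). Anything else is flagged for review.
TRUSTED_DPF_HOSTS = {"ipgweb.cce.hp.com"}

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
FILE_MISSING = "(file missing)"


def parse_hjt_line(line):
    """Split one HJT log line into its section, name, path/URL and flags.

    Returns None for lines that are not HJT entries.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    entry = {"section": section, "raw": line.strip(),
             "file_missing": body.endswith(FILE_MISSING)}
    if entry["file_missing"]:
        body = body[: -len(FILE_MISSING)].strip()

    if section == "O4":
        # O4 - HKLM\..\RunServices: [valuename] C:\path\file.exe
        m4 = re.match(r"^(.*?): \[(.*?)\] (.*)$", body)
        if m4:
            entry["key"], entry["name"], entry["path"] = m4.groups()
    elif section in ("O2", "O9"):
        # O2 - BHO: name - {CLSID} - C:\path\file.dll
        parts = body.rsplit(" - ", 2)
        if len(parts) == 3:
            entry["name"], entry["clsid"], entry["path"] = parts
    elif section == "O16":
        # O16 - DPF: {CLSID} (Class name) - http://host/file.cab
        m16 = re.match(r"^DPF: (\{[^}]+\})(?: \(([^)]*)\))? - (.*)$", body)
        if m16:
            entry["clsid"], entry["name"], entry["url"] = m16.groups()
            entry["host"] = urlsplit(entry["url"]).hostname
    return entry


def triage(entry):
    """Return the reasons an entry deserves attention; an empty list means leave it."""
    reasons = []
    if entry["file_missing"]:
        reasons.append("orphaned: registry entry points at a file that no longer exists")
    if entry["section"] == "O4" and entry.get("key", "").endswith("RunServices"):
        reasons.append("RunServices autostart: rarely used by legitimate software, review the executable")
    if entry["section"] == "O16" and entry.get("host") not in TRUSTED_DPF_HOSTS:
        reasons.append(f"ActiveX download from unrecognised host {entry.get('host')}")
    return reasons


def triage_log(text):
    """Return [(raw_line, reasons), ...] for every entry that was flagged."""
    flagged = []
    for line in text.splitlines():
        entry = parse_hjt_line(line)
        if entry is None:
            continue
        reasons = triage(entry)
        if reasons:
            flagged.append((entry["raw"], reasons))
    return flagged


if __name__ == "__main__":
    for raw, reasons in triage_log(SAMPLE_LOG):
        print(raw)
        for r in reasons:
            print("    ->", r)
```

Run against the constructed sample, four of the five lines are flagged and the benign HKLM\..\Run entry for ctfmon.exe is left alone. The checks are deliberately conservative: an orphaned entry is safe to remove because nothing is loaded from it any more, while a RunServices entry or an unknown ActiveX host is a prompt to inspect the file, not a verdict.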
     
  11. wvlax21

    wvlax21 TS Rookie Topic Starter

    thanks for all your help
     
  12. kitty500cat

    kitty500cat TS Evangelist Posts: 2,154   +6

    Thanks for your post Tom. I've been busy this weekend.

    wvlax21, did you uninstall Compaq Advisor? You need to do that as per my above post.

    Then go to Start > Run, and type in "cmd". Press Enter.

    When the black window appears, type in (or copy and paste) the following:

    net stop msCMTSrvc

    Press Enter. Once it's done with that, type in the following:

    sc config "msCMTSrvc" start= disabled

    Press Enter. Once it's finished, close the window.

    Then post a fresh HJT log.

    Regards :)

    This thread is for the use of wvlax21 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
     
  13. wvlax21

    wvlax21 TS Rookie Topic Starter

    kitty500cat,

    I did uninstall compaq advisor....will finish the rest of your instructions tomorrow
     
  14. wvlax21

    wvlax21 TS Rookie Topic Starter

    when I typed in the initial "net stop msCMTSrvc" I would receive a message saying "the content monitoring tool is not started"

    here is a fresh HJT log...
     
  15. kitty500cat

    kitty500cat TS Evangelist Posts: 2,154   +6

    Everything looks good now.

    Delete all files in AVG Anti-Spyware Quarantine folder (located in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Quarantine).

    Turn off system restore. See how HERE.
    This will remove all your system restore points, including any malware hiding in them.

    After that turn system restore back on.
    This will create a new, clean restore point for your system.

    Often, an infection can occur again not due to the incompetence of programs, but because of user habits.
    May I recommend you to read this article. This can help to prevent future infections.

    Should you have further virus/spyware problems, please post in this thread.

    Regards :)

    This thread is for the use of wvlax21 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
     
  16. wvlax21

    wvlax21 TS Rookie Topic Starter

    Thanks for being patient with me. I appreciate all your help.
     