Inactive Google redirect - Trojan.Vundo .log/.txt attached

Status
Not open for further replies.

BeachJoshua

I can't get rid of the Trojan.Vundo, which I believe is what's redirecting my google searches, the log files are attached.

Thanks!
 

Attachments
  • Attach.txt (17.8 KB)
  • DDS.txt (14.3 KB)
  • GMER.txt (24.8 KB)
  • mbam-log-2010-05-18 (19-29-15).txt (1.8 KB)
Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure you re-enable your security programs when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!


Download HijackThis:
http://free.antivirus.com/hijackthis/
by clicking on Installer under Version 2.0.4
Install, and run it.
Post HijackThis log.
Do NOT attempt to fix anything!

NOTE. If you're using Vista, or 7, right click on HijackThis, and click Run as Administrator
 
Okay, I've changed over to my laptop and the ComboFix window is just sitting not doing anything, and it says "combofix is preparing to run"

What do I do?
 
Stop Combofix.
Delete your Combofix file. Download fresh one, but rename combofix.exe to broni.com BEFORE saving it to the desktop.
Do NOT run it yet.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

* Rkill.com
* Rkill.scr
* Rkill.pif
* Rkill.exe


* Double-click on the Rkill desktop icon to run the tool.
* If using Vista or Windows 7, right-click on it and choose Run As Administrator.
* A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
* If not, delete the file, then download and use the one provided in Link 2.
* If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
* Do not reboot until instructed.
* If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run then try to immediately run broni.com
 
Still doing the same thing, but I'm in safe mode; might that have anything to do with it? And I have to be in safe mode, or my comp INSTANTLY locks up.
 
Download the MBR Rootkit Detector: http://www2.gmer.net/mbr/mbr.exe to your desktop.

* Double-click mbr.exe and follow prompts (Vista users: right click on mbr.exe and click "Run As Administrator").
* A black DOS window will quickly appear then disappear.
* When mbr.exe is finished it will create a log on your desktop.
* Copy and paste contents of that log (mbr.log) file to your next reply.
 
Download OTL to your Desktop.

* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
* Under the Custom Scan box paste this in:


netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
/md5stop
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
CREATERESTOREPOINT


* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
* When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
* Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
Now this one's even better: it immediately says "OTL has stopped working windows is checking for a solution to the problem."
 
Let's see if we can look at your computer booting from an external source.

You will need a USB flash drive to move information from the bad computer to a working computer.

You need to download two programs.

First

ISO Burner: this will allow you to burn the REATOGO-X-PE ISO to a CD and make it bootable. Just install the program; from there on it's fairly automatic (Instructions)

Second

  • Download OTLPE.iso and burn to a CD using ISO Burner. NOTE: This file is 270.3 MB in size so it may take some time to download.
  • When downloaded, double-click it and this will then open ISOBurner to burn the file to CD
  • Reboot your system (Non working computer) using the boot CD you just created.
    • Note. If you do not know how to set your computer to boot from CD follow the steps HERE
  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • When asked Do you wish to load the remote registry, select Yes
  • When asked Do you wish to load remote user profile(s) for scanning, select Yes
  • Ensure the box Automatically Load All Remaining Users is checked and press OK
  • OTL should now start. Change the following settings
    • Change Drivers to All
    • Change Registry to All
    • Under Custom Scan box paste this in:

      netsvcs
      %SYSTEMDRIVE%\*.exe
      /md5start
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      eNetHook.dll
      ahcix86.sys
      KR10N.sys
      nvstor32.sys
      ahcix86s.sys
      nvrd32.sys
      symmpi.sys
      adp3132.sys
      mv61xx.sys
      userinit.exe
      explorer.exe
      /md5stop
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.dll /lockedfiles
      %systemroot%\Tasks\*.job /lockedfiles
      %systemroot%\system32\drivers\*.sys /lockedfiles
      %systemroot%\System32\config\*.sav
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive.
  • Please post the contents of the C:\OTL.txt file in your reply.
 
Broni, please be advised that this member has another open thread on what appears to be the same machine: It was started 6 days ago, my last reply was 4 days ago. The system belongs to his mother and he had a difficult time following my directions.

Google Redirect - Vundo - Avira and MWB can't remove I've looked all over for help
https://www.techspot.com/vb/topic147052.html

Specs on original thread:
DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
Run by Administrator at 18:52:06.18 on Wed 05/12/2010
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_20
Microsoft® Windows Vista™ Business 6.0.6001.1.1252.1.1033.18.1919.1118 [GMT -4:00]

I have ComboFix, ran TFC, Have that program that runs a dos window and supposed to end all malware programs [IDK what it's called because I renamed it already], also have Avira, and Malwarebytes.

Specs on this thread:
DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
Run by Administrator at 19:41:31.33 on Tue 05/18/2010
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_16
Microsoft® Windows Vista™ Business 6.0.6001.1.1252.1.1033.18.1919.1221 [GMT -4:00]

Some of the previous scans he did could well be affecting his system. He left the thread.
 
Do this on the computer you are posting from:
Copy the text in the codebox below:


Code:
:OTL
SRV - [2010/05/06 17:39:16 | 000,011,776 | ---- | M] () [Auto] -- C:\Windows\System32\mousenh32.exe -- (winbackupdumper-id1906Xv2Ej1zt)
SRV - [2010/05/06 17:39:16 | 000,009,728 | ---- | M] () [Auto] -- C:\Windows\System32\wirepots.exe -- (acrosysbackup_ex06Xv2Ej1zt)
O3 - HKU\Administrator_ON_C\..\Toolbar\WebBrowser: (no name) - {2787EA8E-8D87-48AF-88AD-B30246C917AB} - No CLSID value found.
O4 - HKLM..\Run: [Acronis Toolbar Helper]  File not found
O4 - HKLM..\Run: [vtuvstsys] C:\Windows\System32\bywuut.dll ()
O4 - HKU\.DEFAULT..\Run: [opmnnnsys] C:\Windows\System32\bywuut.dll ()
O4 - HKU\Administrator_ON_C..\Run: [ddbbyasys] C:\Windows\System32\bywuut.dll ()
O4 - HKU\Administrator_ON_C..\Run: [Desktop Cleanup Wizard]  File not found
O4 - HKU\Administrator_ON_C..\Run: [P2kAutostart]  File not found
O4 - HKU\Administrator_ON_C..\Run: [winjwws92] C:\Users\Administrator\AppData\Roaming\winjwws92\winjwws93.exe File not found
O4 - HKLM..\RunOnce: []  File not found
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\msdaipp - No CLSID value found
O30 - LSA: Authentication Packages - (bywuut.dll) - C:\Windows\System32\bywuut.dll ()
[2010/05/05 16:39:03 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\winjwws92
[2010/05/17 08:50:30 | 000,089,600 | -H-- | M] () -- C:\Windows\System32\opmlif.dll
[2010/05/06 17:39:16 | 000,037,888 | ---- | M] () -- C:\Windows\System32\wirepots.dll
[2010/05/06 17:39:16 | 000,037,888 | ---- | M] () -- C:\Windows\System32\syspol32.dll
[2010/05/06 17:39:16 | 000,037,888 | ---- | M] () -- C:\Windows\System32\b_syspol32.dll
[2010/05/06 08:44:23 | 000,096,256 | -H-- | M] () -- C:\Windows\System32\rqppqq.dll
[2010/04/05 20:32:22 | 000,000,080 | RHS- | C] () -- C:\Windows\System32\9129AF82DC.dll
[2009/11/02 21:06:03 | 000,000,128 | ---- | C] () -- C:\Windows\System32\_WDYSZYG.sys


:Services
winbackupdumper-id1906Xv2Ej1zt
acrosysbackup_ex06Xv2Ej1zt


:Reg

:Files
C:\Windows\System32\mousenh32.exe
C:\Windows\System32\wirepots.exe
C:\Windows\System32\bywuut.dll
C:\Users\Administrator\AppData\Roaming\winjwws92\winjwws93.exe


:Commands
[purity]
[emptytemp]

Open Notepad and paste it.
Save the document as Fix.txt onto a USB flash drive


On the infected computer the following...

Run OTLPE

  • Insert USB stick and find the file Fix.txt. Drag the file Fix.txt and drop it under the Custom Scans/Fixes box at the bottom.
    • (The content of Fix.txt should appear in the box)
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post the log produced (you'll need to transfer it with USB stick)
  • Attempt to reboot normally into Windows.

See, if you can run broni.com now.
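As an added example, not part of the thread or of OTL itself: a small Python triage script over OTL log lines of the kind in the fix above. It flags the same sorts of entries Broni picked out, an LSA Authentication Packages entry naming anything other than msv1_0.dll, System32 binaries with no company name that several autostart points load, and orphaned "File not found" entries. The sample lines are copied from the fix script; the Adobe line is a constructed benign entry for contrast, and the severity thresholds are my own assumptions.

```python
import re

# Constructed sample: the first five lines are copied from the OTL fix script in the
# post above; the final line is a made-up benign entry for contrast.
SAMPLE_OTL_LINES = """\
SRV - [2010/05/06 17:39:16 | 000,011,776 | ---- | M] () [Auto] -- C:\\Windows\\System32\\mousenh32.exe -- (winbackupdumper-id1906Xv2Ej1zt)
O4 - HKLM..\\Run: [vtuvstsys] C:\\Windows\\System32\\bywuut.dll ()
O4 - HKU\\.DEFAULT..\\Run: [opmnnnsys] C:\\Windows\\System32\\bywuut.dll ()
O4 - HKU\\Administrator_ON_C..\\Run: [Desktop Cleanup Wizard]  File not found
O30 - LSA: Authentication Packages - (bywuut.dll) - C:\\Windows\\System32\\bywuut.dll ()
O4 - HKLM..\\Run: [Reader Speed Launcher] C:\\Program Files\\Adobe\\reader_sl.exe (Adobe Systems Incorporated)
"""

# OTL prints the binary's version-info company name in parentheses; "()" means the
# file carries no company name at all. SRV lines put it right after the "| M]" block.
PATH_RE = re.compile(r"([A-Za-z]:\\[^()]*?\.(?:exe|dll|sys))\b", re.IGNORECASE)
COMPANY_RE = re.compile(r"\(([^()]*)\)\s*$")
SRV_COMPANY_RE = re.compile(r"\]\s*\(([^()]*)\)\s*\[")
SYSTEM32 = "c:\\windows\\system32\\"

def parse_line(line):
    """Return (otl_code, file_path, company) for one OTL line; the last two may be None."""
    code = line.split(" - ", 1)[0].strip()
    m = PATH_RE.search(line)
    c = (SRV_COMPANY_RE if code == "SRV" else COMPANY_RE).search(line)
    return code, (m.group(1) if m else None), (c.group(1).strip() if c else None)

def triage(text):
    """Flag autostart entries worth a second look; returns a list of (severity, path, reason)."""
    parsed = [parse_line(ln) for ln in text.splitlines() if ln.strip()]
    refs = {}  # how many autostart points load each file
    for _, path, _ in parsed:
        if path:
            refs[path.lower()] = refs.get(path.lower(), 0) + 1
    findings = []
    for code, path, company in parsed:
        if code == "O30" and path and not path.lower().endswith("\\msv1_0.dll"):
            # lsass.exe loads LSA authentication packages at boot, before any user logs on,
            # so the DLL is in use from the start and cannot simply be deleted while Windows runs.
            findings.append(("high", path, "non-default LSA authentication package"))
        elif path is None:
            findings.append(("low", None, "autostart entry with no resolvable file (File not found)"))
        elif path.lower().startswith(SYSTEM32) and company == "":
            n = refs[path.lower()]
            findings.append(("medium", path, f"System32 binary with no company name, loaded by {n} autostart(s)"))
    return findings

if __name__ == "__main__":
    for sev, path, reason in triage(SAMPLE_OTL_LINES):
        print(f"{sev:6} {reason}: {path}")
```

The O30 hit is the one that explains why the fix had to be run from the OTLPE boot CD rather than from inside Windows.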
 
Broni, please be advised that this member has another open thread on what appears to be the same machine
Crap...I hate things like that. Do you want me to finish this thread, or do you want to continue in yours?
 
I started a new one because I restored and redid the 8 step

After running the fix and rebooting, do I reboot on the disk, or in safe mode, or normally?
 
I started a new one because I restored and redid the 8 step
Then, it'd be nice of you to post back in your old thread and let Bobbye know.
We're nice to you, aren't we? :)
 
Indeed, you are very nice, you could have closed both my threads, and most likely banned me by now, and have me deal with the problems myself, in which case I would reinstall Windows and go through all sorts of stuff.

I apologize for not posting on the first thread.

and I went to Start > Shutdown > -dropdownbox- Restart > OK

I can move my mouse, but I can't click anything and the screen's opacity has gone lighter. Should I hit the reset button on the front of the case, and remove the disk when possible?
 
Yes, you can remove the disk at any time.
Instead of restart, try to shut down your computer, wait a minute and then start it again.
 
When the scan was done (while still booted from the CD), it should have produced a log:
  • Let the program run unhindered, reboot the PC when it is done
  • Post the log produced (you'll need to transfer it with USB stick)
 
It did not show a log, I looked for one, computer is now booted.

Window named RunDLL popped up and says "Error loading bywuut.dll The specified module could not be found."
 
Will combofix reboot my computer? It said something about cd emulations running and said it needs to disable them I hit okay, and it shut down.
 