Please Help: Trojan.Vundo, Tidserv!inf, and other infection

My system was hit by an infection while I was traveling that started producing frequent browser pop-ups. I did a virus scan that found nothing consequential, but when I restarted I got BSOD after login. I got past that by using using safe-mode to disable services until it booted fully. From the system performance and pop-ups it was clear the system was compromised even though my old antivirus found nothing. Also, I could not connect to websites related to antivirus, malware, etc.; they were redirected to localhost. I could not update my antivirus for the same reason.

I used the Norton Internet Security 2009 Recovery Tool (boot cd) to start the clean-up process; it removed several threats and fixed the redirect problem, but reported one unfixable file (infected with Backdoor.Tidserv!inf). I installed Norton 2009 in windows, and it declared the system clean because it was being prevented from scanning the folder that had the threat. Before proceeding, I re-enabled the services I had shut down except the one that seems to be causing the BSOD.

I then ran through the 8-steps, repeating the MBAB and SAS steps with reboots between and got clean reports.

I'd greatly appreciate if you can look over the logs and let me know what (if any) action I should take or if the system appears clean. Thank you.

Any thoughts on the log results?

Great job. The infections have been handled. I see no indication that system restore points were infected.

Discrepancy - MBAM tool problem is likely cause
Use Windows Explorer to verify file was deleted.

Code:

HJT >>O20 - AppInit_DLLs: .......[B]gwappz.dll[/B]
MBAM >> C:\WINDOWS\system32\[B]gwappz.dll [/B](Trojan.Vundo.H) -> Quarantined and deleted successfully.

Minor cleanup - missing file referenced.
HJT scan. Tick & Fix. Restart computer.
O2 - BHO: (no name) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file) >> broken (norton confidential)

Purpose of quote - if the details have not escaped your recall, please edit the description to indicate the method of redirection, such as, if the 'host' file was altered or if firewall security policies were inserted. About 25% of the current cases have this complaint. I am troubled if MBAM and/or SAS is not sensitive to this exploit.

Thanks, rf6647.

I didn't learn the method of the redirection - I did check the host file and it had no entries, but I didn't think to check the firewall security policies, so I can't say if that was how. I didn't have MBAB or SAS on my system at that time, and because of the redirects I was having trouble getting security info. One thing I did find, though, is that the Google cache pages were reachable, which helped until I had access to a clean system to do my research. If there's anything else I can tell you that may help others with similar problems, let me know.

I have fixed the

O2 - BHO: (no name) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file) >> broken (norton confidential)

entry with HJT. Didn't work until I ran it in Safe Mode, but that got it.

I confirmed the removal of

C:\WINDOWS\system32\gwappz.dll

and it does appear to be gone. It may be interesting to note that when the system was infected and I was still trying to use Norton, I looked for one of the infected files in c:\windows\system32 using Explorer but it did not show, even though Norton had found it from the Recovery CD.

One question -- should I have HJT fix the entry

HJT >>O20 - AppInit_DLLs: .......gwappz.dll

or should I leave it alone?

Thanks again for the help and any more advice you have. This board has been a huge help.

HJT is not selective. The entry appears as

Code:

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL [B]gwappz.dll[/B]

Use 'regedit' to delete this value. If I was savvy about the registry I could put you right on the correct key. It is a matter of a week or so before MBAM puts finishing touches to clean up this reference.

The concept of accessing 'cache' for web pages - is there a 'how to' for this. I've seen the results, but I guess I have not grasped the mechanics. I assume this uses the web copy and not the browser copy (history).

I just meant Google's cached version of the webpages returned by a search. The word "Cached" follows the URL and size for each result google returns. That cached copy is not hosted by the original site, so whatever mechanism the malware used to block specific sited didn't stop me from viewing the cached copies to help diagnose my problem.