Vundo, 100+ other spyware, 4-5 viruses aftermath

[moosing]

Hi,

I finally got my Windows XP Pro machine running again. I ran Panda Antivirus/antispy, AVG antivirus, Spybot SD, Adware 2007, Spyware Doctor & VundoFix.

I got back my taskbar and desktop. And explorer (dir/files...) is working.

Please check this HiJackThis log and startup logger to see if I have any hidden Trojans, viruses, or such.

I am noticing a problem with DEP as follows:

Every time I switch on my computer I get an annoying "Data Execution Prevention" message which says:
"To help protect your computer, Windows has closed this program.
Name: Generic Host Process for Win32 Service
Publisher: Microsoft Corporation"

Sometimes not all my startup programs actually start up.

Thanks.

View attachment 19296

View attachment 19297

Some other symptoms I noticed are slow startup (>5 minutes), and very slow shutdown (> 5 minutes).

Edited by Moderator: No need for a double post if there are no replies between your current post and the last post, unless bumping the thread. In that case, please wait at least 24 hours before doing so. Otherwise, simply use the "Edit post" button instead.

I still think there is something on the machine but I don't know what.

6/22/2007 - The only reason I used the 'outdated' HJT program is because it said v2 was beta. I will work on this over the weekend.

 

[momok]

Hi,

You are running an outdated version of HijackThis.
You can obtain the latest version from the link in my signature.

Also, you have not renamed the executable file to Analyze.exe. Please do so before you scan with HijackThis.

Then have hijackThis fix these entries:
O2 - BHO: (no name) - {8A61098D-612B-4EF2-943D-64E920684061} - C:\WINDOWS\system32\iifcbby.dll (file missing)
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: X* - X* (file missing)

Navigate to C:\WINDOWS\SYSTEM32\avldr.dll and delete the file. (Make sure you are able to view hidden files and folders)

Then please go ahead to Viruses/Spyware/Malware, preliminary removal instructions and follow the steps given. Do follow all the instructions exactly. They will provide logs for analysis of your system so I will know how to instruct you to proceed.

Thereafter, please post fresh HijackThis, AVG Antispyware and Combofix logs as attachments into this thread. Do not copy and paste your logs if not it will be ignored and/or removed.

Also, please let me know the results of the AVG Antirootkit scan


Regards,
Your friendly momok =)

This thread is for the use of moosing only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[moosing]

Confused

Navigate to C:\WINDOWS\SYSTEM32\avldr.dll and delete the file. (Make sure you are able to view hidden files and folders)

This is for Panda Antivirus/firewall. Should I uninstall Panda?

 

[momok]

Hi,

Please do not delete that file.

I'm terribly terribly sorry about that mistake. I was copying and pasting from the logfile and was sleepy and missed that line. Thus I thought it was part of the infection. Please do not fix that line in HijackThis too.

Do go ahead with the rest of the instructions and post the required logs thereafter.


Regards,
Your friendly momok =)

This thread is for the use of moosing only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[moosing]

SmitFraudFix

Okay I downloaded the SmitfraudFix and it generated a log. I'm not sure but after looking at the log, it looks like everything is okay. Do I need to clean?

 

[momok]

Hi,

Please complete the given instructions in the thread. SmitFraudFix only fixes certain malware (smitfraud infection of course) and only certain variants of it. It will not clean out your system thoroughly. To ensure that, I would need to see a fresh copy of your HijackThis log, ComboFix log, AVG antispyware log as well as the results of the AVG Anti-rootkit scan.

Please follow the instructions in that thread to the letter. Only post the 3 logs I mentioned and the anti-rootkit scan results.


Regards,
Your friendly momok =)

This thread is for the use of moosing only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[moosing]

Logs

AVG Anti-Rootkit did not find any rootkits.

Thanks.

 

[momok]

Hi,

You may wish to copy and paste these instructions on notepad for easier reference later.

Download the attached "Combofix-Do.txt" (from my attachment) and save it to the same folder as Combofix.

Boot into safe mode under your normal user name. See how HERE

Next turn on "Show all files and folders, including hidden and system". See how HERE

Please run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

O4 - Startup: Logitech Harmony Remote Software 7.lnk.lnk = ?

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.6.0_01) -

O20 - Winlogon Notify: X  - C:\WINDOWS\

Close HJT.

Drag the Combofix-Do.txt that you downloaded earlier over on to Combofix.exe and release.

This will ask Combofix to execute the instructions within my file. Let Combofix run normally and do its job. Attach the resultant log in your reply.

Reboot into normal mode and rehide your protected OS files.

Thereafter, please post fresh HJT, ComboFix and AVG Antispyware logs from normal mode as attachments into this thread.


Regards,
Your friendly momok =)

This thread is for the use of moosing only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[moosing]

Question: Will removing entry 04 & 016 disable my Harmony Remote sync software or my Java Development Kit?

 

[momok]

Hi,

It won't. When O4 entries display a "...lnk = ?" it usually means a missing file/shortcut pointing to an invalid point in your system etc. Fixing the entry is upto your choice; I was just removing an unnecessary thing for you to load on start up.
Normally, O16 entries should not show up that way. They would at least point to the site where it was downloaded from, or the filepath on your system where it is installed from. Thus this makes this entry very fishy, which was why I decided to fix it. You can never be too sure when it comes to malware infections.


Regards,
Your friendly momok =)

This thread is for the use of moosing only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.