8 Steps Removal Done--Possible Vundo?

Status
Not open for further replies.

hyjinx

Hi,

I'm actually new to these sorts of message boards but I need help. For the last 3 days I've gotten alerts from Windows Defender that I've had Vundo, and also alerts for it from AVG before I switched to Avira. I've removed it each time but it keeps returning. I've done the 8 steps and Vundo wasn't mentioned but I still think it's there. I saw somewhere that it could hide in the restore files. Could someone have a look at my logs please and tell me if it's gone? I've never read them before and don't know what to look for.
 
Hi Hyjinx

Just to let you know, I will take a look at your logs tomorrow, just so you are not left in the dark as to what is happening.

However, before I look at them, can you:

Right click your Hijackthis icon and go to properties

Then rename the Hijackthis icon to analyse this or something similar.

Then rescan and post the new log. This is because some programs can hide from Hijackthis and make things difficult.

Thanks
 
Just rename it in General Tab? Not the Path name or Startup file?

If so, I did that. Here's the log...
 
HyJinx

I can see by your log files this may be a company computer or one you use to connect to a company?
NOVELL network, Lotus Notes, Corporate Domain?
Please let me know your type of connection: is it VPN or SSL?
Just want to keep you safe and not have things broken...

This is the one I want to know about: O1 - Hosts: 172.17.226.89 HC1

General cleanup is needed and will hurt anything
Right click on the My Computer icon and go to Properties
Turn off System Restore
Open IE and go to TOOLS, OPTIONS and delete temporary internet files and cookies
Do a disk cleanup in your Start/Accessories/System Tools menu


Download Malwarebytes and install

BEFORE YOU DO THIS remember the connection O1 - Hosts: 172.17.226.89 HC1

Run Hijackthis and Malwarebytes at the same time
Select any files and/or keys in the attachment I posted in Hijackthis, but on both Malwarebytes and Hijackthis click fix at the same time.
Then reboot immediately.
If you forget to turn off System Restore it will return no matter
You have the Google redirector also: O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
MAKE sure you check all in Hijackthis
Reboot once complete, run Hijackthis and post your log here again


C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

C:\WINDOWS\system32\dpmw32.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O1 - Hosts: 172.17.226.89 HC1
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll

O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\system32\dpmw32.exe

O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe

O4 - Global Startup: APC UPS Status.lnk = ?

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O20 - AppInit_DLLs: girruy.dll

O20 - Winlogon Notify: geBuRIAT - geBuRIAT.dll (file missing)

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
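
As an added example (not part of the original thread or of any poster's tooling): a small Python triage pass over HijackThis entries like the ones listed above, which flags orphaned entries, hosts mappings, Winsock LSP warnings and the two O20 load points. The function names and the wording of the reasons are assumptions made for illustration; the sample lines are copied from the thread.

```python
import ipaddress
import re

ENTRY = re.compile(r"^([RO]\d+) - (.*)$")            # e.g. "O20 - AppInit_DLLs: x.dll"
ORPHAN = re.compile(r"\((no file|file missing)\)", re.IGNORECASE)

def review_reasons(code, body):
    """Return the reasons (possibly none) an entry deserves a manual look."""
    reasons = []
    if ORPHAN.search(body):
        reasons.append("points at a file that no longer exists")
    if code == "O1":                                  # hosts line: "Hosts: <ip> <name>"
        fields = body.split(":", 1)[-1].split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except (IndexError, ValueError):
            reasons.append("unparseable hosts entry")
        else:
            if ip.is_loopback:
                pass                                  # 127.0.0.1 / ::1 is the normal case
            elif ip.is_private:
                reasons.append("maps a name to a private LAN address; confirm it is expected")
            else:
                reasons.append("maps a name to a public address")
    elif code == "O10" and "Unknown file" in body:
        reasons.append("unrecognised Winsock LSP; HijackThis cannot fix these itself")
    elif code == "O20" and body.startswith("AppInit_DLLs:"):
        reasons.append("DLL is loaded into every process that loads user32.dll")
    elif code == "O20" and body.startswith("Winlogon Notify:"):
        reasons.append("DLL is loaded by winlogon.exe")
    return reasons

def triage(log_text):
    """Return (code, body, reasons) for every entry with at least one reason."""
    hits = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m and (why := review_reasons(*m.groups())):
            hits.append((m.group(1), m.group(2), why))
    return hits

# Entries quoted from the thread above.
SAMPLE = r"""
O1 - Hosts: 172.17.226.89 HC1
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\system32\dpmw32.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - AppInit_DLLs: girruy.dll
O20 - Winlogon Notify: geBuRIAT - geBuRIAT.dll (file missing)
"""

if __name__ == "__main__":
    for code, body, why in triage(SAMPLE):
        print(f"{code:4} {body}\n     -> " + "; ".join(why))
```

A flagged entry is a prompt for manual review, not a verdict: the hosts mapping and the LSP entry here may simply be leftovers of the machine's earlier network setup.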
 
It's a computer that I got from a relative, sort of borrowing it for the present, so yes it does have network stuff on it but it isn't attached to any network now.

I installed and ran malwarebytes as part of the 8 steps and posted the log in my initial post. The result of that scan was clean but I'm running it again and will post the log when it's finished.

I did notice
O20 - AppInit_DLLs: girruy.dll
in your list of items to check. This was the name of the most recent Vundo Alert from CA eTrust.

Edit: Am I supposed to fix only the files you listed, BlkHeart, or all of the files HijackThis shows?
 
The malwarebytes scan came up clean for the second time. I checked and fixed all the ones you listed except this one:

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

HJT said it couldn't fix it and said I needed something called LSPFix(?)
 
Thank you so very, very much. You have no idea how much I appreciate your help. This has been driving me insane for days. :D

I'm primarily a Firefox user (I cleared files and cookies there as well) but any help would be great.
 
Add me as a friend and I will be sending some IE settings soon to help avoid this stuff

No browser is safe from it and the SYSTEM uses IE settings. Take care
 