-
Below is the most recent HijackThis log. I removed the Vundo virus/spyware from my computer, but I am still receiving pop-ups in addition to a "Big Red X" mark for the C:\ drive icon. Any advice?
HIJACK THIS LOG
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:00:14 AM, on 3/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\Atiptaxx.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {B603396C-5E54-49D5-9546-0BD024E27CB6} - C:\WINDOWS\system32\tustr.dll (file missing)
O2 - BHO: (no name) - {F660BAE1-2EC8-4F97-A5E8-668A4381D877} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Rome] "C:\WINDOWS\PPATCH~1\wuauboot.exe" -vt ndrv
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [Xtia] "C:\Program Files\Common Files\?ppPatch\r?gedit.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Search - ?p=ZUxdm486YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} -
O16 - DPF: {1A26F07F-0D60-4835-91CF-1E1766A0EC56} -
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS\
O20 - Winlogon Notify: gebayxx - C:\WINDOWS\
O20 - Winlogon Notify: htslbfbh - C:\WINDOWS\
O20 - Winlogon Notify: vtuturr - vtuturr.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
--
End of file - 3898 bytes
-
I'm no expert on this, but I think you should take a look at the following:
O4 - HKCU\..\Run: [Rome] "C:\WINDOWS\PPATCH~1\wuauboot.exe" -vt ndrv
O4 - HKCU\..\Run: [Xtia] "C:\Program Files\Common Files\?ppPatch\r?gedit.exe"
O8 - Extra context menu item: &Search - ?p=ZUxdm486YYUS
It looks as if you have the ndrv trojan; see this link:
http://www.prevx.com/filenames/1962873024524698099-X1/NDRV.EXE.html
The Windows wuauboot.exe file should not be in a temp directory, and its particulars are:
Wuauboot exe 114,688 06-08-00 5:00p Wuauboot.exe
The file r?gedit.exe will probably display as regedit.exe in Explorer.
I have read that this can be cleaned up with ComboFix, and I'm sure Raymond will tell you how.
I refuse to tip toe through life only to arrive safely at death
-
Administrator
Use VundoFix to clean up the Vundo infection.
http://www.atribune.org/ccount/click.php?id=4
-
I just recently started to study how to remove viruses using HijackThis logs. This is just my advice based on what I can see so far:
O2 - BHO: (no name) - {F660BAE1-2EC8-4F97-A5E8-668A4381D877} - (no file)
You also should delete these entries, as they are most likely a threat:
O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS\
O20 - Winlogon Notify: gebayxx - C:\WINDOWS\
O20 - Winlogon Notify: htslbfbh - C:\WINDOWS\
O20 - Winlogon Notify: vtuturr - vtuturr.dll (file missing)
The O20 code is the AppInit_DLLs section. I've read that most legitimate software never uses these things, and they recommend treating it as mostly spyware. You might want to check those O20 checkboxes and delete the entries.
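The two replies above apply the same kind of triage by eye: an autostart executable living in a patch or temp directory, a `?` in a path where Explorer could not render a character (r?gedit.exe as a look-alike of regedit.exe), a context-menu item with no recognisable target, and O20 Winlogon Notify handlers whose DLL is missing or never named. As an added example that is not code from this thread or from HijackThis, here is a small Python script that parses HijackThis log lines and flags exactly those patterns. The sample input is a constructed subset of the log lines quoted in this thread plus the known-good Adobe, Spybot and Excel lines for contrast; the directory markers and the individual checks are my own assumptions, not HijackThis rules.

```python
import re

# Constructed sample: a subset of the lines from the HijackThis log quoted in this
# thread, with benign entries kept in so that the checks have negatives to ignore.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {B603396C-5E54-49D5-9546-0BD024E27CB6} - C:\WINDOWS\system32\tustr.dll (file missing)
O2 - BHO: (no name) - {F660BAE1-2EC8-4F97-A5E8-668A4381D877} - (no file)
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Rome] "C:\WINDOWS\PPATCH~1\wuauboot.exe" -vt ndrv
O4 - HKCU\..\Run: [Xtia] "C:\Program Files\Common Files\?ppPatch\r?gedit.exe"
O8 - Extra context menu item: &Search - ?p=ZUxdm486YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O20 - Winlogon Notify: gebayxx - C:\WINDOWS\
O20 - Winlogon Notify: vtuturr - vtuturr.dll (file missing)
"""

# HijackThis entries start with a section tag (R0, O2, O4, O20 ...) and " - ".
LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
# A Windows path: drive letter, colon, backslash, then everything up to a quote.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\n]*')
# Assumed directory markers that an autostart executable normally has no business in.
SUSPECT_DIRS = ("temp", "tmp", "patch")


def parse_line(line):
    """Split one log line into (section, body); None for headers and process lists."""
    m = LINE_RE.match(line.strip())
    return (m.group("section"), m.group("body")) if m else None


def check_entry(section, body):
    """Return human-readable reasons why this entry deserves a closer look."""
    reasons = []
    lower = body.lower()

    # 1. Orphaned entries: the registry hook survived but the file is gone.
    if "(file missing)" in lower or "(no file)" in lower:
        reasons.append("orphaned entry: registered file no longer exists")

    for path in PATH_RE.findall(body):
        # 2. '?' inside a path is a character Explorer could not render, which is
        #    how a look-alike of a system file name (r?gedit.exe) shows up.
        if "?" in path:
            reasons.append(f"unrenderable character in path: {path}")
        # 3. Autostart executables launched from temp/patch-style directories.
        dirs = path.lower().split("\\")[:-1]
        if any(marker in d for d in dirs for marker in SUSPECT_DIRS):
            reasons.append(f"executable autostarts from temp/patch directory: {path}")

    # 4. Winlogon Notify handlers load inside winlogon.exe; each should name a DLL.
    if section == "O20" and "winlogon notify" in lower:
        target = body.rsplit(" - ", 1)[-1].strip()
        if not target.lower().endswith(".dll"):
            reasons.append(f"Winlogon Notify handler without a resolvable DLL: {target}")

    # 5. IE context-menu items normally point at a res:// or http(s):// target.
    if section == "O8":
        target = body.rsplit(" - ", 1)[-1].strip().lower()
        if not (target.startswith("res://") or target.startswith("http")):
            reasons.append(f"context-menu item with unrecognised target: {target}")

    return reasons


def triage(log_text):
    """Run every check over a whole log; returns (section, line, reasons) tuples."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        section, body = parsed
        reasons = check_entry(section, body)
        if reasons:
            findings.append((section, raw.strip(), reasons))
    return findings


if __name__ == "__main__":
    for section, line, reasons in triage(SAMPLE_LOG):
        print(f"[{section}] {line}")
        for reason in reasons:
            print(f"    -> {reason}")
```

A hit means "look closer", not "malware": the O20 check, for instance, would also flag the `!SASWinLogon` entry in the full log, which belongs to a legitimate anti-spyware tool, so a flagged line still needs the kind of file-lookup the first reply did before anything is deleted.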
-
Administrator
Great stuff. Glad that everyone is learning.
-
Before using the HijackThis software, the Vundo software (ver. 6) was used. Unfortunately, Vundo did not resolve the error, as you can see from the HijackThis log.
Next step is to try what sclikzs posted.
All,
Thanks for the great support on this matter. Most sites want you to purchase a spyware or antivirus and really don't offer much support. Raymond Blog simply ROCKS!!!
-
Guest
WOW, that's cool! Keep it up (Spyware Killer)
"Stars and the Sun"
-
Administrator
shakstang, that link I gave you is the latest VundoFix, version 7. It fixes newer Vundo variants.
-
Experienced User
Are all the files like O2 - BHO: (no name) - {F660BAE1-2EC8-4F97-A5E8-668A4381D877} - (no file) possibly a threat? I mean all the "no name" and "no file" ones?