HELP!!! vundo/zlob/smitfraud trojan on my PC!

[googlistics]

Hello, I've tried similar solutinons but they all seem to fail. I've tried SmitfraudFix, VundoFix and others, but none of them seem to work for me.

I get popups and certain sites do not open (while they should).


Please help me exterminate this NASTY virus.

Here's my HJT log-


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:49:07, on 6/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\PROGRA~1\LANDesk\LDClient\issuser.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\PROGRA~1\LANDesk\LDClient\collector.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\LANDesk\LDClient\softmon.exe
C:\PROGRA~1\LANDesk\LDClient\rcgui.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Elitecore\Single Signon\SSCyberoam_7310.exe
C:\Program Files\My Lockbox\flockbox.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\AvaFind\AvaFind.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\LANDesk\LDClient\LDIScn32.EXE
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\Program Files\TechSmith\SnagIt 8\TSCHelp.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
D:\sudasoft\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by (NSS)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.16.0.160:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://nlt-deploy;https://******;https://******;<local>
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SDClientMonitor] "C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Single Signon] C:\Program Files\Elitecore\Single Signon\SSCyberoam_7310.exe
O4 - HKLM\..\Run: [flockbox] C:\Program Files\My Lockbox\flockbox.exe /a
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BMeb3ddf2f] Rundll32.exe "C:\WINDOWS\system32\iinokuco.dll",s
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [AvaFind] "C:\Program Files\AvaFind\AvaFind.exe" /minimized
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SnagIt 8.lnk = C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
O4 - Global Startup: VPN Client.lnk = ?
O4 - Global Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\system32\wweb32.dll/lookup.html
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase9563.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ****
O17 - HKLM\Software\..\Telephony: DomainName = ****.COM
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ****
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ****
O23 - Service: LANDesk(R) Management Agent (CBA8) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\Shared Files\residentagent.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel Local Scheduler Service - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE
O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\tmcsvc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LANDesk Remote Control Service (ISSUSER) - LANDesk Software, Ltd. - C:\PROGRA~1\LANDesk\LDClient\issuser.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: LANDesk(R) Software Monitoring Service (Softmon) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\softmon.exe

--
End of file - 7894 bytes

[MrLinus]

If it's a virus, do you do your virus scan in safe mode? If not, try that. Make sure you have up-to-date virus signatures. Also, you may want to try going to http://housecall.trendmicro.com in safe-mode with networking and let it scan your system. A quick glance at your hijack log and it looks ok.

[delstar]

The only thing that looks troubling is :
O4 - HKLM\..\Run: [BMeb3ddf2f] Rundll32.exe "C:\WINDOWS\system32\iinokuco.dll",s

You should remove that entry from the registry ("HKLM\Software\Microsoft\Windows\CurrentVersion\Run") and see what happens.

[t34b4g5]

C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\MsgSys.EXE
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Single Signon] C:\Program Files\Elitecore\Single Signon\SSCyberoam_7310.exe
O4 - HKLM\..\Run: [BMeb3ddf2f] Rundll32.exe "C:\WINDOWS\system32\iinokuco.dll",s
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

That's about all i can visually pick out, a few of them are reeaal nasty SOB's, and even harder to remove and keep 'em gone.

I would strongly suggest that you just back up any important files and do a format and re-install.

[delstar]

t34 : Except for the one I mentioned, those are all valid programs. Some Google research would help.

[SirDice]

t34 : Except for the one I mentioned, those are all valid programs. Some Google research would help.

I agree.

Those igfx* executables are for intel graphicscards. The hkcmd is the windows hotkey functionality. Msgsys is part of LANDesk.

[nihil]

I know this is posted in a variety of other threads but I feel that it is useful to add to any thread of this nature.

Googleing might seem like a rather daunting task. This tool will check your log and indicate what is generally considered "safe" and what needs looking into or just getting rid of (known baddies).

Beware. Some items might trip a warning because of where they are located. This can happen legitimately with a new release of the software, so check to see if you have an instance in the location they suggest as well.

http://www.hijackthis.de/

Googling or Googleing? don't know which you prefer but it seems like I have just invented a new word.

As a second string to your investigation might I recommend that you submit suspicious files here:

http://www.virustotal.com/



@ SirDice and delstar, do you mean this:

http://www.****inggoogleit.com/

It is OK for work: nothing rude on the site itself

[SirDice]

@ SirDice and delstar, do you mean this:

http://www.****inggoogleit.com/

To be honest the only one I didn't recognize was the Msgsys thingy.. And yes I googled it

[ShagDevil]

The only thing that looks troubling is :
O4 - HKLM\..\Run: [BMeb3ddf2f] Rundll32.exe "C:\WINDOWS\system32\iinokuco.dll",s

I'm with Delstar on this one as well. Actually, I was fairly dizzied by the fact that you say you have a virus your machine but, outside of a single oddly named library called iinokuco, all seemed fine. So I googled iinokuco and, surprise, surprise, no luck (except the link to this very thread). Then I was reminded of a doozy my sister got on her machine.

It was called Virtumonde. The little s.o.b that keeps changing the .dll with random file names so you can never quite find the offending .dll being called by Rundll.exe. It seems to me you're infected with some kind of adware with polymorphing file naming capabilities. You might want to run a couple antispyware programs & see what they find/clean.

[alvarado14]

Try to use nod32 antivirus because is more easy to customize than mcafee and make a very good job. Also, search Avira Antivirus on Google - is very good and fast (i have it at work)