[VUNDO] spyware that adds nasty JavaScript to webpages - how to fix it?

I am not sure what it is… I got a spyware that adds some nasty JavaScript code to HTML webpages in browsers… also on one site it switched the picture and put its own… I attached the pic.

Also, here's the logfile of HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:54:15 AM, on 6/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATKKBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\totalcmd\TOTALCMD.EXE
H:\Install\HiJackThis.exe
C:\Program Files\Opera\opera.exe

O2 - BHO: (no name) - {BE7E4CE1-8CBA-44A6-956F-462A667D3286} - C:\WINDOWS\system32\geBqQKAq.dll
O2 - BHO: (no name) - {E6430F8C-9BB1-4C30-A80E-BB21ECD7061B} - C:\WINDOWS\system32\ssqPjjHa.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ASUSGamerOSD] C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [318a33ee] rundll32.exe "C:\WINDOWS\system32\bfcoxlyb.dll",b
O4 - HKLM\..\Run: [BM32b90072] Rundll32.exe "C:\WINDOWS\system32\jdsgjxgh.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: geBqQKAq - C:\WINDOWS\SYSTEM32\geBqQKAq.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


End of file - 4662 bytes

so I guess I have Trojan:Win32/Vundo.gen!M and Trojan.Win32.Monder.vaaa

Please, how do I get rid of these???

First, never follow those fake links. They won't clean anything; on the contrary, you'll get infected.

Please download VundoFix.exe to your desktop.

Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the Scan for Vundo button.
Once it’s done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

A log will be produced which you can post in your next response.

C:\WINDOWS\system32\geBqQKAq.dll
C:\WINDOWS\system32\ssqPjjHa.dll
C:\WINDOWS\system32\bfcoxlyb.dll
C:\WINDOWS\system32\jdsgjxgh.dll

Please disable 'Hide protected operating system files' and enable 'View Hidden Files and Folders', and upload the above files to VirusTotal for analysis. This will allow avast! and other AVs to add the detections.

If VundoFix doesn’t work, run HijackThis again and fix all the entries for the above files and reboot.
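
Added example, not from any post in this thread: a small Python script that applies the checks the reply above makes by hand to a HijackThis log and lists the files to hash and upload to VirusTotal. It flags BHOs registered with no name, Run values that start rundll32.exe on a quoted DLL with a one-letter export under a hex-looking value name, Winlogon Notify DLLs (these load inside winlogon.exe, which is why a plain delete fails and why VundoFix finishes at reboot), random-looking 8-letter DLL names in system32, and the same file hooked from two load points at once (geBqQKAq.dll in O2 and O20). The log lines are copied from the post above; the name heuristic and its thresholds are my assumptions, not anything HijackThis reports.

```python
"""Triage a HijackThis log for Vundo-style load points.

Added example for this thread; not a tool from any of the posts. The
thresholds in looks_random() are the author's guesses, not HijackThis output.
"""
import re
from collections import defaultdict

# Entries copied from the log posted above (hive paths as HijackThis prints
# them). Benign lines are kept so the heuristics can be seen ignoring them.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {BE7E4CE1-8CBA-44A6-956F-462A667D3286} - C:\WINDOWS\system32\geBqQKAq.dll
O2 - BHO: (no name) - {E6430F8C-9BB1-4C30-A80E-BB21ECD7061B} - C:\WINDOWS\system32\ssqPjjHa.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [318a33ee] rundll32.exe "C:\WINDOWS\system32\bfcoxlyb.dll",b
O4 - HKLM\..\Run: [BM32b90072] Rundll32.exe "C:\WINDOWS\system32\jdsgjxgh.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: geBqQKAq - C:\WINDOWS\SYSTEM32\geBqQKAq.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# First drive-letter path ending in .dll/.exe on a line; surrounding quotes
# and the ",export" suffix of a rundll32 command are left out of the match.
PATH_RE = re.compile(r'([A-Za-z]:\\[^",]*?\.(?:dll|exe))', re.IGNORECASE)
RUN_VALUE_RE = re.compile(r"\[([^\]]+)\]\s+(.*)")
# rundll32 "<dll>",<one letter> is how the posted Vundo entries start.
RUNDLL_ONE_LETTER_RE = re.compile(r'rundll32\.exe\s+"[^"]+\.dll",\w$', re.IGNORECASE)
# Value names that are 8 hex digits, optionally after two letters (318a33ee, BM32b90072).
HEX_VALUE_NAME_RE = re.compile(r"(?:[A-Za-z]{2})?[0-9a-fA-F]{8}")


def looks_random(stem):
    """Heuristic (assumption): Vundo-era droppers used 8-letter names with few
    vowels and capitals mid-word (geBqQKAq, ssqPjjHa); normal binaries rarely
    do. Expect false positives: this is a prompt to hash and look up, not a verdict."""
    if len(stem) != 8 or not stem.isalpha():
        return False
    vowels = sum(c in "aeiou" for c in stem.lower())
    mid_caps = any(c.isupper() for c in stem[1:])
    return vowels <= 2 and (mid_caps or vowels <= 1)


def triage(log_text):
    """Return {lower-cased path: [reasons]} for every load point worth a look."""
    hits = defaultdict(list)
    load_points = defaultdict(set)  # path -> HijackThis sections it appears in

    def flag(path, reason):
        if reason not in hits[path]:
            hits[path].append(reason)

    for line in log_text.splitlines():
        line = line.strip()
        m = PATH_RE.search(line)
        if not m:
            continue
        raw_path = m.group(1)
        path = raw_path.lower()
        section = line.split(" - ", 1)[0]  # "O2", "O4", "O20", ...
        load_points[path].add(section)
        stem = raw_path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]

        if section == "O2" and "(no name)" in line:
            flag(path, "BHO registered with no name")
        if section == "O4":
            vm = RUN_VALUE_RE.search(line)
            if vm:
                value_name, command = vm.groups()
                if RUNDLL_ONE_LETTER_RE.match(command):
                    flag(path, "rundll32 loading a quoted DLL by a one-letter export")
                if HEX_VALUE_NAME_RE.fullmatch(value_name):
                    flag(path, "hex-looking Run value name [%s]" % value_name)
        if section == "O20":
            # Winlogon Notify DLLs load into winlogon.exe, so the file stays
            # locked while Windows is up; removal needs a reboot step.
            flag(path, "Winlogon Notify DLL")
        if "\\system32\\" in path and looks_random(stem):
            flag(path, "random-looking 8-letter name in system32")

    # Same file hooked from two different load points: the strongest single
    # signal in the posted log (geBqQKAq.dll appears in O2 and O20).
    for path, sections in load_points.items():
        if path in hits and len(sections) > 1:
            flag(path, "registered in " + ", ".join(sorted(sections)))
    return dict(hits)


def files_to_submit(log_text):
    """Paths to hash and upload to VirusTotal, most-flagged first."""
    hits = triage(log_text)
    return sorted(hits, key=lambda p: (-len(hits[p]), p))


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG).items():
        print(path, "->", "; ".join(reasons))
```

On the posted log this returns exactly the four DLLs listed above, with geBqQKAq.dll first because it is both an unnamed BHO and a Winlogon Notify package. To run it against your own saved log, call `triage(open("hijackthis.log").read())`; anything it flags is a candidate to look up, not proof, so hash the file and check it on VirusTotal before fixing the entry.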

Hi Tech and zoki123

Some info on VundoFix. I don't know if it applies here. They are attempting to correct this.

VundoFix has some issues with Asian versions of the Windows operating system. Use of VundoFix may delete critical system files, and Windows may not be able to boot after use.

Thanks for the info.

Thanks all… but since VundoFix is not available for download now, I had to reformat the C drive and put WinXP on again… It's a new computer anyway, so…

I am using Avast and ZoneAlarm… Can somebody tell me or point me in the right direction about which other software I should be running in order to be protected from spyware/malware etc.?

Also, should I turn off “System restore” ?

Thanks in advance.

Vundo infections are usually the result of out-of-date and insecure software. The best thing I can recommend is:

https://psi.secunia.com/

zoki123:

"...I am using Avast and ZoneAlarm.... Can somebody tell me or point me in the right direction about which other software I should be running in order to be protected from spyware/malware etc....?"

Avast! and ZoneAlarm are a good combo to protect yourself. Additional programs I would suggest and worth looking into would be Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html), the MVPS HOSTS file (http://www.mvps.org/winhelp2002/hosts.htm) and SUPERAntiSpyware (http://www.superantispyware.com/), and as you've just re-installed Win XP, go to Windows Update, also update all your drivers, and visit https://psi.secunia.com/ as FreewheelinFrank suggests. Common sense when browsing is always a great defence against "spyware/malware etc." ;)

Hi, too bad about the reformat. The above suggestions are good. I would like to add a little if I may.

You should have a resident antispyware program and an on-demand one.
Either of these will fit the bill for the resident one:

Winpatrol
http://www.winpatrol.com/

Windows Defender
http://www.microsoft.com/athome/security/spyware/software/default.mspx

For on-demand:

Superantispyware
http://www.superantispyware.com/

Malwarebytes’ Anti-Malware from
http://www.besttechie.net/tools/mbam-setup.exe

Thanks for the replies…

I Installed Winpatrol, SuperAntispyware and Secunia.

Should I run SuperAntispyware all the time?

Should I run Secunia all the time?

Hi zoki123. From your previous post I gathered you had installed Avast! and ZoneAlarm.

"I am using Avast and ZoneAlarm...."

Avast! is a resident antivirus. ZoneAlarm is a firewall. I hope this is the case as of this moment, that you have Avast! Home or Pro installed and running, all the time, as resident (always active) protection, and the ZoneAlarm firewall.

"I Installed Winpatrol, SuperAntispyware and Secunia."

Winpatrol will notify you if certain changes occur within your computer. These may include changes to start-up programs, the Hosts file, file associations, etc. Winpatrol will alert you of system changes, not protect you from a virus. Read about what you have installed so you know how best to utilise the tools which are designed to help you. SuperAntispyware can be used as a resident (always active) AV, but if you have Avast! installed and active, you do NOT run SuperAntispyware "...all the time?" as it will conflict with Avast!. You can use SuperAntispyware to scan your computer on a regular basis though, after updating to its latest virus database.

"Should I run Secunia all the time?"

No, just each week or so to make sure the programs it detects are up to date. Some programs you will need to check manually for updates. I hope this clarifies things for you, zoki123.

Hi,

I implemented changes that you have recommended.

BTW, should I keep System Restore on or off?

Once you confirm your system is clean, then yes, you should enable System Restore again.