vundo and others

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

rjh4th

Thread Starter
Joined
Dec 29, 2003
Messages
90
Got infected by vundo, infostealer_ldpinch, and trojan_nebuler. I did my best to remove them; I just want an expert to take a look. Below is my HijackThis log.


Logfile of HijackThis v1.99.1
Scan saved at 7:48:39 PM, on 6/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\avp.exe
C:\WINDOWS\mgrs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Rudy\Desktop\New Folder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\System32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AsusStartupHelp] C:\Program Files\ASUS\AASP\1.00.17\AsRunHelp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1179792402572
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Cisco Systems, Inc. STC Agent (STCAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
 

rjh4th

Thread Starter
Joined
Dec 29, 2003
Messages
90
I also ran VundoFix and ComboFix; logs below. I also posted a fresh HijackThis log.


VundoFix V6.5.4

Checking Java version...

Scan started at 8:03:33 PM 6/29/2007

Listing files found while scanning....

C:\windows\system32\hjkkj.bak1
C:\WINDOWS\system32\hjkkj.ini
C:\windows\system32\jkkiijj.dll
C:\WINDOWS\system32\jkkjh.dll

Beginning removal...

Attempting to delete C:\windows\system32\hjkkj.bak1
C:\windows\system32\hjkkj.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\hjkkj.ini
C:\WINDOWS\system32\hjkkj.ini Has been deleted!

Attempting to delete C:\windows\system32\jkkiijj.dll
C:\windows\system32\jkkiijj.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jkkjh.dll
C:\WINDOWS\system32\jkkjh.dll Has been deleted!

Performing Repairs to the registry.
Done!


ComboFix 07-06-18.2 - C:\Documents and Settings\Rudy\Desktop\ComboFix.exe
"Rudy" - 2007-06-29 20:11:44 - Service Pack 2 NTFS


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\avp.exe
C:\WINDOWS\retadpu1000272.exe
C:\WINDOWS\system32\msxml3a.dll


((((((((((((((((((((((((( Files Created from 2007-05-28 to 2007-06-30 )))))))))))))))))))))))))))))))


2007-06-29 20:11 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-29 20:03 <DIR> d-------- C:\VundoFix Backups
2007-06-29 19:00 <DIR> d-------- C:\WINDOWS\pss
2007-06-29 18:53 56,832 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\zmbwhsnk.exe
2007-06-29 18:52 11,776 --a------ C:\WINDOWS\mgrs.exe
2007-06-27 18:21 22,136 --a------ C:\WINDOWS\system32\drivers\CSVirtA.sys
2007-06-20 20:17 33,952 --a------ C:\WINDOWS\system32\drivers\oreans32.sys
2007-06-20 20:15 <DIR> d-------- C:\Program Files\Human Head Studios
2007-06-20 20:00 98,304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-06-20 19:53 <DIR> d-------- C:\Program Files\Eidos
2007-06-19 19:36 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2007-06-19 19:36 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-06-19 19:36 <DIR> d-------- C:\Program Files\Common Files\L&H
2007-06-19 19:35 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-06-19 19:35 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-06-19 19:35 <DIR> d-------- C:\Program Files\Microsoft Works
2007-06-11 17:27 <DIR> d-------- C:\Program Files\QuickTime
2007-06-10 09:25 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-06-09 18:47 <DIR> d-------- C:\Program Files\VideoLAN
2007-06-09 14:53 81,768 --a------ C:\WINDOWS\system32\xinput1_3.dll
2007-06-09 14:53 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2007-06-09 14:53 443,752 --a------ C:\WINDOWS\system32\d3dx10_34.dll
2007-06-09 14:53 443,752 --a------ C:\WINDOWS\system32\d3dx10_33.dll
2007-06-09 14:53 3,497,832 --a------ C:\WINDOWS\system32\d3dx9_34.dll
2007-06-09 14:53 3,495,784 --a------ C:\WINDOWS\system32\d3dx9_33.dll
2007-06-09 14:53 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2007-06-09 14:53 266,088 --a------ C:\WINDOWS\system32\xactengine2_8.dll
2007-06-09 14:53 261,480 --a------ C:\WINDOWS\system32\xactengine2_7.dll
2007-06-09 14:53 255,848 --a------ C:\WINDOWS\system32\xactengine2_6.dll
2007-06-09 14:53 251,672 --a------ C:\WINDOWS\system32\xactengine2_5.dll
2007-06-09 14:53 237,848 --a------ C:\WINDOWS\system32\xactengine2_4.dll
2007-06-09 14:53 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2007-06-09 14:53 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2007-06-09 14:53 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2007-06-09 14:53 18,280 --a------ C:\WINDOWS\system32\x3daudio1_2.dll
2007-06-09 14:53 15,128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll
2007-06-09 14:53 1,124,720 --a------ C:\WINDOWS\system32\D3DCompiler_34.dll
2007-06-09 14:53 1,123,696 --a------ C:\WINDOWS\system32\D3DCompiler_33.dll
2007-06-09 11:42 <DIR> d-------- C:\DOCUME~1\Rudy\APPLIC~1\vlc
2007-06-06 19:24 <DIR> d-------- C:\divx
2007-06-06 19:03 974,848 --a------ C:\WINDOWS\system32\mfc70.dll
2007-06-06 19:03 524,288 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-06-06 19:03 487,424 --a------ C:\WINDOWS\system32\msvcp70.dll
2007-06-06 19:03 413,760 --a------ C:\WINDOWS\system32\mpg4c32.dll
2007-06-06 19:03 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2007-06-06 19:03 261,632 --a------ C:\WINDOWS\system32\mcdvd_32.dll
2007-06-06 19:03 139,264 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-06-06 19:03 1,700,352 --a------ C:\WINDOWS\system32\GdiPlus.dll
2007-06-06 19:03 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2007-06-06 19:03 <DIR> d-------- C:\Program Files\AVSMedia
2007-06-06 18:58 <DIR> d-------- C:\Program Files\Handbrake
2007-06-06 18:55 <DIR> d-------- C:\Program Files\Boilsoft MP4 Converter
2007-06-06 18:51 <DIR> d-------- C:\Program Files\Boilsoft MOV Converter
2007-06-03 20:52 <DIR> d-------- C:\Program Files\Smart Projects
2007-06-01 19:22 <DIR> d--hs---- C:\WINDOWS\CSC
2007-05-31 21:24 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-05-31 21:16 <DIR> d-------- C:\WINDOWS\SoftwareDistribution
2007-05-31 17:34 <DIR> d-------- C:\Program Files\Free WMA to MP3 Converter
2007-05-30 18:49 <DIR> d-------- C:\DOCUME~1\Rudy\APPLIC~1\SlySoft
2007-05-30 18:22 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SlySoft
2007-05-30 18:19 <DIR> d-------- C:\DOCUME~1\Rudy\APPLIC~1\WinRAR
2007-05-30 18:08 <DIR> d-------- C:\Program Files\DVD Shrink
2007-05-30 18:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\DVD Shrink
2007-05-30 17:40 <DIR> d-------- C:\Program Files\SlySoft


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-30 01:09:11 -------- d-----w C:\Program Files\Symantec AntiVirus
2007-06-29 02:31:22 -------- d-----w C:\DOCUME~1\Rudy\APPLIC~1\uTorrent
2007-06-21 00:53:50 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-01 02:27:51 -------- d-----w C:\Program Files\Windows Media Connect 2
2007-05-28 21:56:16 36,944 ----a-w C:\WINDOWS\system32\stcevent.dll
2007-05-28 21:56:16 -------- d-----w C:\Program Files\Cisco Systems
2007-05-26 16:50:03 -------- d-----w C:\Program Files\Alcohol Soft
2007-05-26 16:45:21 639,224 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-05-25 12:22:52 -------- d-----w C:\DOCUME~1\Rudy\APPLIC~1\DivX
2007-05-24 02:29:28 -------- d-----w C:\Program Files\DivX
2007-05-24 01:19:47 -------- d-----w C:\Program Files\uTorrent
2007-05-23 23:20:08 86,016 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2007-05-23 23:20:08 262,144 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2007-05-23 23:18:06 -------- d-----w C:\Program Files\Futuremark
2007-05-23 23:15:31 -------- d-----w C:\Program Files\Realtek
2007-05-23 03:42:48 -------- d-----w C:\Program Files\BitLord
2007-05-23 03:23:21 -------- d-----w C:\Program Files\Common Files\EasyInfo
2007-05-23 01:35:23 -------- d-----w C:\Program Files\CCleaner
2007-05-23 00:27:25 -------- d-----w C:\Program Files\BitTorrent
2007-05-22 11:56:16 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-05-22 11:56:07 -------- d-----w C:\Program Files\Symantec
2007-05-22 02:19:53 -------- d-----w C:\DOCUME~1\Rudy\APPLIC~1\BitTorrent
2007-05-22 01:22:46 -------- d-----w C:\Program Files\ASUS
2007-05-22 01:22:19 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-05-22 00:40:44 -------- d-----w C:\Program Files\MSXML 6.0
2007-05-22 00:28:21 -------- d-----w C:\Program Files\MSBuild
2007-05-22 00:27:22 -------- d-----w C:\DOCUME~1\Rudy\APPLIC~1\MSN6
2007-05-22 00:26:10 -------- d-----w C:\Program Files\Reference Assemblies
2007-05-22 00:23:07 -------- d-----w C:\DOCUME~1\Rudy\APPLIC~1\Google
2007-05-22 00:22:59 -------- d-----w C:\Program Files\Google
2007-05-22 00:17:25 -------- d-----w C:\Program Files\Messenger
2007-05-21 18:57:02 96,328 ----a-w C:\WINDOWS\system32\drivers\AnyDVD.sys
2007-05-20 05:27:25 -------- d-----w C:\Program Files\EA Games
2007-05-19 20:08:25 86,016 ----a-w C:\WINDOWS\system32\ElbyCDIO.dll
2007-05-19 18:05:04 12,400 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-05-19 18:04:32 978 ----a-w C:\WINDOWS\eReg.dat
2007-05-19 17:44:17 -------- d-----w C:\Program Files\NVIDIA Corporation
2007-05-19 17:25:22 -------- d-----w C:\Program Files\Movie Maker
2007-05-19 17:24:37 -------- d-----w C:\Program Files\Windows NT
2007-05-19 16:33:37 -------- d-----w C:\Program Files\microsoft frontpage
2007-05-19 16:33:26 0 --sha-r C:\MSDOS.SYS
2007-05-19 16:33:26 0 --sha-r C:\IO.SYS
2007-05-19 16:33:26 0 ----a-w C:\CONFIG.SYS
2007-05-19 16:33:26 0 ----a-w C:\AUTOEXEC.BAT
2007-05-19 16:32:02 -------- d-----w C:\Program Files\Common Files\MSSoap
2007-05-19 16:31:37 21,640 ----a-w C:\WINDOWS\system32\emptyregdb.dat
2007-05-19 16:31:34 -------- d--h--w C:\Program Files\WindowsUpdate
2007-05-19 16:31:34 -------- d-----w C:\Program Files\Online Services
2007-05-19 16:31:27 -------- d-----w C:\Program Files\MSN Gaming Zone
2007-05-19 12:28:24 -------- d-----w C:\Program Files\Common Files\ODBC
2007-05-19 12:28:22 -------- d-----w C:\Program Files\Common Files\SpeechEngines
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-11 17:54:15 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-05-11 04:37:15 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-05-11 04:37:15 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-05-11 04:37:15 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-05-11 04:37:15 740,442 ----a-w C:\WINDOWS\system32\DivX.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-23 00:15:29 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-04-23 00:15:24 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2007-04-23 00:15:24 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2007-04-23 00:15:24 116,472 ------w C:\WINDOWS\system32\pxcpyi64.exe
2007-04-23 00:15:18 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-04-23 00:15:18 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-04-23 00:02:34 73,728 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-04-23 00:02:34 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-04-23 00:02:33 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-04-23 00:02:31 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-04-23 00:02:31 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-04-23 00:02:31 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-04-23 00:02:31 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-04-23 00:02:31 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-04-23 00:01:47 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-04-23 00:01:46 124,472 ----a-w C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2007-04-20 11:05:00 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll
2007-04-20 11:05:00 81,920 ----a-w C:\WINDOWS\system32\nvmctray.dll
2007-04-20 11:05:00 8,429,568 ----a-w C:\WINDOWS\system32\nvcpl.dll
2007-04-20 11:05:00 745,472 ----a-w C:\WINDOWS\system32\nvcplui.exe
2007-04-20 11:05:00 6,668,288 ----a-w C:\WINDOWS\system32\nvoglnt.dll
2007-04-20 11:05:00 6,217,728 ----a-w C:\WINDOWS\system32\nvdisps.dll
2007-04-20 11:05:00 5,434,880 ----a-w C:\WINDOWS\system32\nv4_disp.dll
2007-04-20 11:05:00 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll
2007-04-20 11:05:00 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll
2007-04-20 11:05:00 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
2007-04-20 11:05:00 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
2007-04-20 11:05:00 37,888 ----a-w C:\WINDOWS\system32\nvcodins.dll
2007-04-20 11:05:00 37,888 ----a-w C:\WINDOWS\system32\nvcod.dll
2007-04-20 11:05:00 344,064 ----a-w C:\WINDOWS\system32\nvapi.dll
2007-04-20 11:05:00 307,200 ----a-w C:\WINDOWS\system32\nvexpbar.dll
2007-04-20 11:05:00 3,538,944 ----a-w C:\WINDOWS\system32\nvvitvs.dll
2007-04-20 11:05:00 3,289,088 ----a-w C:\WINDOWS\system32\nvgames.dll
2007-04-20 11:05:00 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll
2007-04-20 11:05:00 229,376 ----a-w C:\WINDOWS\system32\nvmccs.dll
2007-04-20 11:05:00 2,273,280 ----a-w C:\WINDOWS\system32\nvwss.dll
2007-04-20 11:05:00 188,416 ----a-w C:\WINDOWS\system32\nvmccss.dll
2007-04-20 11:05:00 163,908 ----a-w C:\WINDOWS\system32\nvsvc32.exe
2007-04-20 11:05:00 143,360 ----a-w C:\WINDOWS\system32\nvcolor.exe
2007-04-20 11:05:00 1,703,936 ----a-w C:\WINDOWS\system32\nvwdmcpl.dll
2007-04-20 11:05:00 1,626,112 ----a-w C:\WINDOWS\system32\nwiz.exe
2007-04-20 11:05:00 1,474,560 ----a-w C:\WINDOWS\system32\nview.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{0A7B64F5-10D9-4959-B688-17D014410B99}=C:\WINDOWS\system32\jkkjh.dll []
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar1.dll [2007-05-21 19:22]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}=C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll [2007-05-21 19:22]
{FB40D31A-B1F8-47EA-BC54-D27DDB475978}=C:\WINDOWS\system32\jkkiijj.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkyTel"="SkyTel.EXE" [2006-05-17 02:04 C:\WINDOWS\SkyTel.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 19:26]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 20:33]
"Mouse Suite 98 Daemon"="ICO.EXE" [2003-11-20 14:08 C:\WINDOWS\system32\ico.exe]
"nwiz"="nwiz.exe" [2007-04-20 06:05 C:\WINDOWS\system32\nwiz.exe]
"AsusStartupHelp"="C:\Program Files\ASUS\AASP\1.00.17\AsRunHelp.exe" [2006-11-14 01:25]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"RTHDCPL"="RTHDCPL.EXE" [2006-10-12 02:36 C:\WINDOWS\RTHDCPL.exe]
"Alcmtr"="ALCMTR.EXE" [2005-05-04 02:43 C:\WINDOWS\Alcmtr.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-11 17:27]
"smgr"="mgrs.exe" [2007-06-29 18:52 C:\WINDOWS\mgrs.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-21 19:22]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{FB40D31A-B1F8-47EA-BC54-D27DDB475978}"="C:\WINDOWS\system32\jkkiijj.dll" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winemv32]
winemv32.dll


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c1d731eb-05f8-11dc-93ca-806d6172696f}]
AutoRun\command- D:\.\Bin\ASSETUP.exe


**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-29 20:13:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-29 20:14:52
C:\ComboFix-quarantined-files.txt ... 2007-06-29 20:14

--- E O F ---

Logfile of HijackThis v1.99.1
Scan saved at 8:28:42 PM, on 6/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\mgrs.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Rudy\Desktop\New Folder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0A7B64F5-10D9-4959-B688-17D014410B99} - C:\WINDOWS\system32\jkkjh.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll
O2 - BHO: (no name) - {FB40D31A-B1F8-47EA-BC54-D27DDB475978} - C:\WINDOWS\system32\jkkiijj.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AsusStartupHelp] C:\Program Files\ASUS\AASP\1.00.17\AsRunHelp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1179792402572
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winemv32 - winemv32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Cisco Systems, Inc. STC Agent (STCAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
 

rjh4th

Thread Starter
Joined
Dec 29, 2003
Messages
90
Here's my SAS log also.


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/29/2007 at 09:34 PM

Application Version : 3.9.1008

Core Rules Database Version : 3263
Trace Rules Database Version: 1274

Scan type : Complete Scan
Total Scan Time : 00:51:17

Memory items scanned : 383
Memory threats detected : 1
Registry items scanned : 5506
Registry threats detected : 33
File items scanned : 54125
File threats detected : 9

Trojan.Downloader-MGRS
C:\WINDOWS\MGRS.EXE
C:\WINDOWS\MGRS.EXE
[smgr] C:\WINDOWS\MGRS.EXE
C:\WINDOWS\Prefetch\MGRS.EXE-34C3510A.pf

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{0A7B64F5-10D9-4959-B688-17D014410B99}
HKCR\CLSID\{0A7B64F5-10D9-4959-B688-17D014410B99}
HKCR\CLSID\{0A7B64F5-10D9-4959-B688-17D014410B99}\InprocServer32
HKCR\CLSID\{0A7B64F5-10D9-4959-B688-17D014410B99}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\JKKJH.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0A7B64F5-10D9-4959-B688-17D014410B99}

Unclassified.Oreans32
HKLM\System\ControlSet001\Services\oreans32
C:\WINDOWS\SYSTEM32\DRIVERS\OREANS32.SYS
HKLM\System\ControlSet003\Services\oreans32
HKLM\System\CurrentControlSet\Services\oreans32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Capabilities
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\LogConf
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control#ActiveService
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Type
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Start
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security#Security
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#NextInstance

Adware.Tracking Cookie
C:\Documents and Settings\Rudy\Cookies\[email protected][1].txt
C:\Documents and Settings\Rudy\Cookies\[email protected][2].txt
C:\Documents and Settings\Rudy\Cookies\[email protected][1].txt
C:\Documents and Settings\Rudy\Cookies\[email protected][2].txt

Trojan.Downloader-Gen/AVP
C:\QOOBOX\QUARANTINE\C\WINDOWS\AVP.EXE.VIR