vundo and others

rjh4th · Jun 29, 2007

got infected by vundo,infostealer_ldpinch, and trojan_nebuler. I did my best to remove, just want an expert to take a look. Below is my hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 7:48:39 PM, on 6/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\avp.exe
C:\WINDOWS\mgrs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Rudy\Desktop\New Folder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\System32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AsusStartupHelp] C:\Program Files\ASUS\AASP\1.00.17\AsRunHelp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1179792402572
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Cisco Systems, Inc. STC Agent (STCAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

rjh4th · Jun 29, 2007

I also ran vundo fix and combo fix logs below. Also posted a fresh hijackthis log

VundoFix V6.5.4

Checking Java version...

Scan started at 8:03:33 PM 6/29/2007

Listing files found while scanning....

C:\windows\system32\hjkkj.bak1
C:\WINDOWS\system32\hjkkj.ini
C:\windows\system32\jkkiijj.dll
C:\WINDOWS\system32\jkkjh.dll

Beginning removal...

Attempting to delete C:\windows\system32\hjkkj.bak1
C:\windows\system32\hjkkj.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\hjkkj.ini
C:\WINDOWS\system32\hjkkj.ini Has been deleted!

Attempting to delete C:\windows\system32\jkkiijj.dll
C:\windows\system32\jkkiijj.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jkkjh.dll
C:\WINDOWS\system32\jkkjh.dll Has been deleted!

Performing Repairs to the registry.
Done!

ComboFix 07-06-18.2 - C:\Documents and Settings\Rudy\Desktop\ComboFix.exe
"Rudy" - 2007-06-29 20:11:44 - Service Pack 2 NTFS

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\avp.exe
C:\WINDOWS\retadpu1000272.exe
C:\WINDOWS\system32\msxml3a.dll

((((((((((((((((((((((((( Files Created from 2007-05-28 to 2007-06-30 )))))))))))))))))))))))))))))))

2007-06-29 20:11 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-29 20:03 <DIR> d-------- C:\VundoFix Backups
2007-06-29 19:00 <DIR> d-------- C:\WINDOWS\pss
2007-06-29 18:53 56,832 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\zmbwhsnk.exe
2007-06-29 18:52 11,776 --a------ C:\WINDOWS\mgrs.exe
2007-06-27 18:21 22,136 --a------ C:\WINDOWS\system32\drivers\CSVirtA.sys
2007-06-20 20:17 33,952 --a------ C:\WINDOWS\system32\drivers\oreans32.sys
2007-06-20 20:15 <DIR> d-------- C:\Program Files\Human Head Studios
2007-06-20 20:00 98,304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-06-20 19:53 <DIR> d-------- C:\Program Files\Eidos
2007-06-19 19:36 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2007-06-19 19:36 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-06-19 19:36 <DIR> d-------- C:\Program Files\Common Files\L&H
2007-06-19 19:35 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-06-19 19:35 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-06-19 19:35 <DIR> d-------- C:\Program Files\Microsoft Works
2007-06-11 17:27 <DIR> d-------- C:\Program Files\QuickTime
2007-06-10 09:25 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-06-09 18:47 <DIR> d-------- C:\Program Files\VideoLAN
2007-06-09 14:53 81,768 --a------ C:\WINDOWS\system32\xinput1_3.dll
2007-06-09 14:53 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2007-06-09 14:53 443,752 --a------ C:\WINDOWS\system32\d3dx10_34.dll
2007-06-09 14:53 443,752 --a------ C:\WINDOWS\system32\d3dx10_33.dll
2007-06-09 14:53 3,497,832 --a------ C:\WINDOWS\system32\d3dx9_34.dll
2007-06-09 14:53 3,495,784 --a------ C:\WINDOWS\system32\d3dx9_33.dll
2007-06-09 14:53 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2007-06-09 14:53 266,088 --a------ C:\WINDOWS\system32\xactengine2_8.dll
2007-06-09 14:53 261,480 --a------ C:\WINDOWS\system32\xactengine2_7.dll
2007-06-09 14:53 255,848 --a------ C:\WINDOWS\system32\xactengine2_6.dll
2007-06-09 14:53 251,672 --a------ C:\WINDOWS\system32\xactengine2_5.dll
2007-06-09 14:53 237,848 --a------ C:\WINDOWS\system32\xactengine2_4.dll
2007-06-09 14:53 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2007-06-09 14:53 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2007-06-09 14:53 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2007-06-09 14:53 18,280 --a------ C:\WINDOWS\system32\x3daudio1_2.dll
2007-06-09 14:53 15,128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll
2007-06-09 14:53 1,124,720 --a------ C:\WINDOWS\system32\D3DCompiler_34.dll
2007-06-09 14:53 1,123,696 --a------ C:\WINDOWS\system32\D3DCompiler_33.dll
2007-06-09 11:42 <DIR> d-------- C:\DOCUME~1\Rudy\APPLIC~1\vlc
2007-06-06 19:24 <DIR> d-------- C:\divx
2007-06-06 19:03 974,848 --a------ C:\WINDOWS\system32\mfc70.dll
2007-06-06 19:03 524,288 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-06-06 19:03 487,424 --a------ C:\WINDOWS\system32\msvcp70.dll
2007-06-06 19:03 413,760 --a------ C:\WINDOWS\system32\mpg4c32.dll
2007-06-06 19:03 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2007-06-06 19:03 261,632 --a------ C:\WINDOWS\system32\mcdvd_32.dll
2007-06-06 19:03 139,264 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-06-06 19:03 1,700,352 --a------ C:\WINDOWS\system32\GdiPlus.dll
2007-06-06 19:03 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2007-06-06 19:03 <DIR> d-------- C:\Program Files\AVSMedia
2007-06-06 18:58 <DIR> d-------- C:\Program Files\Handbrake
2007-06-06 18:55 <DIR> d-------- C:\Program Files\Boilsoft MP4 Converter
2007-06-06 18:51 <DIR> d-------- C:\Program Files\Boilsoft MOV Converter
2007-06-03 20:52 <DIR> d-------- C:\Program Files\Smart Projects
2007-06-01 19:22 <DIR> d--hs---- C:\WINDOWS\CSC
2007-05-31 21:24 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-05-31 21:16 <DIR> d-------- C:\WINDOWS\SoftwareDistribution
2007-05-31 17:34 <DIR> d-------- C:\Program Files\Free WMA to MP3 Converter
2007-05-30 18:49 <DIR> d-------- C:\DOCUME~1\Rudy\APPLIC~1\SlySoft
2007-05-30 18:22 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SlySoft
2007-05-30 18:19 <DIR> d-------- C:\DOCUME~1\Rudy\APPLIC~1\WinRAR
2007-05-30 18:08 <DIR> d-------- C:\Program Files\DVD Shrink
2007-05-30 18:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\DVD Shrink
2007-05-30 17:40 <DIR> d-------- C:\Program Files\SlySoft

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-30 01:09:11 -------- d-----w C:\Program Files\Symantec AntiVirus
2007-06-29 02:31:22 -------- d-----w C:\DOCUME~1\Rudy\APPLIC~1\uTorrent
2007-06-21 00:53:50 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-01 02:27:51 -------- d-----w C:\Program Files\Windows Media Connect 2
2007-05-28 21:56:16 36,944 ----a-w C:\WINDOWS\system32\stcevent.dll
2007-05-28 21:56:16 -------- d-----w C:\Program Files\Cisco Systems
2007-05-26 16:50:03 -------- d-----w C:\Program Files\Alcohol Soft
2007-05-26 16:45:21 639,224 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-05-25 12:22:52 -------- d-----w C:\DOCUME~1\Rudy\APPLIC~1\DivX
2007-05-24 02:29:28 -------- d-----w C:\Program Files\DivX
2007-05-24 01:19:47 -------- d-----w C:\Program Files\uTorrent
2007-05-23 23:20:08 86,016 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2007-05-23 23:20:08 262,144 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2007-05-23 23:18:06 -------- d-----w C:\Program Files\Futuremark
2007-05-23 23:15:31 -------- d-----w C:\Program Files\Realtek
2007-05-23 03:42:48 -------- d-----w C:\Program Files\BitLord
2007-05-23 03:23:21 -------- d-----w C:\Program Files\Common Files\EasyInfo
2007-05-23 01:35:23 -------- d-----w C:\Program Files\CCleaner
2007-05-23 00:27:25 -------- d-----w C:\Program Files\BitTorrent
2007-05-22 11:56:16 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-05-22 11:56:07 -------- d-----w C:\Program Files\Symantec
2007-05-22 02:19:53 -------- d-----w C:\DOCUME~1\Rudy\APPLIC~1\BitTorrent
2007-05-22 01:22:46 -------- d-----w C:\Program Files\ASUS
2007-05-22 01:22:19 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-05-22 00:40:44 -------- d-----w C:\Program Files\MSXML 6.0
2007-05-22 00:28:21 -------- d-----w C:\Program Files\MSBuild
2007-05-22 00:27:22 -------- d-----w C:\DOCUME~1\Rudy\APPLIC~1\MSN6
2007-05-22 00:26:10 -------- d-----w C:\Program Files\Reference Assemblies
2007-05-22 00:23:07 -------- d-----w C:\DOCUME~1\Rudy\APPLIC~1\Google
2007-05-22 00:22:59 -------- d-----w C:\Program Files\Google
2007-05-22 00:17:25 -------- d-----w C:\Program Files\Messenger
2007-05-21 18:57:02 96,328 ----a-w C:\WINDOWS\system32\drivers\AnyDVD.sys
2007-05-20 05:27:25 -------- d-----w C:\Program Files\EA Games
2007-05-19 20:08:25 86,016 ----a-w C:\WINDOWS\system32\ElbyCDIO.dll
2007-05-19 18:05:04 12,400 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-05-19 18:04:32 978 ----a-w C:\WINDOWS\eReg.dat
2007-05-19 17:44:17 -------- d-----w C:\Program Files\NVIDIA Corporation
2007-05-19 17:25:22 -------- d-----w C:\Program Files\Movie Maker
2007-05-19 17:24:37 -------- d-----w C:\Program Files\Windows NT
2007-05-19 16:33:37 -------- d-----w C:\Program Files\microsoft frontpage
2007-05-19 16:33:26 0 --sha-r C:\MSDOS.SYS
2007-05-19 16:33:26 0 --sha-r C:\IO.SYS
2007-05-19 16:33:26 0 ----a-w C:\CONFIG.SYS
2007-05-19 16:33:26 0 ----a-w C:\AUTOEXEC.BAT
2007-05-19 16:32:02 -------- d-----w C:\Program Files\Common Files\MSSoap
2007-05-19 16:31:37 21,640 ----a-w C:\WINDOWS\system32\emptyregdb.dat
2007-05-19 16:31:34 -------- d--h--w C:\Program Files\WindowsUpdate
2007-05-19 16:31:34 -------- d-----w C:\Program Files\Online Services
2007-05-19 16:31:27 -------- d-----w C:\Program Files\MSN Gaming Zone
2007-05-19 12:28:24 -------- d-----w C:\Program Files\Common Files\ODBC
2007-05-19 12:28:22 -------- d-----w C:\Program Files\Common Files\SpeechEngines
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-11 17:54:15 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-05-11 04:37:15 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-05-11 04:37:15 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-05-11 04:37:15 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-05-11 04:37:15 740,442 ----a-w C:\WINDOWS\system32\DivX.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-23 00:15:29 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-04-23 00:15:24 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2007-04-23 00:15:24 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2007-04-23 00:15:24 116,472 ------w C:\WINDOWS\system32\pxcpyi64.exe
2007-04-23 00:15:18 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-04-23 00:15:18 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-04-23 00:02:34 73,728 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-04-23 00:02:34 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-04-23 00:02:33 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-04-23 00:02:31 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-04-23 00:02:31 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-04-23 00:02:31 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-04-23 00:02:31 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-04-23 00:02:31 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-04-23 00:01:47 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-04-23 00:01:46 124,472 ----a-w C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2007-04-20 11:05:00 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll
2007-04-20 11:05:00 81,920 ----a-w C:\WINDOWS\system32\nvmctray.dll
2007-04-20 11:05:00 8,429,568 ----a-w C:\WINDOWS\system32\nvcpl.dll
2007-04-20 11:05:00 745,472 ----a-w C:\WINDOWS\system32\nvcplui.exe
2007-04-20 11:05:00 6,668,288 ----a-w C:\WINDOWS\system32\nvoglnt.dll
2007-04-20 11:05:00 6,217,728 ----a-w C:\WINDOWS\system32\nvdisps.dll
2007-04-20 11:05:00 5,434,880 ----a-w C:\WINDOWS\system32\nv4_disp.dll
2007-04-20 11:05:00 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll
2007-04-20 11:05:00 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll
2007-04-20 11:05:00 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
2007-04-20 11:05:00 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
2007-04-20 11:05:00 37,888 ----a-w C:\WINDOWS\system32\nvcodins.dll
2007-04-20 11:05:00 37,888 ----a-w C:\WINDOWS\system32\nvcod.dll
2007-04-20 11:05:00 344,064 ----a-w C:\WINDOWS\system32\nvapi.dll
2007-04-20 11:05:00 307,200 ----a-w C:\WINDOWS\system32\nvexpbar.dll
2007-04-20 11:05:00 3,538,944 ----a-w C:\WINDOWS\system32\nvvitvs.dll
2007-04-20 11:05:00 3,289,088 ----a-w C:\WINDOWS\system32\nvgames.dll
2007-04-20 11:05:00 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll
2007-04-20 11:05:00 229,376 ----a-w C:\WINDOWS\system32\nvmccs.dll
2007-04-20 11:05:00 2,273,280 ----a-w C:\WINDOWS\system32\nvwss.dll
2007-04-20 11:05:00 188,416 ----a-w C:\WINDOWS\system32\nvmccss.dll
2007-04-20 11:05:00 163,908 ----a-w C:\WINDOWS\system32\nvsvc32.exe
2007-04-20 11:05:00 143,360 ----a-w C:\WINDOWS\system32\nvcolor.exe
2007-04-20 11:05:00 1,703,936 ----a-w C:\WINDOWS\system32\nvwdmcpl.dll
2007-04-20 11:05:00 1,626,112 ----a-w C:\WINDOWS\system32\nwiz.exe
2007-04-20 11:05:00 1,474,560 ----a-w C:\WINDOWS\system32\nview.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{0A7B64F5-10D9-4959-B688-17D014410B99}=C:\WINDOWS\system32\jkkjh.dll []
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar1.dll [2007-05-21 19:22]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}=C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll [2007-05-21 19:22]
{FB40D31A-B1F8-47EA-BC54-D27DDB475978}=C:\WINDOWS\system32\jkkiijj.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkyTel"="SkyTel.EXE" [2006-05-17 02:04 C:\WINDOWS\SkyTel.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 19:26]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 20:33]
"Mouse Suite 98 Daemon"="ICO.EXE" [2003-11-20 14:08 C:\WINDOWS\system32\ico.exe]
"nwiz"="nwiz.exe" [2007-04-20 06:05 C:\WINDOWS\system32\nwiz.exe]
"AsusStartupHelp"="C:\Program Files\ASUS\AASP\1.00.17\AsRunHelp.exe" [2006-11-14 01:25]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"RTHDCPL"="RTHDCPL.EXE" [2006-10-12 02:36 C:\WINDOWS\RTHDCPL.exe]
"Alcmtr"="ALCMTR.EXE" [2005-05-04 02:43 C:\WINDOWS\Alcmtr.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-11 17:27]
"smgr"="mgrs.exe" [2007-06-29 18:52 C:\WINDOWS\mgrs.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-21 19:22]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{FB40D31A-B1F8-47EA-BC54-D27DDB475978}"="C:\WINDOWS\system32\jkkiijj.dll" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winemv32]
winemv32.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c1d731eb-05f8-11dc-93ca-806d6172696f}]
AutoRun\command- D:\.\Bin\ASSETUP.exe

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-29 20:13:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-29 20:14:52
C:\ComboFix-quarantined-files.txt ... 2007-06-29 20:14

--- E O F ---

Logfile of HijackThis v1.99.1
Scan saved at 8:28:42 PM, on 6/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\mgrs.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Rudy\Desktop\New Folder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0A7B64F5-10D9-4959-B688-17D014410B99} - C:\WINDOWS\system32\jkkjh.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll
O2 - BHO: (no name) - {FB40D31A-B1F8-47EA-BC54-D27DDB475978} - C:\WINDOWS\system32\jkkiijj.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AsusStartupHelp] C:\Program Files\ASUS\AASP\1.00.17\AsRunHelp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1179792402572
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winemv32 - winemv32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Cisco Systems, Inc. STC Agent (STCAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

rjh4th · Jun 29, 2007

here's my SAS log also.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/29/2007 at 09:34 PM

Application Version : 3.9.1008

Core Rules Database Version : 3263
Trace Rules Database Version: 1274

Scan type : Complete Scan
Total Scan Time : 00:51:17

Memory items scanned : 383
Memory threats detected : 1
Registry items scanned : 5506
Registry threats detected : 33
File items scanned : 54125
File threats detected : 9

Trojan.Downloader-MGRS
C:\WINDOWS\MGRS.EXE
C:\WINDOWS\MGRS.EXE
[smgr] C:\WINDOWS\MGRS.EXE
C:\WINDOWS\Prefetch\MGRS.EXE-34C3510A.pf

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{0A7B64F5-10D9-4959-B688-17D014410B99}
HKCR\CLSID\{0A7B64F5-10D9-4959-B688-17D014410B99}
HKCR\CLSID\{0A7B64F5-10D9-4959-B688-17D014410B99}\InprocServer32
HKCR\CLSID\{0A7B64F5-10D9-4959-B688-17D014410B99}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\JKKJH.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0A7B64F5-10D9-4959-B688-17D014410B99}

Unclassified.Oreans32
HKLM\System\ControlSet001\Services\oreans32
C:\WINDOWS\SYSTEM32\DRIVERS\OREANS32.SYS
HKLM\System\ControlSet003\Services\oreans32
HKLM\System\CurrentControlSet\Services\oreans32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Capabilities
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\LogConf
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control#ActiveService
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Type
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Start
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security#Security
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#NextInstance

Adware.Tracking Cookie
C:\Documents and Settings\Rudy\Cookies\[email protected][1].txt
C:\Documents and Settings\Rudy\Cookies\[email protected][2].txt
C:\Documents and Settings\Rudy\Cookies\[email protected][1].txt
C:\Documents and Settings\Rudy\Cookies\[email protected][2].txt

Trojan.Downloader-Gen/AVP
C:\QOOBOX\QUARANTINE\C\WINDOWS\AVP.EXE.VIR

Log in or Sign up

vundo and others

rjh4th Thread Starter

rjh4th Thread Starter

rjh4th Thread Starter

Welcome to Tech Support Guy!

Log in or Sign up

vundo and others

rjh4th Thread Starter

rjh4th Thread Starter

rjh4th Thread Starter

Welcome to Tech Support Guy!

Useful Searches