Win32 And Vundo Trojans - HijackThis Log Included


This topic is locked
7 replies to this topic

#1 VundoHater (Members, 17 posts)

Posted 30 March 2007 - 08:04 PM

Hello.

I have been struggling to get rid of this Vundo trojan. It seemed to have gone away for about an hour, and then it came back under the name Win32.
I have run VundoFix and Virtumundo. Apparently neither have worked, because it's still here! I've run virus scans, etc.
Here is my HijackThis log file:


Logfile of HijackThis v1.99.1
Scan saved at 8:45:48 PM, on 3/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\hp\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {325397A5-238E-4196-9711-89FE868917Aa} - C:\WINDOWS\system32\xouxxdde.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\nhfqrgdd.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7D064D71-DD76-4596-90C0-921766AD560A} - C:\WINDOWS\system32\ssqoool.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {99632596-7336-4605-A1AC-9951F09CC5C4} - C:\WINDOWS\system32\ddabc.dll (file missing)
O2 - BHO: (no name) - {C21B5D96-7C1F-4086-A47C-11C603242D19} - C:\WINDOWS\system32\awvvu.dll (file missing)
O2 - BHO: (no name) - {DFDCCD3A-7E35-4D4A-8AA6-34FED210FDE5} - C:\WINDOWS\system32\awvvw.dll (file missing)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\anpgajjc.dll",setvm
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)


I really hope someone can help me....
Also, in the process of attempting to remove Vundo, Vundo Fixer deleted a .DLL file that Windows tells me about every time I start my computer. Any knowledge on that would be great.

Thanks in advance!
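As an added worked example (my code, not part of the original post and not anything HijackThis itself does), here is a small Python triage script over the O2/O4 lines from the log above. It encodes the checks a helper applies by eye: a BHO registration whose DLL is already gone is an orphaned CLSID that only needs its registry entry fixed; an unnamed BHO that loads a short, all-letter DLL straight out of system32 is the Vundo pattern; and a Run entry that starts rundll32.exe on such a DLL with an unfamiliar export (the [SoundService] line) is the same family's loader. The sample text and the one allowlisted CLSID (Spybot's SDHelper, which HijackThis also shows as "(no name)") are copied from this thread; the 5-to-8-letter random-name heuristic is my assumption.

```python
import re
from dataclasses import dataclass

# Constructed sample: O2/O4 lines copied from the first HijackThis 1.99.1 log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {325397A5-238E-4196-9711-89FE868917Aa} - C:\WINDOWS\system32\xouxxdde.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\nhfqrgdd.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7D064D71-DD76-4596-90C0-921766AD560A} - C:\WINDOWS\system32\ssqoool.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\anpgajjc.dll",setvm
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<target>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.*)$")
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>\w+)', re.IGNORECASE)
# Assumed heuristic: Vundo drops its DLLs straight into system32 under short, random, all-letter names.
SYS32_RANDOM_DLL = re.compile(r"^C:\\WINDOWS\\system32\\[a-z]{5,8}\.dll$", re.IGNORECASE)

# CLSIDs that show up as "(no name)" but are known good; this one is taken from the log itself.
KNOWN_GOOD_CLSIDS = {
    "53707962-6F74-2D53-2644-206D7942484F": "Spybot S&D SDHelper",
}


@dataclass
class Finding:
    line: str
    reason: str


def triage_line(line: str):
    """Return a Finding for one HijackThis line, or None if it looks clean."""
    m = O2_RE.match(line)
    if m:
        clsid = m["clsid"].upper()
        if clsid in KNOWN_GOOD_CLSIDS:
            return None
        target = m["target"].strip()
        if target == "(no file)" or target.endswith("(file missing)"):
            # The DLL was already removed (by VundoFix or by the malware rotating names);
            # the CLSID registration is what is left to fix.
            return Finding(line, f"orphaned BHO {{{clsid}}}: DLL is gone but the registration remains")
        if m["name"] == "(no name)" and SYS32_RANDOM_DLL.match(target):
            return Finding(line, f"unnamed BHO loading {target} (random-named DLL in system32)")
        return None
    m = O4_RE.match(line)
    if m:
        r = RUNDLL_RE.match(m["cmd"].strip())
        if r and SYS32_RANDOM_DLL.match(r["dll"]):
            return Finding(line, f"Run key [{m['key']}] uses rundll32 to load {r['dll']} export {r['export']}")
    return None


def triage(log_text: str):
    """Run triage_line over every line of a HijackThis log and keep the hits."""
    return [f for f in map(triage_line, log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Run against the sample it flags five lines (xouxxdde.dll, ssqoool.dll, the [SoundService] loader, and the two orphaned CLSIDs) and leaves the Acrobat, Spybot, Java and avast! entries alone. The "(file missing)" hits are the entries HijackThis can safely fix on its own; the ones whose DLL is still present need the file removed as well, which is what the later Killbox step in this thread does.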


#2 SifuMike (malware expert, Staff Emeritus, 15,385 posts, Location: Vancouver (not BC) WA (Not DC) USA)

Posted 01 April 2007 - 01:38 PM

Hello VundoHater,

I am SifuMike and I will be helping you. :thumbsup:

I need you to rename Hijackthis because I believe that you may have the Vundo infection that can hide some entries in your log.
  • Please go to the folder where you saved Hijackthis.exe:
    C:\Documents and Settings\hp\Desktop\HijackThis.exe
  • Right-click on it, then select Rename.
  • Name it something like: AnalyzeThis.exe (or whatever you want)
  • Then double-click AnalyzeThis.exe to scan and then post the new logfile (after you have done the following).
******************

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language jre-6-windows-i586.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.
******************

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window while it's running; that may cause it to stall.
Disable script blocking if you have Norton Antivirus installed so it will not interfere with the fix. Trojan Hunter has been reported to detect ComboFix as Worm.Qiv.100.


******************

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt, ComboFix log and a new HiJackThis log.

Edited by SifuMike, 01 April 2007 - 01:43 PM.

If I've saved you time & money, please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 VundoHater (Topic Starter, Members, 17 posts)

Posted 01 April 2007 - 07:41 PM

Hi!
Thanks for your reply.

Vundo fix did not find any infected files. The frequency of pop-ups has minimized, but I would like to make sure that the entire infection is gone.

Here is the Combofix log:
"hp" - 07-04-01 20:31:12 Service Pack 2
ComboFix 07-03-27.4.2 - Running from: "C:\Documents and Settings\hp\Desktop"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\hp\Desktop\internet.lnk
C:\WINDOWS\system32\ddccd.dll
C:\Program Files\vsadd-in


((((((((((((((((((((((((((((((( Files Created from 2007-03-01 to 2007-04-01 ))))))))))))))))))))))))))))))))))


2007-04-01 20:25 <DIR> d-------- C:\Program Files\Java
2007-04-01 20:24 <DIR> d-------- C:\Program Files\Common Files\Java
2007-03-31 13:32 98,983 --a------ C:\WINDOWS\system32\awtqr.dll
2007-03-31 13:32 253,743 --a------ C:\WINDOWS\system32\awtqq.dll
2007-03-31 09:44 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-03-30 20:51 767,457 ---hs---- C:\WINDOWS\system32\acbeg.bak1
2007-03-30 20:51 132,116 --a------ C:\WINDOWS\system32\eehtrgls.dll
2007-03-30 20:50 280,676 --ahs---- C:\WINDOWS\system32\gebca.dll.vir
2007-03-30 19:25 767,417 ---hs---- C:\WINDOWS\system32\qqtss.bak1
2007-03-30 19:25 132,116 --a------ C:\WINDOWS\system32\xouxxdde.dll
2007-03-30 19:24 280,676 --ahs---- C:\WINDOWS\system32\sstqq.dll.vir
2007-03-30 17:29 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-03-30 17:16 767,457 ---hs---- C:\WINDOWS\system32\nmllm.bak1
2007-03-30 17:16 132,116 --a------ C:\WINDOWS\system32\hrlqrmek.dll
2007-03-30 17:15 280,676 --ahs---- C:\WINDOWS\system32\mllmn.dll.vir
2007-03-30 16:56 <DIR> d-------- C:\VundoFix Backups
2007-03-30 16:49 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-03-29 20:52 132,116 --a------ C:\WINDOWS\system32\qwhxocsu.dll
2007-03-29 20:17 767,417 ---hs---- C:\WINDOWS\system32\uvvwa.bak1
2007-03-29 19:20 94,424 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-03-29 19:20 90,112 --a------ C:\WINDOWS\system32\AVASTSS.scr
2007-03-29 19:20 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-03-29 19:20 689,280 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-03-29 19:20 43,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-03-29 19:20 31,560 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-03-29 19:20 23,352 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-03-29 19:20 <DIR> d-------- C:\Program Files\Alwil Software
2007-03-29 04:07 <DIR> d-------- C:\10c493bd962ac12c15
2007-03-28 21:44 791,574 ---hs---- C:\WINDOWS\system32\cbadd.bak2
2007-03-28 16:20 <DIR> d-------- C:\Program Files\PartyGaming
2007-03-28 13:59 <DIR> d-------- C:\DOCUME~1\hp\ppDir
2007-03-28 13:57 <DIR> d-------- C:\WINDOWS\Sun
2007-03-28 13:57 <DIR> d-------- C:\DOCUME~1\hp\APPLIC~1\Sun
2007-03-28 08:14 262,144 --a------ C:\DOCUME~1\ALLUSE~1\ntuser.dat
2007-03-28 08:14 <DIR> d-------- C:\6a019ed90d6247c9b2439f
2007-03-28 08:05 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-03-27 23:16 <DIR> d-------- C:\WINDOWS\pss
2007-03-27 22:42 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-03-27 21:35 <DIR> d-------- C:\DOCUME~1\hp\APPLIC~1\SpywareBot
2007-03-27 20:22 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
2007-03-27 20:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee.com
2007-03-27 20:07 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-03-27 20:04 886,920 ---hs---- C:\WINDOWS\system32\cbadd.bak1
2007-03-27 20:04 132,116 --a------ C:\WINDOWS\system32\prmelbiy.dll
2007-03-27 19:58 65,536 --a------ C:\WINDOWS\system32\YCRWin32.dll
2007-03-27 19:57 84,992 --a------ C:\WINDOWS\system32\ATL70.DLL
2007-03-27 19:57 <DIR> d-------- C:\Program Files\Yahoo!
2007-03-27 19:54 <DIR> d-------- C:\WINDOWS\cache
2007-03-27 19:54 <DIR> d-------- C:\Program Files\Rogers
2007-03-27 19:51 81,920 -ra------ C:\WINDOWS\system32\yieinst.dll
2007-03-27 19:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-03-27 19:47 <DIR> d-------- C:\DOCUME~1\hp\Contacts
2007-03-27 19:46 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-03-27 19:46 <DIR> d-------- C:\Program Files\MSN Messenger
2007-03-27 19:35 <DIR> d-------- C:\DOCUME~1\hp\APPLIC~1\AdobeUM
2007-03-27 19:34 <DIR> d-------- C:\Program Files\Common Files\Adobe
2007-03-27 19:34 <DIR> d-------- C:\DOCUME~1\hp\APPLIC~1\Adobe
2007-03-27 17:30 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-03-25 14:04 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-03-25 14:03 <DIR> d-------- C:\WINDOWS\ShellNew
2007-03-23 20:13 401,484 --a------ C:\WINDOWS\system32\msvcrtd.dll
2007-03-23 20:13 246 --a------ C:\WINDOWS\PowerReg.dat
2007-03-23 20:11 <DIR> d-------- C:\Program Files\MicroProse
2007-03-21 20:08 <DIR> d-------- C:\DOCUME~1\hp\APPLIC~1\Sonic
2007-03-21 20:08 <DIR> d-------- C:\DOCUME~1\hp\APPLIC~1\Leadertech
2007-03-15 11:23 497,496 --a------ C:\WINDOWS\system32\XceedZip.dll
2007-03-15 11:19 526,184 --a------ C:\WINDOWS\system32\XceedCry.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-03-23 20:11 -------- d--h----- C:\Program Files\installshield installation information
2007-02-14 15:51 -------- d-------- C:\Program Files\kodak
2007-02-14 15:51 -------- d-------- C:\Program Files\Common Files\kodak
2007-02-13 21:49 -------- d-------- C:\Program Files\the messenger
2007-02-13 17:26 -------- d-------- C:\Program Files\quicken
2007-02-11 14:29 -------- d-------- C:\Program Files\quicktime
2007-02-11 14:29 -------- d-------- C:\Program Files\itunes
2007-02-11 14:29 -------- d-------- C:\Program Files\ipod
2007-02-11 14:29 -------- d-------- C:\DOCUME~1\hp\APPLIC~1\apple computer
2007-02-11 11:28 4608 --a------ C:\WINDOWS\system32\w95inf32.dll
2007-02-11 11:28 2272 --a------ C:\WINDOWS\system32\w95inf16.dll
2007-02-09 22:30 -------- d-------- C:\DOCUME~1\hp\APPLIC~1\hp
2007-02-09 22:30 -------- d-------- C:\DOCUME~1\hp\APPLIC~1\cyberlink
2007-01-29 14:28 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-01-29 14:25 50 --a------ C:\AUTOEXEC.BAT
2007-01-29 14:14 87275 --a------ C:\WINDOWS\hpqins69.dat
2007-01-29 13:37 0 -rahs---- C:\MSDOS.SYS
2007-01-29 13:37 0 -rahs---- C:\IO.SYS
2007-01-29 13:37 0 --a------ C:\CONFIG.SYS
2007-01-29 13:34 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-01-29 05:04 62 --ahs---- C:\DOCUME~1\hp\APPLIC~1\desktop.ini
2007-01-19 13:53 51056 --a------ C:\WINDOWS\system32\sirenacm.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Update Manager"="\"C:\\Program Files\\Rogers\\Update Manager\\UpdateManager.exe\" /background"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"ATIPTA"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
"Cpqset"="C:\\Program Files\\HPQ\\Default Settings\\cpqset.exe"
"HP Software Update"="C:\\Program Files\\Hp\\HP Software Update\\HPWuSchd2.exe"
"eabconfg.cpl"="C:\\Program Files\\HPQ\\Quick Launch Buttons\\EabServr.exe /Start"
"QPService"="\"C:\\Program Files\\HP\\QuickPlay\\QPService.exe\""
@=""
"hpWirelessAssistant"="C:\\Program Files\\hpq\\HP Wireless Assistant\\HP Wireless Assistant.exe"
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{7D064D71-DD76-4596-90C0-921766AD560A}"=""

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\SpywareBot Scheduled Scan.job


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe??????????c????|?????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-04-01 20:33:20



Here is the renamed HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 20:38, on 4/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\hp\Desktop\Renamed.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {325397A5-238E-4196-9711-89FE868917Aa} - C:\WINDOWS\system32\eehtrgls.dll
O2 - BHO: (no name) - {4A98FA2B-A08A-4B1E-BE04-0A503E6BC21E} - C:\WINDOWS\system32\awvtt.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7D064D71-DD76-4596-90C0-921766AD560A} - C:\WINDOWS\system32\ssqoool.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {99632596-7336-4605-A1AC-9951F09CC5C4} - C:\WINDOWS\system32\ddabc.dll (file missing)
O2 - BHO: (no name) - {C21B5D96-7C1F-4086-A47C-11C603242D19} - C:\WINDOWS\system32\awvvu.dll (file missing)
O2 - BHO: (no name) - {DFDCCD3A-7E35-4D4A-8AA6-34FED210FDE5} - C:\WINDOWS\system32\awvvw.dll (file missing)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)




Thanks again!
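The ComboFix "Files Created" list in this post shows the regeneration pattern more clearly than the HijackThis log: each burst on 30 March leaves a 132,116-byte DLL under a fresh random name, a hidden+system .bak1 file and a hidden+system .dll.vir, and the .bak1 stem is the DLL stem spelled backwards (acbeg/gebca, qqtss/sstqq, nmllm/mllmn; uvvwa and cbadd likewise pair with the awvvu.dll and ddabc.dll that HijackThis reports as "(file missing)"). The Python below is an added example of mine, not ComboFix output or ComboFix code, that parses those lines and surfaces the three signals: identical-size clusters, hidden+system leftovers, and reversed-name pairs. The sample lines and the missing-DLL names are copied from this thread; the reversed-name check is my observation from this log, not a documented ComboFix heuristic.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: "Files Created" lines copied from the ComboFix log in the post above.
SAMPLE = r"""
2007-03-31 13:32 98,983 --a------ C:\WINDOWS\system32\awtqr.dll
2007-03-31 13:32 253,743 --a------ C:\WINDOWS\system32\awtqq.dll
2007-03-30 20:51 767,457 ---hs---- C:\WINDOWS\system32\acbeg.bak1
2007-03-30 20:51 132,116 --a------ C:\WINDOWS\system32\eehtrgls.dll
2007-03-30 20:50 280,676 --ahs---- C:\WINDOWS\system32\gebca.dll.vir
2007-03-30 19:25 767,417 ---hs---- C:\WINDOWS\system32\qqtss.bak1
2007-03-30 19:25 132,116 --a------ C:\WINDOWS\system32\xouxxdde.dll
2007-03-30 19:24 280,676 --ahs---- C:\WINDOWS\system32\sstqq.dll.vir
2007-03-30 17:16 767,457 ---hs---- C:\WINDOWS\system32\nmllm.bak1
2007-03-30 17:16 132,116 --a------ C:\WINDOWS\system32\hrlqrmek.dll
2007-03-30 17:15 280,676 --ahs---- C:\WINDOWS\system32\mllmn.dll.vir
2007-03-29 20:52 132,116 --a------ C:\WINDOWS\system32\qwhxocsu.dll
2007-03-29 20:17 767,417 ---hs---- C:\WINDOWS\system32\uvvwa.bak1
2007-03-29 19:20 94,424 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-03-28 21:44 791,574 ---hs---- C:\WINDOWS\system32\cbadd.bak2
2007-03-27 20:04 132,116 --a------ C:\WINDOWS\system32\prmelbiy.dll
2007-03-27 19:57 84,992 --a------ C:\WINDOWS\system32\ATL70.DLL
"""
# DLL names the renamed HijackThis log in this post shows as "(file missing)".
HJT_MISSING_DLLS = ["awvtt.dll", "ssqoool.dll", "ddabc.dll", "awvvu.dll", "awvvw.dll"]

# date time size attributes path; directory rows carry "<DIR>" instead of a size and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(?P<size>[\d,]+)\s+(?P<attr>[-a-zA-Z]{9})\s+(?P<path>.+)$"
)


@dataclass
class Entry:
    created: datetime
    size: int
    attrs: str
    path: str

    @property
    def stem(self) -> str:
        """File name up to the first dot, lower-cased: 'gebca' for gebca.dll.vir."""
        return self.path.rsplit("\\", 1)[-1].split(".")[0].lower()

    @property
    def hidden_system(self) -> bool:
        return "h" in self.attrs and "s" in self.attrs


def parse(text: str):
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M"),
                                 int(m["size"].replace(",", "")), m["attr"], m["path"]))
    return entries


def size_clusters(entries, min_count=2):
    """Same payload, different name: files whose byte size repeats."""
    by_size = defaultdict(list)
    for e in entries:
        by_size[e.size].append(e.path)
    return {size: paths for size, paths in by_size.items() if len(paths) >= min_count}


def hidden_system_leftovers(entries):
    """Backup/quarantine-style files the dropper marked hidden+system."""
    return [e.path for e in entries
            if e.hidden_system and re.search(r"\.(bak\d+|vir)$", e.path, re.IGNORECASE)]


def reversed_name_pairs(entries, extra_names=()):
    """Stems that are the reverse of another stem (the .bak1 <-> .dll naming seen in this log)."""
    stems = {e.stem for e in entries} | {n.split(".")[0].lower() for n in extra_names}
    pairs = set()
    for s in stems:
        r = s[::-1]
        if r != s and r in stems:
            pairs.add(tuple(sorted((s, r))))
    return sorted(pairs)


if __name__ == "__main__":
    entries = parse(SAMPLE)
    for size, paths in sorted(size_clusters(entries).items()):
        print(f"{size:>9} bytes x{len(paths)}: {', '.join(p.rsplit(chr(92), 1)[-1] for p in paths)}")
    print("hidden+system leftovers:", len(hidden_system_leftovers(entries)))
    print("reversed-name pairs:", reversed_name_pairs(entries, HJT_MISSING_DLLS))
```

The clusters (five 132,116-byte DLLs, three 280,676-byte .vir files, two each at 767,457 and 767,417 bytes) say that VundoFix reporting "not found" does not mean the payload is gone, only that the current file names are not in its list; the reversed-name pairs tie the leftover .bak files to the DLLs HijackThis still has registered, which is the set the next post hands to Killbox.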

#4 SifuMike (malware expert, Staff Emeritus, 15,385 posts, Location: Vancouver (not BC) WA (Not DC) USA)

Posted 01 April 2007 - 08:04 PM

Hi,

Please post the C:\vundofix.txt; it may give me a clue as to why it did not work. :thumbsup:

Edited by SifuMike, 01 April 2007 - 08:46 PM.


#5 VundoHater (Topic Starter, Members, 17 posts)

Posted 01 April 2007 - 09:29 PM

Hi.

I can't post a log from Vundo Fix because it says that Vundo is not found. It has nothing to post.

What next? lol

#6 SifuMike (malware expert, Staff Emeritus, 15,385 posts, Location: Vancouver (not BC) WA (Not DC) USA)

Posted 01 April 2007 - 09:33 PM

Try this:
Move VundoFix.exe to the root directory, usually the C: drive, and run it as a task from there; post the results back here, please. :thumbsup:

#7 SifuMike (malware expert, Staff Emeritus, 15,385 posts, Location: Vancouver (not BC) WA (Not DC) USA)

Posted 01 April 2007 - 10:30 PM

Hi VundoHater,

Download Pocket Killbox. Do NOT run it yet; we will need it later.
http://www.atribune.org/downloads/KillBox.exe


Download CCleaner and install it (the default location is best). Do not run it yet!

CCleaner Tutorial


*******************************************

How to Reboot into Safe Mode
Tap the F8 key during reboot until the boot menu appears, use the arrow keys to choose "Safe Mode" from the menu, then press the "Enter" key. If that does not work, go to this site: http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/



Please boot into Safe Mode and select the following with HijackThis.
With all windows (including this one!) closed (close browser/Explorer windows), please select "Fix".

O2 - BHO: (no name) - {325397A5-238E-4196-9711-89FE868917Aa} - C:\WINDOWS\system32\eehtrgls.dll
O2 - BHO: (no name) - {4A98FA2B-A08A-4B1E-BE04-0A503E6BC21E} - C:\WINDOWS\system32\awvtt.dll (file missing)
O2 - BHO: (no name) - {7D064D71-DD76-4596-90C0-921766AD560A} - C:\WINDOWS\system32\ssqoool.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {99632596-7336-4605-A1AC-9951F09CC5C4} - C:\WINDOWS\system32\ddabc.dll (file missing)
O2 - BHO: (no name) - {C21B5D96-7C1F-4086-A47C-11C603242D19} - C:\WINDOWS\system32\awvvu.dll (file missing)
O2 - BHO: (no name) - {DFDCCD3A-7E35-4D4A-8AA6-34FED210FDE5} - C:\WINDOWS\system32\awvvw.dll (file missing)




*******************************************

Click killbox.exe.
Select the option "Delete on reboot".
Click the button: All Files (!important!)
Now it should flash green.

Now copy the following in the Code box:

C:\WINDOWS\system32\awtqr.dll
C:\WINDOWS\system32\awtqq.dll
C:\WINDOWS\system32\acbeg.bak1
C:\WINDOWS\system32\eehtrgls.dll
C:\WINDOWS\system32\gebca.dll.vir
C:\WINDOWS\system32\qqtss.bak1
C:\WINDOWS\system32\xouxxdde.dll
C:\WINDOWS\system32\sstqq.dll.vir
C:\WINDOWS\system32\nmllm.bak1
C:\WINDOWS\system32\hrlqrmek.dll
C:\WINDOWS\system32\mllmn.dll.vir
C:\WINDOWS\system32\qwhxocsu.dll
C:\WINDOWS\system32\uvvwa.bak1


Open 'File' in the Killbox menu at the top and choose "Paste from clipboard".

Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on the next reboot and ask if you would like to reboot now; click YES.

If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.

*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

Do not use the "Issues" block. It's meant for professionals.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
Clean all entries in the "Internet Explorer" section except Cookies.
Clean all the entries in the "Windows Explorer" section.
Clean all entries in the "System" section.
Clean all entries in the "Advanced" section.
Clean any others that you choose.

In the Applications Tab:
Clean all except cookies in the Firefox/Mozilla section if you use it.
Clean all in the Opera section if you use it.
Clean Sun Java in the Internet Section.
Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************


Finally, run ComboFix, post the ComboFix log, post new Hijackthis log, and tell me how your computer is running.

Edited by SifuMike, 01 April 2007 - 10:35 PM.

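Killbox's "Delete on reboot" option defers the removal to the next boot so the DLLs are gone before Explorer or Internet Explorer can load them and re-register the BHOs. The standard Windows mechanism for that is MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which queues each operation in the REG_MULTI_SZ value HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations for smss.exe to apply early in the next boot; the "Removed by External Process" warning quoted in the post is consistent with another tool clearing that value before the restart. The Python below is an added example of mine, not Killbox's code, and it assumes, without having read the tool, that Killbox relies on this mechanism. It shows how the paste list from the post maps onto that value, what the on-disk encoding looks like, and how to read one back so the three operation kinds can be told apart. The file list is copied from the post; everything else is offline and writes nothing to any registry.

```python
# Files the Killbox step above lists for "Delete on reboot"; copied from the post.
KILLBOX_PATHS = [
    r"C:\WINDOWS\system32\awtqr.dll",
    r"C:\WINDOWS\system32\awtqq.dll",
    r"C:\WINDOWS\system32\acbeg.bak1",
    r"C:\WINDOWS\system32\eehtrgls.dll",
    r"C:\WINDOWS\system32\gebca.dll.vir",
    r"C:\WINDOWS\system32\qqtss.bak1",
    r"C:\WINDOWS\system32\xouxxdde.dll",
    r"C:\WINDOWS\system32\sstqq.dll.vir",
    r"C:\WINDOWS\system32\nmllm.bak1",
    r"C:\WINDOWS\system32\hrlqrmek.dll",
    r"C:\WINDOWS\system32\mllmn.dll.vir",
    r"C:\WINDOWS\system32\qwhxocsu.dll",
    r"C:\WINDOWS\system32\uvvwa.bak1",
]

# Registry location smss.exe consults at boot; named here for reference only, never opened.
PENDING_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager"
PENDING_VALUE = "PendingFileRenameOperations"
NT_PREFIX = "\\??\\"   # Win32 paths are stored in NT object-manager form: \??\C:\...


def delete_on_reboot_ops(paths):
    """Build the source/destination string pairs; an empty destination means delete."""
    ops = []
    for p in paths:
        p = p.strip()
        if not p:
            continue
        if not p.startswith(NT_PREFIX):
            p = NT_PREFIX + p
        ops.append(p)
        ops.append("")
    return ops


def encode_multi_sz(strings):
    """REG_MULTI_SZ on disk: UTF-16LE, each string NUL-terminated, list ended by one more NUL."""
    return ("".join(s + "\x00" for s in strings) + "\x00").encode("utf-16-le")


def decode_multi_sz(data):
    """Inverse of encode_multi_sz; keeps the empty destination strings that mark deletions."""
    text = data.decode("utf-16-le")
    if not text.endswith("\x00"):
        raise ValueError("missing list terminator")
    body = text[:-1]
    if body == "":
        return []
    parts = body.split("\x00")
    if parts[-1] != "":
        raise ValueError("last string is not NUL-terminated")
    return parts[:-1]


def describe_ops(strings):
    """Interpret the pairs the way the session manager will: delete, rename, or replace."""
    if len(strings) % 2:
        raise ValueError(f"{PENDING_VALUE} must hold source/destination pairs")
    result = []
    for src, dst in zip(strings[::2], strings[1::2]):
        if dst == "":
            result.append((src, None, "delete"))
        elif dst.startswith("!"):          # MOVEFILE_REPLACE_EXISTING marker
            result.append((src, dst[1:], "replace"))
        else:
            result.append((src, dst, "rename"))
    return result


if __name__ == "__main__":
    ops = delete_on_reboot_ops(KILLBOX_PATHS)
    blob = encode_multi_sz(ops)
    for src, dst, action in describe_ops(decode_multi_sz(blob)):
        print(f"{action:8} {src}")
    print(f"{len(blob)} bytes for {PENDING_KEY}\\{PENDING_VALUE}")
```

On Windows, winreg.SetValueEx with REG_MULTI_SZ takes the string list directly, and the byte layout above is what lands in the hive; calling MoveFileExW(src, None, MOVEFILE_DELAY_UNTIL_REBOOT) per file is the safer route because it appends to whatever is already queued instead of overwriting it. Either way, the queued deletions only happen if the value survives until smss.exe reads it at the next boot, so after a "Removed by External Process" warning the right move is to restart, then confirm each listed file is actually gone before taking the next step.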

#8 SifuMike (malware expert, Staff Emeritus, 15,385 posts, Location: Vancouver (not BC) WA (Not DC) USA)

Posted 08 April 2007 - 02:30 PM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.



