affected by vundo.dll



#1 pvsamrat (Full Member, 15 posts)

Posted 06 June 2007 - 11:16 AM

I'm having a problem with pop-up ads while online. Every time I log in there is a message from McAfee that it is affected by the vundo.dll trojan. I installed VundoFix and removed it; here is the log file of VundoFix:

VundoFix V6.4.2

Checking Java version...

Sun Java not detected
Scan started at 10:44:09 AM 6/6/2007

Listing files found while scanning....

C:\WINDOWS\system32\ddayv.dll
C:\WINDOWS\system32\lpnssncf.dll
C:\WINDOWS\system32\qidyacjg.dll
C:\WINDOWS\system32\rhwcsndx.dll
C:\WINDOWS\system32\vyadd.bak1
C:\WINDOWS\system32\vyadd.bak2
C:\WINDOWS\system32\vyadd.ini
C:\WINDOWS\system32\vyadd.ini2
C:\WINDOWS\system32\vyadd.tmp
C:\WINDOWS\system32\wvutuvu.dll
C:\WINDOWS\system32\xdnscwhr.ini

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ddayv.dll
C:\WINDOWS\system32\ddayv.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\lpnssncf.dll
C:\WINDOWS\system32\lpnssncf.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\qidyacjg.dll
C:\WINDOWS\system32\qidyacjg.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rhwcsndx.dll
C:\WINDOWS\system32\rhwcsndx.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\vyadd.bak1
C:\WINDOWS\system32\vyadd.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\vyadd.bak2
C:\WINDOWS\system32\vyadd.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\vyadd.ini
C:\WINDOWS\system32\vyadd.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\vyadd.ini2
C:\WINDOWS\system32\vyadd.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\vyadd.tmp
C:\WINDOWS\system32\vyadd.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\wvutuvu.dll
C:\WINDOWS\system32\wvutuvu.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\xdnscwhr.ini
C:\WINDOWS\system32\xdnscwhr.ini Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ddayv.dll
C:\WINDOWS\system32\ddayv.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\lpnssncf.dll
C:\WINDOWS\system32\lpnssncf.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rhwcsndx.dll
C:\WINDOWS\system32\rhwcsndx.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vyadd.ini
C:\WINDOWS\system32\vyadd.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\vyadd.ini2
C:\WINDOWS\system32\vyadd.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\wvutuvu.dll
C:\WINDOWS\system32\wvutuvu.dll Could not be deleted.

Performing Repairs to the registry.
Done!


But during startup a dialog box appears stating:


ERROR LOADING C:\WINDOWS\SYSTEM32\rhwcsndx.dll
CANNOT LOAD THE SPECFIED MODULE

Can anybody help in resolving this problem?

Please read our Forum FAQ in order to find out what info we need (HijackThislog) so we can help you.

Edited by pvsamrat, 10 June 2007 - 02:40 AM.


#2 pvsamrat (Full Member, 15 posts)

Posted 09 June 2007 - 05:04 AM

For the past few days I've been experiencing my computer running extremely slowly all of a sudden, and whenever I start up I get a message saying McAfee has removed the trojan "Vundo.dll". Also, whenever I am connected to the internet, pop-ups appear with all kinds of nonsense. I was wondering if this had anything to do with the trojan.

I have downloaded HijackThis and done a scan; here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 3:22:39 PM, on 6/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\RunDll32.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
F:\Samrat\WordWeb\wweb32.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\WINDOWS\explorer.exe
D:\Download\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MskDetct.exe /startup
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\rhwcsndx.dll",realset
O4 - HKLM\..\Run: [j7231634] rundll32 C:\WINDOWS\system32\j7231634.dll sook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: WordWeb Pro.lnk = F:\Samrat\WordWeb\wweb32.exe
O4 - Global Startup: 24Online Client.lnk = C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {14D78FEB-AB3D-45CE-BE5E-73DAB5436DBC} (RdAsmIocCtrl Class) - http://immail.rediff...eX/rdasmioc.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {312A8F38-5EAC-4308-89E7-39F276F42F6D} (RdBenIocCtrl Class) - http://immail.rediff...eX/rdbenioc.cab
O16 - DPF: {55FF7C5B-E99F-4159-A8D2-A443DFECE9F0} (TL_GistFontResourcesforWeb Control) - http://mail.sify.com/IE/Cab/TLData.Cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1175793335218
O16 - DPF: {DF65411C-E72C-42CD-891E-1FBC1199FB7B} (RdMarIocCtrl Class) - http://immail.rediff...eX/rdmarioc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B7329F43-0896-4256-9D65-E8E2D20510D5}: NameServer = 172.35.0.1,202.56.250.6
O17 - HKLM\System\CCS\Services\Tcpip\..\{E1FD1FC6-BE0E-4754-9D3C-8A0000909610}: NameServer = 172.35.0.1,202.56.250.6
O17 - HKLM\System\CCS\Services\Tcpip\..\{FA66115B-45A6-41FE-A439-B1DC00D6CA7E}: NameServer = 172.35.0.1,202.56.250.6
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

Please help me in removing this trojan and give the necessary steps to get rid of this problem.

#3 SWI Support Robot (Helper robot, SWI Bot, 23,523 posts)

Posted 09 June 2007 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#4 miekiemoes (Malware Expert, Global Moderator, 20,026 posts)

Posted 11 June 2007 - 02:50 AM

Hello,

* Download Combofix to your desktop.
Double-click combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#5 pvsamrat (Full Member, 15 posts)

Posted 11 June 2007 - 06:44 AM

Hello,

* Download Combofix to your desktop.
Double-click combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.



First of all, thanks for your reply.

I have downloaded ComboFix and performed the steps given by you.
Here are the log files of both ComboFix and the new HijackThis scan:

ComboFix 07-06-11.3 - D:\Download\ComboFix.exe
"Administrator" - 2007-06-11 16:44:07 - Service Pack 2 NTFS


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\athavjkj.dll
C:\WINDOWS\system32\clypgcbc.dll
C:\WINDOWS\system32\cmwecxmo.dll
C:\WINDOWS\system32\dadbrenb.dll
C:\WINDOWS\system32\hnkbebfp.dll
C:\WINDOWS\system32\mkjonbhh.dll
C:\WINDOWS\system32\ngsvgpih.dll
C:\WINDOWS\system32\obpegywu.dll
C:\WINDOWS\system32\umcqnptb.dll
C:\WINDOWS\system32\vvfvdgbg.dll
C:\WINDOWS\system32\yyxxsvom.dll
C:\WINDOWS\system32\vyadd.bak1
C:\WINDOWS\system32\vyadd.bak2
C:\WINDOWS\system32\vyadd.ini
C:\WINDOWS\system32\vyadd.ini2
C:\WINDOWS\system32\vyadd.tmp
C:\WINDOWS\system32\vyadd.bak1
C:\WINDOWS\system32\vyadd.bak2
C:\WINDOWS\system32\vyadd.ini
C:\WINDOWS\system32\vyadd.ini2
C:\WINDOWS\system32\vyadd.tmp
C:\WINDOWS\system32\vyadd.bak1
C:\WINDOWS\system32\vyadd.bak2
C:\WINDOWS\system32\vyadd.ini
C:\WINDOWS\system32\vyadd.ini2
C:\WINDOWS\system32\vyadd.tmp
C:\WINDOWS\system32\ddayv.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ADMINI~1\APPLIC~1.\macromedia\Flash Player\#SharedObjects\TLFQ5BAV\www.broadcaster.com
C:\DOCUME~1\ADMINI~1\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\DOCUME~1\ADMINI~1\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\DOCUME~1\ADMINI~1\APPLIC~1\Install.dat
C:\WINDOWS\system32\vx.tll
C:\WINDOWS\winsys.ini


((((((((((((((((((((((((( Files Created from 2007-05-11 to 2007-06-11 )))))))))))))))))))))))))))))))


2007-06-11 16:43 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-10 14:47 50,740 --a------ C:\WINDOWS\system32\igrduvyj.dll
2007-06-06 11:27 50,740 --a------ C:\WINDOWS\system32\jlkkbgdu.dll
2007-06-06 11:23 14,868 --a------ C:\WINDOWS\system32\oihwhxfh.exe
2007-06-06 10:44 <DIR> d-------- C:\VundoFix Backups
2007-06-05 09:57 2,580 --a------ C:\WINDOWS\system32\mlhknejt.exe
2007-06-04 18:03 2,580 --a------ C:\WINDOWS\system32\oywvhner.exe
2007-06-04 11:46 2,580 --a------ C:\WINDOWS\system32\pekhgaal.exe
2007-06-04 07:42 2,580 --a------ C:\WINDOWS\system32\jfslidyo.exe
2007-06-03 09:10 2,580 --a------ C:\WINDOWS\system32\nvkfihxb.exe
2007-06-02 21:20 2,580 --a------ C:\WINDOWS\system32\nrvuxcyl.exe
2007-06-02 06:36 2,580 --a------ C:\WINDOWS\system32\nuxueftl.exe
2007-05-26 09:11 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-07 07:40:44 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\uTorrent
2007-05-22 17:12:40 -------- d-----w C:\Program Files\Winamp
2007-05-14 04:08:15 -------- d-----w C:\Program Files\TweakNow RegCleaner Std
2007-05-14 03:19:54 -------- d-----w C:\Program Files\TweakNow RegCleaner Pro
2007-05-11 15:24:43 203,776 ----a-w C:\WINDOWS\system32\clrviddc.dll
2007-05-11 15:10:36 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\Real
2007-05-11 15:09:32 -------- d-----w C:\Program Files\Common Files\Real
2007-05-10 06:13:45 5 ----a-w C:\WINDOWS\system32\SySCon.dat
2007-05-10 06:04:15 3,082 ----a-w C:\WINDOWS\system32\affv11300p3now.sys
2007-05-03 09:32:29 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\SolSuite
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 17:17:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 17:15:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 17:15:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 17:15:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 17:15:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 17:15:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 17:15:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 17:15:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-16 17:14:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-04-16 17:14:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2006-09-19 08:20:17 10 --sha-r C:\WINDOWS\system32\sistem.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{FFFFFEF0-5B30-21D4-945D-000000000000}=C:\PROGRA~1\STARDO~1\SDIEInt.dll [2004-11-29 11:34]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="cmicnfg.cpl" []
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 18:18]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 12:49]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 18:29]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2006-01-11 12:05]
"MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe" [2005-03-23 16:33]
"MSKDetectorExe"="C:\PROGRA~1\McAfee\SPAMKI~1\MskDetct.exe" [2005-03-23 15:47]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 22:02]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 22:57]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-05-18 11:29]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-05-11 20:39]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 21:54]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-10-11 18:25]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-06-07 14:08]
"MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-03-23 16:33]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:37]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvutuvu]
wvutuvu.dll


**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-11 16:52:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-11 16:54:40 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-11 16:54

--- E O F ---
-----------------------------------------------------------------------------------------------------------------------
Here is the log file of HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 4:57:27 PM, on 6/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\system32\RunDll32.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
F:\Samrat\WordWeb\wweb32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Download\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MskDetct.exe /startup
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: WordWeb Pro.lnk = F:\Samrat\WordWeb\wweb32.exe
O4 - Global Startup: 24Online Client.lnk = C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {14D78FEB-AB3D-45CE-BE5E-73DAB5436DBC} (RdAsmIocCtrl Class) - http://immail.rediff...eX/rdasmioc.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {312A8F38-5EAC-4308-89E7-39F276F42F6D} (RdBenIocCtrl Class) - http://immail.rediff...eX/rdbenioc.cab
O16 - DPF: {55FF7C5B-E99F-4159-A8D2-A443DFECE9F0} (TL_GistFontResourcesforWeb Control) - http://mail.sify.com/IE/Cab/TLData.Cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1175793335218
O16 - DPF: {DF65411C-E72C-42CD-891E-1FBC1199FB7B} (RdMarIocCtrl Class) - http://immail.rediff...eX/rdmarioc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B7329F43-0896-4256-9D65-E8E2D20510D5}: NameServer = 172.35.0.1,202.56.250.6
O17 - HKLM\System\CCS\Services\Tcpip\..\{E1FD1FC6-BE0E-4754-9D3C-8A0000909610}: NameServer = 172.35.0.1,202.56.250.6
O17 - HKLM\System\CCS\Services\Tcpip\..\{FA66115B-45A6-41FE-A439-B1DC00D6CA7E}: NameServer = 172.35.0.1,202.56.250.6
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wvutuvu - wvutuvu.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

Edited by pvsamrat, 11 June 2007 - 06:47 AM.


#6 miekiemoes (Malware Expert, Global Moderator, 20,026 posts)

Posted 11 June 2007 - 07:14 AM

Hi,

Why did you download ComboFix to your D:\ instead of your C:\ ? This *may* interfere with some fixes, though.
So please move ComboFix to your desktop as I requested previously. There was a reason I asked this :)

Then, open Notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\igrduvyj.dll
C:\WINDOWS\system32\jlkkbgdu.dll
C:\WINDOWS\system32\oihwhxfh.exe
C:\WINDOWS\system32\mlhknejt.exe
C:\WINDOWS\system32\oywvhner.exe
C:\WINDOWS\system32\pekhgaal.exe
C:\WINDOWS\system32\jfslidyo.exe
C:\WINDOWS\system32\nvkfihxb.exe
C:\WINDOWS\system32\nrvuxcyl.exe
C:\WINDOWS\system32\nuxueftl.exe
C:\WINDOWS\system32\sistem.sys

Folder::
C:\VundoFix Backups

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{E0E899AB-F487-11D5-8D29-0050BA6940E3}"=-
"{0BF43445-2F28-4351-9252-17FE6E806AA0}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvutuvu]


Save this as ComboFix-Do.txt

Then drag the ComboFix-Do.txt into ComboFix.exe as you see in the screenshot below.

[screenshot: ComboFix-Do.txt being dragged onto ComboFix.exe]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.
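A small triage script, added here as an illustration and not part of this thread or of any tool mentioned in it, that applies the same reading the helper applied to the HijackThis logs above: O3 toolbar CLSIDs with no file behind them, a Winlogon Notify package whose DLL is missing, and Run entries that launch a random-named DLL through rundll32 (the [ApachInc] entry pointing at the already-deleted rhwcsndx.dll is consistent with the startup "ERROR LOADING" dialog in the first post). The sample lines are constructed from the entries posted in this thread, and the "random-looking name" rule is a heuristic that flags items for review, not for deletion.

```python
import re
from typing import List, Tuple

# Constructed sample, modelled on the HijackThis v1.99.1 entries posted in this
# thread (paths, CLSIDs and names are the ones from the logs above).
SAMPLE_LOG = r"""
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\rhwcsndx.dll",realset
O4 - HKLM\..\Run: [j7231634] rundll32 C:\WINDOWS\system32\j7231634.dll sook
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: wvutuvu - wvutuvu.dll (file missing)
"""

# "O4 - HKLM\..\Run: [name] command" -> hive, name, command
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.+)$")
# rundll32 launching a .dll (optionally quoted, optionally under system32);
# captures the DLL base name so the naming heuristic can look at it.
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?:[a-z]:\\windows\\system32\\)?([a-z0-9_]+)\.dll',
    re.IGNORECASE,
)
# Heuristic: 7-8 lowercase letters/digits with no product name behind them is
# the naming pattern of the Vundo-family DLLs in this thread (rhwcsndx,
# wvutuvu, ...). It is a review flag, not proof; a legitimate DLL can match.
RANDOM_NAME_RE = re.compile(r"^[a-z0-9]{7,8}$")

ORPHAN_TOOLBAR = "orphaned toolbar CLSID (no file)"
ORPHAN_NOTIFY = "Winlogon Notify package with no file behind it"
RANDOM_RUNDLL = "Run entry loads a random-named DLL via rundll32"


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (rule, line) pairs for HijackThis entries worth a second look."""
    findings: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("O3 - Toolbar:") and line.endswith("(no file)"):
            # CLSID still registered under ...\Internet Explorer\Toolbar but
            # its DLL is gone: a leftover of a removed component.
            findings.append((ORPHAN_TOOLBAR, line))
        elif line.startswith("O20 - Winlogon Notify:"):
            # Text after "O20 - Winlogon Notify: <name> - " is the DLL reference.
            target = line.split(" - ", 2)[2]
            if "(file missing)" in target or "\\" not in target:
                findings.append((ORPHAN_NOTIFY, line))
        else:
            m = O4_RE.match(line)
            if not m:
                continue
            d = RUNDLL_RE.search(m.group(3))
            if d and RANDOM_NAME_RE.match(d.group(1).lower()):
                findings.append((RANDOM_RUNDLL, line))
    return findings


def names_by_rule(findings: List[Tuple[str, str]]) -> dict:
    """Group flagged lines by rule, for a compact report."""
    grouped: dict = {}
    for rule, line in findings:
        grouped.setdefault(rule, []).append(line)
    return grouped


if __name__ == "__main__":
    for rule, lines in names_by_rule(triage(SAMPLE_LOG)).items():
        print(rule)
        for entry in lines:
            print("   ", entry)
```

Run against the real log, the same three rules single out exactly the O3, O4 and O20 entries the helper's ComboFix script removed; legitimate rundll32 users such as the Cmaudio .cpl entry and the igfxcui notify package are left alone.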

#7 pvsamrat (Full Member, 15 posts)

Posted 11 June 2007 - 07:26 AM

Is there any problem, or shall I download ComboFix to the desktop again and run a scan, or can I just move the folder from D:\ to the desktop?

#8 miekiemoes (Malware Expert, Global Moderator, 20,026 posts)

Posted 11 June 2007 - 07:37 AM

Do not move any ComboFix folders - you need to move ComboFix.exe.
It may be better to redownload it to avoid confusion :)

#9 pvsamrat (Full Member, 15 posts)

Posted 11 June 2007 - 08:03 AM

Yes, I downloaded ComboFix to the desktop and followed the steps.

Here are the logs of ComboFix and HijackThis:

ComboFix 07-06-11.3 - C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
"Administrator" - 2007-06-11 18:10:28 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\Administrator\Desktop\ComboFix-Do.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\VundoFix Backups
C:\VundoFix Backups\addmorefiles.txt
C:\VundoFix Backups\ddayv.dll.bad
C:\VundoFix Backups\qidyacjg.dll.bad
C:\VundoFix Backups\rhwcsndx.dll.bad
C:\VundoFix Backups\vyadd.bak1.bad
C:\VundoFix Backups\vyadd.bak2.bad
C:\VundoFix Backups\vyadd.ini.bad
C:\VundoFix Backups\vyadd.ini2.bad
C:\VundoFix Backups\vyadd.tmp.bad
C:\VundoFix Backups\xdnscwhr.ini.bad
C:\WINDOWS\system32\igrduvyj.dll
C:\WINDOWS\system32\jfslidyo.exe
C:\WINDOWS\system32\jlkkbgdu.dll
C:\WINDOWS\system32\mlhknejt.exe
C:\WINDOWS\system32\nrvuxcyl.exe
C:\WINDOWS\system32\nuxueftl.exe
C:\WINDOWS\system32\nvkfihxb.exe
C:\WINDOWS\system32\oihwhxfh.exe
C:\WINDOWS\system32\oywvhner.exe
C:\WINDOWS\system32\pekhgaal.exe
C:\WINDOWS\system32\sistem.sys


((((((((((((((((((((((((( Files Created from 2007-05-11 to 2007-06-11 )))))))))))))))))))))))))))))))


2007-06-11 16:43 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-05-26 09:11 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-07 07:40:44 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\uTorrent
2007-05-22 17:12:40 -------- d-----w C:\Program Files\Winamp
2007-05-14 04:08:15 -------- d-----w C:\Program Files\TweakNow RegCleaner Std
2007-05-14 03:19:54 -------- d-----w C:\Program Files\TweakNow RegCleaner Pro
2007-05-11 15:24:43 203,776 ----a-w C:\WINDOWS\system32\clrviddc.dll
2007-05-11 15:10:36 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\Real
2007-05-11 15:09:32 -------- d-----w C:\Program Files\Common Files\Real
2007-05-10 06:13:45 5 ----a-w C:\WINDOWS\system32\SySCon.dat
2007-05-10 06:04:15 3,082 ----a-w C:\WINDOWS\system32\affv11300p3now.sys
2007-05-03 09:32:29 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\SolSuite
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 17:17:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 17:15:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 17:15:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 17:15:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 17:15:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 17:15:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 17:15:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 17:15:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-16 17:14:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-04-16 17:14:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{FFFFFEF0-5B30-21D4-945D-000000000000}=C:\PROGRA~1\STARDO~1\SDIEInt.dll [2004-11-29 11:34]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="cmicnfg.cpl" []
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 18:18]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 12:49]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 18:29]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2006-01-11 12:05]
"MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe" [2005-03-23 16:33]
"MSKDetectorExe"="C:\PROGRA~1\McAfee\SPAMKI~1\MskDetct.exe" [2005-03-23 15:47]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 22:02]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 22:57]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-05-18 11:29]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-05-11 20:39]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 21:54]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-10-11 18:25]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-06-07 14:08]
"MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe" [2005-03-23 16:33]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:37]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe


**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-11 18:14:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-06-11 18:17:19 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-11 18:16
C:\ComboFix2.txt ... 2007-06-11 16:54

--- E O F ---
---------------------------------------------------------------------------------------------------------------------

Here is the log of HijackThis:
--------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 6:22:43 PM, on 6/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
F:\Samrat\WordWeb\wweb32.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
D:\Download\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MskDetct.exe /startup
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: WordWeb Pro.lnk = F:\Samrat\WordWeb\wweb32.exe
O4 - Global Startup: 24Online Client.lnk = C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {14D78FEB-AB3D-45CE-BE5E-73DAB5436DBC} (RdAsmIocCtrl Class) - http://immail.rediff...eX/rdasmioc.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {312A8F38-5EAC-4308-89E7-39F276F42F6D} (RdBenIocCtrl Class) - http://immail.rediff...eX/rdbenioc.cab
O16 - DPF: {55FF7C5B-E99F-4159-A8D2-A443DFECE9F0} (TL_GistFontResourcesforWeb Control) - http://mail.sify.com/IE/Cab/TLData.Cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1175793335218
O16 - DPF: {DF65411C-E72C-42CD-891E-1FBC1199FB7B} (RdMarIocCtrl Class) - http://immail.rediff...eX/rdmarioc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B7329F43-0896-4256-9D65-E8E2D20510D5}: NameServer = 172.35.0.1,202.56.250.6
O17 - HKLM\System\CCS\Services\Tcpip\..\{E1FD1FC6-BE0E-4754-9D3C-8A0000909610}: NameServer = 172.35.0.1,202.56.250.6
O17 - HKLM\System\CCS\Services\Tcpip\..\{FA66115B-45A6-41FE-A439-B1DC00D6CA7E}: NameServer = 172.35.0.1,202.56.250.6
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
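
An added example, not code from this thread or from the HijackThis/ComboFix tools: a small Python parser that applies the checks a helper runs over a HijackThis log like the one above before declaring it clean. It flags BHOs listed as "(no name)", orphaned "(file missing)" entries, Winlogon Notify handlers (a load point Vundo variants use) and files in system32 whose names are eight random lowercase letters, the naming pattern of the DLLs VundoFix and ComboFix deleted earlier in this thread. The sample lines are constructed for the example: all are copied from the log above except the third O2 line, whose file name is taken from ComboFix's "Other Deletions" list and whose CLSID is a placeholder. The known-good allowlist is an assumption, not an exhaustive list.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample input in HijackThis v1.99.1 line format. All lines except the
# third are copied from the log above; the third O2 line is constructed for this
# example (file name from ComboFix's "Other Deletions", placeholder CLSID).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\igrduvyj.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
"""

# One HijackThis entry: "O2 - BHO: ..." -> section "O2", body "BHO: ..."
ENTRY = re.compile(r"^([ORF]\d+) - (.*)$")

# Vundo drops DLLs/EXEs named with 8 random lowercase letters in system32.
# The directory is matched case-insensitively; the file name must be all lowercase.
RANDOM8_IN_SYSTEM32 = re.compile(r"(?i:\\windows\\system32\\)([a-z]{8}\.(?:dll|exe))\b")

# Legitimate 8-letter system32 binaries the pattern above would otherwise flag.
# Illustrative allowlist (assumption), not an exhaustive list of known-good files.
KNOWN_GOOD_8 = {"services.exe", "winlogon.exe", "rundll32.exe", "userinit.exe", "igfxsrvc.dll"}


@dataclass(frozen=True)
class Finding:
    section: str
    target: str
    reason: str


def parse_hjt(text: str) -> list[tuple[str, str]]:
    """Return (section, body) pairs for every 'Oxx - ...' line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def analyze(text: str) -> list[Finding]:
    """Apply the review heuristics a helper uses on a HijackThis log."""
    findings = []
    for section, body in parse_hjt(text):
        # For O2/O9/O20/O23 lines the last ' - ' separated field is the target path.
        target = body.split(" - ")[-1].strip()
        if section == "O2" and body.startswith("BHO: (no name)"):
            findings.append(Finding(section, target, "BHO with no name: identify the DLL before trusting it"))
        if "(file missing)" in body:
            findings.append(Finding(section, target, "orphaned entry: target file is missing"))
        if section == "O20":
            findings.append(Finding(section, target, "Winlogon Notify handler: verify it, Vundo uses this load point"))
        for m in RANDOM8_IN_SYSTEM32.finditer(body):
            if m.group(1) not in KNOWN_GOOD_8:
                findings.append(Finding(section, target, "random-looking 8-letter file name in system32 (Vundo naming pattern)"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.target}")
```

Run against the sample it reports six findings: the two unnamed BHOs, the constructed igrduvyj.dll entry a second time for its name pattern, the orphaned xpnetdiag.exe button, and both Winlogon Notify handlers for manual verification. igfxsrvc.dll also matches the eight-letter pattern, which is why a known-good list is needed alongside the heuristic; the real decision, as in this thread, still comes from checking each flagged file rather than from the name alone.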

#10 miekiemoes (Malware Expert, Global Moderator, 20,026 posts)

Posted 11 June 2007 - 08:15 AM

Hi,

That worked...
Your log looks clean again. :)

Delete next folder: C:\Qoobox

Sidenote: I see you have TweakNow RegCleaner installed... I do not recommend registry cleaners, except if you have a good basic knowledge of the registry and you know what you may delete or not. This is because a lot of registry cleaners delete keys and values they are not supposed to delete, causing a corrupted registry, programs not working anymore, etc.
So really be careful when you use registry cleaners. It's not the first time that someone had to format and reinstall Windows because they used a registry cleaner previously.
Using registry cleaners in XP won't improve system speed anyway; you won't notice a difference in system speed even if the registry is heavily fragmented.
I think if registry cleaners were really that necessary, then Microsoft would have added that option in the first place, the same as it added the Disk Cleanup utility and the Defragment utility.

How are things now?
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#11 pvsamrat (Member, Full Member, 15 posts)

Posted 11 June 2007 - 08:23 AM

Thanks, dude.

Those pop-ups are not opening now. By the way, can I know where this vundo.dll trojan comes from? I mean, from any site or any software?

#12 miekiemoes (Malware Expert, Global Moderator, 20,026 posts)

Posted 11 June 2007 - 08:28 AM

In most cases, people get infected with it when they are visiting bad sites, for example crack sites and other illegal sites, or when they download software via P2P programs. Because after all, every piece of software that gets installed not via the official site may be a risk, especially pirated versions.

Also, a lot of people get infected with it after they installed a screensaver. Screensaver sites in general are always a risk as well.

Anyway,

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.

Happy Surfing again!

#13 pvsamrat (Member, Full Member, 15 posts)

Posted 11 June 2007 - 08:48 AM

Does this trojan come through torrents? Can I download torrents?

#14 miekiemoes (Malware Expert, Global Moderator, 20,026 posts)

Posted 11 June 2007 - 09:02 AM

As I said previously, every piece of software, or whatever else, downloaded not from the original site is a risk... especially via P2P/torrents.

#15 miekiemoes (Malware Expert, Global Moderator, 20,026 posts)

Posted 20 June 2007 - 04:46 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened for continuations of existing problems, please tell the moderating team by replying here.
This applies only to the original topic starter.

Everyone else please begin a New Topic.



