Full Version: Help fix my work computer
Malwarebytes Forum > Computer Help > Malware Removal - HijackThis Logs
MarkS
It looks like I am infected with Trojan.Vundo.H and Trojan.BHO.H. Here is the HijackThis log file.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:04:10 PM, on 2/18/2009
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\CA\SC\CAM\bin\cam.exe
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
C:\Program Files (x86)\Java\jre6\bin\jqs.exe
C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files (x86)\CA\DSM\bin\caf.exe
C:\Program Files (x86)\CA\DSM\Bin\cfsmsmd.exe
C:\Program Files (x86)\CA\DSM\Bin\ccnfagent.exe
C:\Program Files (x86)\CA\DSM\Bin\cfnotsrvd.exe
C:\Program Files (x86)\CA\DSM\Bin\ccsmagtd.exe
C:\Program Files (x86)\CA\DSM\Bin\amswmagt.exe
C:\Program Files (x86)\CA\DSM\PMAgent\capmuamagt.exe
C:\Program Files (x86)\CA\DSM\Bin\cfftplugin.exe
C:\Program Files (x86)\Pidgin\pidgin.exe
C:\WINDOWS\SysWOW64\ctfmon.exe
C:\Program Files (x86)\Bomgar\Representative\supportdesk.activant.com\bomgar-rep.exe
C:\Program Files (x86)\RightFax\Client\English\FAXCTRL.exe
C:\Program Files (x86)\Java\jre6\bin\jusched.exe
C:\Program Files\Logitech\SetPoint\x86\SetPoint32.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {c5df1b54-bb50-49fb-9976-cd09e0343368} - C:\WINDOWS\SysWow64\zoloyiru.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files (x86)\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files (x86)\RightFax\Client\English\FaxCtrl.exe
O4 - HKLM\..\Run: [CAF_SystemTray] "C:\Program Files (x86)\CA\DSM\bin\cfSysTray.exe"
O4 - HKLM\..\Run: [CAF_usrntf] "C:\Program Files (x86)\CA\DSM\Bin\cfusrntf.exe"
O4 - HKLM\..\Run: [DsmSxplog] "C:\Program Files (x86)\CA\DSM\Bin\sxpstub.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [kohetibepu] Rundll32.exe "C:\WINDOWS\system32\jatupuni.dll",s
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Pidgin] C:\Program Files (x86)\Pidgin\pidgin.exe
O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files (x86)\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files (x86)\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files (x86)\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files (x86)\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Startup: Backup Misc.lnk = C:\Documents and Settings\mark.starkman\My Documents\Utilities\Backup Misc.bat
O4 - Startup: Backup My Documents.lnk = C:\Documents and Settings\mark.starkman\My Documents\Utilities\Backup My Documents.bat
O4 - Startup: Backup Outlook Files.lnk = C:\Documents and Settings\mark.starkman\My Documents\Utilities\Backup Outlook Files.bat
O4 - Global Startup: Bomgar Representative Client [supportdesk.activant.com].lnk = C:\Program Files (x86)\Bomgar\Representative\supportdesk.activant.com\bomgar-rep.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: RightFax system tray icon.lnk = ?
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files (x86)\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files (x86)\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files (x86)\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1229543613589
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1229543608011
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/Tran...ransferCtrl.cab
O16 - DPF: {CAFECAFE-0013-0001-0021-ABCDEFABCDEF} (JInitiator 1.3.1.21) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = northamerica.corporate-domain.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = northamerica.corporate-domain.net
O20 - AppInit_DLLs: C:\WINDOWS\SysWow64\zoloyiru.dll,C:\WINDOWS\system32\kegayezu.dll,C:\WINDOWS\system32\huhiluna.dll
O20 - Winlogon Notify: CAF - C:\Program Files (x86)\CA\DSM\Bin\cfwlogon.dll
O23 - Service: Archive Queue - Unknown owner - C:\Program Files (x86)\Prophet 21\DBArchive\ArchiveQueue\ArchiveQueueService.exe
O23 - Service: CA Message Queuing Server (CA-MessageQueuing) - CA, Inc. - C:\Program Files (x86)\CA\SC\CAM\bin\cam.exe
O23 - Service: CA DSM r11 Common Application Framework. (caf) - CA - C:\Program Files (x86)\CA\DSM\bin\caf.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: Google Update Service (gupdate1c98566310f66af) (gupdate1c98566310f66af) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: iTechnology iGateway 4.2 (iGateway) - CA, Inc. - C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
O23 - Service: IIS Admin Service (IISADMIN) - Unknown owner - C:\WINDOWS\system32\inetsrv\inetinfo.exe (file missing)
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: eTrust ITM RPC Service (InoRPC) - CA - C:\Program Files\CA\eTrustITM\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Service (InoRT) - CA - C:\Program Files\CA\eTrustITM\InoRT.exe
O23 - Service: eTrust ITM Job Service (InoTask) - CA - C:\Program Files\CA\eTrustITM\InoTask.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files (x86)\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Request Queue - Unknown owner - C:\Program Files (x86)\Prophet 21\DBArchive\RequestQueue\RequestQueueService.exe
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

--
End of file - 9741 bytes
MarkS
Here is the MalwareBytes log:

Malwarebytes' Anti-Malware 1.34
Database version: 1775
Windows 5.2.3790 Service Pack 2

2/18/2009 1:59:42 PM
mbam-log-2009-02-18 (13-59-42).txt

Scan type: Quick Scan
Objects scanned: 93312
Time elapsed: 4 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c5df1b54-bb50-49fb-9976-cd09e0343368} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c5df1b54-bb50-49fb-9976-cd09e0343368} (Trojan.BHO.H) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kohetibepu (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SysWOW64\zoloyiru.dll (Trojan.BHO.H) -> Delete on reboot.
AdvancedSetup
I assume this is Windows XP 64-bit Edition at least according to the build number.

Have you rebooted and then rescanned the system again with MBAM?
MarkS
You are correct, this is a Windows XP 64-bit edition.

These scans are after several attempts of running MBAM, deleting files and rebooting.

-Mark
AdvancedSetup
Please try running this AV scanner.


Please download to your Desktop: Dr.Web CureIt
  • After the file has downloaded, disable your current Anti-Virus and disconnect from the Internet
  • Doubleclick the drweb-cureit.exe file, then click the Start button, then the OK button to perform an Express Scan.
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click on the Complete scan radio button.
  • Then click on the Settings menu on top, then select Change Settings or press the F9 key. You can also change the Language
  • Choose the Scanning tab and I recommend leaving the Heuristic analysis enabled (this can lead to False Positives though)
  • On the File types tab ensure you select All files
  • Click on the Actions tab and set the following:
    • Objects Infected objects = Cure, Incurable objects = Move, Suspicious objects = Report
    • Infected packages Archive = Move, E-mails = Report, Containers = Move
    • Malware Adware = Move, Dialers = Move, Jokes = Move, Riskware = Move, Hacktools = Move
    • Do not change the Rename extension - default is: #??
    • Leave the default save path for Moved files here: %USERPROFILE%\DoctorWeb\Quarantine\
    • Leave prompt on Action checked
  • On the Log file tab leave the Log to file checked.
  • Leave the log file path alone: %USERPROFILE%\DoctorWeb\CureIt.log
  • Log mode = Append
  • Encoding = ANSI
  • Details Leave Names of file packers and Statistics checked.
  • Limit log file size = 2048 KB and leave the check mark on the Maximum log file size.
  • On the General tab leave the Scan Priority on High
  • Click the Apply button at the bottom, and then the OK button.
  • On the right side under the Dr Web Anti-Virus Logo you will see 3 little buttons. Click the left VCR style Start button.
  • In this mode it will scan Boot sectors of all disks, All removable media, and all local drives
  • The more files and folders you have the longer the scan will take. On large drives it can take hours to complete.
  • When the Cure option is selected, an additional context menu will open. Select the necessary action of the program, if the curing fails.
  • Click 'Yes to all' if it asks if you want to cure/move the files.
  • This will move it to the %USERPROFILE%\DoctorWeb\Quarantine\ folder if it can't be cured. (in this case we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your Desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Files in use may only be moved/deleted during the reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously to your Desktop in your next reply with a new hijackthis log.
MarkS
Dr. Web Cure-it did not find anything for either of the two runs. I have attached the log file from that to this reply:

Here is the HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:33:43 PM, on 2/19/2009
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\CA\SC\CAM\bin\cam.exe
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
C:\Program Files (x86)\Java\jre6\bin\jqs.exe
C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files (x86)\CA\DSM\bin\caf.exe
C:\Program Files (x86)\CA\DSM\Bin\cfsmsmd.exe
C:\Program Files (x86)\CA\DSM\Bin\ccnfagent.exe
C:\Program Files (x86)\CA\DSM\Bin\cfnotsrvd.exe
C:\Program Files (x86)\CA\DSM\Bin\ccsmagtd.exe
C:\Program Files (x86)\CA\DSM\Bin\amswmagt.exe
C:\Program Files (x86)\CA\DSM\PMAgent\capmuamagt.exe
C:\Program Files (x86)\CA\DSM\Bin\cfftplugin.exe
C:\Program Files (x86)\Pidgin\pidgin.exe
C:\WINDOWS\SysWOW64\ctfmon.exe
C:\Program Files (x86)\Bomgar\Representative\supportdesk.activant.com\bomgar-rep.exe
C:\Program Files (x86)\Java\jre6\bin\jusched.exe
C:\Program Files (x86)\RightFax\Client\English\FAXCTRL.exe
C:\Program Files\Logitech\SetPoint\x86\SetPoint32.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {c5df1b54-bb50-49fb-9976-cd09e0343368} - C:\WINDOWS\SysWow64\zoloyiru.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files (x86)\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files (x86)\RightFax\Client\English\FaxCtrl.exe
O4 - HKLM\..\Run: [CAF_SystemTray] "C:\Program Files (x86)\CA\DSM\bin\cfSysTray.exe"
O4 - HKLM\..\Run: [CAF_usrntf] "C:\Program Files (x86)\CA\DSM\Bin\cfusrntf.exe"
O4 - HKLM\..\Run: [DsmSxplog] "C:\Program Files (x86)\CA\DSM\Bin\sxpstub.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [CPM07746854] Rundll32.exe "c:\windows\system32\hitakire.dll",a
O4 - HKLM\..\Run: [kohetibepu] Rundll32.exe "C:\WINDOWS\system32\jatupuni.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Pidgin] C:\Program Files (x86)\Pidgin\pidgin.exe
O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files (x86)\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files (x86)\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files (x86)\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files (x86)\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Startup: Backup Misc.lnk = C:\Documents and Settings\mark.starkman\My Documents\Utilities\Backup Misc.bat
O4 - Startup: Backup My Documents.lnk = C:\Documents and Settings\mark.starkman\My Documents\Utilities\Backup My Documents.bat
O4 - Startup: Backup Outlook Files.lnk = C:\Documents and Settings\mark.starkman\My Documents\Utilities\Backup Outlook Files.bat
O4 - Global Startup: Bomgar Representative Client [supportdesk.activant.com].lnk = C:\Program Files (x86)\Bomgar\Representative\supportdesk.activant.com\bomgar-rep.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: RightFax system tray icon.lnk = ?
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files (x86)\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files (x86)\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files (x86)\Messenger\msmsgs.exe
O15 - Trusted Zone: http://sharepoint.activant.com
O15 - Trusted Zone: http://*.activant.com
O15 - Trusted Zone: http://project.corporate-domain.net
O15 - Trusted Zone: http://sharepoint.corporate-domain.net
O15 - Trusted Zone: http://*.corporate-domain.net
O15 - Trusted Zone: http://destro.speedware.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1229543613589
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1229543608011
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/Tran...ransferCtrl.cab
O16 - DPF: {CAFECAFE-0013-0001-0021-ABCDEFABCDEF} (JInitiator 1.3.1.21) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = northamerica.corporate-domain.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = northamerica.corporate-domain.net
O20 - AppInit_DLLs: C:\WINDOWS\SysWow64\zoloyiru.dll C:\WINDOWS\system32\kegayezu.dll C:\WINDOWS\system32\huhiluna.dll c:\windows\system32\hitakire.dll
O20 - Winlogon Notify: CAF - C:\Program Files (x86)\CA\DSM\Bin\cfwlogon.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\SysWow64\hitakire.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\SysWow64\hitakire.dll
O23 - Service: Archive Queue - Unknown owner - C:\Program Files (x86)\Prophet 21\DBArchive\ArchiveQueue\ArchiveQueueService.exe
O23 - Service: CA Message Queuing Server (CA-MessageQueuing) - CA, Inc. - C:\Program Files (x86)\CA\SC\CAM\bin\cam.exe
O23 - Service: CA DSM r11 Common Application Framework. (caf) - CA - C:\Program Files (x86)\CA\DSM\bin\caf.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: Google Update Service (gupdate1c98566310f66af) (gupdate1c98566310f66af) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: iTechnology iGateway 4.2 (iGateway) - CA, Inc. - C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
O23 - Service: IIS Admin Service (IISADMIN) - Unknown owner - C:\WINDOWS\system32\inetsrv\inetinfo.exe (file missing)
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: eTrust ITM RPC Service (InoRPC) - CA - C:\Program Files\CA\eTrustITM\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Service (InoRT) - CA - C:\Program Files\CA\eTrustITM\InoRT.exe
O23 - Service: eTrust ITM Job Service (InoTask) - CA - C:\Program Files\CA\eTrustITM\InoTask.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files (x86)\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Request Queue - Unknown owner - C:\Program Files (x86)\Prophet 21\DBArchive\RequestQueue\RequestQueueService.exe
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

--
End of file - 10235 bytes
MarkS
Next I ran MBAM and removed some stuff and then rebooted then ran it again. Here is the first log:

Malwarebytes' Anti-Malware 1.34
Database version: 1775
Windows 5.2.3790 Service Pack 2

2/19/2009 12:55:44 PM
mbam-log-2009-02-19 (12-55-44).txt

Scan type: Quick Scan
Objects scanned: 93963
Time elapsed: 6 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 6
Registry Values Infected: 4
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\hitakire.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c5df1b54-bb50-49fb-9976-cd09e0343368} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c5df1b54-bb50-49fb-9976-cd09e0343368} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm07746854 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kohetibepu (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\hitakire.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\hitakire.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\hitakire.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SysWOW64\zoloyiru.dll (Trojan.BHO.H) -> Delete on reboot.
c:\WINDOWS\SysWOW64\hitakire.dll (Trojan.BHO) -> Delete on reboot.
MarkS
Here is the second log:

Malwarebytes' Anti-Malware 1.34
Database version: 1775
Windows 5.2.3790 Service Pack 2

2/19/2009 1:13:21 PM
mbam-log-2009-02-19 (13-13-21).txt

Scan type: Quick Scan
Objects scanned: 93496
Time elapsed: 5 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c5df1b54-bb50-49fb-9976-cd09e0343368} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c5df1b54-bb50-49fb-9976-cd09e0343368} (Trojan.BHO.H) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kohetibepu (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SysWOW64\zoloyiru.dll (Trojan.BHO.H) -> Delete on reboot.
AdvancedSetup
Well, this isn't going to stop it, as there is a parent process hiding that is renaming the files.

With all other applications closed (Taskbar empty), open HijackThis again, run "Do a system scan only" and place a check mark on the following items.
  • O2 - BHO: (no name) - {c5df1b54-bb50-49fb-9976-cd09e0343368} - C:\WINDOWS\SysWow64\zoloyiru.dll
  • O4 - HKLM\..\Run: [CPM07746854] Rundll32.exe "c:\windows\system32\hitakire.dll",a
  • O4 - HKLM\..\Run: [kohetibepu] Rundll32.exe "C:\WINDOWS\system32\jatupuni.dll",s
  • O20 - AppInit_DLLs: C:\WINDOWS\SysWow64\zoloyiru.dll C:\WINDOWS\system32\kegayezu.dll C:\WINDOWS\system32\huhiluna.dll c:\windows\system32\hitakire.dll
  • O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\SysWow64\hitakire.dll
  • O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\SysWow64\hitakire.dll
Then quit all browsers, including the one you're reading this in now.
Then click on Fix checked and then quit HJT.


Download this tool, then shut down and restart, then make sure ALL applications are closed before running it.
Please download the following scanning tool. GMER
  • Open the zip file and copy the file gmer.exe to your Desktop.
  • Double click on gmer.exe and run it.
  • It may take a minute to load and become available.
  • Do not make any changes. Click on the SCAN button and DO NOT use the computer while it's scanning.
  • Once the scan is done click on the SAVE button and browse to your Desktop and save the file as GMER.LOG
  • Zip up the GMER.LOG file and save it as gmerlog.zip and attach it to your reply post.
  • DO NOT directly post this log into a reply. You MUST attach it as a .ZIP file.
  • Click OK and quit the GMER program.


How To Use Compressed (Zipped) Folders in Windows XP
Compress and uncompress files (zip files) in Vista
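The items AdvancedSetup asks to have fixed above are one module wired into several autostart points at once (Run via rundll32, AppInit_DLLs, SSODL, SharedTaskScheduler), which is the pattern worth looking for when a scanner keeps "removing" the same file. The following is an added triage helper written for this thread, not code from HijackThis or Malwarebytes: it parses HijackThis-style lines, groups every .dll/.exe it finds by basename, and ranks modules by how many distinct persistence points load them. The sample log is a constructed subset of the O2/O4/O20/O21/O22 lines from Mark's second log, with one benign Adobe line for contrast; the path regex, section names and ranking rule are assumptions of this example. Grouping is by basename because the thread's MBAM log shows the same hitakire.dll name under both system32 and SysWOW64, and the path regex accepts both the comma-separated and the space-separated AppInit_DLLs forms that appear in the two HijackThis logs.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the second HijackThis log in the thread plus
# one benign Adobe BHO line.  Not a complete log.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {c5df1b54-bb50-49fb-9976-cd09e0343368} - C:\WINDOWS\SysWow64\zoloyiru.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [CPM07746854] Rundll32.exe "c:\windows\system32\hitakire.dll",a
O4 - HKLM\..\Run: [kohetibepu] Rundll32.exe "C:\WINDOWS\system32\jatupuni.dll",s
O20 - AppInit_DLLs: C:\WINDOWS\SysWow64\zoloyiru.dll C:\WINDOWS\system32\kegayezu.dll C:\WINDOWS\system32\huhiluna.dll c:\windows\system32\hitakire.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\SysWow64\hitakire.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\SysWow64\hitakire.dll
"""

# HijackThis section code at the start of a line, e.g. "O20 - ..." or "R1 - ...".
SECTION_RE = re.compile(r"^(O\d+|R\d)\s+-\s+")
# A drive-letter path ending in .dll/.exe.  Quotes, commas and newlines end a
# path, so both "a.dll,b.dll" and "a.dll b.dll" AppInit_DLLs lists split correctly;
# spaces inside a path (Program Files (x86)) are still allowed.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"',\n]+?\.(?:dll|exe)\b", re.IGNORECASE)


def extract_paths(line):
    """Return every drive-letter .dll/.exe path on one log line, lower-cased."""
    return [m.group(0).lower() for m in PATH_RE.finditer(line)]


def parse_log(text):
    """Map module basename -> {section code -> set of full paths seen there}."""
    modules = defaultdict(lambda: defaultdict(set))
    for raw in text.splitlines():
        line = raw.strip()
        match = SECTION_RE.match(line)
        if not match:
            continue  # header, blank line or a line type we do not triage
        section = match.group(1)
        for path in extract_paths(line):
            basename = path.rsplit("\\", 1)[-1]
            modules[basename][section].add(path)
    return modules


def triage(modules, min_sections=2):
    """Rank modules for review.  Assumed rule: anything loaded through
    AppInit_DLLs (O20, which injects into every process that loads user32),
    or wired into at least min_sections distinct autostart points, is listed,
    most-connected first.  Returns [(basename, [sections], [paths]), ...]."""
    hits = []
    for name, by_section in modules.items():
        if "O20" in by_section or len(by_section) >= min_sections:
            sections = sorted(by_section, key=lambda s: int(s[1:]))
            paths = sorted(set().union(*by_section.values()))
            hits.append((name, sections, paths))
    hits.sort(key=lambda hit: (-len(hit[1]), hit[0]))
    return hits


def report(text):
    """Human-readable summary of triage() for a whole log."""
    lines = []
    for name, sections, paths in triage(parse_log(text)):
        lines.append(f"{name}: loaded from {', '.join(sections)}")
        for path in paths:
            lines.append(f"    {path}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run against the sample, hitakire.dll comes out on top (O4, O20, O21, O22, under two directories), then zoloyiru.dll (O2 and O20); the Adobe helper and the Java updater, each in a single ordinary location, are not listed. The point for a defender is not the names (Vundo renames them) but the shape: one file reachable from several load points, including AppInit_DLLs, which is why removing a single Run value or BHO entry, as MBAM did repeatedly in this thread, does not end the infection. Autoruns, which Mark used in the end, enumerates the same locations and many more directly from the registry.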
MarkS
Attached is the GMER log file
AdvancedSetup
Please retry the scanner. That does not appear to be a full scan.

You can try this one if GMER is still blank.


RootRepeal - Rootkit Detector
  • Please download the following tool: RootRepeal - Rootkit Detector
  • Direct download link is here: RootRepeal.rar
  • If you don't already have a program to open a .RAR compressed file you can download a trial version from here: WinRAR
  • Extract the program file to a new folder such as C:\RootRepeal
  • Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button
  • Select ALL of the checkboxes and then click OK and it will start scanning your system.
  • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
  • When done, click on Save Report
  • Save it to the same location where you ran it from, such as C:\RootRepeal
  • Save it as your_name_rootrepeal.txt - where your_name is your forum name
  • This makes it easier to track who the log belongs to.
  • Then open that log and select all and copy/paste it back on your next reply please.
  • Quit the RootRepeal program.
MarkS
Thanks for all of your help. I was able to get rid of the virus by using Autoruns (from sysinternals), disconnecting from the network and deleting all of the files that it created.

Thanks,
Mark
AdvancedSetup
Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
Invision Power Board © 2001-2010 Invision Power Services, Inc.