Vundo Attack!

Hello. Please help me solve this problem. I'm attacked by trojans. Thanks.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:19:02 PM, on 8/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BM8ba9284a] Rundll32.exe "C:\WINDOWS\system32\mobwfule.dll",s
O4 - HKLM\..\Run: [889a1bd6] rundll32.exe "C:\WINDOWS\system32\kuksaian.dll",b
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4555 bytes

Comments

  • edited August 2008
    Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

    If you think you have similar problems, please post a log in the HJT forum and wait for help.

    Hello and welcome to the forums

    My name is Katana and I will be helping you to remove any infection(s) that you may have.

    Please observe these rules while we work:
    1. If you don't know, stop and ask! Don't keep going on.
    2. Please reply to this thread. Do not start a new topic.
    3. Please continue to respond until I give you the "All Clear"
    (Just because you can't see a problem doesn't mean it isn't there)

    If you can do those three things, everything should go smoothly :D

    Please Note, your security programs may give warnings for some of the tools I will ask you to use.
    Be assured, any links I give are safe



    AntiVirus
    You appear to have McAfee and avast
    First you should know that you're actually doing more harm than good by running more than one Anti Virus program.
    When you do this the programs compete for resources, and the end result is none does its best, and it can cause system instability.
    I recommend that you choose one that you want to keep.
    The other/s I would either uninstall, or disable from startup and use as "on demand" for an occasional scan.


    Malwarebytes' Anti-Malware

    Please download Malwarebytes' Anti-Malware to your desktop.

    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to
      • Update Malwarebytes' Anti-Malware
      • and Launch Malwarebytes' Anti-Malware
    • then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please copy and paste the log into your next reply
      • If you accidentally close it, the log file is saved here and will be named like this:
      • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt



    Installed Programs

    Please could you give me a list of the programs that are installed.
    • Start HijackThis
    • Click on the Misc Tools button
    • Click on the Open Uninstall Manager button.

    You will see a list with the programs installed in your computer.
    Click on the Save List button and specify where you would like to save this file.
    When you press Save button a notepad will open with the contents of that file.
    Simply copy and paste the contents of that notepad into your next post.
  • edited August 2008
    Uninstalled programs:

    Ad-Aware
    Adobe AIR
    Adobe Bridge 1.0
    Adobe Common File Installer
    Adobe Flash Player ActiveX
    Adobe Help Center 1.0
    Adobe Media Player
    Adobe Media Player
    Adobe Photoshop CS2
    Adobe Reader 6.0
    Adobe Stock Photos 1.0
    Apollo 3GP Video Converter 2.0.5
    Apollo DVD to 3GP 2.0.5
    avast! Antivirus
    Browser Optimizer Dcads
    Compatibility Pack for the 2007 Office system
    Dcads Games Collection
    EPSON Printer Software
    FrostWire 4.13.1.2 BETA
    High Definition Audio Driver Package - KB888111
    HijackThis 2.0.2
    J2SE Runtime Environment 5.0 Update 9
    Java(TM) 6 Update 5
    K-Lite Codec Pack 2.71 Full
    kondge_netphone_sipsms
    Malwarebytes' Anti-Malware
    McAfee VirusScan Enterprise
    Microsoft Office Professional Edition 2003
    Mozilla Firefox (2.0.0.16)
    Nero Suite
    NVIDIA Drivers
    OpenOffice.org Installer 1.0
    Opera 9.51
    QuickTime
    Realtek High Definition Audio Driver
    Spybot - Search & Destroy
    Windows Installer 3.1 (KB893803)
    WinRAR archiver
    WinZip
    Yahoo! Messenger

    Malwarebytes' log:

    Malwarebytes' Anti-Malware 1.24
    Database version: 1058
    Windows 5.1.2600 Service Pack 2

    11:56:17 PM 8/16/2008
    mbam-log-8-16-2008 (23-56-12).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 64894
    Time elapsed: 30 minute(s), 4 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 9
    Registry Keys Infected: 21
    Registry Values Infected: 3
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 52

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    C:\WINDOWS\system32\aahxulga.dll (Trojan.Vundo) -> No action taken.
    C:\WINDOWS\system32\boikdxua.dll (Trojan.Vundo) -> No action taken.
    C:\WINDOWS\system32\efcDsPJB.dll (Trojan.Vundo) -> No action taken.
    C:\WINDOWS\system32\cvtsdtes.dll (Trojan.Vundo) -> No action taken.
    C:\WINDOWS\system32\nywbekmo.dll (Trojan.Vundo) -> No action taken.
    C:\WINDOWS\system32\vilkle.dll (Trojan.Vundo) -> No action taken.
    C:\WINDOWS\system32\xxyvuSjI.dll (Trojan.Vundo) -> No action taken.
    C:\WINDOWS\system32\eokhnrfh.dll (Trojan.Vundo) -> No action taken.
    C:\WINDOWS\system32\auufjy.dll (Trojan.Vundo) -> No action taken.

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{28b8ae95-1bda-4b91-8255-289677305e2e} (Trojan.Vundo) -> No action taken.
    HKEY_CLASSES_ROOT\CLSID\{28b8ae95-1bda-4b91-8255-289677305e2e} (Trojan.Vundo) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{efa2b0ba-b39f-4fd9-adb0-23e07acb7805} (Trojan.Vundo) -> No action taken.
    HKEY_CLASSES_ROOT\CLSID\{efa2b0ba-b39f-4fd9-adb0-23e07acb7805} (Trojan.Vundo) -> No action taken.
    HKEY_CLASSES_ROOT\CLSID\{877fb8c9-2ef3-4b96-b2b1-7ce2cb857fd0} (Trojan.Vundo) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{877fb8c9-2ef3-4b96-b2b1-7ce2cb857fd0} (Trojan.Vundo) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\xxyvusji (Trojan.Vundo) -> No action taken.
    HKEY_CLASSES_ROOT\rotator.gizmo3 (Trojan.Zlob) -> No action taken.
    HKEY_CLASSES_ROOT\rotator.gizmo3.1 (Trojan.Zlob) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\superiorads (Adware.BHO) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\AdvRemoteDbg (Adware.Agent) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\MediaHoldings (Adware.PlayMP3Z) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> No action taken.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\889a1bd6 (Trojan.Vundo) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bm8ba9284a (Trojan.Vundo) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{877fb8c9-2ef3-4b96-b2b1-7ce2cb857fd0} (Trojan.Vundo) -> No action taken.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Security Packages (Trojan.Vundo) -> Data: c:\windows\system32\efcdspjb -> No action taken.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\efcdspjb -> No action taken.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\system32\vilkle.dll (Trojan.Vundo) -> No action taken.
    C:\WINDOWS\system32\efcDsPJB.dll (Trojan.Vundo) -> No action taken.
    C:\WINDOWS\system32\BJPsDcfe.ini (Trojan.Vundo) -> No action taken.
    C:\WINDOWS\system32\BJPsDcfe.ini2 (Trojan.Vundo) -> No action taken.
    C:\WINDOWS\system32\aahxulga.dll (Trojan.Vundo) -> No action taken.
    C:\WINDOWS\system32\agluxhaa.ini (Trojan.Vundo) -> No action taken.
    C:\WINDOWS\system32\boikdxua.dll (Trojan.Vundo) -> No action taken.
    C:\WINDOWS\system32\auxdkiob.ini (Trojan.Vundo) -> No action taken.
    C:\WINDOWS\system32\cvtsdtes.dll (Trojan.Vundo) -> No action taken.
    C:\WINDOWS\system32\nywbekmo.dll (Trojan.Vundo) -> No action taken.
    C:\WINDOWS\system32\xxyvuSjI.dll (Trojan.Vundo) -> No action taken.
    C:\WINDOWS\system32\eokhnrfh.dll (Trojan.Vundo) -> No action taken.
    C:\WINDOWS\system32\auufjy.dll (Trojan.Vundo) -> No action taken.
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\NP0QRUQG\kb671231[2] (Trojan.Vundo) -> No action taken.
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OPEB01Q3\kb456456[1] (Trojan.Vundo) -> No action taken.
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OPEB01Q3\vy0a[1].dll (Trojan.Vundo) -> No action taken.
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SLQJCHI7\kb767887[1] (Trojan.Vundo) -> No action taken.
    C:\Program Files\Trend Micro\HijackThis\backups\backup-20080814-013430-351.dll (Trojan.Vundo) -> No action taken.
    C:\Program Files\Trend Micro\HijackThis\backups\backup-20080814-013457-746.dll (Trojan.Vundo) -> No action taken.
    C:\Program Files\Trend Micro\HijackThis\backups\backup-20080814-224820-605.dll (Trojan.Vundo) -> No action taken.
    C:\System Volume Information\_restore{BDC50184-5C3E-4E63-8B6C-7816D08A35F7}\RP42\A0014569.dll (Trojan.Vundo) -> No action taken.
    C:\System Volume Information\_restore{BDC50184-5C3E-4E63-8B6C-7816D08A35F7}\RP44\A0016895.exe (Trojan.Vundo) -> No action taken.
    C:\System Volume Information\_restore{BDC50184-5C3E-4E63-8B6C-7816D08A35F7}\RP44\A0016896.exe (Trojan.Vundo) -> No action taken.
    C:\System Volume Information\_restore{BDC50184-5C3E-4E63-8B6C-7816D08A35F7}\RP46\A0017071.dll (Trojan.Vundo) -> No action taken.
    C:\System Volume Information\_restore{BDC50184-5C3E-4E63-8B6C-7816D08A35F7}\RP46\A0017077.dll (Trojan.Vundo) -> No action taken.
    C:\WINDOWS\system32\fgnbhqeq.dll (Trojan.Vundo) -> No action taken.
    C:\WINDOWS\system32\krruchgu.dll (Trojan.Vundo) -> No action taken.
    C:\WINDOWS\system32\ldejhaah.dll (Trojan.Vundo) -> No action taken.
    C:\WINDOWS\system32\mcyjsbpm.dll (Trojan.Vundo) -> No action taken.
    C:\WINDOWS\system32\qkytobti.dll (Trojan.Vundo) -> No action taken.
    C:\WINDOWS\system32\WhoisCL.exe (Adware.BHO) -> No action taken.
    C:\WINDOWS\system32\vogvtruc.dll (Trojan.Vundo) -> No action taken.
    C:\WINDOWS\system32\bagghoca.dll (Trojan.Vundo) -> No action taken.
    C:\WINDOWS\system32\curlqobs.dll (Trojan.Vundo) -> No action taken.
    C:\WINDOWS\system32\efcArRkJ.dll (Trojan.Vundo) -> No action taken.
    C:\WINDOWS\system32\eowhyxym.dll (Trojan.Vundo) -> No action taken.
    C:\WINDOWS\system32\gvsbqupt.dll (Trojan.Vundo) -> No action taken.
    C:\WINDOWS\system32\hcpvfpla.dll (Trojan.Vundo) -> No action taken.
    C:\WINDOWS\system32\hgxmhuqo.dll (Trojan.Vundo) -> No action taken.
    C:\WINDOWS\system32\nljxfn.dll (Trojan.Vundo) -> No action taken.
    C:\WINDOWS\system32\mvtfapcq.dll (Trojan.Vundo) -> No action taken.
    C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> No action taken.
    C:\WINDOWS\cookies.ini (Malware.Trace) -> No action taken.
    C:\WINDOWS\system32\superiorads-uninst.exe (Adware.BHO) -> No action taken.
    C:\WINDOWS\system32\cmd.com (Worm.Alcra) -> No action taken.
    C:\WINDOWS\system32\netstat.com (Worm.Alcra) -> No action taken.
    C:\WINDOWS\system32\ping.com (Worm.Alcra) -> No action taken.
    C:\WINDOWS\system32\tasklist.com (Worm.Alcra) -> No action taken.
    C:\WINDOWS\system32\tracert.com (Worm.Alcra) -> No action taken.
    C:\WINDOWS\pskt.ini (Trojan.Vundo) -> No action taken.
    C:\WINDOWS\BM8ba9284a.xml (Trojan.Vundo) -> No action taken.
    C:\WINDOWS\BM8ba9284a.txt (Trojan.Vundo) -> No action taken.
  • edited August 2008
    -> No action taken.
    Did you allow MBAM to fix the items it found ?



    Your Java and Adobe are out of date. Older versions have vulnerabilities that malware can use to infect your system.

    Please follow these steps to remove older version Java and Adobe components and update.

    Updating Java:
    • Download the latest version of Java Runtime Environment (JRE) 6u7 from http://java.sun.com/javase/downloads/index.jsp
    • Scroll down to where it says "The Java Runtime Environment (JRE) 6 update 7 allows end-users to run Java applications".
    • Click the "Download" button to the right.
    • Check the box that says: "Accept License Agreement".
    • The page will refresh.
    • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.


    Update Adobe Acrobat Reader
    • Please go to this link Adobe Acrobat Reader Download Link
    • Click Download
    • On the right untick Adobe Photoshop Album Starter Edition if you do not wish to include this in the installation.
    • Click the Continue button
    • Click Run, and click Run again
    • Next click the Install Now button and follow the on screen prompts


    Now close all windows, including your browser.
    Double click on the Java installation that you downloaded and follow the prompts.

    Remove Programs
    Now click Start---Control Panel. Double click Add or Remove Programs. If any of the following programs are listed there,
    click on the program to highlight it, and click on remove.
    • Adobe Reader 6.0
    • J2SE Runtime Environment 5.0 Update 9
    Now close the Control Panel.

    Reboot your machine.




    Logs/Information to Post in Reply
    Please post the following logs/Information in your reply
    • A Fresh HJT Log
    • How are things running now ?
  • edited August 2008
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 00:04:44, on 8/22/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\McAfee\Common Framework\UdaterUI.exe
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Opera\opera.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32Info.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: dcads - {61dfb262-9b45-dcd4-ca71-baa096ff57f1} - C:\WINDOWS\system32\nsuD.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O20 - AppInit_DLLs: vilkle.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 4770 bytes

    I still have problems with internet access, and strange objects seem to appear in System32.
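As an added example (not part of the thread and not a tool either helper used), a small Python script that parses a Malwarebytes log in the format posted above, counts what was left unremediated per section (the "No action taken" point the helper raised), and cross-checks the surviving names against the O2/O4/O20 load points of a later HijackThis log, the way vilkle.dll from the MBAM log reappears in the O20 AppInit_DLLs line of this follow-up log. The sample log text is constructed from entries quoted in the thread.

```python
import os
import re
from collections import Counter

# Constructed sample in the format of the Malwarebytes 1.24 log quoted above
MBAM_LOG = """\
Memory Modules Infected:
C:\\WINDOWS\\system32\\vilkle.dll (Trojan.Vundo) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\889a1bd6 (Trojan.Vundo) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\LSA\\Security Packages (Trojan.Vundo) -> Data: c:\\windows\\system32\\efcdspjb -> No action taken.

Files Infected:
C:\\WINDOWS\\system32\\vilkle.dll (Trojan.Vundo) -> No action taken.
C:\\WINDOWS\\system32\\cmd.com (Worm.Alcra) -> Quarantined and deleted successfully.
"""

# Constructed sample in HijackThis v2.0.2 format (abridged follow-up log)
HJT_LOG = """\
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup
O4 - HKLM\\..\\Run: [889a1bd6] rundll32.exe "C:\\WINDOWS\\system32\\kuksaian.dll",b
O20 - AppInit_DLLs: vilkle.dll
"""

SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> "
                      r"(?:Data: (?P<data>.+?) -> )?(?P<action>.+)$")
NO_ACTION = "No action taken."


def parse_mbam(text):
    """One dict per detection line: section, item, family, data, action."""
    section, entries = None, []
    for line in text.splitlines():
        line = line.strip()
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group("section")
            continue
        ent = ENTRY_RE.match(line)
        if ent and section:
            entries.append({"section": section, **ent.groupdict()})
    return entries


def unremediated_by_section(entries):
    """Per section, how many detections MBAM left in place."""
    return Counter(e["section"] for e in entries if e["action"] == NO_ACTION)


def flagged_names(entries):
    """Lower-cased last path component of each unremediated item: DLL basenames,
    random Run value names, and LSA package names (stored without '.dll')."""
    names = set()
    for e in entries:
        if e["action"] == NO_ACTION:
            target = e["data"] or e["item"]
            names.add(os.path.basename(target.replace("\\", "/")).lower())
    return names


def hjt_lines_referencing(hjt_text, names):
    """HJT O2/O4/O20 load points that still mention a name MBAM flagged but did
    not remove, i.e. entries that would relaunch the infection at next boot."""
    if not names:
        return []
    pattern = re.compile(r"(?<![a-z0-9])(?:%s)(?![a-z0-9])"
                         % "|".join(re.escape(n) for n in sorted(names)))
    return [ln.strip() for ln in hjt_text.splitlines()
            if ln.strip().startswith(("O2 ", "O4 ", "O20 "))
            and pattern.search(ln.lower())]
```

Run against the full logs in the thread, the O4 `889a1bd6` value and the O20 `vilkle.dll` entry are the two load points it would report.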
  • edited August 2008
    panget wrote:
    and strange objects seem to appear in System32.

    Strange in what way ?

    Download and Run ComboFix (by sUBs)
    Please visit this webpage for instructions for downloading and running ComboFix:

    Bleeping Computer ComboFix Tutorial

    Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
    ComboFix SHOULD NOT be used unless requested by a forum helper
  • edited August 2008
    Sorry I haven't finished with combofix yet. It may take some time. Thanks.