Vundo - I think... Explorer.exe crashing

Thread Solved

bmsmith25 (Newbie Poster)
Join Date: Dec 2008
Posts: 16
#1 - Dec 29th, 2008
Hello Experts! I think I'm finally going to need to reach out for some urgent help...

I've been working on removing this malware/virus for a few days and thought I got it. Now I'm seeing my explorer.exe process crash quite frequently.

I'm thinking there are still some lingering problems.

Any help would be greatly appreciated! Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:12:28 PM, on 12/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AccessManager\Client\AMBroker.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\AMO40\CWS\PAgent\capmuamagt.exe
C:\Program Files\CA\SC\CAM\bin\cam.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrustITM\InoRT.exe
C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Symantec\Ghost\ngserver.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
c:\oracle\products\9i\bin\agntsrvc.exe
c:\oracle\products\9i\BIN\TNSLSNR.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\System32\svchost.exe
c:\oracle\products\9i\bin\dbsnmp.exe
C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\Xobni\XobniService.exe
C:\BO\BusinessObjects Enterprise 11.5\win32_x86\procLov.exe
C:\Program Files\CA\DSM\bin\caf.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\CA\DSM\Bin\cfsmsmd.exe
C:\Program Files\CA\DSM\Bin\ccnfagent.exe
C:\Program Files\CA\DSM\Bin\cfnotsrvd.exe
C:\Program Files\CA\DSM\Bin\ccsmagtd.exe
C:\Program Files\CA\DSM\Bin\rcHost.exe
C:\Program Files\CA\DSM\Bin\amswmagt.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CA\DSM\PMAgent\capmuamagt.exe
C:\Program Files\AccessManager\Client\AccessMgr.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
C:\Program Files\CA\DSM\Bin\cfftplugin.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\CA\eTrustITM\realmon.exe
C:\Program Files\Symantec\Ghost\ngtray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
C:\Program Files\VMware\VMware Workstation\hqtray.exe
C:\Program Files\CA\DSM\bin\cfSysTray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\Documents and Settings\SMIBR13\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Documents and Settings\SMIBR13\Application Data\Mikogo\Mikogo-Host.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\eFax Messenger 4.2\J2GTray.exe
C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Dropbox\Dropbox.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Symantec\Ghost\bin\dbserv.exe
C:\Program Files\Symantec\Ghost\bin\rteng9.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE
C:\PROGRA~1\MICROS~2\LIVEME~1\Addins\LMCAPI.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Notepad++\notepad++.exe
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
C:\My Documents\Downloads\HiJackThis.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\Explorer.exe
C:\My Documents\Downloads\imabunny.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://canet.ca.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by CA
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O1 - Hosts: bcs01
O2 - BHO: (no name) - {65940327-f4c6-4b9a-ad8a-3456d6272b1a} - C:\WINDOWS\system32\yofolufe.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {D48DA098-42EA-41E0-A32A-EAC3AA52A210} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [AccessManager] C:\Program Files\AccessManager\Client\AccessMgr.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrustITM\realmon.exe" -s
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [NGTray] "C:\Program Files\Symantec\Ghost\ngtray.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [vmware-tray] C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Workstation\hqtray.exe"
O4 - HKLM\..\Run: [CAF_SystemTray] C:\Program Files\CA\DSM\\bin\cfSysTray.exe
O4 - HKLM\..\Run: [DsmSxplog] "C:\Program Files\CA\DSM\Bin\sxpstub.exe"
O4 - HKLM\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\communicator.exe" /fromrunkey
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [e472ab28] rundll32.exe "C:\WINDOWS\system32\mebarepo.dll",b
O4 - HKLM\..\Run: [CPMe74198b4] Rundll32.exe "c:\windows\system32\royetuki.dll",a
O4 - HKLM\..\Run: [derazusame] Rundll32.exe "C:\WINDOWS\system32\dawuyoha.dll",s
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\SMIBR13\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Mikogo] "C:\Documents and Settings\SMIBR13\Application Data\Mikogo\Mikogo-Host.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DriverUpdaterPro] C:\Program Files\iXi Tools\Driver Updater Pro\DriverUpdaterPro.exe -t
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKUS\S-1-5-20\..\Run: [derazusame] Rundll32.exe "C:\WINDOWS\system32\dawuyoha.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Startup: Dropbox.lnk = C:\Program Files\Dropbox\Dropbox.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: eFax 4.2.lnk = C:\Program Files\eFax Messenger 4.2\J2GTray.exe
O4 - Global Startup: Monitor.lnk = C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: SalesForce - {2A427663-00F1-4EE4-A3B6-7F84A024CBB3} - http://salesforce.ca.com (file missing) (HKCU)
O9 - Extra button: Helpdesk - {D4F74464-9448-4D88-B72E-07EA6EC1E14A} - http://helpdesk.ca.com/count.html (file missing) (HKCU)
O9 - Extra button: CA Portal - {D9F8785B-2C42-41B4-98FE-75E11B7460C6} - http://caportal.ca.com (file missing) (HKCU)
O9 - Extra button: Leader - {DA2EB6A6-5DA2-4C9A-BC25-2D4799669C1A} - HTTP://leaderboard.ca.com (file missing) (HKCU)
O9 - Extra button: CKM - {E367B557-5D51-425D-B0EA-DC40E26990BB} - http://km.ca.com (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://canet.ca.com
O15 - Trusted Zone: http://hrreports.ca.com
O15 - Trusted Zone: http://hrreportsft.ca.com
O15 - Trusted Zone: http://insight.ca.com
O15 - Trusted Zone: http://insightft.ca.com
O15 - Trusted Zone: http://mrm.ca.com
O15 - Trusted Zone: http://supportreports.ca.com
O15 - Trusted Zone: http://usilws19.ca.com
O15 - Trusted Zone: http://*.insight
O15 - Trusted Zone: http://*.insightft
O15 - Trusted Zone: http://*.mrm
O15 - Trusted Zone: http://*.supportreports
O15 - Trusted Zone: http://*.usilws19
O15 - Trusted Zone: http://hrreports.ca.com (HKLM)
O15 - Trusted Zone: http://hrreportsft.ca.com (HKLM)
O15 - Trusted Zone: http://insight.ca.com (HKLM)
O15 - Trusted Zone: http://insightft.ca.com (HKLM)
O15 - Trusted Zone: http://mrm.ca.com (HKLM)
O15 - Trusted Zone: http://supportreports.ca.com (HKLM)
O15 - Trusted Zone: http://usilws19.ca.com (HKLM)
O15 - Trusted Zone: http://*.insight (HKLM)
O15 - Trusted Zone: http://*.insightft (HKLM)
O15 - Trusted Zone: http://*.mrm (HKLM)
O15 - Trusted Zone: http://*.supportreports (HKLM)
O15 - Trusted Zone: http://*.usilws19 (HKLM)
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ca.com
O17 - HKLM\Software\..\Telephony: DomainName = ca.com
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL xfrbnu.dll hsqfpf.dll C:\WINDOWS\system32\jadelamo.dll c:\windows\system32\royetuki.dll,C:\WINDOWS\system32\linivini.dll
O20 - Winlogon Notify: CAF - C:\Program Files\CA\DSM\Bin\cfwlogon.dll
O20 - Winlogon Notify: rcHostExt - C:\Program Files\CA\DSM\Bin\rcLoginExt.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\royetuki.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\royetuki.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Access Manager Configuration Service (AMBroker) - MCI, Inc. - C:\Program Files\AccessManager\Client\AMBroker.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: B-Service - Unknown owner - C:\Documents and Settings\SMIBR13\Application Data\Mikogo\B-Service.exe
O23 - Service: Central Management Server (BOBJCentralMS) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\CMS.exe
O23 - Service: Report Application Server (BOBJCrystalReportApplicationServer) - Business Objects - C:\BO\common\3.5\bin\crystalras.exe
O23 - Service: Crystal Reports Cache Server (BOBJCrystalReportsCacheServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\cacheserver.exe
O23 - Service: Crystal Reports Page Server (BOBJCrystalReportspageserver) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\pageserver.exe
O23 - Service: Connection Server (BOBJCS) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\ConnectionServer.exe
O23 - Service: Desktop Intelligence Cache Server (BOBJDesktopIntelligenceCacheServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\fccache.exe
O23 - Service: Desktop Intelligence Report Server (BOBJDesktopIntelligenceReportServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\fcproc.exe
O23 - Service: Destination Job Server (BOBJDestinationServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\procdest.exe
O23 - Service: Event Server (BOBJEventServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\EventServer.exe
O23 - Service: Input File Repository Server (BOBJInputFileServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\inputfileserver.exe
O23 - Service: Desktop Intelligence Job Server (BOBJJobServer_DesktopIntelligence) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\JobServerFullClient.exe
O23 - Service: Crystal Reports Job Server (BOBJJobServer_Report) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\JobServer.exe
O23 - Service: Output File Repository Server (BOBJOutputFileServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\outputfileserver.exe
O23 - Service: List of Values Job Server (BOBJProcessServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\procLov.exe
O23 - Service: Program Job Server (BOBJProgramServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\ProgramServer.exe
O23 - Service: Apache Tomcat 5.0.27 (BOBJTomcat) - Apache Software Foundation - C:\BO\Tomcat\bin\tomcat5.exe
O23 - Service: Web Intelligence Job Server (BOBJWebiServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\procWebi.exe
O23 - Service: Web Intelligence Report Server (BOBJWIRS) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\WIReportServer.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CA Unicenter NSM Systems Performance Agent for UAM - Unknown owner - C:\WINDOWS\AMO40\CWS\PAgent\capmuamagt.exe
O23 - Service: CA Message Queuing Server (CA-MessageQueuing) - CA, Inc. - C:\Program Files\CA\SC\CAM\bin\cam.exe
O23 - Service: CA DSM r11 Common Application Framework. (caf) - CA - C:\Program Files\CA\DSM\bin\caf.exe
O23 - Service: Visual Insight DA Plugin (DAPlugin) - MCI, Inc. - C:\Program Files\AccessManager\Client\DAPlugin.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM WebSphere Application Server V6.1 - smibr13aNode01 (IBMWAS61Service - smibr13aNode01) - Unknown owner - C:\Program Files\IBM\WebSphere\AppServer\bin\wasservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\PowerToys\ImapiHelper.exe
O23 - Service: eTrust ITM RPC Service (InoRPC) - CA - C:\Program Files\CA\eTrustITM\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Service (InoRT) - CA - C:\Program Files\CA\eTrustITM\InoRT.exe
O23 - Service: eTrust ITM Job Service (InoTask) - CA - C:\Program Files\CA\eTrustITM\InoTask.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Microsoft Update Service Helper (msupdsvc) - Unknown owner - C:\WINDOWS\system32\msupdsvc32.exe (file missing)
O23 - Service: Symantec Ghost Database Service Wrapper (NGDBSERV) - Symantec Corporation - C:\Program Files\Symantec\Ghost\bin\dbserv.exe
O23 - Service: Symantec Ghost Configuration Server (NGSERVER) - Symantec Corporation - C:\Program Files\Symantec\Ghost\ngserver.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Niku Background Server - Unknown owner - C:\niku\clarity\bin\nikubgcmd.exe
O23 - Service: Niku Background Server - WAS - Alexandria Software Consulting - C:\nikuwas\clarity\bin\nikubgservice.exe
O23 - Service: Niku Beacon - Unknown owner - C:\niku\Clarity\bin\nikubeaconservice.exe (file missing)
O23 - Service: Niku Beacon - WAS - Alexandria Software Consulting - C:\nikuwas\clarity\bin\nikubeaconservice.exe
O23 - Service: Niku Server - Unknown owner - C:\niku\clarity\bin\nikuappcmd.exe
O23 - Service: Niku System Admin Server - Unknown owner - C:\niku\clarity\bin\nikunsacmd.exe (file missing)
O23 - Service: NobleNet Portmapper for TCP - Unknown owner - C:\niku\Actuate7\Server/bin/portserv.exe (file missing)
O23 - Service: OracleOraDb10g_home1TNSListenerMITRE - Unknown owner - C:\oracle\product\10.2.0\db_1\BIN\TNSLSNR.exe (file missing)
O23 - Service: OracleOraDb9iAgent - Oracle Corporation - c:\oracle\products\9i\bin\agntsrvc.exe
O23 - Service: OracleOraDb9iClientCache - Unknown owner - c:\oracle\products\9i\BIN\ONRSD.EXE
O23 - Service: OracleOraDb9iSNMPPeerEncapsulator - Unknown owner - c:\oracle\products\9i\BIN\ENCSVC.EXE
O23 - Service: OracleOraDb9iSNMPPeerMasterAgent - Unknown owner - c:\oracle\products\9i\BIN\AGNTSVC.EXE
O23 - Service: OracleOraDb9iTNSListenerCLARITY - Unknown owner - c:\oracle\products\9i\BIN\TNSLSNR.exe
O23 - Service: OracleServiceCLARITY - Oracle Corporation - c:\oracle\products\9i\bin\ORACLE.EXE
O23 - Service: OracleServiceMITRE - Unknown owner - c:\oracle\product\10.2.0\db_1\bin\ORACLE.EXE (file missing)
O23 - Service: OracleServiceNIKUWAS - Oracle Corporation - c:\oracle\products\9i\bin\ORACLE.EXE
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SlingAgent Service (SlingAgentService) - Sling Media Inc. - C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
O23 - Service: SP Software Installer - Smartpipes, Inc. - C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
O23 - Service: Visual Insight Dial Analysis (sp_spi_da) - Smartpipes, Inc. - C:\Program Files\AccessManager\SMOC\spi_da.exe
O23 - Service: SSA Integration Manager (Sygman) - MCI, Inc. - C:\Program Files\AccessManager\Client\sygman.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: XobniService - Xobni Corporation - C:\Program Files\Xobni\XobniService.exe
O23 - Service: Actuate Process Management Daemon 7 (__AC_PROCESS_MGMT_DAEMON7) - Unknown owner - C:\niku\Actuate7\Server\bin\pmd7.exe (file missing)

--
End of file - 23102 bytes


Thanks,
Brian
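A triage script, added here as an example and not part of the original post or of HijackThis: it parses the O2 (BHO), O4 (Run), O20 (AppInit_DLLs), O21 (SSODL) and O22 (SharedTaskScheduler) lines and cross-references the DLLs they load. In the log above the same DLL, royetuki.dll, is launched from a hex-named Run value via rundll32 with a one-letter export, is listed in AppInit_DLLs, and is registered under one CLSID as both an SSODL and a SharedTaskScheduler object; those two load inside explorer.exe at logon, which is worth knowing when Explorer is the process that keeps crashing. The reason labels, their weights, the reporting threshold and the "random-looking name" pattern are my own assumptions (legitimate DLLs such as wininet.dll match that pattern too, so it only adds to a DLL already flagged for something else). The sample lines are copied from the first log in this thread and embedded so the script runs offline.

```python
import re
from collections import defaultdict

# Lines copied from the first HijackThis log in this thread (constructed sample for the script).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {65940327-f4c6-4b9a-ad8a-3456d6272b1a} - C:\WINDOWS\system32\yofolufe.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [e472ab28] rundll32.exe "C:\WINDOWS\system32\mebarepo.dll",b
O4 - HKLM\..\Run: [CPMe74198b4] Rundll32.exe "c:\windows\system32\royetuki.dll",a
O4 - HKLM\..\Run: [derazusame] Rundll32.exe "C:\WINDOWS\system32\dawuyoha.dll",s
O4 - HKUS\S-1-5-20\..\Run: [derazusame] Rundll32.exe "C:\WINDOWS\system32\dawuyoha.dll",s (User 'NETWORK SERVICE')
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL xfrbnu.dll hsqfpf.dll C:\WINDOWS\system32\jadelamo.dll c:\windows\system32\royetuki.dll,C:\WINDOWS\system32\linivini.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\royetuki.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\royetuki.dll
"""

# Reason labels and weights are my own assumptions, not anything HijackThis reports.
WEIGHTS = {
    "rundll32_single_letter_export": 2,  # rundll32 foo.dll,a  (as in the O4 lines above)
    "hex_run_value_name": 1,             # Run value named e472ab28 / CPMe74198b4
    "run_value_in_multiple_hives": 1,    # same value under HKLM and a service-account hive
    "nameless_bho_in_system32": 2,       # BHO with "(no name)" loading from system32
    "appinit_dll": 1,                    # injected into every process that loads user32
    "clsid_in_ssodl_and_sts": 3,         # one CLSID in both O21 and O22: loaded by Explorer
    "random_looking_name": 1,            # weak alone (wininet.dll matches too), so only +1
}

RUN_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<path>[^",]+?\.dll)"?,(?P<export>\S+)', re.I)
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")
SHELL_RE = re.compile(r"^O2[12] - (?P<kind>SSODL|SharedTaskScheduler): .*? - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")
HEX_NAME_RE = re.compile(r"^(?:cpm)?[0-9a-f]{8}$", re.I)
RANDOM_NAME_RE = re.compile(r"^[a-z]{6,8}\.dll$")


def basename(path):
    """Lower-cased file name of a Windows path, surrounding quotes stripped."""
    return path.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log_text, threshold=2):
    """Return {dll: {"score": n, "reasons": [...]}} for DLLs scoring >= threshold."""
    reasons = defaultdict(dict)       # dll -> {reason: weight}; a dict so each reason counts once
    run_hives = defaultdict(set)      # (value name, dll) -> hives it was seen under
    shell_clsids = defaultdict(dict)  # clsid -> {"SSODL" | "SharedTaskScheduler": dll}

    def flag(dll, reason):
        reasons[dll][reason] = WEIGHTS[reason]

    for line in log_text.splitlines():
        line = line.strip()
        if m := RUN_RE.match(line):
            if r := RUNDLL_RE.search(m["cmd"]):
                dll = basename(r["path"])
                if len(r["export"]) == 1:
                    flag(dll, "rundll32_single_letter_export")
                if HEX_NAME_RE.match(m["name"]):
                    flag(dll, "hex_run_value_name")
                run_hives[(m["name"].lower(), dll)].add(m["hive"].upper())
        elif m := BHO_RE.match(line):
            if m["name"] == "(no name)" and "system32" in m["path"].lower():
                flag(basename(m["path"]), "nameless_bho_in_system32")
        elif m := SHELL_RE.match(line):
            shell_clsids[m["clsid"].lower()][m["kind"]] = basename(m["path"])
        elif m := APPINIT_RE.match(line):
            # HJT separates AppInit entries with spaces or commas; 8.3 paths keep them space-free.
            for entry in re.split(r"[ ,]+", m["dlls"].strip()):
                if entry:
                    flag(basename(entry), "appinit_dll")

    for (_, dll), hives in run_hives.items():
        if len(hives) > 1:
            flag(dll, "run_value_in_multiple_hives")
    for kinds in shell_clsids.values():
        if "SSODL" in kinds and "SharedTaskScheduler" in kinds:
            for dll in set(kinds.values()):
                flag(dll, "clsid_in_ssodl_and_sts")
    for dll in list(reasons):  # name heuristic only on DLLs already flagged for something else
        if RANDOM_NAME_RE.match(dll):
            flag(dll, "random_looking_name")

    report = {}
    for dll, rs in reasons.items():
        score = sum(rs.values())
        if score >= threshold:
            report[dll] = {"score": score, "reasons": sorted(rs)}
    return report


if __name__ == "__main__":
    for dll, info in sorted(triage(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["score"]):
        print(f"{info['score']:>2}  {dll:<14} {', '.join(info['reasons'])}")
```

Run against the sample it ranks royetuki.dll first, then mebarepo.dll and dawuyoha.dll, and leaves the Google Desktop AppInit DLL and the Java BHO unreported because each carries only one weak signal. The point of the cross-referencing is that a single O4 line is easy to dismiss; the same DLL turning up in AppInit_DLLs and as an Explorer shell object is not. Scores are a reading aid for a log the poster has already pasted, not a cleaning tool.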
Suspishio (Sponsor)
Join Date: Aug 2007
Posts: 1,729
Solved Threads: 137
#2 - Dec 29th, 2008
If nobody else replies with one of the "standard" methods you'll find in most threads, and since you've been working on this for a few days (the way I would have), you could do worse than search the forum using the term "Virtunonde" (which I deliberately misspelt so that it could be easily searched on).

This provides structure to what you're trying to accomplish. It needs a second PC with your infected disk in a USB enclosure.

Let us know what you decide to do.
Suspishio
My advice is at your risk
crunchie (Moderator, Featured Poster)
Join Date: Feb 2004
Posts: 10,057
Solved Threads: 762
#3 - Dec 29th, 2008
Hi and welcome to the Daniweb forums.

==========

Download Malwarebytes' Anti-Malware (http://www.majorgeeks.com/Malwarebyt...are_d5756.html) to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure to checkmark the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Make sure that you restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

Post a new HJT log.
bmsmith25 (Newbie Poster)
Join Date: Dec 2008
Posts: 16
#4 - Dec 29th, 2008
Hey Crunchie - Thanks for the welcome. Sorry for not including this in the original post, but the first thing I tried was using CA's anti-virus software. That didn't do the trick. Next I tried AVG - that found some stuff, but didn't remove everything. Then I tried Malwarebytes'. That seemed to have done the trick, but after a reboot, I still had some pop-ups... I have since uninstalled all of the above software (this was all prior to this post).

However, since posting today, I installed Avira free anti-virus. That found it and to this point (a few hours) it seems to have done the trick. I don't know if I can be sure or not.

If you have any recommendations how to be sure, then they are appreciated.

Nonetheless - I very much thank everyone for responding.

Here is the very latest HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:49:12 PM, on 12/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AccessManager\Client\AMBroker.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\AMO40\CWS\PAgent\capmuamagt.exe
C:\Program Files\CA\SC\CAM\bin\cam.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrustITM\InoRT.exe
C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Symantec\Ghost\ngserver.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
c:\oracle\products\9i\bin\agntsrvc.exe
c:\oracle\products\9i\BIN\TNSLSNR.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\System32\svchost.exe
c:\oracle\products\9i\bin\dbsnmp.exe
C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\Xobni\XobniService.exe
C:\BO\BusinessObjects Enterprise 11.5\win32_x86\procLov.exe
C:\Program Files\CA\DSM\bin\caf.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\CA\DSM\Bin\cfsmsmd.exe
C:\Program Files\CA\DSM\Bin\ccnfagent.exe
C:\Program Files\CA\DSM\Bin\cfnotsrvd.exe
C:\Program Files\CA\DSM\Bin\ccsmagtd.exe
C:\Program Files\CA\DSM\Bin\rcHost.exe
C:\Program Files\CA\DSM\Bin\amswmagt.exe
C:\Program Files\CA\DSM\PMAgent\capmuamagt.exe
C:\Program Files\CA\DSM\Bin\cfftplugin.exe
C:\Program Files\Symantec\Ghost\bin\dbserv.exe
C:\Program Files\Symantec\Ghost\bin\rteng9.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\AccessManager\Client\AccessMgr.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\CA\eTrustITM\realmon.exe
C:\Program Files\Symantec\Ghost\ngtray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
C:\Program Files\VMware\VMware Workstation\hqtray.exe
C:\Program Files\CA\DSM\bin\cfSysTray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\Documents and Settings\SMIBR13\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Documents and Settings\SMIBR13\Application Data\Mikogo\Mikogo-Host.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\eFax Messenger 4.2\J2GTray.exe
C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Dropbox\Dropbox.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\My Documents\Downloads\imabunny.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://canet.ca.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by CA
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O1 - Hosts: bcs01
O2 - BHO: (no name) - {65940327-f4c6-4b9a-ad8a-3456d6272b1a} - C:\WINDOWS\system32\yofolufe.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {D48DA098-42EA-41E0-A32A-EAC3AA52A210} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [AccessManager] C:\Program Files\AccessManager\Client\AccessMgr.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrustITM\realmon.exe" -s
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [NGTray] "C:\Program Files\Symantec\Ghost\ngtray.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [vmware-tray] C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Workstation\hqtray.exe"
O4 - HKLM\..\Run: [CAF_SystemTray] C:\Program Files\CA\DSM\\bin\cfSysTray.exe
O4 - HKLM\..\Run: [DsmSxplog] "C:\Program Files\CA\DSM\Bin\sxpstub.exe"
O4 - HKLM\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\communicator.exe" /fromrunkey
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [derazusame] Rundll32.exe "C:\WINDOWS\system32\dawuyoha.dll",s
O4 - HKLM\..\Run: [e472ab28] rundll32.exe "C:\WINDOWS\system32\guratayo.dll",b
O4 - HKLM\..\Run: [CPMe74198b4] Rundll32.exe "c:\windows\system32\gorumiba.dll",a
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\SMIBR13\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Mikogo] "C:\Documents and Settings\SMIBR13\Application Data\Mikogo\Mikogo-Host.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DriverUpdaterPro] C:\Program Files\iXi Tools\Driver Updater Pro\DriverUpdaterPro.exe -t
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKUS\S-1-5-19\..\Run: [derazusame] Rundll32.exe "C:\WINDOWS\system32\dawuyoha.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [derazusame] Rundll32.exe "C:\WINDOWS\system32\dawuyoha.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Startup: Dropbox.lnk = C:\Program Files\Dropbox\Dropbox.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: eFax 4.2.lnk = C:\Program Files\eFax Messenger 4.2\J2GTray.exe
O4 - Global Startup: Monitor.lnk = C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: SalesForce - {2A427663-00F1-4EE4-A3B6-7F84A024CBB3} - http://salesforce.ca.com (file missing) (HKCU)
O9 - Extra button: Helpdesk - {D4F74464-9448-4D88-B72E-07EA6EC1E14A} - http://helpdesk.ca.com/count.html (file missing) (HKCU)
O9 - Extra button: CA Portal - {D9F8785B-2C42-41B4-98FE-75E11B7460C6} - http://caportal.ca.com (file missing) (HKCU)
O9 - Extra button: Leader - {DA2EB6A6-5DA2-4C9A-BC25-2D4799669C1A} - HTTP://leaderboard.ca.com (file missing) (HKCU)
O9 - Extra button: CKM - {E367B557-5D51-425D-B0EA-DC40E26990BB} - http://km.ca.com (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://canet.ca.com
O15 - Trusted Zone: http://hrreports.ca.com
O15 - Trusted Zone: http://hrreportsft.ca.com
O15 - Trusted Zone: http://insight.ca.com
O15 - Trusted Zone: http://insightft.ca.com
O15 - Trusted Zone: http://mrm.ca.com
O15 - Trusted Zone: http://supportreports.ca.com
O15 - Trusted Zone: http://usilws19.ca.com
O15 - Trusted Zone: http://*.insight
O15 - Trusted Zone: http://*.insightft
O15 - Trusted Zone: http://*.mrm
O15 - Trusted Zone: http://*.supportreports
O15 - Trusted Zone: http://*.usilws19
O15 - Trusted Zone: http://hrreports.ca.com (HKLM)
O15 - Trusted Zone: http://hrreportsft.ca.com (HKLM)
O15 - Trusted Zone: http://insight.ca.com (HKLM)
O15 - Trusted Zone: http://insightft.ca.com (HKLM)
O15 - Trusted Zone: http://mrm.ca.com (HKLM)
O15 - Trusted Zone: http://supportreports.ca.com (HKLM)
O15 - Trusted Zone: http://usilws19.ca.com (HKLM)
O15 - Trusted Zone: http://*.insight (HKLM)
O15 - Trusted Zone: http://*.insightft (HKLM)
O15 - Trusted Zone: http://*.mrm (HKLM)
O15 - Trusted Zone: http://*.supportreports (HKLM)
O15 - Trusted Zone: http://*.usilws19 (HKLM)
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ca.com
O17 - HKLM\Software\..\Telephony: DomainName = ca.com
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL xfrbnu.dll hsqfpf.dll C:\WINDOWS\system32\jadelamo.dll C:\WINDOWS\system32\linivini.dll c:\windows\system32\gorumiba.dll
O20 - Winlogon Notify: CAF - C:\Program Files\CA\DSM\Bin\cfwlogon.dll
O20 - Winlogon Notify: rcHostExt - C:\Program Files\CA\DSM\Bin\rcLoginExt.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\gorumiba.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\gorumiba.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Access Manager Configuration Service (AMBroker) - MCI, Inc. - C:\Program Files\AccessManager\Client\AMBroker.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: B-Service - Unknown owner - C:\Documents and Settings\SMIBR13\Application Data\Mikogo\B-Service.exe
O23 - Service: Central Management Server (BOBJCentralMS) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\CMS.exe
O23 - Service: Report Application Server (BOBJCrystalReportApplicationServer) - Business Objects - C:\BO\common\3.5\bin\crystalras.exe
O23 - Service: Crystal Reports Cache Server (BOBJCrystalReportsCacheServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\cacheserver.exe
O23 - Service: Crystal Reports Page Server (BOBJCrystalReportspageserver) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\pageserver.exe
O23 - Service: Connection Server (BOBJCS) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\ConnectionServer.exe
O23 - Service: Desktop Intelligence Cache Server (BOBJDesktopIntelligenceCacheServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\fccache.exe
O23 - Service: Desktop Intelligence Report Server (BOBJDesktopIntelligenceReportServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\fcproc.exe
O23 - Service: Destination Job Server (BOBJDestinationServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\procdest.exe
O23 - Service: Event Server (BOBJEventServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\EventServer.exe
O23 - Service: Input File Repository Server (BOBJInputFileServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\inputfileserver.exe
O23 - Service: Desktop Intelligence Job Server (BOBJJobServer_DesktopIntelligence) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\JobServerFullClient.exe
O23 - Service: Crystal Reports Job Server (BOBJJobServer_Report) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\JobServer.exe
O23 - Service: Output File Repository Server (BOBJOutputFileServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\outputfileserver.exe
O23 - Service: List of Values Job Server (BOBJProcessServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\procLov.exe
O23 - Service: Program Job Server (BOBJProgramServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\ProgramServer.exe
O23 - Service: Apache Tomcat 5.0.27 (BOBJTomcat) - Apache Software Foundation - C:\BO\Tomcat\bin\tomcat5.exe
O23 - Service: Web Intelligence Job Server (BOBJWebiServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\procWebi.exe
O23 - Service: Web Intelligence Report Server (BOBJWIRS) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\WIReportServer.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CA Unicenter NSM Systems Performance Agent for UAM - Unknown owner - C:\WINDOWS\AMO40\CWS\PAgent\capmuamagt.exe
O23 - Service: CA Message Queuing Server (CA-MessageQueuing) - CA, Inc. - C:\Program Files\CA\SC\CAM\bin\cam.exe
O23 - Service: CA DSM r11 Common Application Framework. (caf) - CA - C:\Program Files\CA\DSM\bin\caf.exe
O23 - Service: Visual Insight DA Plugin (DAPlugin) - MCI, Inc. - C:\Program Files\AccessManager\Client\DAPlugin.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM WebSphere Application Server V6.1 - smibr13aNode01 (IBMWAS61Service - smibr13aNode01) - Unknown owner - C:\Program Files\IBM\WebSphere\AppServer\bin\wasservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\PowerToys\ImapiHelper.exe
O23 - Service: eTrust ITM RPC Service (InoRPC) - CA - C:\Program Files\CA\eTrustITM\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Service (InoRT) - CA - C:\Program Files\CA\eTrustITM\InoRT.exe
O23 - Service: eTrust ITM Job Service (InoTask) - CA - C:\Program Files\CA\eTrustITM\InoTask.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Microsoft Update Service Helper (msupdsvc) - Unknown owner - C:\WINDOWS\system32\msupdsvc32.exe (file missing)
O23 - Service: Symantec Ghost Database Service Wrapper (NGDBSERV) - Symantec Corporation - C:\Program Files\Symantec\Ghost\bin\dbserv.exe
O23 - Service: Symantec Ghost Configuration Server (NGSERVER) - Symantec Corporation - C:\Program Files\Symantec\Ghost\ngserver.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Niku Background Server - Unknown owner - C:\niku\clarity\bin\nikubgcmd.exe
O23 - Service: Niku Background Server - WAS - Alexandria Software Consulting - C:\nikuwas\clarity\bin\nikubgservice.exe
O23 - Service: Niku Beacon - Unknown owner - C:\niku\Clarity\bin\nikubeaconservice.exe (file missing)
O23 - Service: Niku Beacon - WAS - Alexandria Software Consulting - C:\nikuwas\clarity\bin\nikubeaconservice.exe
O23 - Service: Niku Server - Unknown owner - C:\niku\clarity\bin\nikuappcmd.exe
O23 - Service: Niku System Admin Server - Unknown owner - C:\niku\clarity\bin\nikunsacmd.exe (file missing)
O23 - Service: NobleNet Portmapper for TCP - Unknown owner - C:\niku\Actuate7\Server/bin/portserv.exe (file missing)
O23 - Service: OracleOraDb10g_home1TNSListenerMITRE - Unknown owner - C:\oracle\product\10.2.0\db_1\BIN\TNSLSNR.exe (file missing)
O23 - Service: OracleOraDb9iAgent - Oracle Corporation - c:\oracle\products\9i\bin\agntsrvc.exe
O23 - Service: OracleOraDb9iClientCache - Unknown owner - c:\oracle\products\9i\BIN\ONRSD.EXE
O23 - Service: OracleOraDb9iSNMPPeerEncapsulator - Unknown owner - c:\oracle\products\9i\BIN\ENCSVC.EXE
O23 - Service: OracleOraDb9iSNMPPeerMasterAgent - Unknown owner - c:\oracle\products\9i\BIN\AGNTSVC.EXE
O23 - Service: OracleOraDb9iTNSListenerCLARITY - Unknown owner - c:\oracle\products\9i\BIN\TNSLSNR.exe
O23 - Service: OracleServiceCLARITY - Oracle Corporation - c:\oracle\products\9i\bin\ORACLE.EXE
O23 - Service: OracleServiceMITRE - Unknown owner - c:\oracle\product\10.2.0\db_1\bin\ORACLE.EXE (file missing)
O23 - Service: OracleServiceNIKUWAS - Oracle Corporation - c:\oracle\products\9i\bin\ORACLE.EXE
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SlingAgent Service (SlingAgentService) - Sling Media Inc. - C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
O23 - Service: SP Software Installer - Smartpipes, Inc. - C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
O23 - Service: Visual Insight Dial Analysis (sp_spi_da) - Smartpipes, Inc. - C:\Program Files\AccessManager\SMOC\spi_da.exe
O23 - Service: SSA Integration Manager (Sygman) - MCI, Inc. - C:\Program Files\AccessManager\Client\sygman.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: XobniService - Xobni Corporation - C:\Program Files\Xobni\XobniService.exe
O23 - Service: Actuate Process Management Daemon 7 (__AC_PROCESS_MGMT_DAEMON7) - Unknown owner - C:\niku\Actuate7\Server\bin\pmd7.exe (file missing)

--
End of file - 22960 bytes


Thanks!
Brian
crunchie (Moderator, Spyware Killer)

Re: Vundo - I think... Explorer.exe crashing

#5 - Dec 29th, 2008
You are still highly infected judging by your HijackThis log. I would appreciate it if you simply followed my advice above.
Suspishio (Sponsor)

Re: Vundo - I think... Explorer.exe crashing

#6 - Dec 30th, 2008
Just to add to Crunchie's advice, comparing HJT logs, your situation has worsened as evidenced by these entries (at least):

O2 - BHO: (no name) - {65940327-f4c6-4b9a-ad8a-3456d6272b1a} - C:\WINDOWS\system32\yofolufe.dll

O2 - BHO: (no name) - {D48DA098-42EA-41E0-A32A-EAC3AA52A210} - (no file)


O4 - HKLM\..\Run: [derazusame] Rundll32.exe "C:\WINDOWS\system32\dawuyoha.dll",s
O4 - HKLM\..\Run: [e472ab28] rundll32.exe "C:\WINDOWS\system32\guratayo.dll",b
O4 - HKLM\..\Run: [CPMe74198b4] Rundll32.exe "c:\windows\system32\gorumiba.dll",a
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe

O4 - HKUS\S-1-5-19\..\Run: [derazusame] Rundll32.exe "C:\WINDOWS\system32\dawuyoha.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [derazusame] Rundll32.exe "C:\WINDOWS\system32\dawuyoha.dll",s (User 'NETWORK SERVICE')

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL xfrbnu.dll hsqfpf.dll C:\WINDOWS\system32\jadelamo.dll C:\WINDOWS\system32\linivini.dll c:\windows\system32\gorumiba.dll

O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\gorumiba.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\gorumiba.dll
Suspishio
jholland1964 (Moderator)

Re: Vundo - I think... Explorer.exe crashing

#7 - Jan 2nd, 2009
Not meaning to "step on toes" here, but caperjack has informed me you have a double post going here
http://www.daniweb.com/forums/post76...tml#post769217
and since I didn't realize this and don't know if you will go back to the other thread, I wanted to post this in this one also.
You note in this thread right here that you have tried multiple anti-virus programs, including CA, AVG, and also Avira. I didn't have this information in my post to you in the other thread, but there also I noticed in your log posted there that you currently have CA running and also Norton.
You obviously are not uninstalling all of these anti-virus programs completely. You must UNINSTALL all of these except one of them. Running more than one at a time will certainly complicate your problems.
I am not certain which two HJT logs Suspishio is comparing; the two I see here are pretty much the same.
I will repeat here some of what I posted in the other thread, since we don't know which one the poster is checking on:
The first thing I notice in your HJT log is that you are running two anti-virus programs, eTrust and Norton. This is an absolute NO-NO. The RULE is ONE anti-virus program running on a computer. One of these must be totally Uninstalled Immediately.
The second thing...did you personally add all of these Trusted Sites? I have tried them all and none of them can be found. If you personally did not add these then they should be fixed using HiJackThis.
You are running an extraordinarily large number of programs at once.
There are a large number of programs I have never seen before and ones I cannot find information about, except Google searches which come up with malware forums noting the same programs. But since I cannot find information on the majority of them I am at a loss to tell you what to stop.
Judy
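A small triage script, added here as an example and not something any of the posters ran, that does mechanically what Suspishio (comparing logs and calling out the rundll32, AppInit_DLLs, SSODL and SharedTaskScheduler entries) and Judy (asking which two logs differ) do by eye: it parses the HJT entry lines, flags those entry shapes, groups each flagged DLL by the autostart points that load it, and diffs two logs. The sample lines are copied from the log posted above; the heuristics and all function names are the editor's, not HijackThis's own.

```python
"""Triage helper for HijackThis (HJT) logs (added example, not from the thread).

Parses the 'O4 - ...'-style entry lines and applies the heuristics the responders
above use by eye: Run keys that start rundll32 on a system32 DLL with a one-letter
export, unnamed BHOs, DLLs injected through AppInit_DLLs, and SSODL/SharedTaskScheduler
entries (both are loaded into explorer.exe at shell start, which matters when
explorer.exe keeps crashing). It also diffs two logs so 'worse than before?' is concrete.
"""
import re

# Constructed sample: a subset of the log posted above, copied verbatim.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {65940327-f4c6-4b9a-ad8a-3456d6272b1a} - C:\WINDOWS\system32\yofolufe.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [derazusame] Rundll32.exe "C:\WINDOWS\system32\dawuyoha.dll",s
O4 - HKLM\..\Run: [CPMe74198b4] Rundll32.exe "c:\windows\system32\gorumiba.dll",a
O4 - HKUS\S-1-5-19\..\Run: [derazusame] Rundll32.exe "C:\WINDOWS\system32\dawuyoha.dll",s (User 'LOCAL SERVICE')
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL xfrbnu.dll c:\windows\system32\gorumiba.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\gorumiba.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\gorumiba.dll
"""

ENTRY_RE = re.compile(r"^(O\d+|R\d|F\d) - (.*)$")
# Rundll32.exe "<dir>\system32\<name>.dll",<x>  (single-letter export, optional quotes/trailer)
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<path>[^",]*\\system32\\[a-z0-9]+\.dll)"?\s*,\s*(?P<export>[a-z])\b',
    re.IGNORECASE)
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
DLL_RE = re.compile(r"\S+\.dll", re.IGNORECASE)


def parse_hjt(text):
    """Return [(section, body)] for every entry line; non-entry lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(text):
    """Return [(section, dll_path_lowercased, reason)] for entries matching a heuristic."""
    findings = []
    shell_loaded = {}  # CLSID -> [(section, dll)] for O21/O22, reported together
    for section, body in parse_hjt(text):
        if section == "O4":
            m = RUNDLL_RE.search(body)
            if m:
                findings.append((section, m.group("path").lower(),
                                 "rundll32 autorun of a system32 DLL, export '%s'" % m.group("export")))
        elif section == "O2" and body.startswith("BHO: (no name)"):
            m = DLL_RE.search(body)
            if m:
                findings.append((section, m.group(0).lower(), "unnamed Browser Helper Object"))
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            for dll in DLL_RE.findall(body):
                findings.append((section, dll.lower(), "injected into every user32-linked process"))
        elif section in ("O21", "O22"):
            clsid, dll = CLSID_RE.search(body), DLL_RE.search(body)
            if clsid and dll:
                shell_loaded.setdefault(clsid.group(0).upper(), []).append((section, dll.group(0).lower()))
    for clsid, uses in shell_loaded.items():
        via = "+".join(s for s, _ in uses)
        for section, dll in uses:
            findings.append((section, dll, "loaded by explorer.exe at shell start via %s (%s)" % (via, clsid)))
    return findings


def dll_persistence_map(text):
    """Group findings by DLL: {dll: sorted sections that load it}. A DLL wired into
    several autostart points survives removal of any single one of them."""
    by_dll = {}
    for section, dll, _ in triage(text):
        by_dll.setdefault(dll, set()).add(section)
    return {dll: sorted(secs) for dll, secs in by_dll.items()}


def diff_logs(old_text, new_text):
    """(added, removed) entries between two logs, so 'worse than before?' is concrete."""
    old, new = set(parse_hjt(old_text)), set(parse_hjt(new_text))
    return sorted(new - old), sorted(old - new)


if __name__ == "__main__":
    for section, dll, reason in triage(SAMPLE_LOG):
        print("%-4s %-45s %s" % (section, dll, reason))
```

Run against the sample, gorumiba.dll shows up under O4, O20, O21 and O22 at once, which is why fixing a single Run entry leaves the machine reinfected on the next logon.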
bmsmith25

Re: Vundo - I think... Explorer.exe crashing

#8 - Jan 2nd, 2009
Originally Posted by crunchie:
You are still highly infected judging by your HijackThis log. I would appreciate it if you simply followed my advice above.
Crunchie - Here is my malwarebytes log:

Malwarebytes' Anti-Malware 1.31
Database version: 1585
Windows 5.1.2600 Service Pack 2

12/31/2008 1:23:12 PM
mbam-log-2008-12-31 (13-23-12).txt

Scan type: Full Scan (C:\|D:\|S:\|X:\|)
Objects scanned: 527700
Time elapsed: 56 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 6
Registry Values Infected: 5
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 17

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\hejitavo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\jarugede.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\lojaloke.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{65940327-f4c6-4b9a-ad8a-3456d6272b1a} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{65940327-f4c6-4b9a-ad8a-3456d6272b1a} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\derazusame (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e472ab28 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpme74198b4 (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\hejitavo.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\hejitavo.dll
bmsmith25

Re: Vundo - I think... Explorer.exe crashing

#9 - Jan 2nd, 2009
Originally Posted by Suspishio:
Just to add to Crunchie's advice, comparing HJT logs, your situation has worsened as evidenced by these entries (at least):

O2 - BHO: (no name) - {65940327-f4c6-4b9a-ad8a-3456d6272b1a} - C:\WINDOWS\system32\yofolufe.dll

O2 - BHO: (no name) - {D48DA098-42EA-41E0-A32A-EAC3AA52A210} - (no file)


O4 - HKLM\..\Run: [derazusame] Rundll32.exe "C:\WINDOWS\system32\dawuyoha.dll",s
O4 - HKLM\..\Run: [e472ab28] rundll32.exe "C:\WINDOWS\system32\guratayo.dll",b
O4 - HKLM\..\Run: [CPMe74198b4] Rundll32.exe "c:\windows\system32\gorumiba.dll",a
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe

O4 - HKUS\S-1-5-19\..\Run: [derazusame] Rundll32.exe "C:\WINDOWS\system32\dawuyoha.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [derazusame] Rundll32.exe "C:\WINDOWS\system32\dawuyoha.dll",s (User 'NETWORK SERVICE')

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL xfrbnu.dll hsqfpf.dll C:\WINDOWS\system32\jadelamo.dll C:\WINDOWS\system32\linivini.dll c:\windows\system32\gorumiba.dll

O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\gorumiba.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\gorumiba.dll
Thanks Suspishio. I'm definitely aware of the infection. Trying like crazy to remove.

Brian
jholland1964 (Moderator)

Re: Vundo - I think... Explorer.exe crashing

#10 - Jan 2nd, 2009
Brian, can you run a new HJT scan and post that here?
Judy
This thread has been marked solved.
©2003 - 2009 DaniWeb® LLC