Help Needed! Trojan.vundo - Popsups Etc!

Hey guys.

I'm losing my mind here. I'm running Windows XP Pro, fully updated, and McAfee Enterprise fully updated, and have been free of any malicious software for several years. However, all good things apparently must come to an end: a few days ago I started getting random advertisement popups and having my PC slow down immensely.

I've been through zounds of forums and tried everything I could think of, scanned with Norton, Ad-Aware, McAfee, and a bunch of other cleaners, without success both in normal mode and safe mode, used Autoruns to try to locate the offender, etc.

I seem to have it narrowed down to a .dll in my system32 folder, which has attached itself to the lsass.exe file. The DLL is called ddcyrqhf.dll; however, I'm guessing that's just a randomly generated name, as it also seems to be related to another crud DLL called rjmatal.dll, which is in the system32 folder as well.

Having added the DLL to McAfee's unwanted programs list manually, I'm able to stop the popups; however, I can see the little devil trying to start every 5 sec or so in my log file. McAfee detects and deletes 95% of the incidents, but it cannot delete the .dlls as lsass.exe is keeping them "alive".

At the same time, that same DLL seems to be creating randomly named add-on processes in my iexplore, which prevents me from using, for example, Google and several other websites. I presume the real culprit isn't the DLL itself, but some hidden malware opening the floodgates for Vundo and other malicious software; however, I haven't been able to locate the root of the problem, hence why I'm here begging for your assistance!

It might possibly be affecting my explorer.exe as that seems to be guzzling resources like a madman; whether that's due to the infection in lsass.exe or not is beyond my meager abilities to determine.

I won't bore you with results from various removal software, other than to say that VundoFix and such have been run several times. The computer is of course currently taken off its net access and restore points turned off, so I'm writing from my, so far, clean laptop.

Below is the HijackThis log. Please let me know if there are any other logs or info you need. I pray you can help me out! Thanks a million in advance. I'll go sharpen the stake for when fate leads me to the creators of this malware while you contemplate your words of wisdom.


HijackThis Logfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:24:17, on 16-07-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Download\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.nvidia.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: (no name) - {0391A999-5EEF-4EB3-B2DD-B4DA3D029DA6} - C:\WINDOWS\system32\ddcYrQhF.dll
O2 - BHO: (no name) - {62D6DDA7-8FE9-47F1-B8E9-D1D0D3D9FF3A} - C:\WINDOWS\system32\ddcAsrPf.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [bMa76ce4e8] Rundll32.exe "C:\WINDOWS\system32\rjymatal.dll",s
O4 - HKLM\..\Run: [a45fd774] rundll32.exe "C:\WINDOWS\system32\aljwrfai.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Download All Files by HiDownload - C:\PROGRA~1\HIDOWN~1\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - C:\PROGRA~1\HIDOWN~1\HDGet.htm
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\PROGRA~1\HIDOWN~1\hidownload.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {029FDBA6-3547-11D7-AA4C-0050BF051A00} (Rawflow ICD Client) - http://downol.dr.dk/download/netradio/Rawflow.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1144012090421
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://everquest2.station.sony.com/systemscan/soesysinfo.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://locator1.cdn.imagesrvr.com/sites/er...eInstall_dk.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/...B/e-Safekey.cab
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 9191 bytes

Comments

  • Hello Chomsky30,

    Can you please download ComboFix; you will find it here. Print the following instructions and read them carefully. Please post the output of the scan in your next post, so that I or someone else can see if there are still any infections.

    Kind regards,

    Niels

  • Howdy! Here you go:

    ComboFix 08-07-13.14 - Administrator 2008-07-17 22:34:17.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1629 [GMT 2:00]
    Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix1.exe
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    ---- Previous Run -------
    .
    C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\#SharedObjects\RHP7LKKV\iforex.com
    C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\#SharedObjects\RHP7LKKV\iforex.com\Emerp\Events\flash_object.swf\user_data.sol
    C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com
    C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com\settings.sol
    C:\WINDOWS\cookies.ini
    C:\WINDOWS\pskt.ini
    C:\WINDOWS\system32\aljwrfai.dll
    C:\WINDOWS\system32\ddcYrQhF.dll
    C:\WINDOWS\system32\didkepiw.ini
    C:\WINDOWS\system32\FhQrYcdd.ini
    C:\WINDOWS\system32\FhQrYcdd.ini2
    C:\WINDOWS\system32\hbduykru.dll
    C:\WINDOWS\system32\iafrwjla.ini
    C:\WINDOWS\system32\khbfbcvg.ini
    C:\WINDOWS\system32\mcrh.tmp
    C:\WINDOWS\system32\onpoysut.ini
    C:\WINDOWS\system32\prixqges.ini
    C:\WINDOWS\system32\qhaxdwds.ini
    C:\WINDOWS\system32\xarpwtaa.ini
    C:\WINDOWS\system32\xdtgfeth.ini
    C:\WINDOWS\system32\xindirxf.ini
    C:\WINDOWS\system32\yyeyorah.dll
    .
    ((((((((((((((((((((((((( Files Created from 2008-06-17 to 2008-07-17 )))))))))))))))))))))))))))))))
    .
    2008-07-16 00:32 . 2008-07-16 00:32 <DIR> d-------- C:\VundoFix Backups
    2008-07-14 16:46 . 2008-07-15 20:12 110,428 --a------ C:\WINDOWS\BMa76ce4e8.xml
    2008-07-13 15:58 . 2008-07-13 16:59 <DIR> d-------- C:\Program Files\RM Converter
    2008-07-10 18:54 . 2008-07-10 18:54 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-07-10 18:54 . 2008-07-10 18:54 1,409 --a------ C:\WINDOWS\QTFont.for
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-07-15 22:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-07-15 22:26 --------- d-----w C:\Program Files\DAEMON Tools Pro
    2008-07-09 18:35 --------- d-----w C:\Documents and Settings\Administrator\Application Data\temp
    2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
    2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
    2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
    2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
    2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
    2008-05-24 15:21 --------- d-----w C:\Program Files\FlashFXP
    2008-05-19 14:58 --------- d-----w C:\Program Files\Java
    2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
    2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
    2008-02-01 20:08 1 ----a-w C:\Documents and Settings\Administrator\SI.bin
    2005-05-13 15:12 217,073 --sha-r C:\WINDOWS\meta4.exe
    2005-10-24 09:13 66,560 --sha-r C:\WINDOWS\MOTA113.exe
    2005-10-13 19:27 422,400 --sha-r C:\WINDOWS\x2.64.exe
    2005-10-07 17:14 308,224 --sha-r C:\WINDOWS\system32\avisynth.dll
    2005-07-14 10:31 27,648 --sha-r C:\WINDOWS\system32\AVSredirect.dll
    2005-06-26 13:32 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll
    2005-06-21 20:37 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
    2004-01-24 22:00 70,656 --sha-r C:\WINDOWS\system32\i420vfw.dll
    2006-04-27 08:24 2,945,024 --sha-r C:\WINDOWS\system32\Smab.dll
    2005-02-28 11:16 240,128 --sha-r C:\WINDOWS\system32\x.264.exe
    2004-01-24 22:00 70,656 --sha-r C:\WINDOWS\system32\yv12vfw.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{62D6DDA7-8FE9-47F1-B8E9-D1D0D3D9FF3A}]
    C:\WINDOWS\system32\ddcAsrPf.dll [bU]
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24 1694208]
    "NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-07-03 12:32 81920]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
    "RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 20:42 32768]
    "ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-06-16 07:03 221184]
    "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 07:03 81920]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-20 06:05 8429568]
    "ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 09:50 112216]
    "McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 14:39 136768]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-04-20 06:05 81920]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]
    "BMa76ce4e8"="C:\WINDOWS\system32\rjymatal.dll" [bU]
    "a45fd774"="C:\WINDOWS\system32\aljwrfai.dll" [bU]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 14:00 110592 C:\WINDOWS\system32\bthprops.cpl]
    "nwiz"="nwiz.exe" [2007-04-20 06:05 1626112 C:\WINDOWS\system32\nwiz.exe]
    "RTHDCPL"="RTHDCPL.EXE" [2005-05-26 00:37 14477312 C:\WINDOWS\RTHDCPL.EXE]
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 14:00 15360]
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2004-08-04 14:00 53760 C:\WINDOWS\system32\narrator.exe]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableCAD"= 1 (0x1)
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoViewOnDrive"= 0 (0x0)
    "NoLogoff"= 0 (0x0)
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AutorunsDisabled]
    ddcAsrPf.dll [bU]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.I420"= i420vfw.dll
    "vidc.yv12"= yv12vfw.dll
    "VIDC.X264"= x264vfw.dll
    "VIDC.HFYU"= huffyuv.dll
    "vidc.i263"= i263_32.drv
    "msacm.l3fhg"= mp3fhg.acm
    "msacm.divxa32"= divxa32.acm
    "msacm.imc"= imc32.acm
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "C:\\Program Files\\FlashFXP\\flashfxp.exe"= C:\\Program Files\\FlashFXP\\FlashFXP.exe
    "C:\\Program Files\\Java\\jre1.5.0_08\\bin\\javaw.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Java\\jre1.5.0_10\\bin\\javaw.exe"=
    "C:\\WINDOWS\\system32\\dpvsetup.exe"=
    "C:\\Program Files\\ASUS\\ASUSUpdate\\Update.exe"=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
    "C:\\Program Files\\support.com\\TDCKabel\\hcenter.exe"=
    "C:\\Program Files\\support.com\\bin\\tgcmd.exe"=
    "C:\\WINDOWS\\system32\\sessmgr.exe"=
    "C:\\Program Files\\MSN Messenger\\livecall.exe"=
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "6882:TCP"= 6882:TCP:*:Disabled:imesh
    S3 Atmoppy;Atmoppy;C:\WINDOWS\system32\drivers\ipsec.sys [2004-08-04 14:00]
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{25f11bb1-c288-11da-b1d4-806d6172696f}]
    \Shell\AutoRun\command - Z:\ASUSACPI.exe
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3bcd01cc-f038-11db-a2a4-0013d46a1d6a}]
    \Shell\AutoRun\command - J:\startup.exe
    .
    Contents of the 'Scheduled Tasks' folder
    "2008-07-16 18:19:05 C:\WINDOWS\Tasks\Søg efter opdateringer til Windows Live Toolbar.job"
    - C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
    .
    **************************************************************************
    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-07-17 22:35:28
    Windows 5.1.2600 Service Pack 2 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    Completion time: 2008-07-17 22:36:26
    ComboFix-quarantined-files.txt 2008-07-17 20:36:18
    Pre-Run: 6,867,128,320 bytes free
    Post-Run: 6,854,365,184 bytes free
    158 --- E O F --- 2008-07-12 04:56:14
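
A small triage script, added here as an example and not part of this thread or of any of the tools mentioned in it, that applies the checks a helper makes by eye on the HijackThis log in the first post and on the ComboFix "Reg Loading Points" section above: unnamed BHOs backed by random-looking system32 DLLs, Run values with machine-generated names or rundll32 single-letter exports, and the Security Center and firewall registry values that switch the built-in defences off. The sample lines are constructed from entries quoted in the thread; the heuristics, thresholds and severities are this example's own assumptions and are meant to rank entries for review, not to deliver a verdict.

```python
import re

# Constructed sample lines in the style of the HijackThis and ComboFix output quoted
# in this thread (entries copied from the thread; the set itself is assembled here).
SAMPLE_LINES = [
    r"O2 - BHO: (no name) - {0391A999-5EEF-4EB3-B2DD-B4DA3D029DA6} - C:\WINDOWS\system32\ddcYrQhF.dll",
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll",
    r'O4 - HKLM\..\Run: [bMa76ce4e8] Rundll32.exe "C:\WINDOWS\system32\rjymatal.dll",s',
    r'O4 - HKLM\..\Run: [a45fd774] rundll32.exe "C:\WINDOWS\system32\aljwrfai.dll",b',
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup",
    r'O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey',
    r'"BMa76ce4e8"="C:\WINDOWS\system32\rjymatal.dll" [bU]',
    r'"AntiVirusDisableNotify"=dword:00000001',
    r'"UpdatesDisableNotify"=dword:00000001',
    r'"EnableFirewall"= 0 (0x0)',
]

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+?)(?: \(file missing\))?$")
RUN_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run\w*: \[(?P<value>[^\]]+)\] (?P<cmd>.+)$")
CF_RUN_RE = re.compile(r'^"(?P<value>[^"]+)"="(?P<cmd>[^"]*)"')          # ComboFix Run-key form
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?,(?P<export>\w+)', re.IGNORECASE)
REG_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?:dword:)?(?P<val>[0-9A-Fa-f]+)\b')

# Registry values that, at these settings, mean a built-in defence was switched off
# (all three appear in the ComboFix output above).
WEAKENED = {"antivirusdisablenotify": 1, "updatesdisablenotify": 1, "enablefirewall": 0}


def hex_junk_name(value):
    """Run-key value names such as 'bMa76ce4e8' or 'a45fd774': a long hex run with several digits."""
    return bool(re.search(r"[0-9a-f]{7,}", value, re.IGNORECASE)) and sum(c.isdigit() for c in value) >= 3


def random_system32_dll(path):
    """Eight-letter, digit-free DLL stem directly under system32. A review hint only:
    some legitimate DLLs fit the pattern, so it is combined with other signals."""
    return re.search(r"\\system32\\[A-Za-z]{8}\.dll$", path, re.IGNORECASE) is not None


def triage(lines):
    """Return the entries a helper would ask about first, each with its reasons."""
    findings = []
    for raw in lines:
        line = raw.strip()
        reasons, severity = [], "high"
        bho = BHO_RE.match(line)
        run = RUN_RE.match(line) or CF_RUN_RE.match(line)
        reg = REG_RE.match(line)
        if bho and bho.group("name") == "(no name)" and random_system32_dll(bho.group("path")):
            reasons.append("unnamed BHO backed by a random-looking system32 DLL")
        if run:
            if hex_junk_name(run.group("value")):
                reasons.append("Run value name looks machine-generated")
            rd = RUNDLL_RE.search(run.group("cmd"))
            if rd and len(rd.group("export")) == 1:
                reasons.append("rundll32 loads a DLL through a single-letter export")
        if reg:
            severity = "medium"
            if WEAKENED.get(reg.group("name").lower()) == int(reg.group("val"), 16):
                reasons.append("built-in defence or its notification switched off")
        if reasons:
            findings.append({"severity": severity, "reasons": reasons, "line": line})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f["severity"].upper(), "|", "; ".join(f["reasons"]), "|", f["line"])
```

Anything the script flags still needs the usual confirmation (file properties, vendor, hash lookup) before it is treated as malicious.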

  • ComboFix solved the problem and I've been able to remove the last remains with HijackThis afterwards, so my PC is now back in shape! Thanks a lot for your help; feel free to close or archive this topic!

    Best regards!

  • Hi All,

    I've got the same ###### trojan, but I'm going to read all this log before posting any details. I'm sure following the advice will help sort it.

    However, I would like to know what BitDefender is doing about this malicious code?

    Having just purchased BitDefender yesterday, I was alarmed but not surprised to see that I had a virus it could not remove. Can any of the mediators or BD team assure me that they are onto this?

    I appreciate it takes time to react to such threats, but some assurance that this trojan will become a thing of the past for BitDefender clients would be reassuring.

    Thanks,

  • This family (Vundo) is constantly morphing. We try our best to keep up with it. However, if you have samples of it and can send them to us, we'll add detection quickly.

    Best regards.