I'm having similar symptoms as described in the Vundo post.
I've downloaded VundoFix, but it finds nothing infected (not even after a restart).
Windows Defender keeps finding & alerting about:
Error encountered: Code 0x80508021. An unexpected problem occurred. Install any available updates, and then try to start the program again. For information on installing updates, see Help and Support.
Category: Trojan
Description: This program displays advertisements and may be difficult to remove.
Advice: Remove this software immediately.
Resources:
clsid: HKLM\SOFTWARE\CLASSES\CLSID\{663656DF-6BAE-460C-A612-8133DF519346}
clsid: HKLM\SOFTWARE\CLASSES\CLSID\{54BDDEC9-3DDE-4B61-9816-19D6E582F13E}
regkey: HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\MSServer
regkey: HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{663656DF-6BAE-460C-A612-8133DF519346}
regkey: HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{54BDDEC9-3DDE-4B61-9816-19D6E582F13E}
regkey: HKLM\SOFTWARE\CLASSES\CLSID\{663656DF-6BAE-460C-A612-8133DF519346}
regkey: HKLM\SOFTWARE\CLASSES\CLSID\{54BDDEC9-3DDE-4B61-9816-19D6E582F13E}
regkey: HKCU@S-1-5-21-1741207018-4134911097-3850817977-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{663656DF-6BAE-460C-A612-8133DF519346}
regkey: HKCU@S-1-5-21-1741207018-4134911097-3850817977-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{54BDDEC9-3DDE-4B61-9816-19D6E582F13E}
regkey: HKCU@S-1-5-21-1741207018-4134911097-3850817977-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{663656DF-6BAE-460C-A612-8133DF519346}
bho: HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{663656DF-6BAE-460C-A612-8133DF519346}
bho: HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{54BDDEC9-3DDE-4B61-9816-19D6E582F13E}
runkey: HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\MSServer
ieaddon: HKCU@S-1-5-21-1741207018-4134911097-3850817977-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{663656DF-6BAE-460C-A612-8133DF519346}
ieaddon: HKCU@S-1-5-21-1741207018-4134911097-3850817977-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{54BDDEC9-3DDE-4B61-9816-19D6E582F13E}
ieaddon: HKCU@S-1-5-21-1741207018-4134911097-3850817977-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{663656DF-6BAE-460C-A612-8133DF519346}
lsapackage: HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA\\AUTHENTICATION PACKAGES:C:\Windows\system32\xxyxYrQg
file: C:\Windows\system32\ybgasvbo.dll
file: C:\Windows\system32\xxyxYrQg.dll
file: C:\Windows\system32\kknvdvso.dll
file: C:\Windows\system32\jkkKcYSI.dll
file: C:\Windows\system32\eFwTMGAR.dll
file: C:\Windows\system32\byXQKcyW.dll
file: C:\Windows\system32\byXPFUKe.dll
file: C:\Windows\system32\aWOghFwx.dll

...but it cannot remove it.
Here is my HijackThis log file:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:11:30, on 13/6/2008
Platform: Windows Vista SP1, v.744 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.17128)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\LG Software\On Screen Display\HotKey.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Softex\OmniPass\scureapp.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\LG Software\BatteryMiser\BatteryMiser5.exe
C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\SSH Communications Security\SSH Tectia\SSH Tectia AUX\Support binaries\ssh-broker-gui.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\explorer.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.il/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.huji.ac.il:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {54BDDEC9-3DDE-4B61-9816-19D6E582F13E} - C:\Windows\system32\xxyxYrQg.dll
O2 - BHO: (no name) - {663656DF-6BAE-460C-A612-8133DF519346} - C:\Windows\system32\jkkKcYSI.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [KeybdUtility] C:\Program Files\LG Software\On Screen Display\HotKey.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [OmniPass] C:\Program Files\Softex\OmniPass\scureapp.exe
O4 - HKLM\..\Run: [LG Intelligent Update] "C:\Program Files\lg_swupdate\giljabistart.exe" Gilautouc
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [BatteryMiser 5] C:\Program Files\LG Software\BatteryMiser\BatteryMiser5.exe
O4 - HKLM\..\Run: [BtTray] "C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe"
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\jkkKcYSI.dll,#1
O4 - HKLM\..\Run: [BM2d87fa0e] Rundll32.exe "C:\Windows\system32\spwffmam.dll",s
O4 - HKLM\..\Run: [2eb4c992] rundll32.exe "C:\Windows\system32\kalxnylm.dll",b
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
O4 - Startup: CCC.lnk = ?
O4 - Global Startup: SSH Tectia Broker.lnk = C:\Program Files\SSH Communications Security\SSH Tectia\SSH Tectia AUX\Support binaries\ssh-broker-gui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send by Bluetooth - C:\Program Files\IVT Corporation\BlueSoleil\TransSend\IE\tsinfo.htm
O8 - Extra context menu item: Send via &Message... - C:\Program Files\IVT Corporation\BlueSoleil\TransSend\IE\tssms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: BlueSoleilCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BsHelpCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe
O23 - Service: BsMobileCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BsMobileCS.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Softex OmniPass Service (omniserv) - Softex Inc. - C:\Program Files\Softex\OmniPass\OmniServ.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: XAMPP Service (XAMPP) - Unknown owner - E:\server\xampp\service.exe

--
End of file - 9142 bytes
Malwarebytes' Anti-Malware (after a basic scan) found 35 infected items:
Malwarebytes' Anti-Malware 1.17
Database version: 851

02:31:11 13/6/2008
mbam-log-6-13-2008 (02-31-07).txt

Scan type: Quick Scan
Objects scanned: 21859
Time elapsed: 9 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 4
Registry Values Infected: 3
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 24

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Windows\System32\kalxnylm.dll (Trojan.Vundo) -> No action taken.
C:\Windows\System32\xxyxYrQg.dll (Trojan.Vundo) -> No action taken.
C:\Windows\System32\jkkKcYSI.dll (Trojan.Vundo) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{54bddec9-3dde-4b61-9816-19d6e582f13e} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{54bddec9-3dde-4b61-9816-19d6e582f13e} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{663656df-6bae-460c-a612-8133df519346} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{663656df-6bae-460c-a612-8133df519346} (Trojan.Vundo) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2eb4c992 (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSServer (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{663656df-6bae-460c-a612-8133df519346} (Trojan.Vundo) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\xxyxyrqg -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\aWOghFwx.dll (Trojan.Vundo) -> No action taken.
C:\Windows\System32\xwFhgOWa.ini (Trojan.Vundo) -> No action taken.
C:\Windows\System32\xwFhgOWa.ini2 (Trojan.Vundo) -> No action taken.
C:\Windows\System32\eFwTMGAR.dll (Trojan.Vundo) -> No action taken.
C:\Windows\System32\RAGMTwFe.ini (Trojan.Vundo) -> No action taken.
C:\Windows\System32\RAGMTwFe.ini2 (Trojan.Vundo) -> No action taken.
C:\Windows\System32\kalxnylm.dll (Trojan.Vundo) -> No action taken.
C:\Windows\System32\mlynxlak.ini (Trojan.Vundo) -> No action taken.
C:\Windows\System32\xxyxYrQg.dll (Trojan.Vundo) -> No action taken.
C:\Windows\System32\gQrYxyxx.ini (Trojan.Vundo) -> No action taken.
C:\Windows\System32\gQrYxyxx.ini2 (Trojan.Vundo) -> No action taken.
C:\Windows\System32\jkkKcYSI.dll (Trojan.Vundo) -> No action taken.
C:\Windows\System32\byXPFUKe.dll (Trojan.Vundo) -> No action taken.
C:\Windows\System32\byXQKcyW.dll (Trojan.Vundo) -> No action taken.
C:\Windows\System32\khnjycsx.exe (Trojan.LowZones) -> No action taken.
C:\Windows\System32\wfcrcwde.exe (Trojan.LowZones) -> No action taken.
C:\Users\mtk\AppData\Local\Temp\tmp0000c2f0 (Trojan.Vundo) -> No action taken.
C:\Users\mtk\AppData\Local\Temp\tmp0000c63b (Trojan.Vundo) -> No action taken.
C:\Users\mtk\AppData\Local\Temp\tmp0000cb78 (Trojan.Vundo) -> No action taken.
C:\Users\mtk\AppData\Local\Temp\tmp0000e3b9 (Trojan.Vundo) -> No action taken.
C:\Users\mtk\AppData\Local\Temp\tmp00015456 (Trojan.Vundo) -> No action taken.
C:\Users\mtk\AppData\Local\Temp\tmp0001889f (Trojan.Vundo) -> No action taken.
C:\Users\mtk\AppData\Local\Temp\tmp00024327 (Trojan.Vundo) -> No action taken.
C:\Users\mtk\AppData\Local\Temp\tmp0004cbe6 (Trojan.Vundo) -> No action taken.
I took action to remove all, which required a reboot.
Upon Windows startup, I got this error message:
I'm running a full scan atm. Will report back...
Important to mention that Windows Explorer keeps crashing & restarting itself...
Edited by Mati Kochen, 12 June 2008 - 05:42 PM.
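Added example, not part of the original post: a small triage script that reads HijackThis-style O2 (BHO) and O4 (Run) lines and flags the pattern visible in the log above, where unnamed BHOs and rundll32 Run entries both point at randomly named DLLs in system32, and where the same DLL (jkkKcYSI.dll) is registered through both mechanisms. The sample lines are copied from the posted log; the "random-looking name" rule (8 letters, mixed case or fewer than two vowels) is a crude heuristic I chose for illustration, not a Vundo signature. Note that the HijackThis log has no line for the LSA Authentication Packages value that both Defender and Malwarebytes report for xxyxYrQg, so a triage based only on this log would miss that persistence point.

```python
"""Triage HijackThis-style log lines for unnamed BHOs and rundll32 Run entries
that load randomly named DLLs from system32 (the pattern in the post above).

The name heuristic is an assumption for this example, not a known signature.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample: lines copied from the posted HijackThis log.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {54BDDEC9-3DDE-4B61-9816-19D6E582F13E} - C:\Windows\system32\xxyxYrQg.dll
O2 - BHO: (no name) - {663656DF-6BAE-460C-A612-8133DF519346} - C:\Windows\system32\jkkKcYSI.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\jkkKcYSI.dll,#1
O4 - HKLM\..\Run: [BM2d87fa0e] Rundll32.exe "C:\Windows\system32\spwffmam.dll",s
O4 - HKLM\..\Run: [2eb4c992] rundll32.exe "C:\Windows\system32\kalxnylm.dll",b
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-F-]+)\} - (?P<path>.+)$", re.IGNORECASE)
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.+)$")
# A drive-qualified .dll path inside a rundll32 command line (optionally quoted).
DLL_IN_CMD = re.compile(r'"?([A-Za-z]:\\[^",]+?\.dll)"?', re.IGNORECASE)
# Matches a DLL directly under a system32 directory and captures its base name.
IN_SYSTEM32 = re.compile(r"\\system32\\([^\\]+)\.dll$", re.IGNORECASE)

VOWELS = set("aeiouAEIOU")


@dataclass(frozen=True)
class Finding:
    line_type: str  # "O2" (BHO) or "O4" (Run key)
    key: str        # CLSID for O2, Run value name for O4
    path: str       # DLL path the entry loads
    reason: str


def looks_random(basename: str) -> bool:
    """Heuristic (assumption): 8 letters and either mixed case or fewer than 2 vowels."""
    if len(basename) != 8 or not basename.isalpha():
        return False
    mixed_case = basename != basename.lower() and basename != basename.upper()
    vowels = sum(ch in VOWELS for ch in basename)
    return mixed_case or vowels < 2


def triage(log_text: str) -> List[Finding]:
    """Return the O2/O4 entries that match the suspicious pattern."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            # Unnamed BHO whose DLL lives in system32.
            if m["name"].strip().lower() == "(no name)" and IN_SYSTEM32.search(m["path"]):
                findings.append(Finding("O2", m["clsid"].upper(), m["path"],
                                        "unnamed BHO loaded from system32"))
            continue
        m = O4_RE.match(line)
        if m and m["cmd"].lower().startswith("rundll32"):
            dll = DLL_IN_CMD.search(m["cmd"])
            base = IN_SYSTEM32.search(dll.group(1)) if dll else None
            if base and looks_random(base.group(1)):
                findings.append(Finding("O4", m["value"], dll.group(1),
                                        "rundll32 Run entry on random-looking system32 DLL"))
    return findings


def shared_dll_names(findings: List[Finding]) -> Set[str]:
    """DLL base names (lower-cased) that appear as both a BHO and a Run entry."""
    by_type: Dict[str, Set[str]] = {}
    for f in findings:
        by_type.setdefault(f.line_type, set()).add(f.path.rsplit("\\", 1)[-1].lower())
    return by_type.get("O2", set()) & by_type.get("O4", set())


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f.line_type} [{f.key}] {f.path}: {f.reason}")
    print("registered as both BHO and Run entry:", sorted(shared_dll_names(results)))
```

The scoping matters: the name heuristic is only applied to DLLs that rundll32 loads from system32, because an unscoped version would also flag legitimate short mixed-case names such as RtHDVCpl.exe from the same log. Any hit should be confirmed against the live registry and the file's signature rather than taken as proof on its own.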