Trojan.Vundo Virus

Hey, I got a trojan.vundo virus in file c:\windows\system32\nnlml.dll
I've run the symantec remover tool with no success.
I've run the hijackthis and the following is the log

Logfile of HijackThis v1.99.1
Scan saved at 16:41:43, on 13-Oct-05
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ActivCard\acautoreg.exe
C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\DMI\WIN32\bin\DellDmi.exe
C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
C:\Program Files\Dell\OpenManage\Client\DLT.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SynchronEyes Student 5.1\SynchronEyesSrv.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\dmi\win32\bin\Win32sl.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SynchronEyes Student 5.1\dax64.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\yktxihwu.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Common Files\AOL\1127339562\ee\AOLHostManager.exe
C:\Program Files\Cranite\Client\clientUI.exe
C:\Program Files\Common Files\AOL\1127339562\ee\AOLServiceHost.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe
C:\Program Files\Common Files\AOL\1127339562\ee\AOLServiceHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www-internal.uscc.usma.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www-internal..../chaos_home.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;127.0.0.1;<local>
R3 - Default URLSearchHook is missing
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www-internal.....uscc.usma.edu"); (C:\Program Files\Netscape\Users\default\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5867FD95-8197-B720-7368-3FCDA04F14B3} - C:\WINDOWS\System32\jksxlvfm.dll
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\system32\nnlml.dll
O2 - BHO: (no name) - {830AB65E-5316-F76D-2CFC-6C2C6040DB1A} - C:\WINDOWS\system32\speesadl.dll
O2 - BHO: (no name) - {8480E5AE-18B3-B27C-4D10-3F2F6CC422E1} - C:\WINDOWS\system32\fghpqods.dll (file missing)
O2 - BHO: (no name) - {ADF11CF3-F023-AB1F-1C5E-FDEF5811CA85} - C:\WINDOWS\System32\fdpjntel.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [DateTime] regedit /s D:\Support\Winky-Reg-Updates\DateTime.reg
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickPassword] C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [crmwnrby] C:\WINDOWS\bohluhag.exe
O4 - HKLM\..\Run: [j] C:\WINDOWS\System32\vzrzmg.exe
O4 - HKLM\..\Run: [e] C:\WINDOWS\System32\vzrzmg.exe
O4 - HKLM\..\Run: [nlzbje] C:\WINDOWS\System32\fpcwtup.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ahuxxoau] C:\WINDOWS\system32\ahuxxoau.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [TempRemove] "C:\Program Files\Crystal Ball\CB Predictor\terminator.exe"
O4 - HKLM\..\Run: [yktxihwu] C:\WINDOWS\system32\yktxihwu.exe
O4 - HKLM\..\Run: [SMART Mirror Driver Monitor Service] "C:\Program Files\SynchronEyes Student 5.1\MonitorService.exe"
O4 - HKLM\..\Run: [SynchronEyes 5.1 Helper Service] "C:\Program Files\SynchronEyes Student 5.1\SynchronEyesSrv.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1127339562\ee\AOLHostManager.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - Startup: Task Manager.lnk = C:\WINDOWS\system32\taskmgr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cranite Systems WirelessWall.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = usma.ds.army.edu
O17 - HKLM\Software\..\Telephony: DomainName = usma.ds.army.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{013B4AC4-20C3-4496-9AC9-FB4845D163F2}: Domain = usma.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{4434971C-6F1C-4BB6-A4D8-63D239A03A12}: Domain = usma.ds.army.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = usma.ds.army.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = usma.ds.army.edu,ds.army.edu,usma.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = usma.ds.army.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = usma.ds.army.edu,ds.army.edu,usma.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = usma.ds.army.edu,ds.army.edu,usma.edu
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: nnlml - C:\WINDOWS\system32\nnlml.dll
O23 - Service: ActivCard Gold Autoregister (acautoreg) - ActivCard S.A. - C:\Program Files\Common Files\ActivCard\acautoreg.exe
O23 - Service: ActivCard Gold service (Accoca) - ActivCard - C:\Program Files\Common Files\ActivCard\accoca.exe
O23 - Service: ActionAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: DellDmi - Dell Computer Corporation - C:\DMI\WIN32\bin\DellDmi.exe
O23 - Service: DEventAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
O23 - Service: DLT - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\DLT.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: neprgwbovepe (MsUpdate5) - Unknown owner - C:\WINDOWS\system32\msupd5.exe (file missing)
O23 - Service: yhspbrpmfrcx (MsUpdate6) - Unknown owner - C:\WINDOWS\system32\msupd6.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SMART Mirror Driver Monitor Service - SMART Technologies - C:\Program Files\SynchronEyes Student 5.1\MonitorService.exe
O23 - Service: SynchronEyes 5.1 Helper Service - Unknown owner - C:\Program Files\SynchronEyes Student 5.1\SynchronEyesSrv.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe
O23 - Service: Win32Sl - Intel - C:\dmi\win32\bin\Win32sl.exe

Thanks for your help

#1
Gothery

Posted 13 October 2005 - 02:47 PM

Advertisements

#2
infaddict

Posted 16 October 2005 - 08:03 AM

Similar Topics

0 user(s) are reading this topic

As Featured On:

Forums

Downloads

Members

Connect With Us