Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Trojan.Vundo Virus


  • Please log in to reply

#1
Gothery

Gothery

    New Member

  • Member
  • Pip
  • 1 posts
Hey, I got a trojan.vundo virus in file c:\windows\system32\nnlml.dll
I've run the symantec remover tool with no success.
I've run the hijackthis and the following is the log

Logfile of HijackThis v1.99.1
Scan saved at 16:41:43, on 13-Oct-05
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ActivCard\acautoreg.exe
C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\DMI\WIN32\bin\DellDmi.exe
C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
C:\Program Files\Dell\OpenManage\Client\DLT.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SynchronEyes Student 5.1\SynchronEyesSrv.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\dmi\win32\bin\Win32sl.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SynchronEyes Student 5.1\dax64.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\yktxihwu.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Common Files\AOL\1127339562\ee\AOLHostManager.exe
C:\Program Files\Cranite\Client\clientUI.exe
C:\Program Files\Common Files\AOL\1127339562\ee\AOLServiceHost.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe
C:\Program Files\Common Files\AOL\1127339562\ee\AOLServiceHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www-internal.uscc.usma.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www-internal..../chaos_home.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;127.0.0.1;<local>
R3 - Default URLSearchHook is missing
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www-internal.....uscc.usma.edu"); (C:\Program Files\Netscape\Users\default\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5867FD95-8197-B720-7368-3FCDA04F14B3} - C:\WINDOWS\System32\jksxlvfm.dll
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\system32\nnlml.dll
O2 - BHO: (no name) - {830AB65E-5316-F76D-2CFC-6C2C6040DB1A} - C:\WINDOWS\system32\speesadl.dll
O2 - BHO: (no name) - {8480E5AE-18B3-B27C-4D10-3F2F6CC422E1} - C:\WINDOWS\system32\fghpqods.dll (file missing)
O2 - BHO: (no name) - {ADF11CF3-F023-AB1F-1C5E-FDEF5811CA85} - C:\WINDOWS\System32\fdpjntel.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [DateTime] regedit /s D:\Support\Winky-Reg-Updates\DateTime.reg
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickPassword] C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [crmwnrby] C:\WINDOWS\bohluhag.exe
O4 - HKLM\..\Run: [j] C:\WINDOWS\System32\vzrzmg.exe
O4 - HKLM\..\Run: [e] C:\WINDOWS\System32\vzrzmg.exe
O4 - HKLM\..\Run: [nlzbje] C:\WINDOWS\System32\fpcwtup.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ahuxxoau] C:\WINDOWS\system32\ahuxxoau.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [TempRemove] "C:\Program Files\Crystal Ball\CB Predictor\terminator.exe"
O4 - HKLM\..\Run: [yktxihwu] C:\WINDOWS\system32\yktxihwu.exe
O4 - HKLM\..\Run: [SMART Mirror Driver Monitor Service] "C:\Program Files\SynchronEyes Student 5.1\MonitorService.exe"
O4 - HKLM\..\Run: [SynchronEyes 5.1 Helper Service] "C:\Program Files\SynchronEyes Student 5.1\SynchronEyesSrv.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1127339562\ee\AOLHostManager.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - Startup: Task Manager.lnk = C:\WINDOWS\system32\taskmgr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cranite Systems WirelessWall.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = usma.ds.army.edu
O17 - HKLM\Software\..\Telephony: DomainName = usma.ds.army.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{013B4AC4-20C3-4496-9AC9-FB4845D163F2}: Domain = usma.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{4434971C-6F1C-4BB6-A4D8-63D239A03A12}: Domain = usma.ds.army.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = usma.ds.army.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = usma.ds.army.edu,ds.army.edu,usma.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = usma.ds.army.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = usma.ds.army.edu,ds.army.edu,usma.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = usma.ds.army.edu,ds.army.edu,usma.edu
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: nnlml - C:\WINDOWS\system32\nnlml.dll
O23 - Service: ActivCard Gold Autoregister (acautoreg) - ActivCard S.A. - C:\Program Files\Common Files\ActivCard\acautoreg.exe
O23 - Service: ActivCard Gold service (Accoca) - ActivCard - C:\Program Files\Common Files\ActivCard\accoca.exe
O23 - Service: ActionAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: DellDmi - Dell Computer Corporation - C:\DMI\WIN32\bin\DellDmi.exe
O23 - Service: DEventAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
O23 - Service: DLT - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\DLT.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: neprgwbovepe (MsUpdate5) - Unknown owner - C:\WINDOWS\system32\msupd5.exe (file missing)
O23 - Service: yhspbrpmfrcx (MsUpdate6) - Unknown owner - C:\WINDOWS\system32\msupd6.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SMART Mirror Driver Monitor Service - SMART Technologies - C:\Program Files\SynchronEyes Student 5.1\MonitorService.exe
O23 - Service: SynchronEyes 5.1 Helper Service - Unknown owner - C:\Program Files\SynchronEyes Student 5.1\SynchronEyesSrv.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe
O23 - Service: Win32Sl - Intel - C:\dmi\win32\bin\Win32sl.exe

Thanks for your help
  • 0

Advertisements


#2
infaddict

infaddict

    Visiting Staff

  • Member
  • PipPipPip
  • 734 posts
Hi Gothery and welcome to Geeks To Go :)

My name is infaddict and I will be helping you with your problem. You are infected with the Vundo infection and maybe a few others, but we should be able to get you clean real quick.

As it's a few days since your original post, the nasties may have changed their names :tazz: . Therefore, please can you reply with a fresh HijackThis log and I will take a look.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP