Virtumone / Vundu

[Eon83]

Hei.

 

Sliter litt med popup og missing .dll filer når jeg starter maskinen. Kjørte ad-aware og "fjernet" det, kjørte en ny scan og så var det tilbake.

 

Når jeg rebootet kom ingen av de .dll fil problemene.

 

Kan noen lese ut av loggene og se om jeg er kvitt det, og hvis ikke hva jeg må gjøre for å blir det?

 

Takk

 

Hijack

Klikk for å se/fjerne innholdet nedenfor

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 22:43:50, on 01.07.2008

Platform: Windows Vista SP1 (WinNT 6.00.1905)

MSIE: Internet Explorer v7.00 (7.00.6001.18000)

Boot mode: Normal

 

Running processes:

C:\Windows\system32\taskeng.exe

C:\Windows\system32\rdpclip.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\uTorrent\uTorrent.exe

C:\Windows\system32\mmc.exe

C:\Windows\system32\mmc.exe

C:\Windows\system32\rundll32.exe

C:\Program Files\Lavasoft\Ad-Aware\LSUpdateManager.exe

C:\Users\Administrator\Desktop\vundo\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://iesetup.dll/HardAdmin.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://iesetup.dll/HardAdmin.htm

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O1 - Hosts: ::1 localhost

O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\bYOigGyv.dll,#1

O4 - HKLM\..\Run: [f02caab0] rundll32.exe "C:\Windows\system32\mksktdso.dll",b

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [bMf31f992c] Rundll32.exe "C:\Windows\system32\dwlditlr.dll",s

O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"

O13 - Gopher Prefix:

O15 - ESC Trusted Zone: http://a248.e.akamai.net

O15 - ESC Trusted Zone: http://*.cetrk.com

O15 - ESC Trusted Zone: http://i.i.com.com

O15 - ESC Trusted Zone: http://bwp.download.com

O15 - ESC Trusted Zone: http://www.download.com

O15 - ESC Trusted Zone: http://www.google-analytics.com

O15 - ESC Trusted Zone: http://www.google.no

O15 - ESC Trusted Zone: http://free.grisoft.com

O15 - ESC Trusted Zone: http://counter.hitslink.com

O15 - ESC Trusted Zone: http://runonce.msn.com

O15 - ESC Trusted Zone: http://ssl-hints.netflame.cc

O15 - ESC Trusted Zone: http://opera.nsc.no

O15 - ESC Trusted Zone: http://www.opera.com

O15 - ESC Trusted Zone: http://*.utorrent.com

O15 - ESC Trusted Zone: http://*.windowsupdate.com

O15 - ESC Trusted Zone: http://runonce.msn.com (HKLM)

O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)

O17 - HKLM\System\CCS\Services\Tcpip\..\{D2B377CF-1097-4025-85D6-F0C5CBF34563}: NameServer = 10.0.0.138

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

 

--

End of file - 4052 bytes

 

 

Combo

Klikk for å se/fjerne innholdet nedenfor

ComboFix 08-06-30.2 - Administrator 2008-07-01 22:44:53.1 - NTFSx86

Microsoft® Windows Server® 2008 Enterprise 6.0.6001.1.1252.1.1033.18.1154 [GMT 2:00]

Running from: C:\Users\Administrator\Desktop\vundo\ComboFix.exe

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\Windows\system32\anvxsd.dll

C:\Windows\system32\bnbwhvpg.dll

C:\Windows\system32\bYOigGyv.dll

C:\Windows\system32\clinocwe.dll

C:\Windows\system32\dwlditlr.dll

C:\Windows\system32\fydwtahx.ini

C:\Windows\system32\hkohieng.ini

C:\Windows\system32\hPVxbbIi.ini

C:\Windows\System32\hPVxbbIi.ini2

C:\Windows\system32\iIbbxVPh.dll

C:\Windows\System32\IjPonnmp.ini

C:\Windows\System32\IjPonnmp.ini2

C:\Windows\System32\IPqAJPVw.ini

C:\Windows\System32\IPqAJPVw.ini2

C:\Windows\system32\mpokhwyn.dll

C:\Windows\System32\NXIRYyay.ini

C:\Windows\System32\NXIRYyay.ini2

C:\Windows\system32\osdtkskm.ini

C:\Windows\system32\QqAGOqss.ini

C:\Windows\System32\QqAGOqss.ini2

C:\Windows\system32\rwcznj.dll

C:\Windows\system32\ssqOGAqQ.dll

C:\Windows\system32\uhclwjda.dll

C:\Windows\system32\vnugdclo.dll

C:\Windows\system32\wVPJAqPI.dll

C:\Windows\system32\yayYRIXN.dll

 

.

((((((((((((((((((((((((( Files Created from 2008-06-01 to 2008-07-01 )))))))))))))))))))))))))))))))

.

 

2008-07-01 21:48 . 2008-07-01 21:55 <DIR> d-------- C:\Users\All Users\Lavasoft

2008-07-01 21:48 . 2008-07-01 21:55 <DIR> d-------- C:\ProgramData\Lavasoft

2008-07-01 21:48 . 2008-07-01 21:48 <DIR> d-------- C:\Program Files\Lavasoft

2008-07-01 21:48 . 2008-07-01 21:48 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

2008-06-29 18:39 . 2008-06-29 18:40 <DIR> d-------- C:\php

2008-06-29 16:21 . 2008-06-29 16:21 <DIR> d-------- C:\Users\All Users\Symantec

2008-06-29 16:21 . 2008-06-29 16:21 <DIR> d-------- C:\ProgramData\Symantec

2008-06-29 16:21 . 2008-06-29 16:21 <DIR> d-------- C:\Program Files\Symantec AntiVirus

2008-06-29 16:21 . 2008-06-29 16:21 <DIR> d-------- C:\Program Files\Symantec

2008-06-29 16:21 . 2008-06-29 16:21 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared

2008-06-29 16:21 . 2008-06-29 16:21 109,744 --a------ C:\Windows\System32\drivers\SYMEVENT.SYS

2008-06-29 16:21 . 2008-06-29 16:21 8,014 --a------ C:\Windows\System32\drivers\SYMEVENT.CAT

2008-06-29 16:21 . 2008-06-29 16:21 805 --a------ C:\Windows\System32\drivers\SYMEVENT.INF

2008-06-29 13:07 . 2008-06-29 13:07 <DIR> d-------- C:\kav

2008-06-29 12:08 . 2008-06-29 12:08 <DIR> d-------- C:\Program Files\Alwil Software

2008-06-29 12:08 . 2003-03-18 21:20 1,060,864 --a------ C:\Windows\System32\MFC71.dll

2008-06-29 12:08 . 2003-03-18 20:14 499,712 --a------ C:\Windows\System32\MSVCP71.dll

2008-06-29 12:08 . 2003-02-21 04:42 348,160 --a------ C:\Windows\System32\MSVCR71.dll

2008-06-29 11:41 . 2008-06-29 11:41 <DIR> dr------- C:\Users\ftp\Videos

2008-06-29 11:41 . 2008-06-29 11:41 <DIR> dr------- C:\Users\ftp\Searches

2008-06-29 11:41 . 2008-06-29 11:41 <DIR> dr------- C:\Users\ftp\Saved Games

2008-06-29 11:41 . 2008-06-29 11:41 <DIR> dr------- C:\Users\ftp\Pictures

2008-06-29 11:41 . 2008-06-29 11:41 <DIR> dr------- C:\Users\ftp\Music

2008-06-29 11:41 . 2008-06-29 11:41 <DIR> dr------- C:\Users\ftp\Links

2008-06-29 11:41 . 2008-06-29 11:41 <DIR> dr------- C:\Users\ftp\Downloads

2008-06-29 11:41 . 2008-06-29 11:41 <DIR> dr------- C:\Users\ftp\Documents

2008-06-29 11:41 . 2008-06-29 11:41 <DIR> dr------- C:\Users\ftp\Contacts

2008-06-29 11:41 . 2008-06-29 11:41 <DIR> d--h----- C:\Users\ftp\AppData

2008-06-29 11:41 . 2008-06-29 11:41 <DIR> d-------- C:\Users\ftp

2008-06-28 23:38 . 2008-06-28 23:40 <DIR> d-------- C:\Users\Jostein\AppData\Roaming\uTorrent

2008-06-28 13:19 . 2008-07-01 22:46 <DIR> d-------- C:\Users\Administrator\AppData\Roaming\uTorrent

2008-06-28 13:19 . 2008-06-28 13:19 <DIR> d-------- C:\Program Files\uTorrent

2008-06-28 13:19 . 2008-06-28 13:19 <DIR> d-------- C:\Program Files\Opera

2008-06-24 20:31 . 2008-06-24 20:31 <DIR> dr------- C:\Users\Jostein\Videos

2008-06-24 20:31 . 2008-06-24 20:31 <DIR> dr------- C:\Users\Jostein\Searches

2008-06-24 20:31 . 2008-06-24 20:31 <DIR> dr------- C:\Users\Jostein\Saved Games

2008-06-24 20:31 . 2008-06-24 20:31 <DIR> dr------- C:\Users\Jostein\Pictures

2008-06-24 20:31 . 2008-06-24 20:31 <DIR> dr------- C:\Users\Jostein\Music

2008-06-24 20:31 . 2008-06-24 20:31 <DIR> dr------- C:\Users\Jostein\Links

2008-06-24 20:31 . 2008-06-24 20:31 <DIR> dr------- C:\Users\Jostein\Downloads

2008-06-24 20:31 . 2008-06-24 20:32 <DIR> dr------- C:\Users\Jostein\Documents

2008-06-24 20:31 . 2008-06-24 20:31 <DIR> dr------- C:\Users\Jostein\Contacts

2008-06-24 20:31 . 2008-06-24 20:31 <DIR> d--h----- C:\Users\Jostein\AppData

2008-06-24 20:31 . 2008-06-25 22:07 <DIR> d-------- C:\Users\Jostein

2008-06-24 19:32 . 2008-04-26 10:08 1,314,816 --a------ C:\Windows\System32\quartz.dll

2008-06-24 19:30 . 2008-06-24 19:30 <DIR> d-------- C:\inetpub

2008-06-24 19:10 . 2008-06-24 19:10 0 --a------ C:\Windows\ativpsrm.bin

2008-06-24 19:09 . 2008-07-01 21:54 <DIR> d--hs---- C:\Windows\Installer

2008-06-24 19:09 . 2008-06-24 19:09 <DIR> d-------- C:\Program Files\ATI

2008-06-24 19:09 . 2007-12-21 04:33 3,107,788 --a------ C:\Windows\System32\atiumdva.dat

2008-06-24 19:09 . 2007-12-21 05:02 368,640 --a------ C:\Windows\System32\ATIDEMGX.dll

2008-06-24 19:09 . 2006-08-24 00:26 328,162 --a------ C:\Windows\System32\drivers\ativcaxx.cpa

2008-06-24 19:09 . 2007-09-09 05:37 52,400 --a------ C:\Windows\System32\drivers\ativvpxx.vp

2008-06-24 19:09 . 2007-11-20 10:23 11,874 --a------ C:\Windows\atiogl.xml

2008-06-24 19:09 . 2007-05-30 18:37 2,096 --a------ C:\Windows\System32\drivers\ativpkxx.vp

2008-06-24 19:09 . 2007-05-30 18:37 2,096 --a------ C:\Windows\System32\drivers\ativokxx.vp

2008-06-24 19:09 . 2007-04-18 15:19 2,096 --a------ C:\Windows\System32\drivers\ativdkxx.vp

2008-06-24 19:09 . 2006-08-24 00:26 929 --a------ C:\Windows\System32\drivers\ativcaxx.vp

2008-06-24 19:08 . 2008-06-24 19:08 <DIR> d-------- C:\Program Files\ATI Technologies

2008-06-24 19:01 . 2008-06-24 19:02 <DIR> d-------- C:\Repository

2008-06-24 18:55 . 2008-02-29 06:21 2,032,128 --a------ C:\Windows\System32\win32k.sys

2008-06-24 18:55 . 2008-04-25 04:12 1,383,424 --a------ C:\Windows\System32\mshtml.tlb

2008-06-24 18:55 . 2008-04-25 06:35 826,880 --a------ C:\Windows\System32\wininet.dll

2008-06-24 18:55 . 2008-02-22 06:57 295,936 --a------ C:\Windows\System32\gdi32.dll

2008-06-24 18:55 . 2008-05-10 03:33 113,664 --a------ C:\Windows\System32\drivers\rmcast.sys

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-05-16 09:58 12,632 ----a-w C:\Windows\System32\lsdelete.exe

2008-01-19 11:41 174 --sha-w C:\Program Files\desktop.ini

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"uTorrent"="C:\Program Files\uTorrent\uTorrent.exe" [2008-06-28 13:19 266544]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-11-22 17:12 107112]

"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-11-28 06:34 134808]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

"disablecad"= 0 (0x0)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"ShowSuperHidden"= 1 (0x1)

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy]

"DisableStatefulFTP"= 1 (0x1)

"DisableStatefulPPTP"= 1 (0x1)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]

"DisableNotifications"= 1 (0x1)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]

"{7720B70E-5C70-4D12-8842-4C168A45A2FA}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent (TCP-In)

"{9CFC3F98-966A-43EC-B49A-2515337AA3E7}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent (UDP-In)

"{6CAE79C5-A9FE-406A-8377-D651BBA22AA6}"= UDP:C:\Program Files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus

"{416D7A4E-CEB0-4560-BA9E-09D6BA78BD58}"= TCP:C:\Program Files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus

"{39B13D74-2ED0-4851-8E18-54DDA1BD0ED9}"= UDP:C:\Program Files\Common Files\Symantec Shared\ccApp.exe:Symantec Email

"{243F04DA-BDEA-44AA-98D5-C96BE08DF246}"= TCP:C:\Program Files\Common Files\Symantec Shared\ccApp.exe:Symantec Email

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]

"DisableNotifications"= 1 (0x1)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]

"DisableNotifications"= 1 (0x1)

 

R0 storflt;Disk VMBUS Acceleration Filter Driver;C:\Windows\system32\drivers\storflt.sys [2008-01-19 13:23]

R3 atikmdag;atikmdag;C:\Windows\system32\DRIVERS\atikmdag.sys [2007-12-21 05:55]

S0 sacdrv;sacdrv;C:\Windows\system32\DRIVERS\sacdrv.sys [2008-01-19 13:23]

S3 FCRegSvc;Microsoft Fibre Channel Platform Registration Service;C:\Windows\system32\svchost.exe [2008-01-19 09:33]

S3 RSoPProv;Resultant Set of Policy Provider;C:\Windows\system32\RSoPProv.exe [2008-01-19 13:24]

S3 sacsvr;Special Administration Console Helper;C:\Windows\System32\svchost.exe [2008-01-19 09:33]

S4 b06bdrv;Broadcom NetXtreme II VBD;C:\Windows\system32\drivers\bxvbdx.sys [2008-01-19 13:23]

S4 ErrDev;Microsoft Hardware Error Device Driver;C:\Windows\system32\drivers\errdev.sys [2008-01-19 07:32]

S4 ioatdma;Intel® QuickData Technology Device;C:\Windows\system32\drivers\qd26032.sys [2008-01-19 13:23]

S4 MegaSR;MegaSR;C:\Windows\system32\drivers\megasr.sys [2008-01-19 09:43]

S4 s3cap;Microsoft Emulated S3 Device Cap Driver;C:\Windows\system32\drivers\s3cap.sys [2008-01-19 13:23]

S4 storvsc;storvsc;C:\Windows\system32\drivers\storvsc.sys [2008-01-19 13:23]

S4 UMPass;Microsoft UMPass Driver;C:\Windows\system32\drivers\umpass.sys [2008-01-19 07:53]

S4 vmbus;VMBus;C:\Windows\system32\drivers\vmbus.sys [2008-01-19 13:23]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc

TapiSrv REG_MULTI_SZ TapiSrv

GPSvcGroup REG_MULTI_SZ GPSvc

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

sacsvr

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalServiceNetworkRestricted

FCRegSvc

 

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ec08d918-bf12-11db-88aa-806e6f6e6963}]

\shell\AutoRun\command - D:\Launch.exe

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}]

%systemroot%\system32\rundll32.exe iesetup.dll,IEHardenAdmin

 

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}]

%systemroot%\system32\rundll32.exe iesetup.dll,IEHardenUser

.

- - - - ORPHANS REMOVED - - - -

 

HKLM-Run-f02caab0 - C:\Windows\system32\mksktdso.dll

HKLM-Run-BMf31f992c - C:\Windows\system32\dwlditlr.dll

 

 

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-07-01 22:50:47

Windows 6.0.6001 Service Pack 1 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

C:\Windows\System32\LogonUI.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\Windows\System32\audiodg.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Windows\System32\inetsrv\inetinfo.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\Windows\System32\msdtc.exe

C:\Windows\System32\rdpclip.exe

C:\Windows\System32\conime.exe

.

**************************************************************************

.

Completion time: 2008-07-01 22:51:57 - machine was rebooted

ComboFix-quarantined-files.txt 2008-07-01 20:51:53

 

Pre-Run: 28,380,368,896 bytes free

Post-Run: 28,287,692,800 bytes free

 

201 --- E O F --- 2008-06-24 17:32:42

 

[norbat]

Start hjt, velg "Do a system scan only", sett merke framfor følgende linjer og klikk Fix checked:

O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\bYOigGyv.dll,#1

O4 - HKLM\..\Run: [f02caab0] rundll32.exe "C:\Windows\system32\mksktdso.dll",b

O4 - HKLM\..\Run: [bMf31f992c] Rundll32.exe "C:\Windows\system32\dwlditlr.dll",s

 

 

Kjør en quick scan med gratisversjonen til SAS

Hvis det blir funnet noe annet en cookies, post loggen (preferences->statistics/logs).