Trojan - rundll32

  1. #1
    Mimsky (Newbie)

    Trojan - rundll32

    Hi All,

    Badly need your help regarding my PC. I'm constantly getting pop-ups and I think I have adware on my computer. I've run the HijackThis software and here's the log. Thanks in advance for the help!

    Logfile of HijackThis v1.99.1
    Scan saved at 6:01:00 PM, on 5/22/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\wdnpsvc.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Symantec\Ghost\ngctw32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Java\jre1.5.0_13\bin\jusched.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
    C:\DOCUME~1\VillavCG\LOCALS~1\Temp\SARClient2.001.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\VillavCG\Local Settings\Temporary Internet Files\Content.IE5\MTCDFSTB\hijackthis[1].exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENPH/SAOS01?FORM=TOOLBR
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENPH/SAOS01?FORM=TOOLBR
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://vaprodapp.interprise.com/rchc
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENPH/SAOS01?FORM=TOOLBR
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = monitored by Sykes K-Pointe IT
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://PHMNL5ISA001:8080/array.dll?Get.Routing.Script
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.199.65.53:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 65.54.*.*;<local>
    O1 - Hosts: 155.70.35.127 theq.qwest.net
    O1 - Hosts: 155.70.35.127 qtomaqw08.ad.qintra.com
    O1 - Hosts: 67.32.8.176 qwest.innotrac.com
    O1 - Hosts: 67.41.36.187 tools1.qmoc.com
    O1 - Hosts: 67.41.36.187 nettools1.boisedslmoc.com
    O1 - Hosts: 137.108.10.32 PWS5.USWC.USWEST.COM
    O1 - Hosts: 137.108.10.32 PWS5.USWC.USWEST.COM
    O1 - Hosts: 137.108.10.32 pws6.uswc.uswest.com
    O1 - Hosts: 137.108.10.32 pws8.uswc.uswest.com
    O1 - Hosts: 137.108.10.32 ncs.uswc.uswest.com
    O1 - Hosts: 151.117.64.246 lno.uswc.uswest.com
    O1 - Hosts: 151.117.64.245 pws1
    O1 - Hosts: 151.117.64.245 pws1.uswc.uswest.com
    O1 - Hosts: 151.116.4.14 ecom.uswc.uswest.com
    O1 - Hosts: 151.116.4.14 loop-qual.uswc.uswest.com
    O1 - Hosts: 151.116.199.30 IM035
    O1 - Hosts: 151.116.199.30 sy7s3270.uswc.uswest.com
    O1 - Hosts: 151.116.2.225 infogate.uswc.uswest.com
    O1 - Hosts: 151.116.2.225 net.uswc.uswest.com
    O1 - Hosts: 151.116.1.146 compliance.uswc.uswest.com
    O1 - Hosts: 151.117.64.241 cp-test.uswc.uswest.com
    O1 - Hosts: 151.117.20.68 HPOMP521.USWC.USWEST.COM
    O1 - Hosts: 151.117.20.69 hpomt522.uswc.uswest.com
    O1 - Hosts: 151.117.20.70 HPOMP532.USWC.USWEST.COM
    O1 - Hosts: 151.117.20.90 HPOMP533.USWC.USWEST.COM
    O1 - Hosts: 151.117.53.105 IPRD
    O1 - Hosts: 151.117.53.167 IM005
    O1 - Hosts: 151.117.35.6 ecom2.uswc.uswest.com
    O1 - Hosts: 151.117.97.209 emd.uswc.uswest.com
    O1 - Hosts: 151.117.80.102 iop-ne2.uswc.uswest.com
    O1 - Hosts: 151.117.80.165 iclarproddb
    O1 - Hosts: 151.117.109.217 FACCHK-W.USWC.USWEST.COM
    O1 - Hosts: 151.117.109.217 FACCHK-e.USWC.USWEST.COM
    O1 - Hosts: 151.117.109.217 notations-W.USWC.USWEST.COM
    O1 - Hosts: 151.117.109.217 notations-e.USWC.USWEST.COM
    O1 - Hosts: 151.119.86.35 productcatalog.uswc.uswest.com
    O1 - Hosts: 151.119.86.35 productcatalog
    O1 - Hosts: 151.119.86.35 sudnp034.uswc.uswest.com
    O1 - Hosts: 151.119.86.36 sudnp049.uswc.uswest.com
    O1 - Hosts: 151.119.86.44 qserv.uswc.uswest.com
    O1 - Hosts: 151.119.119.74 infobuddy.uswc.uswest.com
    O1 - Hosts: 151.119.158.23 emedia.uswc.uswest.com
    O1 - Hosts: 151.119.177.87 notations-C.USWC.USWEST.COM
    O1 - Hosts: 151.119.177.87 FACCHK-C.USWC.USWEST.COM
    O1 - Hosts: 151.119.215.105 telweb03
    O1 - Hosts: 155.70.28.94 altpath.qwest.com
    O1 - Hosts: 155.70.35.97 INTERPRISE.COM
    O1 - Hosts: 155.70.35.98 ACMSPJV1.INTERPRISE.COM
    O1 - Hosts: 155.70.35.99 iadenfs02
    O1 - Hosts: 155.70.35.99 IADENFS02.USWC.USWEST.COM
    O1 - Hosts: 155.70.35.100 DORADO.INTERPRISE.COM
    O1 - Hosts: 155.70.35.101 PROXY.INTERPRISE.COM
    O1 - Hosts: 155.70.35.102 CLARIFY.INTERPRISE.COM
    O1 - Hosts: 155.70.35.103 ds1.uswest.net
    O1 - Hosts: 155.70.35.103 ds1.oss.uswest.net
    O1 - Hosts: 155.70.35.104 nimitz.interprise.com
    O1 - Hosts: 155.70.35.105 teams.interprise.com
    O1 - Hosts: 155.70.35.105 iamspiis01
    O1 - Hosts: 155.70.35.106 acmspjv2.interprise.com
    O1 - Hosts: 155.70.35.128 Qshare
    O1 - Hosts: 155.70.35.165 dslcenters
    O1 - Hosts: 155.70.35.232 ebilling-repsweb.qintra.com
    O1 - Hosts: 155.70.62.197 qtomadsl1.dev.qintra.com
    O1 - Hosts: 155.70.137.206 webmail.qwest.com
    O1 - Hosts: 155.70.25.126 qtomanetac27.ad.qintra.com
    O1 - Hosts: 155.70.25.126 ithd.qwest.net
    O1 - Hosts: 155.70.35.165 ntdcentereval
    O1 - Hosts: 155.70.35.165 NTDCenterEval.ad.qintra.com
    O1 - Hosts: 155.70.35.165 NTDCenterTraining.ad.qintra.com
    O1 - Hosts: 160.33.26.98 partners.sonypictures.com
    O1 - Hosts: 151.117.24.16 vaprodapp.interprise.com
    O1 - Hosts: 151.117.24.16 vaprodapp
    O1 - Hosts: 172.28.58.226 ds1.interprise.com
    O1 - Hosts: 204.147.80.88 my.qwest.net
    O1 - Hosts: 204.147.85.106 regprod1.oss.uswest.net
    O1 - Hosts: 204.147.85.150 saba.oss.uswest.net
    O1 - Hosts: 204.147.85.151 WWW.OSS.USWEST.NET
    O1 - Hosts: 204.147.86.69 donald.oss.uswest.net
    O1 - Hosts: 204.147.86.69 oraname2.oss.uswest.net
    O1 - Hosts: 204.147.86.75 oraname1.oss.uswest.net
    O1 - Hosts: 204.147.86.75 mars.oss.uswest.net
    O1 - Hosts: 204.147.86.79 isopsprod.oss.uswest.net
    O1 - Hosts: 204.147.86.79 iclarprod
    O1 - Hosts: 204.147.86.79 oraname3.oss.uswest.net
    O1 - Hosts: 155.70.35.60 rceprod1
    O1 - Hosts: 155.70.99.242 rceprod3
    O1 - Hosts: 155.70.99.243 rceprod2
    O1 - Hosts: 155.70.99.244 rceprod4
    O1 - Hosts: 155.70.35.60 rceprod1.qintra.com
    O1 - Hosts: 155.70.99.242 rceprod3.qintra.com
    O1 - Hosts: 155.70.99.243 rceprod2.qintra.com
    O1 - Hosts: 155.70.99.244 rceprod4.qintra.com
    O1 - Hosts: 151.117.121.180 SUOMP09H.QINTRA.COM
    O1 - Hosts: 155.70.98.39 LXDND698.DEV.QINTRA.COM
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {3F5BFDDA-A730-49A3-B9F3-044E61C381A3} - C:\WINDOWS\system32\tuvUOHwW.dll
    O2 - BHO: (no name) - {6C23AB0C-0244-4B01-8253-BEE724D0D2EC} - C:\WINDOWS\system32\tuVnNdEt.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_13\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [NGClient] C:\Program Files\Symantec\Ghost\ngctw32.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_13\bin\jusched.exe
    O4 - HKLM\..\Run: [98fd90f1] rundll32.exe "C:\WINDOWS\system32\jsaorijt.dll",b
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ChristmasTree] C:\DOCUME~1\VillavCG\LOCALS~1\Temp\Rar$EX00.016\Christmas.exe
    O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_13\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_13\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O15 - Trusted Zone: ds1.interprise.com
    O15 - Trusted Zone: vaprodapp.interprise.com
    O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Diner%20Dash%20-%20Flo%20on%20the%20Go/Images/stg_drm.ocx
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1120851008953
    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Diner%20Dash%20-%20Flo%20on%20the%20Go/Images/armhelper.ocx
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://sykes.webex.com/client/T26L/webex/ieatgpc.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
    O20 - Winlogon Notify: tuVnNdEt - C:\WINDOWS\SYSTEM32\tuVnNdEt.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Symantec Ghost Client Agent (NGClient) - Symantec Corporation - C:\Program Files\Symantec\Ghost\ngctw32.exe
    O23 - Service: OracleOraHome81ClientCache - Unknown owner - C:\Oracle\Ora81\BIN\ONRSD.EXE
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: VPRemote Install Bootstrap Service (VPREMOTE) - Unknown owner - C:\TEMP\Clt-Inst\vpremote.exe (file missing)
    O23 - Service: RUMBA AS/400 Shared Folders (Wdworkstation) - NetManage Incorporated - C:\WINDOWS\system32\wdnpsvc.exe
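The log above is long, and the items that matter for the pop-up problem are easy to miss among the corporate hosts entries: an O4 Run key that launches a DLL through rundll32.exe, two O2 BHOs with "(no name)" and random-looking DLL names, an O20 Winlogon Notify entry that reuses one of those BHO DLLs, and programs started from the user's Temp folder. As an added example, not part of this thread and not HijackThis or forum code, here is a small Python triage script that applies exactly those checks to a few lines modelled on the posted log (the sample lines are constructed for the example; the rule names and thresholds are my own assumptions, and a hit is a lead to investigate, not a verdict).

```python
import re

# Constructed sample modelled on the HijackThis log in this thread (a
# handful of lines, not the full log).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\Rundll32.exe
C:\DOCUME~1\VillavCG\LOCALS~1\Temp\SARClient2.001.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3F5BFDDA-A730-49A3-B9F3-044E61C381A3} - C:\WINDOWS\system32\tuvUOHwW.dll
O2 - BHO: (no name) - {6C23AB0C-0244-4B01-8253-BEE724D0D2EC} - C:\WINDOWS\system32\tuVnNdEt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_13\bin\jusched.exe
O4 - HKLM\..\Run: [98fd90f1] rundll32.exe "C:\WINDOWS\system32\jsaorijt.dll",b
O4 - HKCU\..\Run: [ChristmasTree] C:\DOCUME~1\VillavCG\LOCALS~1\Temp\Rar$EX00.016\Christmas.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: tuVnNdEt - C:\WINDOWS\SYSTEM32\tuVnNdEt.dll
"""

ITEM_RE = re.compile(r"^([OR]\d+)\s+-\s+(.*)$")
# Per-user Temp folder in either 8.3 or long-name form.
TEMP_RE = re.compile(r"\\(LOCALS~1\\Temp|Local Settings\\Temp)\\", re.I)
# rundll32 invoked with a DLL path as its first argument.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?', re.I)
# Trailing DLL file name of an O2/O20 entry.
DLL_RE = re.compile(r"([A-Za-z0-9_$~-]+\.dll)\s*$", re.I)


def parse_log(text):
    """Split a HijackThis log into the running-process list and (tag, body) items."""
    processes, items = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:            # blank line ends the process list
            in_procs = False
            continue
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        m = ITEM_RE.match(line)
        if m:
            items.append((m.group(1), m.group(2)))
        elif in_procs:
            processes.append(line)
    return processes, items


def triage(text):
    """Return (rule, evidence) pairs for the indicators discussed in the thread."""
    processes, items = parse_log(text)
    findings = []

    # Rule 1/2: autorun entries that host a DLL via rundll32 or start from Temp.
    for tag, body in items:
        if tag != "O4":
            continue
        m = RUNDLL_RE.search(body)
        if m:
            findings.append(("rundll32 autorun", m.group(1)))
        if TEMP_RE.search(body):
            findings.append(("autorun from Temp", body.split("] ", 1)[-1]))

    # Rule 3: Browser Helper Objects that carry no name at all.
    unnamed_bho = {}
    for tag, body in items:
        if tag == "O2" and body.startswith("BHO: (no name)"):
            m = DLL_RE.search(body)
            if m:
                findings.append(("unnamed BHO", m.group(1)))
                unnamed_bho[m.group(1).lower()] = body

    # Rule 4: a Winlogon Notify package backed by the same DLL as an unnamed BHO
    # (one DLL registered in two persistence locations).
    for tag, body in items:
        if tag == "O20":
            m = DLL_RE.search(body)
            if m and m.group(1).lower() in unnamed_bho:
                findings.append(("Winlogon Notify reuses BHO DLL", m.group(1)))

    # Rule 5/6: processes running from Temp, and several rundll32 hosts at once.
    for proc in processes:
        if TEMP_RE.search(proc):
            findings.append(("process from Temp", proc))
    n_rundll = sum(1 for p in processes if p.lower().endswith("\\rundll32.exe"))
    if n_rundll >= 2:  # threshold is an assumption for this example
        findings.append(("multiple rundll32 processes", str(n_rundll)))
    return findings


if __name__ == "__main__":
    for rule, evidence in triage(SAMPLE_LOG):
        print(f"{rule:32} {evidence}")
```

Run it as a script to print the flagged entries, or call `triage()` on the text of a full log. The cross-reference in rule 4 is the most useful check: a DLL that shows up both as an unnamed BHO and as a Winlogon Notify package is loaded into Internet Explorer and into winlogon.exe, which is why the pop-ups survive closing the browser and why the reply below escalates from a single scanner to Malwarebytes if the first pass does not clear it.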

  2. #2
    VopThis (Senior Member, Canada)
    Download SUPERAntiSpyware (SAS) free home version:

    http://www.superantispyware.com/supe...freevspro.html


    Install it and double-click the icon on your desktop to run it:
    • It will ask if you want to update the program definitions, click "Yes",
    • Let it through your firewall!
    • Under "Configuration and Preferences", click the Preferences BUTTON.
    • Click the Scanning Control TAB.
    • Under "Scanner Options" make sure the following and additional items are checked:
      • Close browsers before scanning
      • Scan for tracking cookies (default)
      • Terminate memory threats before quarantining.
      • Ignore System Restore/Volume Information on ME and XP
      • Click the Close button to leave the control center screen.
    • On the main screen, under "Scan for Harmful Software" click Scan your computer.
      • On the left check "C:\Fixed Drive".
      • On the right, under "Complete Scan", choose Perform Complete Scan.
      • Click "Next" to start the scan. Please be patient while it scans your computer.
      • After the scan is complete a summary box will appear. Click "OK".
      • Make sure everything in the white box has a check next to it, then click "Next".
      • It will quarantine what it found and if it asks if you want to reboot, click "Yes".
    • To retrieve the removal information - please do the following:
      • After reboot, double-click the "SUPERAntiSpyware icon" on your desktop.
      • Click "Preferences". Click the Statistics/Logs TAB.
      • Under "Scanner Logs", double-click "SUPERAntiSpyware Scan Log".
      • It will open in your default text editor (such as Notepad/Wordpad).
      • Please highlight everything, then right-click and choose copy.
    • Click close and close again to exit the program.
    • Please paste:
      • The SAS LOG information.
      • A new HijackThis LOG (with any current observations).



    If Vundo (popup issues) still appears to be present, run the following additional scan:

    * Please download Malwarebytes' Anti-Malware from HERE or HERE

    Double-click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart (see Extra Note).
    • A run log is automatically saved by MBAM and can be viewed by clicking the Logs TAB in MBAM.
    • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
