
Vundo Virus - Another one



Could someone please take a look at this log and let me know what's what.

Thanks

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:19:33 AM, on 1/17/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\system32\HPZipm12.exe

C:\Program Files\Encryption Anywhere\Encryption Anywhere Clients\RSGUIProvider.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Encryption Anywhere\Encryption Anywhere Clients\Client Console\EAFRCliStart.exe

C:\Program Files\Microsoft Office Communicator\Communicator.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Microsoft Office\Office\OSA.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

C:\WINDOWS\regedit.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://worknet.auth.wellpoint.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://worknet.auth.wellpoint.com/

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://worknet.auth.wellpoint.com/

R3 - Default URLSearchHook is missing

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe

O2 - BHO: (no name) - {418C9DDE-B6CA-454A-B047-C0CFAD712DE3} - C:\DOCUME~1\spadogn\LOCALS~1\Temp\pmnoOFuu.dll

O2 - BHO: (no name) - {5dccde58-255a-4307-ae4b-46eefa51822c} - C:\WINDOWS\system32\sosarure.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_15\bin\ssv.dll

O3 - Toolbar: Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [sDJobCheck] triggusr.exe

O4 - HKLM\..\Run: [EnableCache] C:\WINDOWS\system32\msiexec.exe /fu {47DD019F-7DCB-47D1-A261-1BCEB444CD90} /qn

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_15\bin\jusched.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui

O4 - HKLM\..\Run: [EAFRCliStart] C:\Program Files\Encryption Anywhere\Encryption Anywhere Clients\Client Console\EAFRCliStart.exe /p

O4 - HKLM\..\Run: [AMO] C:\TNGAM\AGENTS\USERINV.LNK

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon

O4 - HKCU\..\Run: [sybaseFix] C:\Windows\Options\Scripts\Sybase_AccessUsersFix.vbs

O4 - HKCU\..\Run: [COMMUNICATOR] "C:\Program Files\Microsoft Office Communicator\Communicator.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [MS Juan] rundll32 "C:\DOCUME~1\spadogn\LOCALS~1\Temp\orgzpl.dll",run

O4 - HKCU\..\Run: [jiyakedagi] Rundll32.exe "C:\WINDOWS\system32\fasapako.dll",s

O4 - HKCU\..\Run: [CPMff60086c] Rundll32.exe "C:\WINDOWS\system32\pofolehe.dll",a

O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

O4 - Global Startup: Office Startup.lnk = ?

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_15\bin\npjpi150_15.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_15\bin\npjpi150_15.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://worknet.auth.wellpoint.com/

O15 - Trusted Zone: http://inw2kgen01.corp.anthem.com

O15 - Trusted Zone: http://webimage.wellpoint.com

O15 - Trusted IP range: http://30.128.190.121

O15 - Trusted IP range: http://30.37.205.23

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab

O16 - DPF: {897F5787-EAB8-4C0D-8EE7-D296E3E1CCAF} (ipdWebControl.CRegistry) - http://30.34.14.74/ultera/Download/ipdWebControl.cab

O16 - DPF: {8C28EFF4-767B-11D1-844B-0060972DC2AC} - http://30.37.205.23/components/Brio.Quickview.cab

O16 - DPF: {C1A30C78-808C-4ADF-B5EF-27F164626548} (SamuraiCtrl Class) - http://vaw2kvrntsr04.corp.anthem.com/ultra...intPlayback.cab

O16 - DPF: {C411B4F7-7FB2-4E3C-934F-5CF43A6B4CCF} (Desktop.DeskCtrl) - http://va2k3amg01/esm/desktop/desktop.cab

O16 - DPF: {E512705A-3850-4CD2-84F3-80B2BFAFACDE} (ipdFormLetter.FormLetterProxy) - http://30.34.14.74/ultera/Download/ipdFormLetter.cab

O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupControlXP Class) - https://myconnection.wellpoint.com/dana-cac...perSetupSP1.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = us.ad.wellpoint.com

O17 - HKLM\Software\..\Telephony: DomainName = us.ad.wellpoint.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = us.ad.wellpoint.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = IN.TRIGON.COM,CORP.ANTHEM.COM,CORP.TGHNET.COM,AICI.COM,US.AD.WELLPOINT.COM,EBCBSNY.WELLCHOICE.INC,BCBS-GA.COM,COBALT-CORP.COM,EMPIREBCBS.COM,BCBSWI.COM,BCBSMO.COM,UWSI.COM,WELLPOINT.COM,HEALTHLINK.COM

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = us.ad.wellpoint.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = IN.TRIGON.COM,CORP.ANTHEM.COM,CORP.TGHNET.COM,AICI.COM,US.AD.WELLPOINT.COM,EBCBSNY.WELLCHOICE.INC,BCBS-GA.COM,COBALT-CORP.COM,EMPIREBCBS.COM,BCBSWI.COM,BCBSMO.COM,UWSI.COM,WELLPOINT.COM,HEALTHLINK.COM

O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = us.ad.wellpoint.com

O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = IN.TRIGON.COM,CORP.ANTHEM.COM,CORP.TGHNET.COM,AICI.COM,US.AD.WELLPOINT.COM,EBCBSNY.WELLCHOICE.INC,BCBS-GA.COM,COBALT-CORP.COM,EMPIREBCBS.COM,BCBSWI.COM,BCBSMO.COM,UWSI.COM,WELLPOINT.COM,HEALTHLINK.COM

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = IN.TRIGON.COM,CORP.ANTHEM.COM,CORP.TGHNET.COM,AICI.COM,US.AD.WELLPOINT.COM,EBCBSNY.WELLCHOICE.INC,BCBS-GA.COM,COBALT-CORP.COM,EMPIREBCBS.COM,BCBSWI.COM,BCBSMO.COM,UWSI.COM,WELLPOINT.COM,HEALTHLINK.COM

O20 - Winlogon Notify: EARSWlNotify - EARSWlNotify.dll (file missing)

O20 - Winlogon Notify: GEWinlogonNotify - C:\WINDOWS\SYSTEM32\GENotify.dll

O23 - Service: BMC_ConfigMgr (BMCConfigMgr) - BMC Software, Inc. - C:\program files\BMCCM\tuner\Tuner.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe

O23 - Service: DameWare Mini Remote Control (DWRCS) - DameWare Development LLC - C:\WINDOWS\system32\DWRCS.EXE

O23 - Service: EAFRCliManager - GuardianEdge Technologies, Inc. - C:\Program Files\Encryption Anywhere\Encryption Anywhere Clients\EAFRCliManager.exe

O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPBPRO.EXE

O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPBOID.EXE

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Lan Discover Agent (magaService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\maga\maga.exe

O23 - Service: Neoteris Setup Service - Juniper Networks - C:\Program Files\Neoteris\Installer Service\NeoterisSetupService.exe

O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\Oracle\bin\omtsreco.exe

O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\Oracle\bin\ONRSD.EXE

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Removable Storage Service (RemovableStorageService) - GuardianEdge Technologies, Inc. - C:\Program Files\Encryption Anywhere\Encryption Anywhere Clients\RemovableStorageService.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\smc.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--

End of file - 10937 bytes


Are you a Blue Cross employee? Is this a Blue Cross company computer? I'm afraid you are going to have to answer both of those questions before anyone here can help you with this particular computer. Also, tell us what issues you are experiencing. Thanks!


  • Root Admin

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
