I am running 2 AV concurrently. I know thats a no-no, but these 2 seem to work well together and are complimentary.
I have AVAST which is a very good firewall, and SPYWARE DOCTOR which is a very good resident scanner.
I threw out PC-CILLIN when it would only warn, but not rid me of Vundo.
Now my startup scan with SW.DR reports the Trojan.Virtumonde is resident. It reports the following...
Process Call....Winlogon.exe (C:\windows\system32\OPNOPOM.DLL)
.......................Explorer.exe (C:\windows\system32\OPNOPOM.DLL)
File.................C:\windows\system32\OPNOPOM.DLL
Startup...........HKEY_local_machine\microsoft\windows\current version\exp...\shellexecutehooks, (c1adc5ed-fb26-4770-afe5-bd3a7eb5c148)
........................HKEY_local_machine\microsoft\windowsnt\current version\winlogon\notify\OPNOPOM,dllname = OPNOPOM.DLL
Registry Key...HKEY_local_machine\microsoft\windows\current version\explorer\browser helper object\(c1adc5ed-fb26-4770-afe5-bd3a7eb5c148)
SW.DR removes all but the file OPNOPOM.DLL. Other boot-up file killers, including Hijackthis cannot remove it either.
I have manually cleaned the registry of all references to this file, but it all comes back at next boot.
SW.DR at least stops it from doing its thing in real-time.
Now I figure that WINLOGON.EXE and EXPLORER.EXE may be infected, and WINLOGON loads well before the boot-killers do, protecting the file.
I asked the question on WindowsBBS if I can deactivate WINLOGON.EXE (by temporarily renaming it, if that can be done) so it won't load and the boot-killers can do their stuff, but no suitable answer so far. Is this viable / possible??
Or would a transplant of a clean WINLOGON and EXPLORER work, assuming they can be replaced?
What about a CD boot to bypass the installed files?
Anyway, here is the Hijackthis log.
A lot of the files that are "missing" were those from the Vundo attack that have been deleted.
I assume it would be OK to remove those lines, but I'll wait for your analysis. There are others that should be deleted as well, if only to clean up the registry.
I really hope someone can help, because I've read this Trojan is very difficult to totally kill.
Thanks in advance
jgb
================================
Logfile of HijackThis v1.99.1
Scan saved at 7:19:35 AM, on 9/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\AVast\aswUpdSv.exe
C:\AVast\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\V-Stream\PVR Plus\TVR\Scheduled.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\AVast\ashDisp.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Quick-Access\ProcessLibrary\qaccess.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\AVast\ashMaiSv.exe
C:\AVast\ashWebSv.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HiJackThis-Scanner\Spywarescan.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimt.../aimtoolbar.jsp
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\FlashGet\jccatch.dll
O2 - BHO: (no name) - {3D078D49-5C0E-49B6-9E4A-571AECAB9DBB} - C:\WINDOWS\system32\vtutu.dll (file missing)
O2 - BHO: (no name) - {3F5E9987-FD12-408E-3612-018845CDF059} - (no file)
O2 - BHO: (no name) - {41E1D7D5-4908-436A-8A43-04C56659EE5A} - C:\WINDOWS\system32\pmkhh.dll (file missing)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {8EFB7906-4BBD-4282-83CB-54675FA9B7AE} - C:\WINDOWS\system32\geedd.dll (file missing)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: oembios32.msdn_hlp - {AB5FE6E5-7C72-4B89-85D0-D57E7AEAC236} - C:\WINDOWS\system32\oembios32.dll (file missing)
O2 - BHO: (no name) - {BF1CE9E9-D043-413D-8DDC-061393367AAC} - C:\WINDOWS\System32\ddabb.dll (file missing)
O2 - BHO: (no name) - {C1ADC5ED-FB26-4770-AFE5-BD3A7EB5C148} - C:\WINDOWS\system32\opnopom.dll
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {C9362C1D-579A-428C-BB24-3479D0E197C8} - C:\WINDOWS\System32\ssqpp.dll (file missing)
O2 - BHO: (no name) - {D4F2C7DF-EC73-4E0B-9E24-DC1E864037F8} - C:\WINDOWS\system32\pmnno.dll (file missing)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {D960D240-B4D6-45BF-8962-F04BF469CD0D} - C:\WINDOWS\system32\awvtt.dll (file missing)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O2 - BHO: (no name) - {EB6D904A-84EF-488C-AF3C-F82C83DBB369} - C:\WINDOWS\system32\ddcyv.dll (file missing)
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\FlashGet\getflash.dll
O2 - BHO: (no name) - {F5938714-BD46-408A-9842-4058206D37E3} - (no file)
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\FlashGet\fgiebar.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Net-It Launcher] C:\WINDOWS\System32\NILaunch.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE lebeca web camera driver
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MediaFace Integration] C:\MediaFace-Neato\SetHook.exe
O4 - HKLM\..\Run: [PVR Agent] C:\Program Files\V-Stream\PVR Plus\TVR\Scheduled.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [avast!] C:\AVast\ashDisp.exe
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\pofrqmkk.dll",sitypnow
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Vnqfny] "C:\Program Files\Common Files\s?curity\?xplorer.exe"
O4 - HKCU\..\Run: [Uniblue Quick Access] "C:\Quick-Access\ProcessLibrary\qaccess.exe" /startup
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\PalmPilot 515\HOTSYNC.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Download All with FlashGet - C:\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\AOL-AIM\aim.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\FlashGet\FlashGet.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...ntr_current.cab
O16 - DPF: {4EC8E993-32C1-47F5-A07A-5B0574655AD4} (WXcom Class) - http://us.dl1.yimg.c...ntr_current.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase8300.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{75A7C26E-DF48-4502-BA70-BD15CED1C429}: NameServer = 199.166.4.2
O20 - Winlogon Notify: ddabb - C:\WINDOWS\System32\ddabb.dll (file missing)
O20 - Winlogon Notify: opnopom - C:\WINDOWS\SYSTEM32\opnopom.dll
O20 - Winlogon Notify: ssqpp - C:\WINDOWS\System32\ssqpp.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\AVast\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\AVast\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\AVast\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\AVast\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Windows - Unknown owner - C:\WINNT\srvany.exe (file missing)
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
end