Author Topic: Vundo - amongst others with Hijack log  (Read 16551 times)


RooPar

  • Guest
Re: Vundo - amongst others with Hijack log
« Reply #15 on: June 06, 2008, 03:52:52 PM »
Malwarebytes' Anti-Malware 1.14
Database version: 800

2:44:41 PM 05/06/2008
mbam-log-6-5-2008 (14-44-28).txt

Scan type: Full Scan (C:\|)
Objects scanned: 146140
Time elapsed: 2 hour(s), 34 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 13
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gooochi (Adware.Vapsup) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Deewoo Network Manager (Adware.Radio) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_CLASSES_ROOT\WR (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService (Adware.CommAd) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM5b5af632 (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89695
  • No support PMs thanks
Re: Vundo - amongst others with Hijack log
« Reply #16 on: June 06, 2008, 04:30:24 PM »
Suspect (may be as a result of malware removed by scans you have done, but the registry entries still exist):
O2 - BHO: (no name) - {3095D50F-F1BA-4BBC-A54D-819EEB7E0898} - C:\WINDOWS\system32\urqNghGa.dll (file missing)
O2 - BHO: (no name) - {48C55D88-834B-4BE9-BC28-FEBC1E970022} - C:\WINDOWS\system32\hgGawTlJ.dll (file missing)

O2 - BHO: (no name) - {6AFFDB5A-3ED5-49EB-8211-B1249A9E52AD} - (no file)
O2 - BHO: (no name) - {9F17EA7C-2617-48BE-B120-92FA4FD2873A} - C:\WINDOWS\system32\mlJCRICT.dll (file missing)
O2 - BHO: (no name) - {F3BB89D9-B7A1-4052-A4DE-B8BFFB23E7C7} - (no file)
O2 - BHO: (no name) - {FB3E5D22-19CB-4A96-ABE1-1705278EFAB0} - (no file)

O20 - Winlogon Notify: urqNghGa - urqNghGa.dll (file missing)

JAVA out of date:
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
Ensure you have the latest version of the JRE (Java Runtime Environment), because older versions can be vulnerable to malware. First remove all older versions from Add/Remove Programs.
Then get the latest update from here http://java.sun.com/javase/downloads/index.jsp
Or JRE version 6 update 6 http://www.majorgeeks.com/Sun_Java_Runtime_Environment_d4648.html


Other than the above I don't see anything obvious.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security
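
The check DavidR did by eye in the reply above (an O2 or O20 entry whose DLL is gone is an orphaned registry entry, and the JRE version can be read off the ssv.dll path) can be mechanised. The following is an added example, not code from the thread or from HijackThis; the sample lines are copied from the log quoted above plus one constructed benign BHO line for contrast, and the minimum JRE update number is an assumed threshold for illustration.

```python
"""Triage of HijackThis O2 (BHO) and O20 (Winlogon Notify) log lines.

Added example, not part of the forum thread or of HijackThis itself.
SAMPLE_HJT holds lines from the log above plus one constructed benign entry;
min_jre_update is an assumed threshold, not something HJT reports.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# CLSID in braces, as HJT prints it
_CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
_O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>" + _CLSID + r") - (?P<path>.*)$")
_O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<dll>.*)$")
# version embedded in a JRE install path such as ...\Java\jre1.6.0_03\bin\ssv.dll
_JRE_RE = re.compile(r"jre1\.(?P<major>\d+)\.\d+_(?P<update>\d+)", re.IGNORECASE)

SAMPLE_HJT = [
    r"O2 - BHO: (no name) - {3095D50F-F1BA-4BBC-A54D-819EEB7E0898} - C:\WINDOWS\system32\urqNghGa.dll (file missing)",
    r"O2 - BHO: (no name) - {6AFFDB5A-3ED5-49EB-8211-B1249A9E52AD} - (no file)",
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll",
    r"O20 - Winlogon Notify: urqNghGa - urqNghGa.dll (file missing)",
    # constructed benign line for contrast; not from the thread
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll",
]


@dataclass
class Finding:
    line: str
    reason: str
    clsid: Optional[str] = None


def _is_orphan(target: str) -> bool:
    """HJT prints '(file missing)' or '(no file)' when the registered DLL is absent."""
    target = target.strip()
    return target.endswith("(file missing)") or target == "(no file)"


def triage_hjt(lines: Iterable[str], min_jre_update: int = 6) -> List[Finding]:
    """Flag orphaned BHO / Winlogon Notify entries and an out-of-date JRE 1.6."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        m = _O2_RE.match(line)
        if m:
            if _is_orphan(m["path"]):
                findings.append(Finding(
                    line, f"orphaned BHO {m['name']}: DLL missing, registration remains", m["clsid"]))
            j = _JRE_RE.search(m["path"])
            if j and (int(j["major"]), int(j["update"])) < (6, min_jre_update):
                findings.append(Finding(
                    line, f"JRE 1.{j['major']} update {int(j['update'])} is below update {min_jre_update}", m["clsid"]))
            continue
        m = _O20_RE.match(line)
        if m and _is_orphan(m["dll"]):
            findings.append(Finding(line, f"orphaned Winlogon Notify key {m['key']}: DLL missing"))
    return findings


def orphan_clsids(findings: List[Finding]) -> List[str]:
    """CLSIDs worth searching for, and ticking in HJT, because no DLL backs them."""
    return sorted({f.clsid for f in findings if f.clsid and f.reason.startswith("orphaned BHO")})


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT):
        print(f"{f.reason}\n    {f.line}")
    print("orphan CLSIDs:", orphan_clsids(triage_hjt(SAMPLE_HJT)))
```

The orphan test is deliberately literal: HJT itself annotates the line, so the script only has to trust that annotation rather than touch the registry. The CLSID list is what you would paste into a search engine or tick in HJT's Fix dialog.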

RooPar

  • Guest
Re: Vundo - amongst others with Hijack log
« Reply #17 on: June 06, 2008, 10:27:54 PM »
Fixed the Java issue.
Not sure what to do with the others that you noted may be suspect.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89695
  • No support PMs thanks
Re: Vundo - amongst others with Hijack log
« Reply #18 on: June 06, 2008, 11:01:16 PM »
Normally I would suggest you google the file names at the entries (where one exists) and see what is returned to confirm or deny any suspicion. For the ones that have no name, no file you could do a google search for the bracketed numbers including the { } brackets. Though I suspect you will find little.

Run HJT again, to the left of the entries is a check box, tick/check in the box for the above entries and click the Fix selected button. That will remove the registry entries for the checked entries, it will also save a back-up to be able to recover if required.

I have just seen the MBAM log you posted. I would have thought it would have cleaned up the reported entries (I haven't used MBAM); did you opt not to do anything, or is that a restriction of the free version?

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Vundo - amongst others with Hijack log
« Reply #19 on: June 07, 2008, 08:09:10 AM »
Here's the canned speech, with the appropriate action highlighted:

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

RooPar

  • Guest
Re: Vundo - amongst others with Hijack log
« Reply #20 on: June 08, 2008, 03:27:34 AM »
Malwarebytes' Anti-Malware 1.15
Database version: 839

6:27:28 PM 07/06/2008
mbam-log-6-7-2008 (18-27-28).txt

Scan type: Full Scan (C:\|)
Objects scanned: 147115
Time elapsed: 1 hour(s), 45 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\apfudqkt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tkqdufpa.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gxwgwgdv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vdgwgwxg.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\oqyjwtms.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\smtwjyqo.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ottfrmdn.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ndmrftto.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tblnqehk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kheqnlbt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
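
The two MBAM logs in this thread differ in exactly the way DavidR asked about in Reply #18: the first ends every line with "No action taken", the second with "Quarantined and deleted successfully". The log in Reply #20 also shows a Vundo habit worth knowing: each random-named .dll in system32 has a companion .ini whose name is the .dll name spelled backwards (apfudqkt.dll / tkqdufpa.ini). The following parser is an added example, not code from the thread or from Malwarebytes; SAMPLE_LOG is a constructed excerpt modelled on the two logs, mixing both action strings so every check has something to find.

```python
"""Summarise a Malwarebytes' Anti-Malware 1.x text log.

Added example, not part of the forum thread or of MBAM itself. It lists the
detections left with "No action taken" (the question in Reply #18), checks
each section's header count against the items actually listed (a truncated
paste shows up as a mismatch), and pairs each Vundo .dll with the .ini whose
name is the .dll name reversed (as in the log in Reply #20).
SAMPLE_LOG is a constructed excerpt modelled on the logs in this thread.
"""
import re
from collections import Counter

_COUNT_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<n>\d+)$")
_HEADING_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# one detected item: "<path> (<Detection.Name>) -> <action>"
_ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+)$")

SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.15
Database version: 839

Scan type: Full Scan (C:\|)
Objects scanned: 147115
Time elapsed: 1 hour(s), 45 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService (Adware.CommAd) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM5b5af632 (Trojan.Agent) -> No action taken.

Files Infected:
C:\WINDOWS\system32\apfudqkt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tkqdufpa.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gxwgwgdv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vdgwgwxg.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
"""


def parse_mbam_log(text: str) -> dict:
    """Return the header counts and every detected item with its section and action."""
    counts, items, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := _COUNT_RE.match(line)):
            counts[m["section"]] = int(m["n"])
        elif (m := _HEADING_RE.match(line)):
            section = m["section"]
        elif (m := _ITEM_RE.match(line)):
            items.append({"section": section, "path": m["path"],
                          "detection": m["detection"], "action": m["action"]})
    return {"counts": counts, "items": items}


def not_removed(parsed: dict) -> list:
    """Detections the scan only reported: the machine is still infected after such a run."""
    return [i for i in parsed["items"] if i["action"].startswith("No action taken")]


def missing_sections(parsed: dict) -> dict:
    """Sections whose header count disagrees with the items listed, as (header, listed)."""
    listed = Counter(i["section"] for i in parsed["items"])
    return {s: (n, listed.get(s, 0)) for s, n in parsed["counts"].items() if n != listed.get(s, 0)}


def vundo_pairs(parsed: dict) -> list:
    """Pair each Trojan.Vundo .dll with the .ini whose base name is the .dll name reversed."""
    by_name = {}
    for item in parsed["items"]:
        if item["detection"] != "Trojan.Vundo":
            continue
        stem, _, ext = item["path"].rsplit("\\", 1)[-1].lower().rpartition(".")
        if ext in ("dll", "ini"):
            by_name[(stem, ext)] = item["path"]
    return [(path, by_name[(stem[::-1], "ini")])
            for (stem, ext), path in sorted(by_name.items())
            if ext == "dll" and (stem[::-1], "ini") in by_name]


if __name__ == "__main__":
    parsed = parse_mbam_log(SAMPLE_LOG)
    print("left untouched:", [i["path"] for i in not_removed(parsed)])
    print("count mismatches:", missing_sections(parsed))
    print("dll/ini pairs:", vundo_pairs(parsed))
```

Applied to the first log in this thread the count check would report a mismatch for "Files Infected" (the header says 4, but that section was not included in the paste), which is exactly the sort of thing a helper wants to know before concluding a file was or was not removed.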