
Thread: Trojan Problem - Spyware in system?

  1. #1
    Junior Member
    Join Date
    Apr 2007
    Posts
    11

    Default Trojan Problem - Spyware in system?

    I was having a conversation with a friend over MSN, when a message showing a link to a picture appeared in the conversation. I clicked on it, and it requested a download - I clicked cancel and it downloaded anyway.
    Since then, my antivirus program, F-Secure, has been finding lots of viruses and trojans throughout the Windows\system32 type area.
    Also, in Internet Explorer, new windows have been opening, such as gambling, loans, and pornographic pages.
    Now, cookies created by these pages are detected and removed by Spybot; however, this does not solve the problem.
    I was browsing through Spybot's functions, and found BHOs and System Processes.
    In my BHO list, there were 5 unknown BHOs.
    There were another 3 with a green tick next to them, and they were MSN sign-in help, Google and Yahoo.
    I took the risk of deleting one of the 'unknowns' and F-Secure quickly identified it as a trojan.

    Now, in my System Processes - aside from the System setting itself, there are several processes which are un-named, have very little description, and link to each other. In contrast, all the other processes have lots of information, such as maker - e.g. Microsoft, Diskeeper, Spybot S&D.

    I didn't want to run the risk of harming my system, so I thought it better to ask for help. Any help would be appreciated. Thanks.

    Attachment 1363

    This is my BHO report created by Spy-bot.

    Attachment 1364

    This is my System Processes report, created by Spy-bot.

    Any help would be brilliant.

  2. #2
    Junior Member
    Join Date
    Apr 2007
    Posts
    11

    Default

    Also, another thing, I might have a Vundo trojan for my BHOs.
    I have had my anti-virus detect 2 BHOs as viruses.

  3. #3
    Junior Member
    Join Date
    Apr 2007
    Posts
    11

    Default

    Sorry -

    BHO log -
    Note : One BHO cannot be removed using Spy-bot. It is in BLACK.


    --- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

    2005-05-31 blindman.exe (1.0.0.1)
    2005-05-31 SpybotSD.exe (1.4.0.3)
    2005-05-31 TeaTimer.exe (1.4.0.2)
    2005-09-03 unins000.exe (51.41.0.0)
    2005-05-31 Update.exe (1.4.0.0)
    2007-04-18 advcheck.dll (1.5.1.0)
    2005-05-31 aports.dll (2.1.0.0)
    2005-05-31 borlndmm.dll (7.0.4.453)
    2005-05-31 delphimm.dll (7.0.4.453)
    2005-05-31 SDHelper.dll (1.4.0.0)
    2007-01-02 Tools.dll (2.0.1.0)
    2005-05-31 UnzDll.dll (1.73.1.1)
    2005-05-31 ZipDll.dll (1.73.2.0)
    2007-04-18 Includes\Cookies.sbi
    2006-12-08 Includes\Dialer.sbi
    2007-04-18 Includes\DialerC.sbi
    2007-04-04 Includes\Hijackers.sbi
    2007-04-18 Includes\HijackersC.sbi
    2006-10-27 Includes\Keyloggers.sbi
    2007-04-18 Includes\KeyloggersC.sbi
    2004-11-29 Includes\LSP.sbi
    2007-03-21 Includes\Malware.sbi
    2007-04-18 Includes\MalwareC.sbi
    2007-03-21 Includes\PUPS.sbi
    2007-04-18 Includes\PUPSC.sbi
    2007-04-18 Includes\Revision.sbi
    2006-12-08 Includes\Security.sbi
    2007-04-18 Includes\SecurityC.sbi
    2007-03-21 Includes\Spybots.sbi
    2007-04-18 Includes\SpybotsC.sbi
    2005-02-17 Includes\Tracks.uti
    2007-04-11 Includes\Trojans.sbi
    2007-04-18 Includes\TrojansC.sbi

    {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
    BHO name:
    CLSID name: Yahoo! Toolbar Helper
    description: Yahoo Companion!
    classification: Legitimate
    known filename: Ycomp*_*_*_*.dll
    info link: http://companion.yahoo.com/
    info source: TonyKlein
    Path: C:\Program Files\Yahoo!\Companion\Installs\cpn3\
    Long name: yt.dll
    Short name:
    Date (created): 04/11/2006 20:51:14
    Date (last access): 21/04/2007 21:32:10
    Date (last write): 29/09/2006 13:53:18
    Filesize: 440384
    Attributes: archive
    MD5: 045EFAAE4617C8883DFC840C6685C390
    CRC32: 06B9C4ED
    Version: 2006.9.29.1

    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
    BHO name:
    CLSID name: Adobe PDF Reader Link Helper
    description: Adobe Acrobat reader
    classification: Legitimate
    known filename: AcroIEhelper.ocx<br>AcroIEhelper.dll
    info link: http://www.adobe.com/products/acrobat/readstep2.html
    info source: TonyKlein
    Path: C:\Program Files\Adobe\Acrobat 7.0\ActiveX\
    Long name: AcroIEHelper.dll
    Short name: ACROIE~1.DLL
    Date (created): 18/12/2006 05:16:42
    Date (last access): 21/04/2007 21:54:54
    Date (last write): 18/12/2006 05:16:42
    Filesize: 59032
    Attributes: archive
    MD5: 4EA3A6CD9D20584FFAFDB1E47DBF0E20
    CRC32: 7B0A854F
    Version: 7.0.9.50

    {53707962-6F74-2D53-2644-206D7942484F} ()
    BHO name:
    CLSID name:
    description: Spybot-S&D IE Browser plugin
    classification: Legitimate
    known filename: SDhelper.dll
    info link: http://spybot.eon.net.au/
    info source: Patrick M. Kolla
    Path: C:\PROGRA~1\ANTI-V~1\SPYBOT~1\
    Long name: SDHelper.dll
    Short name:
    Date (created): 12/05/2004 01:03:00
    Date (last access): 21/04/2007 21:50:34
    Date (last write): 31/05/2005 01:04:00
    Filesize: 853672
    Attributes: archive
    MD5: 250D787A5712D7768DDC133B3E477759
    CRC32: D4589A41
    Version: 1.4.0.0

    {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
    BHO name:
    CLSID name: Windows Live Sign-in Helper
    Path: C:\Program Files\Common Files\Microsoft Shared\Windows Live\
    Long name: WindowsLiveLogin.dll
    Short name: WINDOW~1.DLL
    Date (created): 07/07/2006 12:29:52
    Date (last access): 21/04/2007 21:45:56
    Date (last write): 07/07/2006 12:29:52
    Filesize: 324416
    Attributes: archive
    MD5: 52A70C80A446FA3BBCDAF59A9AB26AF4
    CRC32: B1456034
    Version: 4.0.249.1

    {970D022E-A884-4D2A-BB4A-EBC22D2FEBD2} ()
    BHO name:
    CLSID name:
    Path: C:\WINDOWS\system32\
    Long name: cbxwtrq.dll
    Short name:
    Date (created): 10/04/2007 21:50:50
    Date (last access): 21/04/2007 21:29:40
    Date (last write): 10/04/2007 21:50:50
    Filesize: 26694
    Attributes: archive
    MD5: CBB2E98D616E28B832F3989B344E3E78
    CRC32: 6641482F

    {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
    BHO name:
    CLSID name: Google Toolbar Helper
    description: Google toolbar
    classification: Open for discussion
    known filename: googletoolbar.dll<br>googletoolbar*.dll<br>(* = number)<br>googletoolbar_en_*.**-big.dll<br>Googletoolbar_en_*.*.**-deleon.dll
    info link: http://toolbar.google.com/
    info source: TonyKlein
    Path: c:\program files\google\
    Long name: GoogleToolbar4.dll
    Short name: GOOGLE~4.DLL
    Date (created): 26/01/2007 08:47:14
    Date (last access): 21/04/2007 21:45:54
    Date (last write): 20/01/2007 00:55:32
    Filesize: 2403392
    Attributes: readonly archive
    MD5: 6319F2D4708DBCAE37CFA03DA10782C0
    CRC32: D51D8296
    Version: 4.0.1601.4978

    {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} (MSN Search Toolbar Helper)
    BHO name:
    CLSID name: MSN Search Toolbar Helper
    Path: C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\
    Long name: msntb.dll
    Short name:
    Date (created): 15/06/2005 20:02:08
    Date (last access): 21/04/2007 21:29:48
    Date (last write): 15/06/2005 20:02:08
    Filesize: 577232
    Attributes: archive
    MD5: 361B861B3975418B079D1C12B07D6A52
    CRC32: 22B1AA51
    Version: 2.5.0.1082

    {EDCBE08C-BA61-46FB-86E9-357247EC5A2E} ()
    BHO name:
    CLSID name:
    Path: C:\WINDOWS\system32\
    Long name: pmnnk.dll
    Short name:
    Date (created): 17/04/2007 19:56:38
    Date (last access): 21/04/2007 21:09:46
    Date (last write): 17/04/2007 19:56:40
    Filesize: 281172
    Attributes: hidden sysfile
    MD5: 8805ACDC7DA976A73F943CCFD1874849
    CRC32: E816CCBF

    System Processes:


    --- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

    2005-05-31 blindman.exe (1.0.0.1)
    2005-05-31 SpybotSD.exe (1.4.0.3)
    2005-05-31 TeaTimer.exe (1.4.0.2)
    2005-09-03 unins000.exe (51.41.0.0)
    2005-05-31 Update.exe (1.4.0.0)
    2007-04-18 advcheck.dll (1.5.1.0)
    2005-05-31 aports.dll (2.1.0.0)
    2005-05-31 borlndmm.dll (7.0.4.453)
    2005-05-31 delphimm.dll (7.0.4.453)
    2005-05-31 SDHelper.dll (1.4.0.0)
    2007-01-02 Tools.dll (2.0.1.0)
    2005-05-31 UnzDll.dll (1.73.1.1)
    2005-05-31 ZipDll.dll (1.73.2.0)
    2007-04-18 Includes\Cookies.sbi
    2006-12-08 Includes\Dialer.sbi
    2007-04-18 Includes\DialerC.sbi
    2007-04-04 Includes\Hijackers.sbi
    2007-04-18 Includes\HijackersC.sbi
    2006-10-27 Includes\Keyloggers.sbi
    2007-04-18 Includes\KeyloggersC.sbi
    2004-11-29 Includes\LSP.sbi
    2007-03-21 Includes\Malware.sbi
    2007-04-18 Includes\MalwareC.sbi
    2007-03-21 Includes\PUPS.sbi
    2007-04-18 Includes\PUPSC.sbi
    2007-04-18 Includes\Revision.sbi
    2006-12-08 Includes\Security.sbi
    2007-04-18 Includes\SecurityC.sbi
    2007-03-21 Includes\Spybots.sbi
    2007-04-18 Includes\SpybotsC.sbi
    2005-02-17 Includes\Tracks.uti
    2007-04-11 Includes\Trojans.sbi
    2007-04-18 Includes\TrojansC.sbi

    PID: 0 ( 0) [System]
    PID: 700 ( 4) \SystemRoot\System32\smss.exe
    PID: 756 ( 700) \??\C:\WINDOWS\system32\csrss.exe
    PID: 780 ( 700) \??\C:\WINDOWS\system32\winlogon.exe
    PID: 824 ( 780) C:\WINDOWS\system32\services.exe
    size: 108032
    MD5: C6CE6EEC82F187615D1002BB3BB50ED4
    PID: 836 ( 780) C:\WINDOWS\system32\lsass.exe
    size: 13312
    MD5: 84885F9B82F4D55C6146EBF6065D75D2
    PID: 1008 ( 824) C:\WINDOWS\system32\svchost.exe
    size: 14336
    MD5: 8F078AE4ED187AAABC0A305146DE6716
    PID: 1080 ( 824) C:\WINDOWS\system32\svchost.exe
    size: 14336
    MD5: 8F078AE4ED187AAABC0A305146DE6716
    PID: 1184 ( 824) C:\WINDOWS\System32\svchost.exe
    size: 14336
    MD5: 8F078AE4ED187AAABC0A305146DE6716
    PID: 1204 ( 824) C:\Program Files\Ahead\InCD\InCDsrv.exe
    size: 1192050
    MD5: 1C5622809694604167EF6EE991F4965E
    PID: 1292 ( 824) C:\WINDOWS\System32\svchost.exe
    size: 14336
    MD5: 8F078AE4ED187AAABC0A305146DE6716
    PID: 1444 ( 824) C:\WINDOWS\System32\svchost.exe
    size: 14336
    MD5: 8F078AE4ED187AAABC0A305146DE6716
    PID: 1608 ( 824) C:\WINDOWS\system32\spoolsv.exe
    size: 57856
    MD5: DA81EC57ACD4CDC3D4C51CF3D409AF9F
    PID: 404 ( 824) C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
    size: 36903
    MD5: A619A77C14E76AC387CF01288FF291DC
    PID: 420 ( 824) C:\WINDOWS\system32\crypserv.exe
    size: 52224
    MD5: 85A6662B5F12B84D599A74119F04B381
    PID: 448 ( 824) C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    size: 765952
    MD5: B09DF4AE62909CED13EB2DCDB612FAFE
    PID: 504 ( 824) C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
    size: 36947
    MD5: 237A88D8AF60024CB91CB5D7903B3CC9
    PID: 528 ( 504) C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
    size: 290304
    MD5: 8F78E6C547071B95D7D17F6D8B708926
    PID: 552 ( 824) C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
    size: 278581
    MD5: D12006C7A59CD32442344D411A4ECC40
    PID: 608 ( 528) C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
    size: 248320
    MD5: 3B4D0D6DAC74BC6CEBCA11F88EBB6528
    PID: 1140 ( 824) C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
    size: 61490
    MD5: A796880CED6D0849E0D8DFC35821D931
    PID: 1176 (1140) C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
    size: 180274
    MD5: 7DC7D1F5E4F27B13FA3954B848860D36
    PID: 1288 ( 824) C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    size: 322120
    MD5: 11F714F85530A2BD134074DC30E99FCA
    PID: 1348 (1140) C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
    size: 65585
    MD5: 872F3321742B9F679255BB9A031C4121
    PID: 1700 ( 824) C:\Program Files\Microsoft LifeCam\MSCamSvc.exe
    size: 187168
    MD5: 3FF58BEE45EF10F2FEEB6D2A64153E50
    PID: 1956 (1140) C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
    size: 270387
    MD5: F5937DD8CDFA5160D84B22C504B32806
    PID: 1972 (1140) C:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe
    size: 32826
    MD5: 69118DA5CACB250D06389287DDC1BF45
    PID: 2012 (1140) C:\Program Files\F-Secure Internet Security\Anti-Virus\fsrw.exe
    size: 159804
    MD5: E32C981D8CB776B68CEEAC49DC7D8273
    PID: 2028 (1140) C:\Program Files\F-Secure Internet Security\FSPC\fspc.exe
    size: 139319
    MD5: B7B424E203C526A93ADEBB871E3C0A3D
    PID: 2624 ( 824) C:\WINDOWS\System32\svchost.exe
    size: 14336
    MD5: 8F078AE4ED187AAABC0A305146DE6716
    PID: 2676 ( 824) C:\WINDOWS\system32\wdfmgr.exe
    size: 38912
    MD5: AB0A7CA90D9E3D6A193905DC1715DED0
    PID: 2720 ( 824) C:\WINDOWS\system32\UAService7.exe
    size: 126976
    MD5: 0EDFE36E05A62888EFF6D97AE494B2A5
    PID: 3004 (1140) C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
    size: 180224
    MD5: D680E8EF997361114DF93BB268CE3C63
    PID: 3368 ( 824) C:\Program Files\F-Secure Internet Security\FSPC\fshttps\fshttps.exe
    size: 61498
    MD5: AC51C2E22EC58223B3DA1154DD0484F4
    PID: 3408 ( 824) C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
    size: 204863
    MD5: C81474EFD014D51C8A1B17129F8D4DEB
    PID: 3720 ( 824) C:\WINDOWS\System32\alg.exe
    size: 44544
    MD5: F1958FBF86D5C004CF19A5951A9514B7
    PID: 3456 ( 824) C:\Program Files\iPod\bin\iPodService.exe
    size: 500800
    MD5: 661194608009B558DE1925C7EBE1A4BA
    PID: 11292 ( 824) C:\Program Files\MSN Messenger\usnsvc.exe
    size: 97136
    MD5: C5B70A6AA947667CE0E5FC84A05EC8B6
    PID: 12184 (26380) C:\WINDOWS\Explorer.EXE
    size: 1032192
    MD5: A0732187050030AE399B241436565E64
    PID: 18960 (12184) C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    size: 32768
    MD5: 915A106A2FB87292CEF0AD4F36ADF313
    PID: 16984 (12184) C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
    size: 49152
    MD5: 1D0F6AEACEDDDA839EEB6AF0E9DB9F9B
    PID: 23884 (12184) C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    size: 866816
    MD5: D40191AA225638AB20E59524CDD74030
    PID: 20200 (12184) C:\Program Files\Ahead\InCD\InCD.exe
    size: 1450096
    MD5: 833D5E9603947F735D5C264BAA6D255A
    PID: 26488 (12184) C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
    size: 75520
    MD5: EDF5D27C6D244740418903626DF5741A
    PID: 23040 (12184) C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    size: 180269
    MD5: 3CF6BFF887AF6F733473D81A8921A5C5
    PID: 26212 (12184) C:\Program Files\F-Secure Internet Security\FSGUI\ispnews.exe
    size: 356352
    MD5: 329F9DE88C88917E08F7F3D75704F23B
    PID: 6344 (12184) C:\WINDOWS\vVX3000.exe
    size: 994080
    MD5: B3D143EF670569CDF5A4C4E20B65B277
    PID: 28508 (20604) C:\WINDOWS\system32\ctfmon.exe
    size: 15360
    MD5: 24232996A38C0B0CF151C2140AE29FC8
    PID: 29204 (12184) C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
    size: 122929
    MD5: 855E795383BED05C481575BD0C1C0D37
    PID: 30296 (12184) C:\Program Files\QuickTime\qttask.exe
    size: 282624
    MD5: 30E1F03DCC8825988528D9058312EDE2
    PID: 13332 (29204) C:\PROGRA~1\F-SECU~1\ANTI-S~1\fsaw.exe
    size: 86064
    MD5: A38CCE2B6C770CC26755D790E0F59F10
    PID: 31304 (12184) C:\Program Files\iTunes\iTunesHelper.exe
    size: 257088
    MD5: B0E9EFADF04E9E25C0001B48757F3E71
    PID: 32056 (12184) C:\Program Files\Messenger\msmsgs.exe
    size: 1694208
    MD5: 74E6E96C6F0E2ECA4EDBB7F7A468F259
    PID: 3512 (29204) C:\Program Files\F-Secure Internet Security\FSGUI\fsguidll.exe
    size: 233537
    MD5: 63A3D48CFAFA534B2F48DAB91BD6B618
    PID: 30964 (12184) C:\Program Files\Anti-Virus, Computer Clean-up, Malware detectors, etc\Spybot - Search & Destroy\TeaTimer.exe
    size: 1415824
    MD5: 70496EEE0DDBE485F658693826F44D38
    PID: 24216 (12184) C:\Program Files\Exif Launcher\QuickDCF.exe
    size: 29696
    MD5: 57A47AC444416B9E34EA7C221D9CF994
    PID: 21572 (12184) C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
    size: 36903
    MD5: A619A77C14E76AC387CF01288FF291DC
    PID: 30608 (12184) C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
    size: 73728
    MD5: 2D7B847DA5E569ED4E0B15FEEFB8FCC4
    PID: 26512 (12184) C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    size: 53317
    MD5: 5232D76D86FD285F5FA3C7CC7AD45093
    PID: 31952 (1008) C:\Program Files\Common Files\Teleca Shared\Generic.exe
    size: 385024
    MD5: AC02CF51DCC71E97D1B602EE651518DB
    PID: 19560 (1008) C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
    size: 868352
    MD5: 9AE089DFD4A11FDA99F1CFA23C3D11F3
    PID: 28180 (12184) C:\Program Files\Anti-Virus, Computer Clean-up, Malware detectors, etc\Spybot - Search & Destroy\SpybotSD.exe
    size: 4393096
    MD5: 09CA174A605B480318731E691DC98539
    PID: 4 ( 0) System
    PID: 15200 (26488) C:\Program Files\Java\jre1.5.0_11\bin\jucheck.exe
    size: 251648
    MD5: 572BCED88BF2A1FBA0C2B10AC172F3DB
    PID: 18928 ( 448) C:\Program Files\Diskeeper Corporation\Diskeeper\DfrgNTFS.exe
    size: 466944
    MD5: 44B7BE07B30F5D178594CDC418203834
    PID: 27772 (12184) C:\Program Files\MSN Messenger\msnmsgr.exe
    size: 5674352
    MD5: C4281AD865739E71FD1E4DAC19A68D60
    PID: 24624 (12184) C:\Program Files\Mozilla Firefox\firefox.exe
    size: 7633008
    MD5: 7B4EFF333F1B963812F6BEDC06CA2758

  4. #4
    pskelley (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    Welcome to Safer Networking, if you still need help and are not receiving it elsewhere, it appears you have missed some important instructions our administrator has posted at the top of the forum, especially this: "BEFORE you POST" Mandatory Steps Before Requesting Assistance
    http://forums.spybot.info/showthread.php?t=288
    All advice given is taken at own risk.
    Please read and follow all instructions and post all required logs or reports, anything less will slow your process.
    Use "Post Reply" to post the information in the instructions and stay in the same topic.

    If it's Vundo, it's nasty and hard to remove. I will try to help, follow the directions.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  5. #5
    Junior Member
    Join Date
    Apr 2007
    Posts
    11

    Default

    I don't mean to sound rude or annoying, but this is very complicated for me - a 15 year old.
    I looked at the other link suggested, and Panda is plagued by WinAntivirus pop-ups. I want to run the check, though a WinAntivirus has the side bar occupied.
    I don't trust Panda, and I'm pretty sure I'll do something wrong.
    Correct me if I'm wrong:

    Put in an e-mail address; I'll just make up another one and use it.
    Click no in the Panda scan, and scan.
    Then post the log in here - then do nothing until you reply?

    I don't want to break anything, or screw my computer up, so is this what I need to do for the first step?
    I'm well confused.

  6. #6
    pskelley (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    I understand and suggest you may want to seek help from someone with more computer knowledge. Those are the instructions we use at this forum to get the information we need to help. If you are positive this is the Vundo trojan, then you may look at this self-help tutorial:

    http://forums.spybot.info/showthread.php?t=4394

    Sooner or later there are complex instructions that will need to be followed, this is not an easy infection to get rid of.

    I hope that helps

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  7. #7
    Junior Member
    Join Date
    Apr 2007
    Posts
    11

    Default

    Incident Status Location

    Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\mahycfva.dll
    Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\cbxwtrq.dll
    Spyware:spyware/virtumonde Not disinfected c:\windows\system32\ddaya.dll
    Spyware:spyware/betterinet Not disinfected c:\windows\system32\in10b6s.dll
    Dialer:dialer.db Not disinfected c:\windows\downloaded program files\msa64chk.inf
    Spyware:spyware/web3000 Not disinfected c:\windows\hh.ico
    Adware:adware/wupd Not disinfected Windows Registry
    Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Adrian Moore\Cookies\adrian_moore@com[1].txt
    Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Andrew Moore\Application Data\Mozilla\Firefox\Profiles\im304z16.default\cookies.txt[.atdmt.com/]
    Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Andrew Moore\Application Data\Mozilla\Firefox\Profiles\im304z16.default\cookies.txt[.adtech.de/]
    Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Andrew Moore\Application Data\Mozilla\Firefox\Profiles\im304z16.default\cookies.txt[.doubleclick.net/]
    Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Andrew Moore\Application Data\Mozilla\Firefox\Profiles\im304z16.default\cookies.txt[.mediaplex.com/]
    Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Andrew Moore\Application Data\Mozilla\Firefox\Profiles\im304z16.default\cookies.txt[.2o7.net/]
    Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Andrew Moore\Application Data\Mozilla\Firefox\Profiles\im304z16.default\cookies.txt[.bs.serving-sys.com/]
    Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Andrew Moore\Application Data\Mozilla\Firefox\Profiles\im304z16.default\cookies.txt[.burstnet.com/]
    Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Andrew Moore\Application Data\Mozilla\Firefox\Profiles\im304z16.default\cookies.txt[.questionmarket.com/]
    Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Andrew Moore\Application Data\Mozilla\Firefox\Profiles\im304z16.default\cookies.txt[.realmedia.com/]
    Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Andrew Moore\Application Data\Mozilla\Firefox\Profiles\im304z16.default\cookies.txt[.revenue.net/]
    Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Andrew Moore\Application Data\Mozilla\Firefox\Profiles\im304z16.default\cookies.txt[.serving-sys.com/]
    Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Andrew Moore\Application Data\Mozilla\Firefox\Profiles\im304z16.default\cookies.txt[.trafficmp.com/]
    Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Andrew Moore\Application Data\Mozilla\Firefox\Profiles\im304z16.default\cookies.txt[.tribalfusion.com/]
    Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Andrew Moore\Application Data\Mozilla\Firefox\Profiles\im304z16.default\cookies.txt[ad.yieldmanager.com/]
    Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Andrew Moore\Application Data\Mozilla\Firefox\Profiles\im304z16.default\cookies.txt[searchportal.information.com/]
    Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Andrew Moore\Cookies\andrew_moore@azjmp[1].txt
    Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\Uninstall My Web Search.dll
    Virus:Trj/Agent.CAV Disinfected C:\WINDOWS\Downloaded Program Files\miniclipGameLoader.dll
    Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\ddcdcyx.dll
    Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\idnuhwjp.dll
    Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\jxlqwkqb.dll
    Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\ngsyfnig.dll
    Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\qtemuqkc.dll
    Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\tetwbngq.dll
    Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\utslkajj.dll
    Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\vnrtvqon.dll
    Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\wyisnedl.dll
    Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\xjjmiubp.dll
    Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\yurigmvt.dll.bak

    I thought it was one or two problems, but Panda shows:

    1 Virus - disinfected
    34 Spyware
    1 Dialer
    1 Rootkit


    What do I do now? (Daft question, but you know - want to do it right)

  8. #8
    pskelley (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    OK, we are making progress and you do have a Vundo infection. You should keep this computer offline except when you are working on the troubleshooting. I need the HijackThis log and we will be able to get started removing the junk. Look at any of the other topics, they all include a HijackThis log. Read the "Before you Post" instructions again. Here are a few different looks at how to post a HJT log.
    http://forums.security-central.us/sh...d.php?t=112for
    http://russelltexas.com/malware/createhjtfolder.htm
    http://www.bleepingcomputer.com/forums/tutorial94.html

    This is a self-extracting download if that will help:
    Download a self-extracting copy of HijackThis from :-
    http://downloads.malwareremoval.com/hijackthis_sfx.exe
    1. save it to your Desktop.
    2. Double-click on the file hijackthis_sfx.exe and it will self-extract into its own folder,
    C:\Program Files\HijackThis
    3. Go to this folder and run the hijackthis.exe file
    4. click Do a system scan and save a logfile
    5. Copy & paste the logfile into your next post here...

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006
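The two things a helper looks for by hand in these logs are the unnamed BHO DLLs sitting in system32 with no version resource (the two "()" entries in the Spybot report above) and O4 Run entries that use rundll32 to load a random-named DLL from system32 (the shape of the HijackThis log pskelley asks for). As an added example, not from this thread and not part of Spybot or HijackThis, here is a small Python script that parses both formats and flags exactly those entries. The sample input is a constructed excerpt of the logs posted in this thread, and the "random lowercase name" rule is an assumption about how this family names its DLLs, not a Spybot or HijackThis feature.

```python
"""Added triage helper (not part of this thread or of Spybot/HijackThis).
Parses a Spybot-S&D BHO report and HijackThis O4 lines and flags the two
tells seen in this thread: an unnamed BHO DLL in system32 with no version
resource, and a Run entry that uses rundll32 to load a random-looking DLL
from system32."""
import re

# Constructed excerpt of the Spybot BHO report posted in this thread (two entries).
BHO_REPORT = r"""
{9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
BHO name:
CLSID name: Windows Live Sign-in Helper
Path: C:\Program Files\Common Files\Microsoft Shared\Windows Live\
Long name: WindowsLiveLogin.dll
Filesize: 324416
MD5: 52A70C80A446FA3BBCDAF59A9AB26AF4
Version: 4.0.249.1

{970D022E-A884-4D2A-BB4A-EBC22D2FEBD2} ()
BHO name:
CLSID name:
Path: C:\WINDOWS\system32\
Long name: cbxwtrq.dll
Filesize: 26694
Attributes: archive
MD5: CBB2E98D616E28B832F3989B344E3E78
"""

# Constructed excerpt of HijackThis O4 lines in the shape of the log in this thread.
HJT_LINES = r"""
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\yurigmvt.dll",setvm
O4 - HKLM\..\Run: [PrintDrive] rundll32.exe "C:\WINDOWS\system32\mahycfva.dll",setvm
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
"""

SYSTEM32 = "\\windows\\system32\\"   # compared against lower-cased paths below


def parse_bho_report(text):
    """Split the report into one dict per '{CLSID} (name)' block, 'field: value' pairs."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("{"):
            cur = {"clsid": line.split()[0]}
            entries.append(cur)
        elif cur is not None and ":" in line:
            key, _, value = line.partition(":")   # first colon only, so 'C:\' paths survive
            cur[key.strip()] = value.strip()
    return entries


def suspicious_bhos(entries):
    """Unnamed BHO (no CLSID name, no description), DLL in system32, no version resource."""
    flagged = []
    for e in entries:
        unnamed = not e.get("CLSID name") and not e.get("description")
        in_system32 = SYSTEM32 in e.get("Path", "").lower()
        if unnamed and in_system32 and "Version" not in e:
            flagged.append(e)
    return flagged


O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<export>\w+)', re.I)
RANDOM_STEM = re.compile(r"^[a-z]{5,9}$")   # assumption: random lowercase DLL stems, as in this thread


def suspicious_run_entries(log):
    """Return (value name, hive, dll basename, export) for rundll32 loads of random-named system32 DLLs."""
    hits = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        r = RUNDLL_RE.search(m.group("cmd"))
        if not r:
            continue
        dll = r.group("dll")
        base = dll.rsplit("\\", 1)[-1]
        if SYSTEM32 in dll.lower() and RANDOM_STEM.match(base[:-4]):
            hits.append((m.group("name"), m.group("hive"), base, r.group("export")))
    return hits


if __name__ == "__main__":
    for e in suspicious_bhos(parse_bho_report(BHO_REPORT)):
        print("BHO", e["clsid"], e["Path"] + e["Long name"], "MD5", e["MD5"])
    for name, hive, base, export in suspicious_run_entries(HJT_LINES):
        print("O4", hive, name, "->", base, export)
```

The script only points at candidates; the MD5 it prints for a flagged BHO is what you would check against a vendor's detection, and a hit in the Run key is worth noting because the DLL is re-registered at every logon, which is why deleting one BHO in Spybot did not stop the pop-ups.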

  9. #9
    Junior Member
    Join Date
    Apr 2007
    Posts
    11

    Default

    Logfile of HijackThis v1.99.1
    Scan saved at 21:27:11, on 23/04/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
    C:\WINDOWS\system32\crypserv.exe
    C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
    C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
    C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
    C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
    C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
    C:\Program Files\Microsoft LifeCam\MSCamSvc.exe
    C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fsrw.exe
    C:\Program Files\F-Secure Internet Security\FSPC\fspc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\UAService7.exe
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
    C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\F-Secure Internet Security\FSGUI\ispnews.exe
    C:\WINDOWS\vVX3000.exe
    C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\F-SECU~1\ANTI-S~1\fsaw.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\F-Secure Internet Security\FSGUI\fsguidll.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Anti-Virus, Computer Clean-up, Malware detectors, etc\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Exif Launcher\QuickDCF.exe
    C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
    C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\Common Files\Teleca Shared\Generic.exe
    C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
    C:\Program Files\Java\jre1.5.0_11\bin\jucheck.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
    O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
    O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
    O4 - HKLM\..\Run: [News Service] "C:\Program Files\F-Secure Internet Security\FSGUI\ispnews.exe"
    O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
    O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
    O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\F-Secure Internet Security\FSGUI\FSSW.EXE" /reboot
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\yurigmvt.dll",setvm
    O4 - HKLM\..\Run: [PrintDrive] rundll32.exe "C:\WINDOWS\system32\mahycfva.dll",setvm
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Anti-Virus, Computer Clean-up, Malware detectors, etc\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = ?
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
    O4 - Global Startup: F-Secure 2006.lnk = C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
    O4 - Global Startup: Image Transfer.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-gb\bin\WindowsSearch.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure Internet Security\Anti-Spyware\blockpopups.htm
    O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll/search.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\FSPC\fspcmsie.dll
    O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\F-Secure Internet Security\FSPC\fspcmsie.dll
    O9 - Extra 'Tools' menuitem: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\F-Secure Internet Security\FSPC\fspcmsie.dll
    O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll
    O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing
    O11 - Options group: [INTERNATIONAL] International*
    O12 - Plugin for .csm: C:\Program Files\Internet Explorer\Plugins\npchime.dll
    O12 - Plugin for .csml: C:\Program Files\Internet Explorer\Plugins\npchime.dll
    O12 - Plugin for .cub: C:\Program Files\Internet Explorer\Plugins\npchime.dll
    O12 - Plugin for .cube: C:\Program Files\Internet Explorer\Plugins\npchime.dll
    O12 - Plugin for .dx: C:\Program Files\Internet Explorer\Plugins\npchime.dll
    O12 - Plugin for .emb: C:\Program Files\Internet Explorer\Plugins\npchime.dll
    O12 - Plugin for .embl: C:\Program Files\Internet Explorer\Plugins\npchime.dll
    O12 - Plugin for .gau: C:\Program Files\Internet Explorer\Plugins\npchime.dll
    O12 - Plugin for .jdx: C:\Program Files\Internet Explorer\Plugins\npchime.dll
    O12 - Plugin for .mol: C:\Program Files\Internet Explorer\Plugins\npchime.dll
    O12 - Plugin for .mop: C:\Program Files\Internet Explorer\Plugins\npchime.dll
    O12 - Plugin for .pdb: C:\Program Files\Internet Explorer\Plugins\npchime.dll
    O12 - Plugin for .rxn: C:\Program Files\Internet Explorer\Plugins\npchime.dll
    O12 - Plugin for .scr: C:\Program Files\Internet Explorer\Plugins\npchime.dll
    O12 - Plugin for .skc: C:\Program Files\Internet Explorer\Plugins\npchime.dll
    O12 - Plugin for .spt: C:\Program Files\Internet Explorer\Plugins\npchime.dll
    O12 - Plugin for .tgf: C:\Program Files\Internet Explorer\Plugins\npchime.dll
    O12 - Plugin for .xyz: C:\Program Files\Internet Explorer\Plugins\npchime.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
    O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/...gameloader.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
    O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
    O16 - DPF: {A243F6C2-34D2-4549-BCCD-A7BEF759B236} (Seekford Solutions, Inc.'s ssiPictureUploader Control) - http://img.funtigo.com/images/upload...reUploader.cab
    O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - http://a248.e.akamai.net/f/248/5462/...l/SymDlBrg.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab55579.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://cambridgesoft.webex.com/clie...ex/ieatgpc.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
    O23 - Service: F-Secure 2006 (BackWeb Plug-in - 4476822) - F-Secure Internet Security 2005 - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
    O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
    O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
    O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FSPC\fshttps\fshttps.exe
    O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

    What now?
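
The log above, worked into an added example that is not from the thread, from HijackThis or from VundoFix: a small Python triage script over a subset of those O4/O10/O23 lines, re-implementing the checks a helper makes by eye. It flags rundll32.exe loading a random-looking DLL name from system32, two or more such DLLs sharing one export (the rotating-DLL layout visible in the SoundService/PrintDrive entries), services with "Unknown owner" or "(file missing)", and O10 LSP breakage. The allowlist, the consonant-run threshold and the wording of the reasons are assumptions; the script reports and removes nothing.

```python
"""Triage heuristics over HijackThis-style log lines.

Added example: this is not code from the thread, from HijackThis or from
VundoFix. It re-implements the checks a forum helper makes by eye:

  * O4 Run entries where rundll32.exe loads a DLL from system32 whose
    name looks random, and two or more such DLLs sharing one export;
  * O23 services reported with "Unknown owner" or "(file missing)";
  * O10 Winsock LSP breakage.

SAMPLE_LOG is a subset of the log posted above. KNOWN_RUNDLL_TARGETS,
MIN_CONSONANT_RUN and the reason strings are assumptions. The script
only reports; it deletes nothing.
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\yurigmvt.dll",setvm
O4 - HKLM\..\Run: [PrintDrive] rundll32.exe "C:\WINDOWS\system32\mahycfva.dll",setvm
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
""".strip().splitlines()

# Assumed allowlist of DLLs that vendors legitimately start via rundll32.
KNOWN_RUNDLL_TARGETS = {"nvcpl", "nvmctray", "shell32", "advpack", "bthprops", "igfxpph"}
MIN_CONSONANT_RUN = 4  # assumed threshold for "looks random"

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<export>\w+)', re.I)
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.*?) - (?P<owner>.*?) - (?P<path>.*)$")


def stem_of(path):
    """Lower-case file name without directory or extension."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name.rsplit(".", 1)[0]


def longest_consonant_run(s):
    """Length of the longest run of non-vowel characters (y counts as consonant)."""
    run = best = 0
    for ch in s:
        run = run + 1 if ch not in "aeiou" else 0
        best = max(best, run)
    return best


def looks_random(stem):
    """Pure lower-case letters, not allowlisted, with a long consonant run."""
    return (re.fullmatch(r"[a-z]{6,12}", stem) is not None
            and stem not in KNOWN_RUNDLL_TARGETS
            and longest_consonant_run(stem) >= MIN_CONSONANT_RUN)


def triage(lines):
    """Return (line, reason) pairs for entries that deserve a closer look."""
    findings = []
    by_export = defaultdict(list)  # export name -> [(line, dll stem)]
    for line in (l.strip() for l in lines):
        m = O4_RE.match(line)
        if m:
            r = RUNDLL_RE.search(m.group("cmd"))
            if r:
                stem = stem_of(r.group("dll"))
                by_export[r.group("export").lower()].append((line, stem))
                if "\\system32\\" in r.group("dll").lower() and looks_random(stem):
                    findings.append((line, "rundll32 loads random-named DLL from system32: " + stem))
            continue
        m = O23_RE.match(line)
        if m:
            if m.group("owner").lower() == "unknown owner":
                findings.append((line, "service with unknown owner: " + m.group("svc")))
            if "(file missing)" in m.group("path"):
                findings.append((line, "service binary missing: " + m.group("svc")))
            continue
        if line.startswith("O10 - "):
            findings.append((line, "Winsock LSP chain broken: repair the catalog, do not just delete the entry"))
    # Second pass: distinct, non-allowlisted DLLs that share one export name.
    for export, entries in by_export.items():
        stems = {s for _, s in entries if s not in KNOWN_RUNDLL_TARGETS}
        if len(stems) >= 2:
            for line, stem in entries:
                if stem in stems:
                    findings.append((line, "export %r shared by %d distinct DLLs (rotating-DLL pattern)"
                                     % (export, len(stems))))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print("%-70s <- %s" % (reason, line))
```

Run it as-is to triage the embedded sample, or pass `open(path).read().splitlines()` to `triage()` for a full log. Treat the output as a review list, not a removal list: a copy-protection service with "Unknown owner" and a leftover uninstalled updater both land on it, and the O10 line calls for repairing the LSP chain rather than deleting the entry.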

  10. #10
    In Memoriam - Always in our heart
    pskelley
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    This one is hard to remove but you can do it if you follow the directions:
    Here is some information about the junk you can view later if you wish:
    http://www.networkworld.com/news/200...-unravels.html
    http://www.youtube.com/watch?v=zBUZHiKhsog


    Please understand these hackers can call their junk anything they wish. Vundofix may not know the files at first, but it will learn. You want to run the fix until you see all Vundo files say: "Has been deleted"

    Thanks to Atribune and any others who helped with this fix.

    Please download VundoFix.exe to your desktop
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

    (This part is important: if there are files that Vundofix can't remove, then click the link and follow the directions to upload the files. Atribune will add them to the fix and a while later you will be able to kill the junk. If Vundofix is able to delete everything, follow the directions.)

    If there is a file VundoFix doesn't find, we need it submitted. Please submit the files to Upload Malware: http://www.uploadmalware.com

    I need to see the Vundofix report and a new HJT log.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006
