A cry for help

[FadenCypher]

I believe this Trojan is called Vundo or something along those lines as i have seen others who have had problems with it... But I believe I have sveral infections as Nod32 keepsinforming me of attempts by Trojans of the name Win32 Agent BCK, and Win32 Trojan Small Downloader, or something along thos lines. And Spybot keeps telling me about a search indexer trying to change the registry with a random named .dll, and something about sittypnow ... I know it's not legitimate so I 've denied the change each time... and I've tried several anti-virus/anti-spyware programs (Adaware, Spybot S&D, Nod32, XoftspySE, Some form of Norton antivirus, and Spydoctor, and even the Vundo Remover from symantec.) to try and remove it, yet they all leave me with the Trojans all coming back, so any help in removing this Trojan would be greatly appreciated. As this is getting rather frustrating...

Normally I wouldn't ask for help as usually I am able to figure out how to fix them on my own.. but... in this case I guess I'm just not experienced enough.

So any help would be greatly appreciated...

VVVVV Hijack this results (Renamed Hijackthis to Something.exe) VVVVV


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:25:33 AM, on 10/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Spyware Doctor\SDLoader.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\Something.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: (no name) - {C8D7B2DD-349F-43EC-B6EB-BC44D32DE2AF} - C:\WINDOWS\system32\jkhfc.dll
O2 - BHO: (no name) - {FC5A4B04-1B92-4D88-8423-A1DBC662BAE9} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MP10_EnsureFileVer] C:\WINDOWS\inf\unregmp2.exe /EnsureFileVersions
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\kunfmbld.dll",sitypnow
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Sin Azrael\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/.../GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1188933106689
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://fadencypher.spaces.live.com/P...d/MsnPUpld.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O20 - Winlogon Notify: xxyaxvw - xxyaxvw.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 6698 bytes





-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, October 11, 2007 10:13:42 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 12/10/2007
Kaspersky Anti-Virus database records: 431180
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics:
Total number of scanned objects: 84260
Number of viruses found: 5
Number of infected objects: 12
Number of suspicious objects: 0
Duration of the scan process: 01:07:44

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Sin Azrael\Application Data\Mozilla\Firefox\Profiles\9twvn53e.default\cert8.db Object is locked skipped
C:\Documents and Settings\Sin Azrael\Application Data\Mozilla\Firefox\Profiles\9twvn53e.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Sin Azrael\Application Data\Mozilla\Firefox\Profiles\9twvn53e.default\history.dat Object is locked skipped
C:\Documents and Settings\Sin Azrael\Application Data\Mozilla\Firefox\Profiles\9twvn53e.default\key3.db Object is locked skipped
C:\Documents and Settings\Sin Azrael\Application Data\Mozilla\Firefox\Profiles\9twvn53e.default\parent.lock Object is locked skipped
C:\Documents and Settings\Sin Azrael\Application Data\Mozilla\Firefox\Profiles\9twvn53e.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Sin Azrael\Application Data\Mozilla\Firefox\Profiles\9twvn53e.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Sin Azrael\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Sin Azrael\Desktop\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Sin Azrael\Desktop\SmitfraudFix.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Sin Azrael\Local Settings\Application Data\Microsoft\Messenger\Idiom_Cypher@hotmail.com\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
C:\Documents and Settings\Sin Azrael\Local Settings\Application Data\Microsoft\Messenger\Idiom_Cypher@hotmail.com\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\Sin Azrael\Local Settings\Application Data\Microsoft\Messenger\Idiom_Cypher@hotmail.com\SharingMetadata\Working\database_7004_7FAC_47F_7446\dfsr.db Object is locked skipped
C:\Documents and Settings\Sin Azrael\Local Settings\Application Data\Microsoft\Messenger\Idiom_Cypher@hotmail.com\SharingMetadata\Working\database_7004_7FAC_47F_7446\fsr.log Object is locked skipped
C:\Documents and Settings\Sin Azrael\Local Settings\Application Data\Microsoft\Messenger\Idiom_Cypher@hotmail.com\SharingMetadata\Working\database_7004_7FAC_47F_7446\fsrtmp.log Object is locked skipped
C:\Documents and Settings\Sin Azrael\Local Settings\Application Data\Microsoft\Messenger\Idiom_Cypher@hotmail.com\SharingMetadata\Working\database_7004_7FAC_47F_7446\tmp.edb Object is locked skipped
C:\Documents and Settings\Sin Azrael\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Sin Azrael\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Sin Azrael\Local Settings\Application Data\Microsoft\Windows Live Contacts\Idiom_Cypher@hotmail.com\real\members.stg Object is locked skipped
C:\Documents and Settings\Sin Azrael\Local Settings\Application Data\Microsoft\Windows Live Contacts\Idiom_Cypher@hotmail.com\shadow\members.stg Object is locked skipped
C:\Documents and Settings\Sin Azrael\Local Settings\Application Data\Mozilla\Firefox\Profiles\9twvn53e.default\Cache\633285D9d01/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Sin Azrael\Local Settings\Application Data\Mozilla\Firefox\Profiles\9twvn53e.default\Cache\633285D9d01 ZIP: infected - 1 skipped
C:\Documents and Settings\Sin Azrael\Local Settings\Application Data\Mozilla\Firefox\Profiles\9twvn53e.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Sin Azrael\Local Settings\Application Data\Mozilla\Firefox\Profiles\9twvn53e.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Sin Azrael\Local Settings\Application Data\Mozilla\Firefox\Profiles\9twvn53e.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Sin Azrael\Local Settings\Application Data\Mozilla\Firefox\Profiles\9twvn53e.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Sin Azrael\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Sin Azrael\Local Settings\Temp\~DF5602.tmp Object is locked skipped
C:\Documents and Settings\Sin Azrael\Local Settings\Temp\~DF5641.tmp Object is locked skipped
C:\Documents and Settings\Sin Azrael\Local Settings\Temp\~DFCCF6.tmp Object is locked skipped
C:\Documents and Settings\Sin Azrael\Local Settings\Temp\~DFE8D9.tmp Object is locked skipped
C:\Documents and Settings\Sin Azrael\Local Settings\Temp\~DFE97B.tmp Object is locked skipped
C:\Documents and Settings\Sin Azrael\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Sin Azrael\ntuser.dat Object is locked skipped
C:\Documents and Settings\Sin Azrael\ntuser.dat.LOG Object is locked skipped
C:\Program Files\ESET\cache\CACHE.NDB Object is locked skipped
C:\Program Files\ESET\infected\2VT3Z5BA.NQF Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\Program Files\ESET\infected\E00OFGAA.NQF Infected: Trojan.Win32.Agent.bck skipped
C:\Program Files\ESET\infected\HXPOMKCA.NQF Infected: Trojan.Win32.Agent.bck skipped
C:\Program Files\ESET\infected\OII0WSCA.NQF Infected: Trojan.Win32.Agent.bck skipped
C:\Program Files\ESET\logs\virlog.dat Object is locked skipped
C:\Program Files\ESET\logs\warnlog.dat Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\Default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Sam Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\Security Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\Software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\System Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped
C:\WINDOWS\system32\sim7\isrven2.exe/stream/data0002 Infected: not-a-virus:Downloader.Win32.Agent.q skipped
C:\WINDOWS\system32\sim7\isrven2.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.AdBand.a skipped
C:\WINDOWS\system32\sim7\isrven2.exe/stream Infected: not-a-virus:AdWare.Win32.AdBand.a skipped
C:\WINDOWS\system32\sim7\isrven2.exe NSIS: infected - 3 skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.




PLEASE HELP

[FadenCypher]

Oh and I've tried running them all in safe mode as well..

[pskelley]

Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

The Waiting Room
http://forums.spybot.info/forumdisplay.php?f=37

I apologize for the wait, seems you missed the link above. If you have not resolved your problems, post a new HJT log and I will take a look. Please make sure you read the directions and that "Word Wrap" is turned off in notepad, appears it was on when you last posted.

Thanks

[tashi]

This topic has been archived.

If you need it re-opened, please send me a private message (pm) and provide a link to the thread.

Applies only to the original poster, anyone else with similar problems please start a new topic.