Need help removing Vundo and Chisyne...



mriffe
2007-07-22, 05:28
Howdy!

My troubles began Thursday 19 July or at the very least became really obvious. I had received email on 18 July from my ISP that one of my accounts was identified as having sent numerous spam messages. After some searching I was able to configure my machine to send email once again. Because I have AVG Anti-Virus, Free Edition installed I started noticing frequent SMTP-related 'Connecting...' messages. I frowned and disabled SMTP access.

I then ran AD-Aware only to discover it was out of date; I frowned some more. I don't remember what it found but I removed what it detected. I then ran Spybot S&D; I installed all the updates and frowned a lot when it detected Virtumonde and I read how this trojan morphs itself. I didn't realize then that this would be quite a battle.

I tried to remove it on my own (obviously it didn't work :red:). I did download VundoFix and VirtumundoBegone (I deleted the logs because I would like to receive authoritative help - I clearly didn't/don't know what I'm doing) and ran them several times. True to form the trojan morphed and moved on. Plus, having the Spybot Resident program automatically deny the creation of a BHO and a Winlogon Service is visually annoying.

In a fit of overreacting I installed AVG Anti-Spyware, COMODO Firewall Pro, and COMODO BOClean Malware detector. At least with the Firewall I can prevent suspicious outgoing connections. I digress.

I then found this forum - Thank you very much for helping others and, hopefully for helping me.

So having read the BEFORE you POST thread, I was able to run the eTrust Antivirus Web Scan. I could not find where I could save the results to a log file so I saved the entire web page as a text file; I've pasted in the information on the viruses it found:

========== eTrust Antivirus Scan Results ==========
Virus scan finished. 17 viruses found.
Scan Results: 243093 files scanned. 17 viruses were detected.

File                                               Infection                Status    Path
SecurityClassLoader.class-2c965182-6b0e45ef.class  HTML/ByteVerify!exploit  infected  C:\Documents and Settings\root\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\
CAVYYLF3                                           Win32/Vundo!generic      infected  C:\Documents and Settings\root\Local Settings\Temporary Internet Files\Content.IE5\GJ8JYBY7\
CATK655Z                                           Win32/Vundo!generic      infected  C:\Documents and Settings\root\Local Settings\Temporary Internet Files\Content.IE5\RVT942FY\
CAKPO1SV                                           Win32/Vundo!generic      infected  C:\Documents and Settings\root\Local Settings\Temporary Internet Files\Content.IE5\XYZRSB34\
A0234155.dll                                       Win32/Chisyne!generic    infected  C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1437\
A0234969.dll                                       Win32/Vundo!generic      infected  C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1445\
A0235006.dll                                       Win32/Vundo!generic      infected  C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1445\
A0235007.dll                                       Win32/Chisyne!generic    infected  C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1445\
ddcawww.dll                                        Win32/Chisyne!generic    infected  C:\WINDOWS\SYSTEM32\
pmkjj.dll.vir                                      Win32/Vundo!generic      infected  C:\WINDOWS\SYSTEM32\
pmnkiih.dll                                        Win32/Chisyne!generic    infected  C:\WINDOWS\SYSTEM32\
qomjiif.dll                                        Win32/Chisyne!generic    infected  C:\WINDOWS\SYSTEM32\
qomlljg.dll                                        Win32/Chisyne!generic    infected  C:\WINDOWS\SYSTEM32\
ssqnlli.dll.vir                                    Win32/Chisyne!generic    infected  C:\WINDOWS\SYSTEM32\
ssttq.dll                                          Win32/Vundo!generic      infected  C:\WINDOWS\SYSTEM32\
xxyyxvu.dll                                        Win32/Chisyne!generic    infected  C:\WINDOWS\SYSTEM32\
yayyvwt.dll                                        Win32/Chisyne!generic    infected  C:\WINDOWS\SYSTEM32\
========== eTrust Antivirus Scan Results ==========

I ran Spybot S&D in Safe Mode and it detected a PrintSpooler Trojan. It reported it had fixed the problem. I ran Spybot S&D a second time and it detected nothing.

I then ran HiJackThis. I have copied in the log:

========== HiJackThis Results Log ==========
Logfile of HijackThis v1.99.1
Scan saved at 21:47:54, on 7/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Tools\D-Tools\daemon.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\cydnlsma.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\system32\svclogon.exe
C:\PROGRA~1\Comodo\CBOClean\BOC424.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\j2 Messenger Plus 3.3\J2GDllCmd.exe
C:\Program Files\j2 Messenger Plus 3.3\J2GTray.exe
C:\Tools\AnalogX\ITR\itrc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
c:\temp\death\HijackThis.exe
C:\WINDOWS\system32\cidaemon.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Tools\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [cydnlsma] C:\WINDOWS\system32\cydnlsma.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [BOC-424] C:\PROGRA~1\Comodo\CBOClean\BOC424.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [Gadwin PrintScreen 3.5] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: ITR Client.lnk = C:\Tools\AnalogX\ITR\itrc.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: j2 Live Menu 3.3.lnk = C:\Program Files\j2 Messenger Plus 3.3\J2GDllCmd.exe
O4 - Global Startup: j2 Tray Menu 3.3.lnk = C:\Program Files\j2 Messenger Plus 3.3\J2GTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.comcastsupport.com/Oneclickfix/tgctlsr.cab
O16 - DPF: {11865A2A-649F-4FA1-8B99-B97DF8070B7C} (IWSystemchecks Control) - http://rwd.interwise.com/rwd/English/ActiveX/IWsystemchecks.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {37775067-8350-11D4-A7DA-00C04F14FB69} (PVCS Tracker I-NET Client for MSIE) - http://tracker.rwd.com/trackdoc/trkpm660ie.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Windows Device Host Service (AVPWM) - Unknown owner - C:\WINDOWS\system32\mui\avpsvc.exe (file missing)
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Atlassian Confluence (confluence) - Apache Software Foundation - C:\Tools\confluence-2.2.9-std\bin\tomcat5.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Unknown owner - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe (file missing)
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Fisheye - Unknown owner - C:\Tools\fisheye-1.1\wrapper\bin\Wrapper.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Atlassian Jira (jira) - Apache Software Foundation - C:\Tools\jira-3.6.5-std\bin\tomcat5.exe
O23 - Service: Print Spooler Service (lrui41yrea2c2a0d) - Unknown owner - C:\WINDOWS\system32\cydnlsma.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Windows Logon Management (WLMSVS) - Unknown owner - C:\WINDOWS\system32\svclogon.exe
========== HiJackThis Results Log ==========

As an additional point of worry, I have a file on my machine, C:\WINDOWS\System32\cydnlsma.exe, that I am blocking from making SMTP connections. Google did not return any results for this file name.

Plus, I am now at the point where none of the tools detect what was found by the eTrust scan.

Please let me know if I have missed something.

Patiently waiting,
Mel Riffe

Shaba
2007-07-22, 12:16
Hi mriffe

Rename HijackThis.exe to scanner.exe and post back a fresh HijackThis log, please :)

mriffe
2007-07-22, 17:04
G'Morning Shaba,

I renamed HiJackThis.exe to scanner.exe and created a fresh log file:

========== HiJackThis Results Log ==========
Logfile of HijackThis v1.99.1
Scan saved at 09:48:24, on 7/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Tools\D-Tools\daemon.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\cydnlsma.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\system32\svclogon.exe
C:\PROGRA~1\Comodo\CBOClean\BOC424.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\j2 Messenger Plus 3.3\J2GDllCmd.exe
C:\Program Files\j2 Messenger Plus 3.3\J2GTray.exe
C:\Tools\AnalogX\ITR\itrc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\PROGRA~1\MOZILL~2\FIREFOX.EXE
C:\Temp\death\scanner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {352A0792-4C2D-401A-A4E2-BDBEFF619471} - C:\WINDOWS\system32\ssttq.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {720C84C1-BCCB-4B5B-964C-B2E8923C7C24} - C:\WINDOWS\system32\awvvw.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: MSEvents Object - {7BC60C5A-192C-4EF7-9118-17B0FE30143C} - C:\WINDOWS\system32\pmkjj.dll (file missing)
O2 - BHO: MSEvents Object - {A6C98AD3-5AA5-4CF9-8D0B-E48916973961} - C:\WINDOWS\system32\pmnno.dll (file missing)
O2 - BHO: MSEvents Object - {BCD9E66E-CC47-432F-9D70-FDD66BC8E29F} - C:\WINDOWS\system32\pmkhh.dll (file missing)
O2 - BHO: MSEvents Object - {DCD53738-C4F9-414A-A03C-C7405A4AC844} - C:\WINDOWS\system32\xxyyxvu.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Tools\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [cydnlsma] C:\WINDOWS\system32\cydnlsma.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [BOC-424] C:\PROGRA~1\Comodo\CBOClean\BOC424.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [Gadwin PrintScreen 3.5] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: ITR Client.lnk = C:\Tools\AnalogX\ITR\itrc.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: j2 Live Menu 3.3.lnk = C:\Program Files\j2 Messenger Plus 3.3\J2GDllCmd.exe
O4 - Global Startup: j2 Tray Menu 3.3.lnk = C:\Program Files\j2 Messenger Plus 3.3\J2GTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.comcastsupport.com/Oneclickfix/tgctlsr.cab
O16 - DPF: {11865A2A-649F-4FA1-8B99-B97DF8070B7C} (IWSystemchecks Control) - http://rwd.interwise.com/rwd/English/ActiveX/IWsystemchecks.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {37775067-8350-11D4-A7DA-00C04F14FB69} (PVCS Tracker I-NET Client for MSIE) - http://tracker.rwd.com/trackdoc/trkpm660ie.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: khfcddd - khfcddd.dll (file missing)
O20 - Winlogon Notify: pmkhh - C:\WINDOWS\system32\pmkhh.dll (file missing)
O20 - Winlogon Notify: pmkjj - C:\WINDOWS\system32\pmkjj.dll (file missing)
O20 - Winlogon Notify: pmnno - C:\WINDOWS\system32\pmnno.dll (file missing)
O20 - Winlogon Notify: ssqnlli - ssqnlli.dll (file missing)
O20 - Winlogon Notify: ssttq - C:\WINDOWS\system32\ssttq.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: xxyyxvu - C:\WINDOWS\SYSTEM32\xxyyxvu.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Windows Device Host Service (AVPWM) - Unknown owner - C:\WINDOWS\system32\mui\avpsvc.exe (file missing)
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Atlassian Confluence (confluence) - Apache Software Foundation - C:\Tools\confluence-2.2.9-std\bin\tomcat5.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Unknown owner - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe (file missing)
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Fisheye - Unknown owner - C:\Tools\fisheye-1.1\wrapper\bin\Wrapper.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Atlassian Jira (jira) - Apache Software Foundation - C:\Tools\jira-3.6.5-std\bin\tomcat5.exe
O23 - Service: Print Spooler Service (lrui41yrea2c2a0d) - Unknown owner - C:\WINDOWS\system32\cydnlsma.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Windows Logon Management (WLMSVS) - Unknown owner - C:\WINDOWS\system32\svclogon.exe
========== HiJackThis Results Log ==========

Since logging on and producing the log file and posting to this thread, I have seen the following events:

- Spybot Resident Alert for a new BHO - I denied the change
- Spybot Resident Alert regarding icq.com and RunDLL - I denied the change
- Random IE pop-up; coincided with opening FF; didn't get URL
- Random IE pop-up; URL to abcsearch [dot] com
- Random IE pop-up; URL to jack9 [dot] com

Firefox is my default browser so it is very apparent things are not right when IE pops up. :)

I will be periodically checking this thread throughout the day - I have errands to run.

Thanks for the Help.

Mel
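
The log above is the kind a helper reads by eye: unnamed or "MSEvents Object" BHOs in system32 or marked "(file missing)", Winlogon Notify packages with random five-to-eight-letter names, services with "Unknown owner" whose binary sits in the Windows directory under a Windows-sounding display name, and a Run key pointing at the same binary as one of those services. As an added example (my own code, not anything posted in this thread and not part of HijackThis), the Python below applies exactly those checks to a handful of lines copied from the second log. The Winlogon Notify allowlist, the "random-looking name" regex and the reading of "C:\Program.exe (file missing)" as an unquoted service ImagePath that HijackThis truncated at the first space are my assumptions, not facts from the page; the embedded sample is constructed from the posted lines so the script runs offline.

```python
import re
from pathlib import PureWindowsPath

# Winlogon Notify packages expected on a stock XP SP2 box plus the Intel display
# driver seen in this log (assumed allowlist; extend it for drivers you trust).
NOTIFY_ALLOW = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon", "igfxcui"}
RANDOM_DLL = re.compile(r"^[a-z]{5,8}\.dll$")   # Vundo-style names (heuristic only)
WINDIR = re.compile(r"^c:\\windows\\", re.I)
MISSING = "(file missing)"

# Constructed sample: a handful of lines copied from the second log in the thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {352A0792-4C2D-401A-A4E2-BDBEFF619471} - C:\WINDOWS\system32\ssttq.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: MSEvents Object - {7BC60C5A-192C-4EF7-9118-17B0FE30143C} - C:\WINDOWS\system32\pmkjj.dll (file missing)
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [cydnlsma] C:\WINDOWS\system32\cydnlsma.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: khfcddd - khfcddd.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: xxyyxvu - C:\WINDOWS\SYSTEM32\xxyyxvu.dll
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Print Spooler Service (lrui41yrea2c2a0d) - Unknown owner - C:\WINDOWS\system32\cydnlsma.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Windows Logon Management (WLMSVS) - Unknown owner - C:\WINDOWS\system32\svclogon.exe
"""


def parse(log_text):
    """Yield (section, body) for each 'R0/O2/O23 ...' line; other lines are ignored."""
    for line in log_text.splitlines():
        m = re.match(r"^([RFO]\d+) - (.*)$", line.strip())
        if m:
            yield m.group(1), m.group(2)


def _last_path(body):
    """Split the final ' - ' field of an entry into (path, file_missing)."""
    field = body.rsplit(" - ", 1)[-1]
    return field.replace(MISSING, "").strip(), field.endswith(MISSING)


def _o4_target(body):
    """Executable named by an O4 Run entry, quoted or not (None for .lnk-only lines)."""
    m = re.search(r'\] "([^"]+)"|\] (\S+)', body)
    return (m.group(1) or m.group(2)) if m else None


def triage(log_text):
    """Return [(section, reason, entry)] for entries that trip a heuristic."""
    entries = list(parse(log_text))
    findings, bad_bins = [], set()
    for sec, body in entries:
        if sec not in ("O2", "O20", "O23"):
            continue
        path, missing = _last_path(body)
        fname = PureWindowsPath(path).name.lower()
        tag = " (random-looking name)" if RANDOM_DLL.match(fname) else ""
        if sec == "O23":
            if " - Unknown owner - " in body and WINDIR.match(path):
                findings.append((sec, "unknown-owner service binary under the Windows directory", body))
                bad_bins.add(fname)
            elif path.lower() == r"c:\program.exe":
                # Assumed: HJT prints an unquoted ImagePath with spaces truncated this way.
                findings.append((sec, "ImagePath truncated at a space: probably unquoted", body))
        elif sec == "O20":
            pkg = body.split(" - ")[0].split(": ", 1)[1].lower()
            if pkg not in NOTIFY_ALLOW:
                findings.append((sec, "Winlogon Notify package not in allowlist" + tag, body))
        elif sec == "O2":
            label = body.split(" - ")[0]
            if label in ("BHO: (no name)", "BHO: MSEvents Object") and (missing or "\\system32\\" in path.lower()):
                findings.append((sec, "unnamed BHO in system32 or missing" + tag, body))
    # Second pass: a Run key that points at the same binary as a flagged service
    # (cydnlsma.exe is both a service and a Run entry in the posted log).
    for sec, body in entries:
        target = _o4_target(body) if sec == "O4" else None
        if target and PureWindowsPath(target).name.lower() in bad_bins:
            findings.append((sec, "Run key shares its binary with a flagged service", body))
    return findings


if __name__ == "__main__":
    for sec, reason, body in triage(SAMPLE_LOG):
        print(f"{sec:4} {reason}: {body}")
```

On the sample this yields eight findings and stays quiet on the Adobe and Spybot BHOs, the Intel and WGA notify packages, hkcmd.exe and the COMODO service. It is a triage aid, not a verdict: an allowlist miss is a prompt to look the entry up, and a clean pass says nothing about what a rootkit has hidden from HijackThis.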

Shaba
2007-07-22, 17:30
Hi

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)

When Should I Format, How Should I Reinstall (http://www.dslreports.com/faq/10063)

We can attempt to clean this machine but i can't guarantee that it will be 100% secure afterwards.

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.

mriffe
2007-07-22, 20:05
Hi Shaba,

This is most distressing. I have turned off the infected computer. There is a possibility another computer I have is also infected; I will create a new topic if this is the case.

I will be proceeding down the Format/Install path.

Because I am a typical user I do not have backups of my data. Is it safe to access the infected computer in Safe Mode with Networking in order to copy data to another computer?

Thank you very much for your help and the links. Looks like today will not be a boring day. :red:

Mel

Shaba
2007-07-22, 20:13
Hi

"Because I am a typical user I do not have backups of my data. Is it safe to access the infected computer in Safe Mode with Networking in order to copy data to another computer?"

It's not 100% safe, but do it if you don't have any better options.

Chances are that you will also copy malware to your other PC.
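
The risk Shaba describes is in the copy itself: everything taken off that disk is untrusted, and a share opened from Safe Mode with Networking gives the backdoor a path to the second machine as well. As an added example (my own code, not from this thread or from any tool named in it), the script below narrows that risk without removing it: it walks the suspect disk from the clean machine, refuses executable and script types, refuses any file whose first two bytes are a PE "MZ" header whatever its extension, skips the Windows and temporary-files directories entirely, and copies file contents only, not attributes, ACLs or alternate streams. It assumes the infected drive is attached read-only to the clean machine (slaved disk or live CD) rather than booted; the extension lists and the skipped directories are my choices, and the demo builds a constructed mini directory tree in a temporary folder. Scan the salvaged files on the clean machine anyway; the filter does nothing about macro-capable documents.

```python
import os
import shutil
import tempfile
from pathlib import Path

# Extensions worth salvaging (assumed list; extend to taste).
DATA_EXT = {".doc", ".xls", ".ppt", ".pdf", ".rtf", ".txt", ".csv",
            ".jpg", ".jpeg", ".png", ".gif", ".mp3", ".zip"}
# Anything Windows will run, or that can point at something it runs, is refused.
BLOCK_EXT = {".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs",
             ".js", ".wsf", ".hta", ".cpl", ".lnk", ".inf", ".sys"}
BLOCK_NAMES = {"autorun.inf", "desktop.ini"}
# Directories that hold no user data and plenty of malware residue (assumed).
SKIP_DIRS = {"windows", "system volume information", "temporary internet files",
             "program files", "recycler"}


def classify(path: Path) -> str:
    """'copy', 'blocked' or 'skipped' for one file on the suspect disk."""
    name, ext = path.name.lower(), path.suffix.lower()
    if name in BLOCK_NAMES or ext in BLOCK_EXT:
        return "blocked"
    with open(path, "rb") as fh:
        if fh.read(2) == b"MZ":          # a PE under a data extension is still a PE
            return "blocked"
    return "copy" if ext in DATA_EXT else "skipped"


def salvage(src, dst):
    """Copy file contents for 'copy' verdicts; report what was blocked or skipped."""
    src, dst = Path(src), Path(dst)
    report = {"copy": [], "blocked": [], "skipped": []}
    for root, dirs, files in os.walk(src):
        dirs[:] = [d for d in dirs if d.lower() not in SKIP_DIRS]   # prune in place
        for f in files:
            p = Path(root) / f
            verdict = classify(p)
            report[verdict].append(p.relative_to(src).as_posix())
            if verdict == "copy":
                target = dst / p.relative_to(src)
                target.parent.mkdir(parents=True, exist_ok=True)
                shutil.copyfile(p, target)   # copyfile: bytes only, no metadata
    return report


def demo():
    """Build a constructed mini disk image in a temp dir and salvage it."""
    base = Path(tempfile.mkdtemp())
    src, dst = base / "infected", base / "salvaged"
    files = {   # constructed contents; the dll name mirrors one from the eTrust list above
        "Documents and Settings/root/My Documents/report.doc": b"\xd0\xcf\x11\xe0 word",
        "Documents and Settings/root/My Documents/notes.txt": b"plain text",
        "Documents and Settings/root/My Documents/photo.jpg.exe": b"MZ\x90\x00",
        "Documents and Settings/root/My Documents/invoice.pdf": b"MZ\x90\x00 not a pdf",
        "Documents and Settings/root/My Documents/autorun.inf": b"[autorun]",
        "WINDOWS/system32/ddcawww.dll": b"MZ\x90\x00",
    }
    for rel, content in files.items():
        (src / rel).parent.mkdir(parents=True, exist_ok=True)
        (src / rel).write_bytes(content)
    return salvage(src, dst), dst


if __name__ == "__main__":
    report, dst = demo()
    for verdict, names in report.items():
        print(verdict, names)
```

In the demo only report.doc and notes.txt reach the destination: the double-extension photo.jpg.exe and autorun.inf fall to the name rules, the "PDF" that starts with MZ falls to the header check, and the DLL under WINDOWS is never visited.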

Shaba
2007-07-29, 12:13
Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.