Infections by multiple trojans



CMPSBayArea
2007-08-22, 18:59
Good Morning Everyone,

I'm having some issues with these guys...

win32/Vundo!generic
win32/VMalum.AOM
win32/ZQuest.E
win32/Matcash.AS

Here is the HijackThis log...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:51:06 AM, on 8/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\Program Files\Windows NT\hoxypudo22011.exe
C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F3 - REG:win.ini: load=
F3 - REG:win.ini: run=
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [hoxypudo] C:\Program Files\Windows NT\hoxypudo22011.exe
O4 - HKLM\..\Run: [BOC-425] C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0854D220-A90A-466D-BC02-6683183802B7} (PrintPreview Class) - http://maxebrdi.fnismls.com/Paragon/Codebase/FNISPrintControl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1187393278250
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {DF05D910-DC8E-403A-93B0-5C866F3200D1} (PtClickLoan Control) - https://www.clickloan.com/CAB/PtClickLoan/1,0,0,12/PtClickLoan.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bonanzagroupinc.com
O17 - HKLM\Software\..\Telephony: DomainName = bonanzagroupinc.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bonanzagroupinc.com
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Messenger\prolyhdu.html

--
End of file - 6688 bytes

Thank you all for your help. I really appreciate it.

pskelley
2007-08-22, 20:03
Welcome to Safer Networking. I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Since you did not give me a scan result to look at, we must do a little investigating first. Please do this:

1) C:\Program Files\Trend Micro\HijackThis\HijackThis.exe <<< return here and rename HJT.exe, call it CMPSBayArea.exe or whatever you wish. It will look like this:
C:\Program Files\Trend Micro\HijackThis\CMPSBayArea.exe

2) http://siri.geekstogo.com/SmitfraudFix.php <<< download Smitfraudfix from here and follow ONLY these directions.

Search:
Double-click SmitfraudFix.exe
Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm

Post the C:\rapport.txt and a new HJT log.

Thanks

CMPSBayArea
2007-08-22, 20:34
Hey pskelley,

Thanks for responding so soon! I really appreciate your help. Here are the two files you asked for...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:26:01 AM, on 8/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\Windows NT\hoxypudo22011.exe
C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\Program Files\Trend Micro\HijackThis\HJT.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F3 - REG:win.ini: load=
F3 - REG:win.ini: run=
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06F2BE16-571E-4486-B7B4-FEEF8D58D843} - C:\WINDOWS\system32\vtutt.dll
O2 - BHO: 0 - {37C64C30-3817-47DD-FAB6-AAF7C5DFBD8E} - C:\Program Files\Messenger\lacusy155.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINDOWS\system32\tesbyewe.dll
O2 - BHO: (no name) - {C84D8A0A-E708-42B6-90CA-9C30956A87C6} - C:\WINDOWS\system32\gebxywx.dll
O2 - BHO: (no name) - {DEFB98C9-ADA9-483F-9157-54DA0E415F57} - C:\WINDOWS\system32\mljjk.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [hoxypudo] C:\Program Files\Windows NT\hoxypudo22011.exe
O4 - HKLM\..\Run: [BOC-425] C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0854D220-A90A-466D-BC02-6683183802B7} (PrintPreview Class) - http://maxebrdi.fnismls.com/Paragon/Codebase/FNISPrintControl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1187393278250
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {DF05D910-DC8E-403A-93B0-5C866F3200D1} (PtClickLoan Control) - https://www.clickloan.com/CAB/PtClickLoan/1,0,0,12/PtClickLoan.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bonanzagroupinc.com
O17 - HKLM\Software\..\Telephony: DomainName = bonanzagroupinc.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bonanzagroupinc.com
O20 - Winlogon Notify: gebxywx - C:\WINDOWS\SYSTEM32\gebxywx.dll
O20 - Winlogon Notify: vtutt - C:\WINDOWS\system32\vtutt.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Messenger\prolyhdu.html

--
End of file - 7745 bytes

Then the other file...

SmitFraudFix v2.215

Scan done at 11:23:26.46, Wed 08/22/2007
Run from C:\Installers\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\Windows NT\hoxypudo22011.exe
C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\administrator.BONANZAGROUPINC


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\administrator.BONANZAGROUPINC\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ADMINI~1.BON\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\Messenger\\prolyhdu.html"
"SubscribedURL"=""
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.10

HKLM\SYSTEM\CCS\Services\Tcpip\..\{F17650CD-D174-4F93-B086-84DD553F8219}: DhcpNameServer=192.168.1.10
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F17650CD-D174-4F93-B086-84DD553F8219}: DhcpNameServer=192.168.1.10
HKLM\SYSTEM\CS3\Services\Tcpip\..\{F17650CD-D174-4F93-B086-84DD553F8219}: DhcpNameServer=192.168.1.10
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.10
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.10
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.10


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

Thanks again!

pskelley
2007-08-22, 20:58
Thanks for returning your information; not quite what I wanted with renaming HJT, but it may work. Understand the hackers write their junk so it will not show up in a HJT log, hence the reason for renaming HJT.exe.

Let's start with this item: C:\Program Files\Windows NT\hoxypudo22011.exe
Do you have any idea what this is? If not, would you look in that folder and tell me what is there. You can use one or more of these scanners to scan the file and post the information for me.
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/

Please read and follow the directions carefully.

1) Thanks to Atribune and any others who helped with this fix.

Please understand these hackers can call their junk anything they wish. Vundofix may not know the files at first, but it will learn. You want to run the fix until you see all Vundo files say: "Has been deleted"

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

If there is a file VundoFix doesn't find, we need it submitted. Please submit the files to UploadMalware: http://www.uploadmalware.com

2) Thanks to sUBs and anyone else who helped with this fix.

Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


Post the Vundofix report, combofix log and a new HJT log.

Thanks
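As an added example that is not part of this thread and is not HijackThis, VundoFix or ComboFix code: the Python script below encodes the triage rules pskelley applies by eye to the logs posted above (BHOs and Winlogon Notify packages registered under random-looking DLLs in system32, a Run entry pointing at a generated-looking filename, a Desktop Component that loads a local HTML file), plus a check for the reversed-name .bak files that appear beside the same DLLs in the ComboFix listing later in the thread. The allowlists, the "generated name" regex and the sample lines (constructed from the logs in this thread) are assumptions, not anything the tools themselves define; a hit is a candidate for a hash lookup at the scanners linked above, not a verdict.

```python
"""Triage heuristics for HijackThis and ComboFix output (added example)."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "section reason path clsid")

# Constructed sample: lines copied from the HijackThis logs posted in this thread.
SAMPLE_HJT = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06F2BE16-571E-4486-B7B4-FEEF8D58D843} - C:\WINDOWS\system32\vtutt.dll
O2 - BHO: 0 - {37C64C30-3817-47DD-FAB6-AAF7C5DFBD8E} - C:\Program Files\Messenger\lacusy155.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {DEFB98C9-ADA9-483F-9157-54DA0E415F57} - C:\WINDOWS\system32\mljjk.dll (file missing)
O4 - HKLM\..\Run: [hoxypudo] C:\Program Files\Windows NT\hoxypudo22011.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: gebxywx - C:\WINDOWS\SYSTEM32\gebxywx.dll
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Messenger\prolyhdu.html
"""

# Constructed sample in the "Files Created" format of the ComboFix log in this thread.
SAMPLE_COMBOFIX = r"""
2007-08-22 12:13 6,473 ---hs---- C:\WINDOWS\system32\ayadd.bak1
2007-08-22 12:13 298,080 --a------ C:\WINDOWS\system32\ddaya.dll
2007-08-22 12:03 <DIR> d-------- C:\VundoFix Backups
2007-08-22 09:12 1,589,184 ---hs---- C:\WINDOWS\system32\ttutv.bak2
2007-08-21 13:15 6,473 ---hs---- C:\WINDOWS\system32\ttutv.bak1
2007-08-17 15:03 43,542 --a------ C:\WINDOWS\system32\gebxywx.dll
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|lnk|html?)', re.I)
# Assumption: lowercase letters plus a numeric suffix, as in hoxypudo22011.exe and
# lacusy155.dll above. Tuned to this thread; widen with care (ctfmon.exe must not match).
GENERATED_RE = re.compile(r"^[a-z]{4,10}\d{2,}\.(?:exe|dll)$")
# Assumption: Winlogon Notify packages normally present on XP SP2; anything else gets a look.
XP_NOTIFY_PACKAGES = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                      "sclgntfy", "senslogn", "termsrv", "wlballoon"}
# Spybot's SDHelper.dll is also listed as "(no name)" in the logs above: a known false positive.
KNOWN_GOOD_NONAME = {"sdhelper.dll"}


def parse_hjt_line(line):
    """Split one HijackThis 'Oxx' line into section, label, target path and CLSID."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # R0/R1/F3 lines and blanks are not handled here
    section, rest = m.groups()
    if section == "O4":
        bm = re.search(r"\[(.*?)\]", rest)  # the Run value name sits in brackets
        label = bm.group(1) if bm else ""
    else:
        label = rest.split(": ", 1)[1].split(" - ", 1)[0] if ": " in rest else ""
    pm, cm = PATH_RE.search(rest), CLSID_RE.search(rest)
    return {"section": section, "label": label.strip(),
            "path": pm.group(0) if pm else "", "clsid": cm.group(0) if cm else "",
            "missing": "(file missing)" in rest}


def triage(entry):
    """Return a reason string if the entry deserves a closer look, else None."""
    sec, label, path = entry["section"], entry["label"], entry["path"]
    base = path.rsplit("\\", 1)[-1].lower()
    if sec == "O2" and (label == "(no name)" or label.isdigit()) and base not in KNOWN_GOOD_NONAME:
        return "BHO with no name" + (" (registered, file missing)" if entry["missing"] else "")
    if sec == "O20" and base.rsplit(".", 1)[0] not in XP_NOTIFY_PACKAGES:
        return "Winlogon Notify package outside the default set"
    if sec == "O24" and path:
        return "Desktop Component loads a local file"
    if sec == "O4" and GENERATED_RE.match(base):
        return "Run entry points at a generated-looking filename"
    return None


def triage_log(text):
    """Run triage over a whole HijackThis log; returns Findings in log order."""
    findings = []
    for line in text.splitlines():
        entry = parse_hjt_line(line)
        reason = triage(entry) if entry else None
        if reason:
            findings.append(Finding(entry["section"], reason, entry["path"], entry["clsid"]))
    return findings


def reversed_backup_pairs(listing):
    """Map X.dll -> [reverse(X).bakN, ...] from a ComboFix 'Files Created' listing.

    The thread's ComboFix log lists vtutt.dll's companions ttutv.bak1/.bak2 and
    ddaya.dll beside ayadd.bak1; VundoFix's log shows vtutt.dll deleted, not the
    .bak files. The DLL need not still exist for its backups to be reported.
    """
    names = [ln.split(maxsplit=4)[4].rsplit("\\", 1)[-1].lower()
             for ln in listing.splitlines() if ln.strip()]
    pairs = {}
    for name in names:
        stem, _, ext = name.rpartition(".")
        if ext.startswith("bak"):
            pairs.setdefault(stem[::-1] + ".dll", []).append(name)
    return pairs


if __name__ == "__main__":
    for f in triage_log(SAMPLE_HJT):
        print(f"{f.section:<4} {f.reason:<50} {f.path} {f.clsid}")
    for dll, baks in reversed_backup_pairs(SAMPLE_COMBOFIX).items():
        print(f"{dll} <- {', '.join(baks)}")
```

On the sample, the script flags vtutt.dll, lacusy155.dll and the orphaned mljjk.dll registration, hoxypudo22011.exe, the gebxywx Winlogon Notify package and the prolyhdu.html Desktop Component, and leaves SDHelper.dll and ctfmon.exe alone; the backup check pairs ttutv.bak1/.bak2 with vtutt.dll and ayadd.bak1 with ddaya.dll, which is why a file-only cleanup that leaves the .bak copies behind is not the end of the job.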

CMPSBayArea
2007-08-22, 21:40
Good Afternoon again,

I used the online scan to determine if it was a virus and the website confirmed that it was. After running VundoFix and Combofix, I went to the file again and it wasn't in the Windows NT folder anymore so I'm assuming it removed it.

Here is the HijackThis log. I also renamed the HijackThis program from HJT.exe to CMPSBayArea.exe...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:26, on 2007-08-22
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\CMPSBayArea.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {033D474C-9D0C-4259-9E7F-9B27E10A67E4} - C:\WINDOWS\system32\ddaya.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06F2BE16-571E-4486-B7B4-FEEF8D58D843} - C:\WINDOWS\system32\vtutt.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {C84D8A0A-E708-42B6-90CA-9C30956A87C6} - C:\WINDOWS\system32\gebxywx.dll
O2 - BHO: (no name) - {DEFB98C9-ADA9-483F-9157-54DA0E415F57} - C:\WINDOWS\system32\mljjk.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BOC-425] C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0854D220-A90A-466D-BC02-6683183802B7} (PrintPreview Class) - http://maxebrdi.fnismls.com/Paragon/Codebase/FNISPrintControl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1187393278250
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {DF05D910-DC8E-403A-93B0-5C866F3200D1} (PtClickLoan Control) - https://www.clickloan.com/CAB/PtClickLoan/1,0,0,12/PtClickLoan.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bonanzagroupinc.com
O17 - HKLM\Software\..\Telephony: DomainName = bonanzagroupinc.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bonanzagroupinc.com
O20 - Winlogon Notify: ddaya - C:\WINDOWS\system32\ddaya.dll
O20 - Winlogon Notify: gebxywx - C:\WINDOWS\SYSTEM32\gebxywx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Messenger\prolyhdu.html

--
End of file - 7214 bytes

CMPSBayArea
2007-08-22, 21:41
Here is the rest...

Here is the VundoFix log...

VundoFix V6.5.7

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 12:03:51 PM 8/22/2007

Listing files found while scanning....

C:\windows\system32\bupnbbxe.ini
C:\windows\system32\exbbnpub.dll
C:\WINDOWS\system32\tesbyewe.dll
C:\WINDOWS\system32\vtutt.dll

Beginning removal...

Attempting to delete C:\windows\system32\bupnbbxe.ini
C:\windows\system32\bupnbbxe.ini Has been deleted!

Attempting to delete C:\windows\system32\exbbnpub.dll
C:\windows\system32\exbbnpub.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tesbyewe.dll
C:\WINDOWS\system32\tesbyewe.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vtutt.dll
C:\WINDOWS\system32\vtutt.dll Has been deleted!

Performing Repairs to the registry.
Done!

Here is the ComboFix log...

ComboFix 07-08-17.2 - "Administrator" 2007-08-22 12:11:53.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.84 [GMT -7:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Messenger\lacusy.dll
C:\Program Files\Messenger\lacusy155.dll
C:\Program Files\Messenger\lacusy984.dll
C:\Program Files\Messenger\prolyhdu.html
C:\Program Files\Windows NT\hoxypudo22011.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\WINDOWS\system32\f10WtR
C:\WINDOWS\system32\player.dll


((((((((((((((((((((((((( Files Created from 2007-07-22 to 2007-08-22 )))))))))))))))))))))))))))))))


2007-08-22 12:13 6,473 ---hs---- C:\WINDOWS\system32\ayadd.bak1
2007-08-22 12:13 298,080 --a------ C:\WINDOWS\system32\ddaya.dll
2007-08-22 12:10 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-22 12:03 <DIR> d-------- C:\VundoFix Backups
2007-08-22 11:23 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-08-22 11:23 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-08-22 11:23 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-08-22 11:23 2,060 --a------ C:\WINDOWS\system32\tmp.reg
2007-08-22 09:12 1,589,184 ---hs---- C:\WINDOWS\system32\ttutv.bak2
2007-08-21 16:17 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-21 13:41 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-21 13:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-21 13:40 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-21 13:15 6,473 ---hs---- C:\WINDOWS\system32\ttutv.bak1
2007-08-21 13:13 235,008 --a------ C:\WINDOWS\UNBOC.EXE
2007-08-21 13:13 208,896 --a------ C:\WINDOWS\CMDLIC.DLL
2007-08-21 13:13 <DIR> d-------- C:\Program Files\Comodo
2007-08-21 13:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\BOC425
2007-08-21 11:46 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-08-21 09:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-18 12:26 28,672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-08-17 16:43 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-08-17 16:31 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-08-17 15:03 43,542 --a------ C:\WINDOWS\system32\gebxywx.dll
2007-08-17 15:03 <DIR> d-------- C:\WINDOWS\system32\ICM3
2007-08-17 15:03 <DIR> d-------- C:\WINDOWS\system32\CC1
2007-08-17 15:03 <DIR> d-------- C:\WINDOWS\system32\bgfig5
2007-08-17 15:03 <DIR> d-------- C:\Temp
2007-08-13 16:41 <DIR> d-------- C:\WINDOWS\MVUNINST
2007-08-13 16:41 <DIR> d-------- C:\Program Files\Memorex exPressit Label Design Studio
2007-08-13 16:41 <DIR> d-------- C:\Program Files\Common Files\SureThing Shared
2007-08-10 11:06 <DIR> d-------- C:\DOCUME~1\ADMINI~1.BON\APPLIC~1\PDS
2007-08-09 17:50 1,064,960 --a------ C:\WINDOWS\system32\cdintf300.dll
2007-08-09 17:50 1,064,960 --a------ C:\WINDOWS\system32\acXMLParser.dll
2007-08-01 10:57 947,472 --a------ C:\WINDOWS\system32\msjava.dll
2007-08-01 10:57 63,248 --a------ C:\WINDOWS\system32\javaprxy.dll
2007-08-01 10:57 6,550 --a------ C:\WINDOWS\jautoexp.dat
2007-08-01 10:57 49,424 --a------ C:\WINDOWS\system32\clspack.exe
2007-08-01 10:57 46,352 --a------ C:\WINDOWS\setdebug.exe
2007-08-01 10:57 404,752 --a------ C:\WINDOWS\system32\javart.dll
2007-08-01 10:57 313,856 --a------ C:\WINDOWS\system32\dx3j.dll
2007-08-01 10:57 286,992 --a------ C:\WINDOWS\system32\vmhelper.dll
2007-08-01 10:57 21,264 --a------ C:\WINDOWS\system32\msjdbc10.dll
2007-08-01 10:57 187,152 --a------ C:\WINDOWS\system32\javacypt.dll
2007-08-01 10:57 172,304 --a------ C:\WINDOWS\system32\jview.exe
2007-08-01 10:57 171,792 --a------ C:\WINDOWS\system32\wjview.exe
2007-08-01 10:57 171,280 --a------ C:\WINDOWS\system32\jit.dll
2007-08-01 10:57 154,384 --a------ C:\WINDOWS\system32\msawt.dll
2007-08-01 10:57 15,120 --a------ C:\WINDOWS\system32\jdbgmgr.exe
2007-08-01 10:57 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2007-08-01 10:57 113 --a------ C:\WINDOWS\system32\zonedon.reg
2007-08-01 10:57 113 --a------ C:\WINDOWS\system32\zonedoff.reg
2007-07-31 02:25 142,696 --a------ C:\WINDOWS\system32\MicrosoftUpdateCatalogWebControl.dll
2007-07-25 09:05 <DIR> d--hs---- C:\DOCUME~1\ADMINI~1.BON\UserData
2007-07-23 15:54 <DIR> d-------- C:\Program Files\Audio Mid Recorder
2007-07-23 15:53 <DIR> d-------- C:\SP
2007-07-23 15:53 <DIR> d-------- C:\Program Files\Snapshot Viewer
2007-07-23 15:51 89,360 --a------ C:\WINDOWS\system32\VB5DB.DLL
2007-07-23 15:51 <DIR> d-------- C:\Program Files\MtgCoach
2007-07-23 14:00 <DIR> d-------- C:\DOCUME~1\ADMINI~1.BON\APPLIC~1\Corel Photo Album
2007-07-23 13:47 53,248 --a------ C:\WINDOWS\system32\Zlib.dll
2007-07-23 13:47 53,248 --a------ C:\WINDOWS\system32\Abyss.dll
2007-07-23 13:47 453,120 --a------ C:\WINDOWS\system32\stdvcl40.dll
2007-07-23 13:47 41,984 --a------ C:\WINDOWS\system32\ZFExt.dll
2007-07-23 13:47 345,536 --a------ C:\WINDOWS\system32\stdvcl32.dll
2007-07-23 13:47 20,992 --a------ C:\WINDOWS\system32\Iconz.dll
2007-07-23 13:47 20,569 --a------ C:\WINDOWS\system32\pxc25pm.dll
2007-07-23 13:44 <DIR> d-------- C:\DOCUME~1\ADMINI~1.BON\APPLIC~1\AdobeUM
2007-07-23 13:33 61,500 --a------ C:\WINDOWS\system32\aucplmnt.dlL
2007-07-23 13:31 <DIR> d-------- C:\Program Files\Canon
2007-07-23 12:39 <DIR> d-------- C:\mp3's
2007-07-23 12:15 <DIR> d-------- C:\DOCUME~1\ADMINI~1.BON\APPLIC~1\Research In Motion
2007-07-23 12:14 26,368 -ra------ C:\WINDOWS\system32\drivers\RimSerial.sys
2007-07-23 12:13 <DIR> d-------- C:\Program Files\Research In Motion
2007-07-23 12:13 <DIR> d-------- C:\Program Files\Common Files\Research In Motion
2007-07-23 12:08 <DIR> d--hs---- C:\WINDOWS\ftpcache
2007-07-23 12:08 <DIR> d-------- C:\WINDOWS\CAVTemp
2007-07-23 11:58 <DIR> d-------- C:\DOCUME~1\ADMINI~1.BON\APPLIC~1\AttachmentSecurity
2007-07-23 11:54 <DIR> d-------- C:\WINDOWS\AttachmentSecurity
2007-07-23 11:54 <DIR> d-------- C:\Program Files\AttachmentSecurity
2007-07-23 11:44 <DIR> d-------- C:\Bonanza Mortgage
2007-07-23 11:06 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2007-07-23 11:05 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-07-23 11:04 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-07-23 11:02 <DIR> dr-h----- C:\MSOCache
2007-07-23 10:47 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2007-07-23 10:46 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-07-23 10:45 <DIR> d-------- C:\Program Files\HP
2007-07-23 10:44 17,176 --------- C:\WINDOWS\hpomdl04.dat
2007-07-23 10:44 103,535 --a------ C:\WINDOWS\hpoins04.dat
2007-07-23 10:35 <DIR> d-------- C:\Installers
2007-07-23 09:41 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-07-23 09:36 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-07-23 09:36 21,504 --a------ C:\WINDOWS\system32\hidserv.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-22 12:15 --------- d-------- C:\Program Files\Windows NT
2007-08-22 12:15 --------- d-------- C:\Program Files\Messenger
2007-08-21 14:18 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-08-21 14:18 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-07-23 15:51 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-23 15:22 4184 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-07-23 15:22 104 -r-hs---- C:\WINDOWS\system32\57DE679C56.sys
2007-07-23 10:28 879832 --a------ C:\WINDOWS\system32\drivers\VetEFile.sys
2007-07-23 10:28 108360 --a------ C:\WINDOWS\system32\drivers\VetEBoot.sys
2007-07-11 12:05 91136 --a------ C:\WINDOWS\system32\saxcom32.dll
2007-07-11 12:05 45568 --a------ C:\WINDOWS\system32\saxxfr32.dll
2007-07-11 12:05 172032 --a------ C:\WINDOWS\system32\SAXFile.dll
2007-07-11 12:05 137 --a------ C:\WINDOWS\system32\ini.bat
2007-06-25 23:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-25 23:08 1104896 --------- C:\WINDOWS\system32\dllcache\msxml3.dll
2007-06-19 06:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-19 06:31 282112 --------- C:\WINDOWS\system32\dllcache\gdi32.dll
2007-06-15 01:12 474112 --------- C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-06-15 01:12 151040 --------- C:\WINDOWS\system32\dllcache\cdfview.dll
2007-06-15 01:12 1498112 --------- C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-06-15 01:12 1054208 --------- C:\WINDOWS\system32\dllcache\danim.dll
2007-06-15 01:12 1022976 --------- C:\WINDOWS\system32\dllcache\browseui.dll
2007-06-13 03:23 1033216 --a------ C:\WINDOWS\explorer.exe
2007-06-13 03:23 1033216 --------- C:\WINDOWS\system32\dllcache\explorer.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{033D474C-9D0C-4259-9E7F-9B27E10A67E4}]
2007-08-22 12:13 298080 --a------ C:\WINDOWS\system32\ddaya.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06F2BE16-571E-4486-B7B4-FEEF8D58D843}]
C:\WINDOWS\system32\vtutt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C84D8A0A-E708-42B6-90CA-9C30956A87C6}]
2007-08-17 15:03 43542 --a------ C:\WINDOWS\system32\gebxywx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DEFB98C9-ADA9-483F-9157-54DA0E415F57}]
C:\WINDOWS\system32\mljjk.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CaAvTray"="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe" [2007-04-16 17:06]
"CAVRID"="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe" [2007-04-16 17:06]
"eTrust PestPatrol Active Protection"="C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe" [2004-09-27 07:09]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-12-21 13:58]
"BOC-425"="C:\PROGRA~1\Comodo\CBOClean\BOC425.exe" [2007-08-08 19:49]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00]

C:\Documents and Settings\administrator.BONANZAGROUPINC\Start Menu\Programs\Startup\
Desktop Manager.lnk - C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe [2006-12-14 17:17:12]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 01:19:50]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Messenger\prolyhdu.html
FriendlyName=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{C84D8A0A-E708-42B6-90CA-9C30956A87C6}"= C:\WINDOWS\system32\gebxywx.dll [2007-08-17 15:03 43542]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddaya]
C:\WINDOWS\system32\ddaya.dll 2007-08-22 12:13 298080 C:\WINDOWS\system32\ddaya.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebxywx]
gebxywx.dll 2007-08-17 15:03 43542 C:\WINDOWS\system32\gebxywx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
"c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QBReminderFlash]
"C:\Program Files\Intuit\QuickBooks 2005\Atom\QBReminder.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Intuit Fuse Service"=3 (0x3)
"AOL ACS"=2 (0x2)

R3 BOCDRIVE;BOClean Kernel Monitor.;\??\C:\Program Files\Comodo\CBOClean\BOCDRIVE.sys
S4 Intuit Fuse Service;Intuit Fuse Service;"C:\Program Files\Common Files\Intuit\Fuse\Service\Intuit Fuse Service.exe"


Contents of the 'Scheduled Tasks' folder
2007-04-14 01:30:00 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (D9GLX191-Peter).job - c:\program files\mcafee.com\vso\mcmnhdlr.exe
2007-04-14 01:30:00 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (D9GLX191-Rigo).job - c:\program files\mcafee.com\vso\mcmnhdlr.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-22 12:18:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-22 12:20:57 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-22 12:20

--- E O F ---

Thank you very much pskelley!

pskelley
2007-08-22, 22:05
Thanks for that feedback, I thought about mentioning ComboFix might remove the item. I checked my C:\Program Files\Windows NT\ folder on Windows XP Pro and I have the same folder with valid files and folders in it in case you have questions about what should be there.

We still have more work to do, let me show you what is left in the HJT log:
O2 - BHO: (no name) - {033D474C-9D0C-4259-9E7F-9B27E10A67E4} - C:\WINDOWS\system32\ddaya.dll
O20 - Winlogon Notify: ddaya - C:\WINDOWS\system32\ddaya.dll
O2 - BHO: (no name) - {C84D8A0A-E708-42B6-90CA-9C30956A87C6} - C:\WINDOWS\system32\gebxywx.dll
O20 - Winlogon Notify: gebxywx - C:\WINDOWS\SYSTEM32\gebxywx.dll

So you will know, the tough ones to kill are the O20 Winlogon because of when they log on to Windows. I explained how the hackers keep randomly naming their junk and you may not have run the VundoFix enough to remove them. In any case, would you follow the directions I posted earlier and upload those to Atribune so he can add them to the fix, then we will remove them like this:

Open VundoFix by double-clicking on it, then point your mouse to the white box above the buttons and right click, then click on Add More Files. When the next window opens, copy and paste the files into the boxes and click on Add File(s), then click on Close Window. Then click Remove Vundo.

Here are the files you will add:

C:\WINDOWS\system32\ddaya.dll
C:\WINDOWS\SYSTEM32\gebxywx.dll

Restart the computer once this is done, post the VundoFix report and a new HJT log.

Thanks
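Added example for this thread (not code from either poster, and not how VundoFix or ComboFix work internally): a small Python triage script that reads the HijackThis O2/O20 lines and the ComboFix "Files Created" lines posted above, reports which DLLs are hooked both as a BHO and as a Winlogon Notify package (the case pskelley calls tough to kill, because winlogon.exe loads the DLL at logon before the user's shell exists), and finds the reversed-name companion files the logs show next to each Vundo DLL (bupnbbxe.ini beside exbbnpub.dll, ayadd.bak1 beside ddaya.dll, ttutv.bak1/.bak2 beside the already-deleted vtutt.dll). The sample lines are copied from the logs in this thread; the regular expressions are my assumption about the two tools' line formats, and the path normalization is there because the HJT output mixes `system32` and `SYSTEM32`.

```python
"""Triage of HijackThis O2/O20 lines and a ComboFix file listing.
Example added to this thread; it is not a tool either poster used."""
import re
from collections import defaultdict

# HijackThis items: O2 = Browser Helper Object, O20 = Winlogon Notify package.
HJT_O2 = re.compile(r"^O2 - BHO: .*? - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
HJT_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")

# ComboFix "Files Created" line: date, time, size or <DIR>, attribute flags, path.
# Assumed format, derived from the log lines quoted in this thread.
COMBOFIX_FILE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>[\d,]+|<DIR>)\s+(?P<attrs>\S+)\s+(?P<path>.+)$"
)

# Sample input copied from the logs posted above (HJT lines from pskelley's
# reply, ComboFix lines from the "Files Created" section).
HJT_SAMPLE = r"""
O2 - BHO: (no name) - {033D474C-9D0C-4259-9E7F-9B27E10A67E4} - C:\WINDOWS\system32\ddaya.dll
O20 - Winlogon Notify: ddaya - C:\WINDOWS\system32\ddaya.dll
O2 - BHO: (no name) - {C84D8A0A-E708-42B6-90CA-9C30956A87C6} - C:\WINDOWS\system32\gebxywx.dll
O20 - Winlogon Notify: gebxywx - C:\WINDOWS\SYSTEM32\gebxywx.dll
""".strip().splitlines()

COMBOFIX_SAMPLE = r"""
2007-08-22 12:13 6,473 ---hs---- C:\WINDOWS\system32\ayadd.bak1
2007-08-22 12:13 298,080 --a------ C:\WINDOWS\system32\ddaya.dll
2007-08-22 12:10 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-22 12:03 <DIR> d-------- C:\VundoFix Backups
2007-08-22 09:12 1,589,184 ---hs---- C:\WINDOWS\system32\ttutv.bak2
2007-08-21 13:15 6,473 ---hs---- C:\WINDOWS\system32\ttutv.bak1
2007-08-17 15:03 43,542 --a------ C:\WINDOWS\system32\gebxywx.dll
""".strip().splitlines()


def norm(path):
    """Windows paths are case-insensitive; the log mixes system32 and SYSTEM32."""
    return path.strip().lower()


def parse_hjt(lines):
    """Map each normalized DLL path to the set of HJT hook kinds that load it."""
    hooks = defaultdict(set)
    for line in lines:
        m = HJT_O2.match(line.strip())
        if m:
            hooks[norm(m.group("path"))].add("BHO")
            continue
        m = HJT_O20.match(line.strip())
        if m:
            hooks[norm(m.group("path"))].add("WinlogonNotify")
    return dict(hooks)


def dual_hooked(hooks):
    """DLLs persisted both as a BHO and as a Winlogon Notify package.
    The Notify DLL is mapped into winlogon.exe at logon, so it is already
    loaded when a removal tool runs: the 'tough to kill' case."""
    return sorted(p for p, kinds in hooks.items() if {"BHO", "WinlogonNotify"} <= kinds)


def parse_combofix_files(lines):
    """Return (normalized path, attribute flags) per file entry; directories skipped."""
    entries = []
    for line in lines:
        m = COMBOFIX_FILE.match(line.strip())
        if m and m.group("size") != "<DIR>":
            entries.append((norm(m.group("path")), m.group("attrs")))
    return entries


def hidden_system(files):
    """Paths carrying both the hidden and system attributes ('hs' in ComboFix output)."""
    return sorted(p for p, attrs in files if "h" in attrs and "s" in attrs)


def stem(path):
    """File name without directory or extension, e.g. ayadd for the ayadd.bak1 entry."""
    return path.rsplit("\\", 1)[-1].split(".", 1)[0]


def reversed_companions(dll_paths, files):
    """For each DLL, the files whose stem is the DLL's stem spelled backwards.
    A companion that survives after the DLL itself is deleted still points
    at the infection (ttutv.bak1/.bak2 remain after vtutt.dll was removed)."""
    out = {}
    for dll in dll_paths:
        wanted = stem(dll)[::-1]
        hits = sorted(p for p, _ in files if p != dll and stem(p) == wanted)
        if hits:
            out[dll] = hits
    return out


if __name__ == "__main__":
    hooks = parse_hjt(HJT_SAMPLE)
    files = parse_combofix_files(COMBOFIX_SAMPLE)
    print("BHO + Winlogon Notify:", dual_hooked(hooks))
    print("hidden+system files:", hidden_system(files))
    print("reversed-name companions:",
          reversed_companions(dual_hooked(hooks) + [r"c:\windows\system32\vtutt.dll"], files))
```

Run on the sample, both ddaya.dll and gebxywx.dll come out as dual-hooked even though one O20 line spells the directory SYSTEM32; without lowercasing the paths the gebxywx.dll hooks would be counted as two different files. The companion check is a heuristic for this family only: a reversed-stem match is strong evidence here because the pattern repeats three times in the posted logs, but a DLL without such a companion is not thereby clean.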

pskelley
2007-08-28, 01:48
No response since 8/22/2007? Are your issues resolved?

Thanks:)

pskelley
2007-09-01, 14:34
This topic is closed due to lack of a response.

Thanks