Yes, Virtumonde has me also. Please help.



JoshProto23
2008-03-19, 18:58
Hello Helpers,

My computer was infiltrated by the nasty Virtumonde recently. Of course Spybot and NOD32 have been unable to delete it. I would be most thankful if someone here could assist me with the removal process.

There may be other infections also. For some reason, I now have problems accessing websites such as eBay, Amazon.com and others.

When trying to access these sites I see messages such as these in my browser:

Waiting for include.ebaystatic.com
Waiting for z-ecx.images-amazon.com
Waiting for x.myspacecdn.com

Also, it may be helpful to know that NOD32 pops up whenever I turn on my computer and displays the following message:

Threat detected

Alert details
File:
C:\WINDOWS\system32\wvuspnm.dll

Threat:
Win32/Adware.Virtumonde application

Comment
The file can be deleted. It is strongly recommended that you back up any crucial data before you proceed. Event occurred at an attempt to access the file by the application: \??\C:\WINDOWS\system32\winlogon.exe.

There are also times when the Spybot TeaTimer alerts pop up continuously.

I will post my Kaspersky and HijackThis logs below.

Thank you very much for your assistance.

JoshProto23
2008-03-19, 18:59
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, March 19, 2008 2:57:32 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 19/03/2008
Kaspersky Anti-Virus database records: 639844
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 69790
Number of viruses found: 12
Number of infected objects: 57
Number of suspicious objects: 0
Duration of the scan process: 01:00:01

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_24adf822-76f7-4481-b30b-ff1b40f8687f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Russell\Application Data\Mozilla\Firefox\Profiles\sw48k1zf.default\cert8.db Object is locked skipped
C:\Documents and Settings\Russell\Application Data\Mozilla\Firefox\Profiles\sw48k1zf.default\history.dat Object is locked skipped
C:\Documents and Settings\Russell\Application Data\Mozilla\Firefox\Profiles\sw48k1zf.default\key3.db Object is locked skipped
C:\Documents and Settings\Russell\Application Data\Mozilla\Firefox\Profiles\sw48k1zf.default\parent.lock Object is locked skipped
C:\Documents and Settings\Russell\Application Data\Mozilla\Firefox\Profiles\sw48k1zf.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Russell\Application Data\Mozilla\Firefox\Profiles\sw48k1zf.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Russell\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Russell\Desktop\backups\backup-20080208-210407-348.dll Infected: not-a-virus:AdWare.Win32.BHO.si skipped
C:\Documents and Settings\Russell\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Russell\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Russell\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Russell\Local Settings\Application Data\Mozilla\Firefox\Profiles\sw48k1zf.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Russell\Local Settings\Application Data\Mozilla\Firefox\Profiles\sw48k1zf.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Russell\Local Settings\Application Data\Mozilla\Firefox\Profiles\sw48k1zf.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Russell\Local Settings\Application Data\Mozilla\Firefox\Profiles\sw48k1zf.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Russell\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Russell\Local Settings\History\History.IE5\MSHist012008031920080320\index.dat Object is locked skipped
C:\Documents and Settings\Russell\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Russell\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Russell\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Russell\ntuser.dat.LOG Object is locked skipped
C:\Program Files\ESET\cache\CACHE.NDB Object is locked skipped
C:\Program Files\ESET\cache\FND0.NFI/data0003 Infected: Trojan.Win32.Scapur.k skipped
C:\Program Files\ESET\cache\FND0.NFI NSIS: infected - 1 skipped
C:\Program Files\ESET\cache\FND0.NFI PE-Crypt.XorPE: infected - 1 skipped
C:\Program Files\ESET\cache\FND2.NFI/data0006 Infected: Trojan-Downloader.Win32.VB.caw skipped
C:\Program Files\ESET\cache\FND2.NFI NSIS: infected - 1 skipped
C:\Program Files\ESET\cache\FND2.NFI PE-Crypt.XorPE: infected - 1 skipped
C:\Program Files\ESET\cache\FND3.NFI Infected: Trojan-Downloader.Win32.Agent.krh skipped
C:\Program Files\ESET\logs\virlog.dat Object is locked skipped
C:\Program Files\ESET\logs\warnlog.dat Object is locked skipped
C:\Program Files\XP Smoker\shutdown.exe Infected: not-a-virus:RiskTool.Win32.Shutdown.c skipped
C:\QooBox\Quarantine\catchme2008-02-08_211134.53.zip/tosbtsd22.sys Infected: Rootkit.Win32.Agent.to skipped
C:\QooBox\Quarantine\catchme2008-02-08_211134.53.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP406\A0086992.exe Infected: not-a-virus:AdWare.Win32.BHO.xv skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP408\A0087063.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP408\A0087063.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP408\A0087064.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP408\A0087112.exe Infected: not-a-virus:AdWare.Win32.BHO.xv skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP408\A0087278.exe Infected: not-a-virus:AdWare.Win32.BHO.xv skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP409\A0087442.exe Infected: not-a-virus:AdWare.Win32.BHO.xv skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP414\A0090237.exe Infected: not-a-virus:AdWare.Win32.Agent.tj skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP414\A0090298.exe Infected: not-a-virus:AdWare.Win32.Agent.tj skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP414\A0091323.exe Infected: not-a-virus:AdWare.Win32.Agent.tj skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP414\A0093327.exe Infected: not-a-virus:AdWare.Win32.Agent.tj skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP414\A0093371.exe Infected: not-a-virus:AdWare.Win32.Agent.tj skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP414\A0094374.exe Infected: not-a-virus:AdWare.Win32.Agent.tj skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP414\A0094414.exe Infected: not-a-virus:AdWare.Win32.Agent.tj skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP414\A0094614.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP414\A0094633.exe Infected: not-a-virus:AdWare.Win32.Agent.tj skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP414\A0094664.exe Infected: not-a-virus:AdWare.Win32.Agent.tj skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP414\A0095670.exe Infected: not-a-virus:AdWare.Win32.Agent.tj skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP416\A0095691.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP416\A0095691.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP416\A0095700.exe Infected: Trojan-Downloader.Win32.Agent.kub skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP416\A0095706.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP416\A0095710.exe Infected: not-a-virus:AdWare.Win32.Agent.tj skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP416\A0095810.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP436\A0098986.dll Infected: not-a-virus:AdWare.Win32.BHO.si skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP437\A0099076.exe/file39 Infected: not-a-virus:RiskTool.Win32.Shutdown.c skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP437\A0099076.exe Inno: infected - 1 skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP463\A0103658.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP464\A0103970.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP467\A0104654.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP469\A0104881.dll Object is locked skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP471\A0104936.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP471\change.log Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_Conexant HDA D110 MDC V.92 Modem.txt Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{D42E0B79-7202-4E9B-AE0A-6A53792BF44D}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\bdgylfts.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\bfmitpyr.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\fcamplqu.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\gxlmaalg.dll Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\hhlqmoxl.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\jowfcgbd.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\jqjsbhho.dll Object is locked skipped
C:\WINDOWS\system32\kavpvluq.dll Object is locked skipped
C:\WINDOWS\system32\kjllm.ini Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\mlljk.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\nlgvjvql.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\rgltnenn.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\thscdmeg.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\tvoidsnx.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\tynlodcl.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\ujxfvwux.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\ursvftho.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\vqovodfb.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wtmnixme.dll Object is locked skipped
C:\WINDOWS\system32\wvuspnm.dll Object is locked skipped
C:\WINDOWS\system32\wvuspnm.V00dll Object is locked skipped
C:\WINDOWS\system32\wvuspnm.V01dll Object is locked skipped
C:\WINDOWS\system32\wvuspnm.V02dll Object is locked skipped
C:\WINDOWS\system32\wvuspnm.V03dll Object is locked skipped
C:\WINDOWS\system32\wvuspnm.V04dll Object is locked skipped
C:\WINDOWS\system32\wvuspnm.V05dll Object is locked skipped
C:\WINDOWS\system32\wvuspnm.V06dll Object is locked skipped
C:\WINDOWS\system32\wvuspnm.V07dll Object is locked skipped
C:\WINDOWS\system32\wvuspnm.V08dll Object is locked skipped
C:\WINDOWS\system32\wvuspnm.V09dll Object is locked skipped
C:\WINDOWS\system32\wvuspnm.V10dll Object is locked skipped
C:\WINDOWS\system32\wvuspnm.V11dll Object is locked skipped
C:\WINDOWS\system32\wvuspnm.V12dll Object is locked skipped
C:\WINDOWS\system32\wvuspnm.V13dll Object is locked skipped
C:\WINDOWS\system32\wvuspnm.V14dll Object is locked skipped
C:\WINDOWS\system32\wvuspnm.V15dll Object is locked skipped
C:\WINDOWS\system32\wvuspnm.V16dll Object is locked skipped
C:\WINDOWS\system32\wvuspnm.V17dll Object is locked skipped
C:\WINDOWS\system32\wvuspnm.V18dll Object is locked skipped
C:\WINDOWS\system32\wvuspnm.V19dll Object is locked skipped
C:\WINDOWS\system32\wvuspnm.V20dll Object is locked skipped
C:\WINDOWS\system32\wvuspnm.V21dll Object is locked skipped
C:\WINDOWS\system32\wvuspnm.V22dll Object is locked skipped
C:\WINDOWS\system32\wvuspnm.V23dll Object is locked skipped
C:\WINDOWS\system32\wvuspnm.Vdll Object is locked skipped
C:\WINDOWS\system32\xoamswde.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

JoshProto23
2008-03-19, 19:00
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:31:30 AM, on 3/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cm.my.yahoo.com/
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [d8f4876f] rundll32.exe "C:\WINDOWS\system32\vcjxhftj.dll",b
O4 - HKLM\..\Run: [BMdbc7b4f3] Rundll32.exe "C:\WINDOWS\system32\wrggihrq.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 6004 bytes
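The two rundll32 entries in the HijackThis log above (random 8-letter DLL names in system32, Run-value names that are bare hex blobs) are the classic Vundo/Virtumonde footprint. The following is an added example, not code from the thread, HijackThis or any tool named here; it triages O4 lines with heuristics and thresholds that are this example's own assumptions, using the O4 lines copied from the log as constructed sample input.

```python
"""Triage HijackThis O4 (Run-key) lines for the Vundo/Virtumonde pattern shown in this thread.

Heuristics are this example's own assumptions, not rules from HijackThis or any vendor:
  1. rundll32 loading a DLL directly out of the system32 folder
  2. a DLL base name of 8 lowercase letters with almost no vowels (vcjxhftj, wrggihrq)
  3. a Run-value name that is a bare 8-digit hex blob, optionally prefixed "BM"
Two or more hits on one entry is rated "high"; a single hit is "review".
"""
import re
from dataclasses import dataclass, field

# Sample input: the O4 lines copied from the HijackThis log posted above.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [d8f4876f] rundll32.exe "C:\WINDOWS\system32\vcjxhftj.dll",b
O4 - HKLM\..\Run: [BMdbc7b4f3] Rundll32.exe "C:\WINDOWS\system32\wrggihrq.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
"""

O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?', re.IGNORECASE)
HEX_NAME_RE = re.compile(r'^(?:BM)?[0-9a-f]{8}$')
EIGHT_LETTERS_RE = re.compile(r'^[a-z]{8}$')
VOWELS = set("aeiou")


@dataclass
class Finding:
    name: str            # the Run value name inside [...]
    cmd: str             # the command line HijackThis recorded
    reasons: list = field(default_factory=list)

    @property
    def severity(self) -> str:
        return "high" if len(self.reasons) >= 2 else "review"


def looks_random(base: str) -> bool:
    """True for 8 lowercase letters with under a third vowels: wrggihrq yes, ctfmon no."""
    if not EIGHT_LETTERS_RE.match(base):
        return False
    vowels = sum(1 for ch in base if ch in VOWELS)
    return vowels / len(base) < 0.34


def triage_o4(line: str):
    """Return a Finding for one O4 line, or None when nothing looks suspicious."""
    m = O4_RE.match(line.strip())
    if not m:                      # not a Run-key O4 line (e.g. Global Startup)
        return None
    finding = Finding(name=m.group("name"), cmd=m.group("cmd"))
    rd = RUNDLL_RE.match(finding.cmd)
    if rd:
        folder, _, fname = rd.group("dll").rpartition("\\")
        if folder.lower().endswith("\\system32"):
            finding.reasons.append("rundll32 loads a DLL straight from system32")
        base = fname.lower().rsplit(".", 1)[0]
        if looks_random(base):
            finding.reasons.append(f"DLL name {fname!r} looks machine-generated")
    if HEX_NAME_RE.match(finding.name):
        finding.reasons.append(f"Run value name {finding.name!r} is a bare hex blob")
    return finding if finding.reasons else None


def triage_log(text: str):
    """Run triage_o4 over every line of a HijackThis log and keep the hits."""
    return [f for f in (triage_o4(line) for line in text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage_log(HJT_SAMPLE):
        print(f"[{f.severity}] {f.name}: {f.cmd}")
        for r in f.reasons:
            print("    -", r)
```

On the sample above only the d8f4876f and BMdbc7b4f3 entries are reported, each with all three reasons; the legitimate nod32kui, ctfmon and TeaTimer entries pass.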

pskelley
2008-03-20, 12:57
Welcome to Safer Networking. I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

You are infected. I suggest you keep this computer offline except when troubleshooting; the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully; the tools will not work unless you do.
This can be a tough infection to remove, so do not expect fast or easy.

1) Thanks to Atribune and any others who helped with this fix.

http://vundofix.atribune.org/ <<< tutorial

"Download VundoFix" to your Desktop

http://www.atribune.org/ccount/click.php?id=4

Double-click VundoFix.exe to run it.
When VundoFix opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will attempt to run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot. Vundofix.txt will be on the C:\

(wait until you finish to post reports and logs)

2) Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop.

Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop

Double-click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Post the Vundofix.txt, combofix log and a new HJT log.

Tutorial if needed:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks

JoshProto23
2008-03-20, 18:45
VundoFix V7.0.3

Scan started at 11:54:04 AM 3/20/2008

Listing files found while scanning....

C:\windows\system32\kjllm.ini
C:\windows\system32\kjllm.ini2
C:\windows\system32\mlljk.dll

Beginning removal...

Attempting to delete C:\windows\system32\kjllm.ini
C:\windows\system32\kjllm.ini Has been deleted!

Attempting to delete C:\windows\system32\kjllm.ini2
C:\windows\system32\kjllm.ini2 Has been deleted!

Attempting to delete C:\windows\system32\mlljk.dll
C:\windows\system32\mlljk.dll Has been deleted!

Performing Repairs to the registry.
Done!

JoshProto23
2008-03-20, 18:48
ComboFix 08-03-18.1 - Russell 2008-03-20 12:29:23.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1515 [GMT -4:00]
Running from: C:\Documents and Settings\Russell\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\kmd.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\aixueqle.dll
C:\WINDOWS\system32\bdgylfts.dll
C:\WINDOWS\system32\bfmitpyr.dll
C:\WINDOWS\system32\bkmoopob.exe
C:\WINDOWS\system32\dqsxawat.ini
C:\WINDOWS\system32\fcamplqu.dll
C:\WINDOWS\system32\fikthhje.dll
C:\WINDOWS\system32\hhlqmoxl.dll
C:\WINDOWS\system32\jokrthiw.ini
C:\WINDOWS\system32\jowfcgbd.dll
C:\WINDOWS\system32\lxomqlhh.ini
C:\WINDOWS\system32\nlgvjvql.dll
C:\WINDOWS\system32\nnentlgr.ini
C:\WINDOWS\system32\odhnglwy.dll
C:\WINDOWS\system32\rgltnenn.dll
C:\WINDOWS\system32\skkxhnfk.dll
C:\WINDOWS\system32\tawaxsqd.dll
C:\WINDOWS\system32\thscdmeg.dll
C:\WINDOWS\system32\tvoidsnx.dll
C:\WINDOWS\system32\tynlodcl.dll
C:\WINDOWS\system32\ujxfvwux.dll
C:\WINDOWS\system32\ursvftho.dll
C:\WINDOWS\system32\voemesaw.dll
C:\WINDOWS\system32\vqovodfb.dll
C:\WINDOWS\system32\wihtrkoj.dll
C:\WINDOWS\system32\wrggihrq.dll
C:\WINDOWS\system32\wycdd.ini
C:\WINDOWS\system32\wycdd.ini2
C:\WINDOWS\system32\xoamswde.dll

.
((((((((((((((((((((((((( Files Created from 2008-02-20 to 2008-03-20 )))))))))))))))))))))))))))))))
.

2008-03-20 11:54 . 2008-03-20 12:15 <DIR> d-------- C:\VundoFix Backups
2008-03-19 01:24 . 2008-03-19 01:24 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-19 01:24 . 2008-03-19 01:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-19 00:53 . 2008-03-19 00:52 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-19 00:53 . 2008-03-19 00:53 2,548 --a------ C:\WINDOWS\unins000.dat
2008-03-18 23:17 . 2008-03-19 21:18 2,389,938 --ahs---- C:\WINDOWS\system32\jtfhxjcv.ini
2008-03-16 21:48 . 2008-03-17 23:05 1,359,787 --ahs---- C:\WINDOWS\system32\bbhddbav.ini
2008-03-15 20:21 . 2008-03-16 21:43 1,367,163 --ahs---- C:\WINDOWS\system32\tcwtvqul.ini
2008-03-15 20:17 . 2008-03-15 20:17 98,368 --a------ C:\WINDOWS\system32\kavpvluq.dll
2008-03-13 20:21 . 2008-03-14 11:19 1,346,750 --ahs---- C:\WINDOWS\system32\jduyossy.ini
2008-03-13 13:28 . 2008-03-16 00:20 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-13 13:28 . 2008-03-13 13:28 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-13 01:16 . 2008-03-13 01:16 36,352 --a------ C:\WINDOWS\system32\wvuspnm.V23dll
2008-03-12 21:49 . 2008-03-12 21:49 36,352 --a------ C:\WINDOWS\system32\wvuspnm.V22dll
2008-03-12 21:38 . 2008-03-12 21:38 36,352 --a------ C:\WINDOWS\system32\wvuspnm.V21dll
2008-03-12 21:36 . 2008-03-12 21:36 36,352 --a------ C:\WINDOWS\system32\wvuspnm.Vdll
2008-03-11 23:01 . 2008-03-11 23:01 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-11 17:38 . 2008-03-13 11:36 1,321,480 --ahs---- C:\WINDOWS\system32\emxinmtw.ini
2008-03-11 17:38 . 2008-03-11 17:38 86,592 --a------ C:\WINDOWS\system32\wtmnixme.dll
2008-03-11 17:35 . 2008-03-11 17:35 93,248 --a------ C:\WINDOWS\system32\jqjsbhho.dll
2008-03-11 17:32 . 2008-03-11 17:32 90,688 --a------ C:\WINDOWS\system32\gxlmaalg.dll
2008-03-10 17:35 . 2008-03-11 17:06 1,315,590 --ahs---- C:\WINDOWS\system32\xivpadaw.ini
2008-03-07 12:15 . 2008-03-07 12:15 1,307,561 --ahs---- C:\WINDOWS\system32\ocvyqjej.ini
2008-03-07 02:11 . 2008-03-07 02:11 32,764 --a------ C:\WINDOWS\17PHolmes572.exe
2008-03-07 02:10 . 2008-03-07 02:10 36,352 --a------ C:\WINDOWS\system32\wvuspnm.dll
2008-02-23 16:17 . 2007-08-21 10:58 146,944 --a------ C:\WINDOWS\system32\st325602.dll
2008-02-23 14:08 . 2008-03-18 23:35 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-23 13:12 . 2000-12-05 10:11 4,174,814 --a------ C:\WINDOWS\system32\ct4mgm.sf2
2008-02-23 13:12 . 2005-05-25 18:34 158,464 --a------ C:\WINDOWS\system32\drivers\ctusfsyn.sys
2008-02-23 13:12 . 2005-01-10 19:15 138,752 --a------ C:\WINDOWS\system32\drivers\ctsfm2k.sys
2008-02-23 13:12 . 2005-01-10 19:15 115,200 --a------ C:\WINDOWS\system32\sfms32.dll
2008-02-23 13:12 . 2005-01-10 19:15 106,496 --a------ C:\WINDOWS\system32\drivers\ctoss2k.sys
2008-02-23 13:12 . 2005-01-10 19:15 20,992 --a------ C:\WINDOWS\system32\sfman32.dll
2008-02-23 13:12 . 2002-01-03 00:44 59 --a------ C:\WINDOWS\system32\default4.sfm
2008-02-23 13:11 . 2006-01-18 23:07 160,768 --a------ C:\WINDOWS\system32\cifilter.dll
2008-02-23 13:11 . 2005-12-07 12:34 40,448 --a------ C:\WINDOWS\system32\CiEcho.dll
2008-02-23 13:11 . 2005-10-29 20:42 11,776 --a------ C:\WINDOWS\inres.dll
2008-02-23 01:13 . 2008-02-23 01:13 <DIR> d-------- C:\Program Files\Creative
2008-02-23 01:13 . 2006-01-04 16:41 1,389,056 --a------ C:\WINDOWS\system32\drivers\monfilt.sys
2008-02-23 01:13 . 2006-01-19 10:49 22,629 --a------ C:\WINDOWS\system32\CiFilter.ini
2008-02-23 01:13 . 2008-02-23 13:12 424 -rah----- C:\WINDOWS\ctfile.rfc

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-19 04:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-19 04:55 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-19 03:20 --------- d-----w C:\Program Files\ESET
2008-03-12 03:57 --------- d-----w C:\Program Files\Common Files\Real
2008-02-23 20:17 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-23 18:06 --------- d-----w C:\Program Files\Ace Utilities
2008-02-14 20:06 --------- d-----w C:\Documents and Settings\Russell\Application Data\ArcSoft
2008-02-14 19:54 --------- d-----w C:\Documents and Settings\Russell\Application Data\Canon
2008-02-14 19:46 --------- d-----w C:\Program Files\Canon
2008-02-14 19:45 --------- d-----w C:\Program Files\Common Files\ScanSoft Shared
2008-02-14 19:45 --------- d-----w C:\Documents and Settings\Russell\Application Data\ScanSoft
2008-02-14 19:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\ScanSoft
2008-02-14 19:44 --------- d-----w C:\Program Files\ScanSoft
2008-02-14 19:42 --------- d-----w C:\Program Files\ArcSoft
2008-02-14 19:39 --------- d--h--w C:\Documents and Settings\All Users\Application Data\CanonBJ
2008-02-14 19:38 --------- d--h--w C:\Program Files\CanonBJ
2008-02-12 06:09 --------- d-----w C:\Program Files\Google
2008-02-09 02:41 --------- d-----w C:\Program Files\XP Smoker
2008-01-20 07:12 --------- d-----w C:\Documents and Settings\Russell\Application Data\InstallShield
2008-01-14 21:48 681,984 ----a-w C:\WINDOWS\is-E4S7I.exe
2008-01-14 03:00 246 ----a-w C:\Program Files\Common Files\lacu
2007-02-03 02:01 56 --sha-r C:\WINDOWS\system32\388022A7CC.sys
2007-02-27 07:15 88 --sha-r C:\WINDOWS\system32\CCA7228038.sys
2007-02-27 07:15 6,216 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

<pre>
----a-w 313,472 2008-01-14 06:47:25 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe
----a-w 61,440 2008-01-14 06:47:16 C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy .exe
----a-w 45,056 2008-01-14 06:47:12 C:\Program Files\ATI Technologies\ATI.ACE\cli .exe
----a-w 81,920 2008-01-14 06:47:16 C:\Program Files\Common Files\InstallShield\UpdateService\issch .exe
----a-w 49,152 2008-01-14 06:47:12 C:\Program Files\CyberLink\PowerDVD\DVDLauncher .exe
----a-w 460,784 2008-01-14 06:47:27 C:\Program Files\DellSupport\DSAgnt .exe
----a-w 696,320 2008-01-14 06:47:20 C:\Program Files\Intel\Wireless\Bin\ifrmewrk .exe
----a-w 802,816 2008-01-14 06:47:21 C:\Program Files\Intel\Wireless\Bin\ZCfgSvc .exe
----a-w 267,064 2008-01-14 06:47:20 C:\Program Files\iTunes\iTunesHelper .exe
----a-w 1,694,208 2008-01-14 04:32:16 C:\Program Files\Messenger\msmsgs .exe
----a-w 761,947 2008-01-14 06:47:14 C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
----a-w 67,584 2008-01-14 06:47:10 C:\WINDOWS\ehome\ehtray .exe
----a-w 122,941 2008-01-14 06:47:17 C:\WINDOWS\system32\dla\tfswctrl .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{014f5f82-2d71-45ac-98c9-d78976fa1812}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{16F1EFD4-D9EE-47CE-AD44-5A97D0063803}]
C:\WINDOWS\system32\mlljk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1B2A5AA0-7BE2-4612-83E9-425D05F079E4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{22342B44-5B98-4B30-9D53-C182AD8DF217}]
2008-03-07 02:10 36352 --a------ C:\WINDOWS\system32\wvuspnm.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-01-16 22:52 949376]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2006-10-16 21:40 1197648]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\Quickset.exe" [2007-05-14 15:23 1191936]
"SigmatelSysTrayApp"="C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 11:22 405504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{22342B44-5B98-4B30-9D53-C182AD8DF217}"= C:\WINDOWS\system32\wvuspnm.dll [2008-03-07 02:10 36352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvuspnm]
wvuspnm.dll 2008-03-07 02:10 36352 C:\WINDOWS\system32\wvuspnm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
"OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\iTunes\\iTunes.exe"=

S3 AngelUsb;Angel USB MPEG Device;C:\WINDOWS\system32\DRIVERS\AngelUsb.sys [2005-02-17 10:06]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6ffdf6fc-c474-11dc-9d80-0015c50f5836}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6ffdf6fd-c474-11dc-9d80-0015c50f5836}]
\Shell\AutoRun\command - setupSNK.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-03-11 18:37:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-20 12:35:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\wvuspnm.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
.
**************************************************************************
.
Completion time: 2008-03-20 12:38:01 - machine was rebooted [Russell]
ComboFix-quarantined-files.txt 2008-03-20 16:37:55
ComboFix2.txt 2008-02-09 02:13:32
ComboFix3.txt 2008-01-17 00:16:56
.
2008-03-18 00:09:15 --- E O F ---

JoshProto23
2008-03-20, 18:49
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:39:27 PM, on 3/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cm.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {16F1EFD4-D9EE-47CE-AD44-5A97D0063803} - C:\WINDOWS\system32\mlljk.dll (file missing)
O2 - BHO: (no name) - {22342B44-5B98-4B30-9D53-C182AD8DF217} - C:\WINDOWS\system32\wvuspnm.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O20 - Winlogon Notify: wvuspnm - C:\WINDOWS\SYSTEM32\wvuspnm.dll
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 6736 bytes

pskelley
2008-03-20, 19:24
You have a nasty file infector variety of Vundo, wish us luck.

1) We need first to disable TeaTimer so that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
* On the left hand side, click on Tools.
* Then click on the Resident icon in the list.
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)

2) Open notepad and copy/paste the text in the codebox below into it:


RenV::
----a-w 313,472 2008-01-14 06:47:25 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe
----a-w 61,440 2008-01-14 06:47:16 C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy .exe
----a-w 45,056 2008-01-14 06:47:12 C:\Program Files\ATI Technologies\ATI.ACE\cli .exe
----a-w 81,920 2008-01-14 06:47:16 C:\Program Files\Common Files\InstallShield\UpdateService\issch .exe
----a-w 49,152 2008-01-14 06:47:12 C:\Program Files\CyberLink\PowerDVD\DVDLauncher .exe
----a-w 460,784 2008-01-14 06:47:27 C:\Program Files\DellSupport\DSAgnt .exe
----a-w 696,320 2008-01-14 06:47:20 C:\Program Files\Intel\Wireless\Bin\ifrmewrk .exe
----a-w 802,816 2008-01-14 06:47:21 C:\Program Files\Intel\Wireless\Bin\ZCfgSvc .exe
----a-w 267,064 2008-01-14 06:47:20 C:\Program Files\iTunes\iTunesHelper .exe
----a-w 1,694,208 2008-01-14 04:32:16 C:\Program Files\Messenger\msmsgs .exe
----a-w 761,947 2008-01-14 06:47:14 C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
----a-w 67,584 2008-01-14 06:47:10 C:\WINDOWS\ehome\ehtray .exe
----a-w 122,941 2008-01-14 06:47:17 C:\WINDOWS\system32\dla\tfswctrl .exe

File::
C:\WINDOWS\system32\wvuspnm.dll

Save this as CFScript

http://i24.photobucket.com/albums/c30/ken545/CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Thanks
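
The script-building step in the post above (copy the "name .exe" lines from ComboFix's <pre> block into a RenV:: section, put the Winlogon Notify DLL into a File:: section) is mechanical enough to automate, and the same log lines expose every load point this Vundo variant uses: the Winlogon Notify package, the nameless BHO, and the ShellExecuteHooks value. The Python below is an added example, not part of the original post and not code from ComboFix, HijackThis or Spybot. It parses the HijackThis O2/O20 lines and the ComboFix <pre> and shellexecutehooks lines shown in this thread, separates DLLs that are still on disk (candidates for File::) from registry entries whose DLL is already gone (orphans that HijackThis can fix), and drafts the CFScript text. The KNOWN_NOTIFY allowlist and the random-name heuristic are assumptions of this example, and the sample log is assembled from lines already posted above.

```python
"""Triage helper for the Vundo indicators shown in this thread (added example).

Parses HijackThis O2/O20 lines and ComboFix '<pre>' (displaced "name .exe")
and shellexecutehooks lines, separates DLLs still on disk from orphaned
registry entries, and drafts the CFScript sections the helper built by hand.
"""
import re
from dataclasses import dataclass, field
from typing import List

# ComboFix "<pre>" block: "<attrs> <size> <yyyy-mm-dd hh:mm:ss> <path> .exe"
RENV_RE = re.compile(
    r"^[-a-z]{7}\s+[\d,]+\s+\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\s+(?P<path>.+ \.exe)$", re.I)
# HijackThis O20 Winlogon Notify and O2 BHO lines, each with optional "(file missing)"
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<dll>.+?)(?P<missing> \(file missing\))?$")
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<dll>.+?)(?P<missing> \(file missing\))?$")
# ComboFix shellexecutehooks value: "{CLSID}"= <dll> [date time size]
SEH_RE = re.compile(r'^"\{(?P<clsid>[0-9A-Fa-f-]{36})\}"=\s*(?P<dll>[^\s\[]+\.dll)', re.I)

# Assumption: Winlogon Notify packages on a stock XP SP2 install; anything else is suspect.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}
# Heuristic (assumption): Vundo's dropped DLLs are named with 5-8 random lowercase letters.
RANDOM_DLL_RE = re.compile(r"^[a-z]{5,8}\.dll$")


@dataclass
class Findings:
    displaced: List[str] = field(default_factory=list)       # verbatim ComboFix lines, for RenV::
    restored: List[str] = field(default_factory=list)        # paths those lines map back to
    present_dlls: List[str] = field(default_factory=list)    # malicious DLLs still on disk, for File::
    orphan_entries: List[str] = field(default_factory=list)  # load points whose DLL is already gone

    def add_dll(self, where: str, dll: str, missing: bool) -> None:
        if missing:
            self.orphan_entries.append(f"{where} -> {dll}")
        elif dll.lower() not in (d.lower() for d in self.present_dlls):
            self.present_dlls.append(dll)   # de-duplicate across HJT/ComboFix case differences


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(log_text: str) -> Findings:
    """Walk a pasted log and collect the Vundo load points it exposes."""
    found = Findings()
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := RENV_RE.match(line)):
            found.displaced.append(line)
            found.restored.append(m.group("path")[:-len(" .exe")] + ".exe")
        elif (m := O20_RE.match(line)) and m.group("key").lower() not in KNOWN_NOTIFY:
            found.add_dll(f"O20 {m.group('key')}", m.group("dll"), bool(m.group("missing")))
        elif (m := O2_RE.match(line)) and m.group("name") == "(no name)" \
                and RANDOM_DLL_RE.match(_basename(m.group("dll"))):
            found.add_dll(f"O2 {{{m.group('clsid')}}}", m.group("dll"), bool(m.group("missing")))
        elif (m := SEH_RE.match(line)) and RANDOM_DLL_RE.match(_basename(m.group("dll"))):
            found.add_dll(f"ShellExecuteHooks {{{m.group('clsid')}}}", m.group("dll"), False)
    return found


def build_cfscript(found: Findings) -> str:
    """Draft the CFScript as the helper did: RenV:: lines verbatim, then File::."""
    sections = []
    if found.displaced:
        sections.append("RenV::\n" + "\n".join(found.displaced))
    if found.present_dlls:
        sections.append("File::\n" + "\n".join(found.present_dlls))
    return "\n\n".join(sections) + "\n"


# Constructed sample: lines taken from the ComboFix and HijackThis logs in this thread.
SAMPLE_LOG = r"""
<pre>
----a-w 313,472 2008-01-14 06:47:25 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe
----a-w 67,584 2008-01-14 06:47:10 C:\WINDOWS\ehome\ehtray .exe
</pre>
"{22342B44-5B98-4B30-9D53-C182AD8DF217}"= C:\WINDOWS\system32\wvuspnm.dll [2008-03-07 02:10 36352]
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {16F1EFD4-D9EE-47CE-AD44-5A97D0063803} - C:\WINDOWS\system32\mlljk.dll (file missing)
O2 - BHO: (no name) - {22342B44-5B98-4B30-9D53-C182AD8DF217} - C:\WINDOWS\system32\wvuspnm.dll
O20 - Winlogon Notify: wvuspnm - C:\WINDOWS\SYSTEM32\wvuspnm.dll
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for entry in result.orphan_entries:
        print("orphan registry entry (fix with HijackThis):", entry)
    print(build_cfscript(result))
```

Run on the sample, the draft reproduces the two halves of the helper's script: the displaced lines under RenV:: and a single File:: entry for wvuspnm.dll, while mlljk.dll is reported as an orphan because its "(file missing)" marker means there is nothing left for ComboFix to delete, only a registry entry for HijackThis to remove. The same distinction is visible in the logs posted after the fix, where the O20 entry turns into "wvuspnm.dll (file missing)".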

JoshProto23
2008-03-20, 19:58
ComboFix 08-03-18.1 - Russell 2008-03-20 13:44:21.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1551 [GMT -4:00]
Running from: C:\Documents and Settings\Russell\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Russell\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\wvuspnm.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\wvuspnm.dll

.
((((((((((((((((((((((((( Files Created from 2008-02-20 to 2008-03-20 )))))))))))))))))))))))))))))))
.

2008-03-20 11:54 . 2008-03-20 12:15 <DIR> d-------- C:\VundoFix Backups
2008-03-19 01:24 . 2008-03-19 01:24 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-19 01:24 . 2008-03-19 01:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-19 00:53 . 2008-03-19 00:52 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-19 00:53 . 2008-03-19 00:53 2,548 --a------ C:\WINDOWS\unins000.dat
2008-03-18 23:17 . 2008-03-19 21:18 2,389,938 --ahs---- C:\WINDOWS\system32\jtfhxjcv.ini
2008-03-16 21:48 . 2008-03-17 23:05 1,359,787 --ahs---- C:\WINDOWS\system32\bbhddbav.ini
2008-03-15 20:21 . 2008-03-16 21:43 1,367,163 --ahs---- C:\WINDOWS\system32\tcwtvqul.ini
2008-03-15 20:17 . 2008-03-15 20:17 98,368 --a------ C:\WINDOWS\system32\kavpvluq.dll
2008-03-13 20:21 . 2008-03-14 11:19 1,346,750 --ahs---- C:\WINDOWS\system32\jduyossy.ini
2008-03-13 13:28 . 2008-03-16 00:20 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-13 13:28 . 2008-03-13 13:28 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-13 01:16 . 2008-03-13 01:16 36,352 --a------ C:\WINDOWS\system32\wvuspnm.V23dll
2008-03-12 21:49 . 2008-03-12 21:49 36,352 --a------ C:\WINDOWS\system32\wvuspnm.V22dll
2008-03-12 21:38 . 2008-03-12 21:38 36,352 --a------ C:\WINDOWS\system32\wvuspnm.V21dll
2008-03-12 21:36 . 2008-03-12 21:36 36,352 --a------ C:\WINDOWS\system32\wvuspnm.Vdll
2008-03-11 23:01 . 2008-03-11 23:01 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-11 17:38 . 2008-03-13 11:36 1,321,480 --ahs---- C:\WINDOWS\system32\emxinmtw.ini
2008-03-11 17:38 . 2008-03-11 17:38 86,592 --a------ C:\WINDOWS\system32\wtmnixme.dll
2008-03-11 17:35 . 2008-03-11 17:35 93,248 --a------ C:\WINDOWS\system32\jqjsbhho.dll
2008-03-11 17:32 . 2008-03-11 17:32 90,688 --a------ C:\WINDOWS\system32\gxlmaalg.dll
2008-03-10 17:35 . 2008-03-11 17:06 1,315,590 --ahs---- C:\WINDOWS\system32\xivpadaw.ini
2008-03-07 12:15 . 2008-03-07 12:15 1,307,561 --ahs---- C:\WINDOWS\system32\ocvyqjej.ini
2008-03-07 02:11 . 2008-03-07 02:11 32,764 --a------ C:\WINDOWS\17PHolmes572.exe
2008-02-23 16:17 . 2007-08-21 10:58 146,944 --a------ C:\WINDOWS\system32\st325602.dll
2008-02-23 14:08 . 2008-03-18 23:35 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-23 13:12 . 2000-12-05 10:11 4,174,814 --a------ C:\WINDOWS\system32\ct4mgm.sf2
2008-02-23 13:12 . 2005-05-25 18:34 158,464 --a------ C:\WINDOWS\system32\drivers\ctusfsyn.sys
2008-02-23 13:12 . 2005-01-10 19:15 138,752 --a------ C:\WINDOWS\system32\drivers\ctsfm2k.sys
2008-02-23 13:12 . 2005-01-10 19:15 115,200 --a------ C:\WINDOWS\system32\sfms32.dll
2008-02-23 13:12 . 2005-01-10 19:15 106,496 --a------ C:\WINDOWS\system32\drivers\ctoss2k.sys
2008-02-23 13:12 . 2005-01-10 19:15 20,992 --a------ C:\WINDOWS\system32\sfman32.dll
2008-02-23 13:12 . 2002-01-03 00:44 59 --a------ C:\WINDOWS\system32\default4.sfm
2008-02-23 13:11 . 2006-01-18 23:07 160,768 --a------ C:\WINDOWS\system32\cifilter.dll
2008-02-23 13:11 . 2005-12-07 12:34 40,448 --a------ C:\WINDOWS\system32\CiEcho.dll
2008-02-23 13:11 . 2005-10-29 20:42 11,776 --a------ C:\WINDOWS\inres.dll
2008-02-23 01:13 . 2008-02-23 01:13 <DIR> d-------- C:\Program Files\Creative
2008-02-23 01:13 . 2006-01-04 16:41 1,389,056 --a------ C:\WINDOWS\system32\drivers\monfilt.sys
2008-02-23 01:13 . 2006-01-19 10:49 22,629 --a------ C:\WINDOWS\system32\CiFilter.ini
2008-02-23 01:13 . 2008-02-23 13:12 424 -rah----- C:\WINDOWS\ctfile.rfc

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-20 17:44 --------- d-----w C:\Program Files\iTunes
2008-03-20 17:44 --------- d-----w C:\Program Files\DellSupport
2008-03-19 04:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-19 04:55 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-19 03:20 --------- d-----w C:\Program Files\ESET
2008-03-12 03:57 --------- d-----w C:\Program Files\Common Files\Real
2008-02-23 20:17 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-23 18:06 --------- d-----w C:\Program Files\Ace Utilities
2008-02-14 20:06 --------- d-----w C:\Documents and Settings\Russell\Application Data\ArcSoft
2008-02-14 19:54 --------- d-----w C:\Documents and Settings\Russell\Application Data\Canon
2008-02-14 19:46 --------- d-----w C:\Program Files\Canon
2008-02-14 19:45 --------- d-----w C:\Program Files\Common Files\ScanSoft Shared
2008-02-14 19:45 --------- d-----w C:\Documents and Settings\Russell\Application Data\ScanSoft
2008-02-14 19:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\ScanSoft
2008-02-14 19:44 --------- d-----w C:\Program Files\ScanSoft
2008-02-14 19:42 --------- d-----w C:\Program Files\ArcSoft
2008-02-14 19:39 --------- d--h--w C:\Documents and Settings\All Users\Application Data\CanonBJ
2008-02-14 19:38 --------- d--h--w C:\Program Files\CanonBJ
2008-02-12 06:09 --------- d-----w C:\Program Files\Google
2008-02-09 02:41 --------- d-----w C:\Program Files\XP Smoker
2008-01-20 07:12 --------- d-----w C:\Documents and Settings\Russell\Application Data\InstallShield
2008-01-14 21:48 681,984 ----a-w C:\WINDOWS\is-E4S7I.exe
2008-01-14 03:00 246 ----a-w C:\Program Files\Common Files\lacu
2007-02-03 02:01 56 --sha-r C:\WINDOWS\system32\388022A7CC.sys
2007-02-27 07:15 88 --sha-r C:\WINDOWS\system32\CCA7228038.sys
2007-02-27 07:15 6,216 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-03-20_12.37.21.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-14 06:47:10 67,584 ----a-w C:\WINDOWS\ehome\ehtray.exe
+ 2008-01-14 06:47:17 122,941 ----a-w C:\WINDOWS\system32\dla\tfswctrl.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{16F1EFD4-D9EE-47CE-AD44-5A97D0063803}]
C:\WINDOWS\system32\mlljk.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-01-16 22:52 949376]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2006-10-16 21:40 1197648]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\Quickset.exe" [2007-05-14 15:23 1191936]
"SigmatelSysTrayApp"="C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 11:22 405504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvuspnm]
wvuspnm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
"OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\iTunes\\iTunes.exe"=

S3 AngelUsb;Angel USB MPEG Device;C:\WINDOWS\system32\DRIVERS\AngelUsb.sys [2005-02-17 10:06]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6ffdf6fc-c474-11dc-9d80-0015c50f5836}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6ffdf6fd-c474-11dc-9d80-0015c50f5836}]
\Shell\AutoRun\command - setupSNK.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-03-11 18:37:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-20 13:49:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
.
**************************************************************************
.
Completion time: 2008-03-20 13:51:21 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-20 17:51:18
ComboFix2.txt 2008-03-20 16:38:02
ComboFix3.txt 2008-02-09 02:13:32
ComboFix4.txt 2008-01-17 00:16:56
.
2008-03-18 00:09:15 --- E O F ---

JoshProto23
2008-03-20, 20:00
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:54:01 PM, on 3/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cm.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {16F1EFD4-D9EE-47CE-AD44-5A97D0063803} - C:\WINDOWS\system32\mlljk.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O20 - Winlogon Notify: wvuspnm - wvuspnm.dll (file missing)
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 6495 bytes

pskelley
2008-03-20, 21:10
Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - {16F1EFD4-D9EE-47CE-AD44-5A97D0063803} - C:\WINDOWS\system32\mlljk.dll (file missing)
O20 - Winlogon Notify: wvuspnm - wvuspnm.dll (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

How is the computer running?

I am sure you saw this:
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Review that information to understand Recovery Console. Installation is optional, but if you do not have the CDs needed, as is explained, it can be installed before we remove combofix.
If you do not wish to install RC, let me know so I can continue with the cleanup.

Thanks

JoshProto23
2008-03-20, 22:06
I performed the HijackThis scan, selected the two line items and clicked "Fix Checked".

I also went ahead and installed the Recovery Console just to be on the safe side. (Thanks for tipping me off on this.) I rebooted to make sure the Recovery Console prompt was there... and it was.

Finally, I ran ATF Cleaner and emptied all of the selections.

My computer seems to be running much better now. We must be getting pretty close. Thanks so much for continuing to work with me!

pskelley
2008-03-20, 22:19
Sounds good. We have some infected System Restore files to clean, so expect that. First remove Vundofix, C:\Vundofix Backups\, combofix and the C:\Qoobox\Quarantine\ folder, then run a new Kaspersky Online Scan using these settings.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make sure that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* The program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here.

Thanks

JoshProto23
2008-03-20, 23:41
After the Kaspersky scan was completed, NOD32 popped-up saying a threat was detected.

Alert details
File:
C:\WINDOWS\system32\gxlmaalg.dll

Threat:
Win32/Adware.AdMedia application

I haven't taken any action to delete the threat. I will wait for your instructions.

Here are the Kaspersky scan results:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, March 20, 2008 5:26:24 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 20/03/2008
Kaspersky Anti-Virus database records: 583949
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 70705
Number of viruses found: 4
Number of infected objects: 8
Number of suspicious objects: 0
Duration of the scan process: 00:54:05

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_24adf822-76f7-4481-b30b-ff1b40f8687f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Russell\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Russell\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Russell\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Russell\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Russell\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Russell\Local Settings\History\History.IE5\MSHist012008032020080321\index.dat Object is locked skipped
C:\Documents and Settings\Russell\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Russell\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Russell\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Russell\ntuser.dat.LOG Object is locked skipped
C:\Program Files\ESET\cache\CACHE.NDB Object is locked skipped
C:\Program Files\ESET\cache\FND0.NFI/data0003 Infected: Trojan.Win32.Scapur.k skipped
C:\Program Files\ESET\cache\FND0.NFI NSIS: infected - 1 skipped
C:\Program Files\ESET\cache\FND0.NFI PE-Crypt.XorPE: infected - 1 skipped
C:\Program Files\ESET\cache\FND2.NFI/data0006 Infected: Trojan-Downloader.Win32.VB.caw skipped
C:\Program Files\ESET\cache\FND2.NFI NSIS: infected - 1 skipped
C:\Program Files\ESET\cache\FND2.NFI PE-Crypt.XorPE: infected - 1 skipped
C:\Program Files\ESET\cache\FND3.NFI Infected: Trojan-Downloader.Win32.Agent.krh skipped
C:\Program Files\ESET\logs\virlog.dat Object is locked skipped
C:\Program Files\ESET\logs\warnlog.dat Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP416\A0095700.exe Infected: Trojan-Downloader.Win32.Agent.kub skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP473\A0107217.dll Object is locked skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP473\A0107221.dll Object is locked skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP475\change.log Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_Conexant HDA D110 MDC V.92 Modem.txt Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{034DAA04-17ED-45D3-803E-75DF01A55545}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{D790FBBF-AAE2-4BB8-A096-6181CAB01700}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\gxlmaalg.dll Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\jqjsbhho.dll Object is locked skipped
C:\WINDOWS\system32\kavpvluq.dll Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wtmnixme.dll Object is locked skipped
C:\WINDOWS\system32\wvuspnm.V00dll Object is locked skipped
C:\WINDOWS\system32\wvuspnm.V01dll Object is locked skipped
C:\WINDOWS\system32\wvuspnm.V02dll Object is locked skipped
C:\WINDOWS\system32\wvuspnm.V03dll Object is locked skipped
C:\WINDOWS\system32\wvuspnm.V04dll Object is locked skipped
C:\WINDOWS\system32\wvuspnm.V05dll Object is locked skipped
C:\WINDOWS\system32\wvuspnm.V06dll Object is locked skipped
C:\WINDOWS\system32\wvuspnm.V07dll Object is locked skipped
C:\WINDOWS\system32\wvuspnm.V08dll Object is locked skipped
C:\WINDOWS\system32\wvuspnm.V09dll Object is locked skipped
C:\WINDOWS\system32\wvuspnm.V10dll Object is locked skipped
C:\WINDOWS\system32\wvuspnm.V11dll Object is locked skipped
C:\WINDOWS\system32\wvuspnm.V12dll Object is locked skipped
C:\WINDOWS\system32\wvuspnm.V13dll Object is locked skipped
C:\WINDOWS\system32\wvuspnm.V14dll Object is locked skipped
C:\WINDOWS\system32\wvuspnm.V15dll Object is locked skipped
C:\WINDOWS\system32\wvuspnm.V16dll Object is locked skipped
C:\WINDOWS\system32\wvuspnm.V17dll Object is locked skipped
C:\WINDOWS\system32\wvuspnm.V18dll Object is locked skipped
C:\WINDOWS\system32\wvuspnm.V19dll Object is locked skipped
C:\WINDOWS\system32\wvuspnm.V20dll Object is locked skipped
C:\WINDOWS\system32\wvuspnm.V21dll Object is locked skipped
C:\WINDOWS\system32\wvuspnm.V22dll Object is locked skipped
C:\WINDOWS\system32\wvuspnm.V23dll Object is locked skipped
C:\WINDOWS\system32\wvuspnm.Vdll Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

pskelley
2008-03-21, 00:05
Thanks for returning your information.

1) C:\Program Files\ESET\cache\ <<< delete the contents of the ESET cache

2) When everything else is finished, use the information in the link to reset your System Restore files.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP416\A0095700.exe ------> Trojan-Downloader.Win32.Agent.kub
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

3) Indulge me a bit here. I am going to ask you to check these items; I am not sure why Kaspersky is saying they are "Locked Objects".
I am under the impression the user sets this condition? Here are all items showing as "Locked":

C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare <<< scan that file

(scan each of these)
C:\WINDOWS\system32\gxlmaalg.dll
C:\WINDOWS\system32\jqjsbhho.dll
C:\WINDOWS\system32\kavpvluq.dll
C:\WINDOWS\system32\wtmnixme.dll

(scan one or two of these to establish what they are)
C:\WINDOWS\system32\wvuspnm.V00dll
C:\WINDOWS\system32\wvuspnm.V01dll
C:\WINDOWS\system32\wvuspnm.V02dll
C:\WINDOWS\system32\wvuspnm.V03dll
C:\WINDOWS\system32\wvuspnm.V04dll
C:\WINDOWS\system32\wvuspnm.V05dll
C:\WINDOWS\system32\wvuspnm.V06dll
C:\WINDOWS\system32\wvuspnm.V07dll
C:\WINDOWS\system32\wvuspnm.V08dll
C:\WINDOWS\system32\wvuspnm.V09dll
C:\WINDOWS\system32\wvuspnm.V10dll
C:\WINDOWS\system32\wvuspnm.V11dll
C:\WINDOWS\system32\wvuspnm.V12dll
C:\WINDOWS\system32\wvuspnm.V13dll
C:\WINDOWS\system32\wvuspnm.V14dll
C:\WINDOWS\system32\wvuspnm.V15dll
C:\WINDOWS\system32\wvuspnm.V16dll
C:\WINDOWS\system32\wvuspnm.V17dll
C:\WINDOWS\system32\wvuspnm.V18dll
C:\WINDOWS\system32\wvuspnm.V19dll
C:\WINDOWS\system32\wvuspnm.V20dll
C:\WINDOWS\system32\wvuspnm.V21dll
C:\WINDOWS\system32\wvuspnm.V22dll
C:\WINDOWS\system32\wvuspnm.V23dll
C:\WINDOWS\system32\wvuspnm.Vdll

Here are free online scanners, use one or more until you establish what the file is.

http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/

Let me know what you find out and if any scan as infected, delete them if you can.
I have been looking at the wvuspnm items since we started, wondering what they are.

Thanks
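
An added example, not part of this thread or of any Kaspersky or ESET tool: a small Python triage script that parses report lines in the format posted above and separates real detections from "Object is locked" skips, grouping locked files that sit directly in system32 by name stem so a run like wvuspnm.V00dll ... wvuspnm.V23dll stands out from the registry hives and event logs that are always locked. The sample lines are constructed from the report above; the paths and detection names are the ones on the page.

```python
"""Triage helper for Kaspersky Online Scanner 5.x report lines (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a few lines copied in the format of the report posted above.
SAMPLE_REPORT = r"""
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\Program Files\ESET\cache\FND0.NFI/data0003 Infected: Trojan.Win32.Scapur.k skipped
C:\Program Files\ESET\cache\FND0.NFI NSIS: infected - 1 skipped
C:\Program Files\ESET\cache\FND3.NFI Infected: Trojan-Downloader.Win32.Agent.krh skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP416\A0095700.exe Infected: Trojan-Downloader.Win32.Agent.kub skipped
C:\WINDOWS\system32\gxlmaalg.dll Object is locked skipped
C:\WINDOWS\system32\wvuspnm.V00dll Object is locked skipped
C:\WINDOWS\system32\wvuspnm.V01dll Object is locked skipped
C:\WINDOWS\system32\wvuspnm.Vdll Object is locked skipped
"""

# Line format seen in the report: "<path> <verdict> <last action>".
# Verdicts observed: "Object is locked", "Infected: <name>", "<packer>: infected - <n>".
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<verdict>Object is locked"
    r"|Infected: (?P<threat>\S+)"
    r"|(?P<packer>[\w.-]+): infected - \d+)\s+"
    r"(?P<action>skipped|deleted|disinfected|quarantined)$"
)


@dataclass
class Entry:
    path: str
    locked: bool            # True when the scanner could not open the object
    threat: Optional[str]   # detection name (or packer flag), None for a locked object
    action: str


def parse_report(text: str) -> list:
    """Parse the 'Infected Object Name / Virus Name / Last Action' lines; skip anything else."""
    entries = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        threat = m.group("threat") or (m.group("packer") and m.group("packer") + " (packed)")
        locked = m.group("verdict") == "Object is locked"
        entries.append(Entry(m.group("path"), locked, threat, m.group("action")))
    return entries


def detections(entries):
    """Only what the scanner actually flagged, not what it skipped as locked."""
    return [e for e in entries if e.threat is not None]


def restore_point_detections(entries):
    """Infected copies inside System Restore: these go away by resetting System Restore."""
    return [e for e in detections(entries)
            if "\\system volume information\\_restore" in e.path.lower()]


def locked_system32_families(entries):
    """Group locked DLL-like files that sit directly in system32 by the part before the first dot."""
    families = defaultdict(list)
    for e in entries:
        parent, _, name = e.path.rpartition("\\")
        if not e.locked or not parent.lower().endswith("\\windows\\system32"):
            continue
        if "dll" not in name.lower():   # wvuspnm.V00dll does not end in .dll, so match loosely
            continue
        families[name.split(".", 1)[0].lower()].append(name)
    return dict(families)


def triage(text: str) -> dict:
    entries = parse_report(text)
    return {
        "entries": len(entries),
        "detections": [(e.path, e.threat) for e in detections(entries)],
        "restore_point": [e.path for e in restore_point_detections(entries)],
        "locked_system32": locked_system32_families(entries),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(key, "->", value)
```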

JoshProto23
2008-03-21, 00:21
1) C:\Program Files\ESET\cache\ <<< delete the contents of the ESET cache

I tried to delete the contents of the ESET cache but a file named "CACHE.NDB" would not delete. An alert comes up and says that the file is being used by another person or program. I rebooted and tried deleting again but it still would not delete. Is it OK to continue with the rest of the steps you asked me to do? Thanks.

pskelley
2008-03-21, 00:30
While I understand it is a very good product, I have never used it and a quick Google returned no information about the cache.
I suggest you ask: http://www.eset.com/
or try a free forum:
http://www.wilderssecurity.com/forumdisplay.php?f=15
http://www.google.com/search?hl=en&q=ESET+help+forum&btnG=Search

pskelley
2008-03-21, 01:09
Looks like that one is valid:
Index of /cache/ndb/
and these were the infected files:
C:\Program Files\ESET\cache\FND0.NFI
C:\Program Files\ESET\cache\FND2.NFI
C:\Program Files\ESET\cache\FND3.NFI
http://www.google.com/search?hl=en&q=FND0.NFI&btnG=Search

Hope that helps...

JoshProto23
2008-03-21, 01:54
Great! Thank you for finding that information. I was waiting on responses from the NOD32 forums but I will now proceed with your other instructions.

JoshProto23
2008-03-21, 02:09
It appears that NOD32 has deleted the infected files. I'll perform another Kaspersky scan to make sure they truly are gone.

JoshProto23
2008-03-21, 03:02
Here are the new Kaspersky scan results. Looks like it didn't find any viruses this time. We can pick up from this point tomorrow (Friday) if you like or keep going. Thanks sooo much.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, March 20, 2008 8:52:45 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 20/03/2008
Kaspersky Anti-Virus database records: 584963
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 58945
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 00:44:59

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_24adf822-76f7-4481-b30b-ff1b40f8687f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Russell\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Russell\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Russell\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Russell\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Russell\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Russell\Local Settings\History\History.IE5\MSHist012008032020080321\index.dat Object is locked skipped
C:\Documents and Settings\Russell\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Russell\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Russell\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Russell\ntuser.dat.LOG Object is locked skipped
C:\Program Files\ESET\cache\CACHE.NDB Object is locked skipped
C:\Program Files\ESET\logs\virlog.dat Object is locked skipped
C:\Program Files\ESET\logs\warnlog.dat Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP477\change.log Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{210C7362-47AB-437D-BCEF-EC290C1A0ACF}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

pskelley
2008-03-21, 11:28
Thanks for that feedback. Are you saying NOD32 removed the items like this
"C:\WINDOWS\system32\wvuspnm.V00dll" or did you delete them manually? Did you manage to scan any to see what they were?

Are you having any malware issues now?

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

JoshProto23
2008-03-21, 17:31
It appears that much later in the removal process, NOD32 detected all of the items you asked me to check. I did not take any action at the time because I didn't know how it would disrupt the removal process that we were going through.

I decided last night to go ahead and ask NOD32 to delete its findings. As I began deleting, I saw that the files it was deleting were the files you asked me to check. I then ran the last Kaspersky scan and a Spybot scan and both came up clear. I've also manually searched for these bad files and can't find them anywhere on my computer. Everything has been working great.

I'm not sure why NOD32 found those files so late in the process or what triggered it to do so. All I know is that I appreciate all of your help immensely! I actually learned a lot through this process and am very thankful to know that people like you are here to help.

Much Thanks! :2thumb:
Josh