ravelink69
2008-07-18, 19:50
I was using the following thread in the archives: http://forums.spybot.info/archive/index.php/t-23765.html but I got different results when running the scans. ComboFix.exe did not delete the file. Here is my ComboFix log and HijackThis log.
ComboFix 08-07-17.4 - robh 2008-07-18 11:27:55.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.438 [GMT -5:00]
Running from: C:\Documents and Settings\robh\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\robh\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\temp\tn3
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete
.
((((((((((((((((((((((((( Files Created from 2008-06-18 to 2008-07-18 )))))))))))))))))))))))))))))))
.
2008-07-18 11:31 . 2008-07-18 11:31 <DIR> d-------- C:\Temp\tn3
2008-07-18 09:19 . 2008-07-18 09:19 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-07-17 14:56 . 2008-07-18 11:32 932 --------- C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk
2008-07-07 10:11 . 2008-04-14 05:42 1,306,624 --------- C:\WINDOWS\SYSTEM32\msxml6.dll
2008-07-07 10:11 . 2008-04-14 05:42 1,306,624 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msxml6.dll
2008-07-07 10:11 . 2008-04-14 05:41 233,472 --------- C:\WINDOWS\SYSTEM32\azroles.dll
2008-07-07 10:11 . 2008-04-14 05:41 136,192 --------- C:\WINDOWS\SYSTEM32\aaclient.dll
2008-07-07 10:11 . 2008-04-13 22:57 79,872 --------- C:\WINDOWS\SYSTEM32\msxml6r.dll
2008-07-07 10:11 . 2008-04-13 22:57 79,872 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msxml6r.dll
2008-07-07 10:11 . 2008-04-14 05:42 10,752 --------- C:\WINDOWS\SYSTEM32\smtpapi.dll
2008-07-07 10:11 . 2008-04-14 05:42 9,728 --------- C:\WINDOWS\SYSTEM32\rwnh.dll
2008-07-07 09:59 . 2008-04-13 22:06 144,384 --------- C:\WINDOWS\SYSTEM32\DRIVERS\hdaudbus.sys
2008-07-07 09:59 . 2008-04-14 00:10 10,240 --------- C:\WINDOWS\SYSTEM32\DRIVERS\sffp_mmc.sys
2008-07-07 09:56 . 2006-12-29 00:31 19,569 --a------ C:\WINDOWS\003552_.tmp
2008-07-02 17:34 . 2008-07-07 10:10 <DIR> d-------- C:\WINDOWS\SYSTEM32\scripting
2008-07-02 17:34 . 2008-07-07 10:10 <DIR> d-------- C:\WINDOWS\SYSTEM32\en
2008-07-02 17:34 . 2008-07-07 10:10 <DIR> d-------- C:\WINDOWS\SYSTEM32\bits
2008-07-02 17:34 . 2008-07-07 10:10 <DIR> d-------- C:\WINDOWS\l2schemas
2008-07-02 17:34 . 2008-04-14 05:42 539,136 --a------ C:\WINDOWS\SYSTEM32\SET10E6.tmp
2008-07-02 17:34 . 2008-04-14 05:42 354,304 --a------ C:\WINDOWS\SYSTEM32\SET10B5.tmp
2008-07-02 17:34 . 2008-04-14 05:40 177,152 --a------ C:\WINDOWS\SYSTEM32\SET10E8.tmp
2008-07-02 17:34 . 2008-04-14 05:42 80,896 --a------ C:\WINDOWS\SYSTEM32\SET10B0.tmp
2008-07-02 17:34 . 2008-04-14 05:42 6,656 --a------ C:\WINDOWS\SYSTEM32\SET10AD.tmp
2008-07-02 17:27 . 2008-04-14 05:42 471,552 --a------ C:\WINDOWS\SYSTEM32\SET69B.tmp
2008-07-02 17:27 . 2008-04-14 05:41 95,744 --a------ C:\WINDOWS\SYSTEM32\SET6A1.tmp
2008-07-02 17:25 . 2008-04-14 05:41 1,267,200 --a------ C:\WINDOWS\SYSTEM32\SET4C1.tmp
2008-07-02 17:24 . 2008-04-14 05:41 1,082,368 --a------ C:\WINDOWS\SYSTEM32\SET451.tmp
2008-07-02 17:23 . 2008-04-14 05:42 3,066,880 --a------ C:\WINDOWS\SYSTEM32\SET399.tmp
2008-07-02 17:22 . 2008-04-14 05:42 1,703,936 --a------ C:\WINDOWS\SYSTEM32\SET352.tmp
2008-07-02 17:21 . 2008-04-14 05:42 8,461,312 --a------ C:\WINDOWS\SYSTEM32\SET2B7.tmp
2008-07-02 17:20 . 2008-04-14 05:42 727,040 --a------ C:\WINDOWS\SYSTEM32\SET259.tmp
2008-07-02 17:19 . 2008-04-14 05:42 666,112 --a------ C:\WINDOWS\SYSTEM32\SET23C.tmp
2008-07-02 17:10 . 2006-12-29 00:31 19,569 --a------ C:\WINDOWS\005753_.tmp
2008-07-02 17:05 . 2008-04-14 05:42 409,088 --a------ C:\WINDOWS\SYSTEM32\qmgr.dll
2008-07-02 17:03 . 2008-04-14 00:57 2,188,928 --a------ C:\WINDOWS\SYSTEM32\ntoskrnl.exe
2008-06-25 14:08 . 2008-07-15 22:39 <DIR> d-------- C:\SmitfraudFix
2008-06-25 00:19 . 2008-06-25 00:20 1,445,888 --a------ C:\WinsockxpFix.exe
2008-06-25 00:11 . 2008-06-25 14:42 <DIR> d-------- C:\backups
2008-06-24 18:04 . 2008-06-24 18:04 251,392 --a------ C:\hijackthis_sfx.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-25 19:07 --------- d-----w C:\Documents and Settings\robh\Application Data\U3
2008-06-13 11:05 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-13 15:00 691,545 ----a-w C:\WINDOWS\unins000.exe
2007-12-27 20:53 285,396 ----a-w C:\Program Files\50calrev.gif
2006-05-01 15:42 563,712 ----a-w C:\Documents and Settings\Administrator\370_gotomypc.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinVNC"="C:\Program Files\UltraVNC\WinVNC.exe" [2005-08-06 19:45 974848]
C:\Documents and Settings\fasclampitt 2\Start Menu\Programs\Startup\
DESKTOP(2).INI [2002-09-03 14:36:04 84]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Firewall Client Management.lnk - C:\Program Files\Microsoft Firewall Client 2004\FwcMgmt.exe [2006-12-09 20:04:10 117568]
UPS WorldShip Messaging Utility.lnk - C:\UPS\WSTD\WSTDMessaging.exe [2007-12-13 16:55:54 65536]
UPS WorldShip PLD Reminder Utility.lnk - C:\UPS\WSTD\wstdPldReminder.exe [2007-12-12 22:05:04 31744]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WgaLogon]
[BU]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli scecli
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DESKTOP(2).INI]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DESKTOP(2).INI
backup=C:\WINDOWS\pss\DESKTOP(2).INICommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-05-16 14:57 282624 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iGateway"=2 (0x2)
"IDriverT"=3 (0x3)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"DAEMON Tools Lite"="C:\Program Files\Microsoft Games\DAEMON Tools Lite\daemon.exe"
"Sonic RecordNow!"=
"WebSUpdater"="C:\Program Files\winvi\wupda.exe" /background
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" -lang 1033
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
"BCMSMMSG"=BCMSMMSG.exe
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"Realtime Monitor"="C:\Program Files\CA\eTrustITM\realmon.exe" -s
"DwlClient"=C:\Program Files\Common Files\Dell\EUSW\Support.exe
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe"
"runner1"=C:\WINDOWS\mrofinu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
"dla"=C:\WINDOWS\system32\dla\tfswctrl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\UltraVNC\\winvnc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\CA\\eTrustITM\\InoRpc.exe"=
"C:\\Program Files\\CA\\eTrustITM\\Realmon.exe"=
"C:\\Program Files\\CA\\eTrustITM\\Shellscn.exe"=
"C:\\Program Files\\CA\\SharedComponents\\iTechnology\\igateway.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R1 netbtt;netbtt;C:\WINDOWS\system32\drivers\netbtt.sys [2008-05-08 14:50]
R2 Alert Notification Server;Alert Notification Server;C:\Program Files\CA\SharedComponents\Alert\ALERT.EXE [2004-04-19 11:05]
R2 FwcAgent;Firewall Client Agent;C:\Program Files\Microsoft Firewall Client 2004\FwcAgent.exe [2006-12-09 20:04]
S4 Win32Sr;Win32Sr;C:\WINDOWS\win32ssr.exe []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b448d2a8-3956-11dd-ad26-000d56599d48}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
"2008-07-18 16:35:52 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-18 11:33:42
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\CA\eTrustITM\InoRpc.exe
C:\Program Files\CA\eTrustITM\InoRT.exe
C:\Program Files\CA\eTrustITM\InoTask.exe
C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\CA\eTrustITM\Ppcl.exe
C:\Program Files\CA\eTrustITM\Ppcl.exe
.
**************************************************************************
.
Completion time: 2008-07-18 11:41:51 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-18 16:41:46
ComboFix2.txt 2008-07-18 16:10:12
Pre-Run: 60,074,033,152 bytes free
Post-Run: 60,055,728,128 bytes free
163
----------------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 11:46, on 2008-07-18
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\Alert\ALERT.EXE
C:\Program Files\CA\eTrustITM\InoRpc.exe
C:\Program Files\CA\eTrustITM\InoRT.exe
C:\Program Files\CA\eTrustITM\InoTask.exe
C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\Program Files\CA\eTrustITM\ppcl.exe
C:\Program Files\CA\eTrustITM\ppcl.exe
C:\Program Files\Microsoft Firewall Client 2004\FwcMgmt.exe
C:\UPS\WSTD\WSTDMessaging.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\SYSTEM32\notepad.exe
C:\Program Files\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://cpcvpn:8080/array.dll?Get.Routing.Script
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = cpcvpn:8080
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - Global Startup: Microsoft Firewall Client Management.lnk = C:\Program Files\Microsoft Firewall Client 2004\FwcMgmt.exe
O4 - Global Startup: UPS WorldShip Messaging Utility.lnk = C:\UPS\WSTD\WSTDMessaging.exe
O4 - Global Startup: UPS WorldShip PLD Reminder Utility.lnk = C:\UPS\WSTD\wstdPldReminder.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\microsoft firewall client 2004\fwcwsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\microsoft firewall client 2004\fwcwsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\microsoft firewall client 2004\fwcwsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\microsoft firewall client 2004\fwcwsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\microsoft firewall client 2004\fwcwsp.dll
O15 - Trusted Zone: http://download.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1215604273551
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1215604189783
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Alert Notification Server - Computer Associates International, Inc. - C:\Program Files\CA\SharedComponents\Alert\ALERT.EXE
O23 - Service: eTrust ITM RPC Service (InoRPC) - CA - C:\Program Files\CA\eTrustITM\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Service (InoRT) - CA - C:\Program Files\CA\eTrustITM\InoRT.exe
O23 - Service: eTrust ITM Job Service (InoTask) - CA - C:\Program Files\CA\eTrustITM\InoTask.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\WinVNC.exe" -service (file missing)
Is this problem the same as Virtumonde?
---------------------------------------------------
Edit:
but I got different results when running the scans.
"BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)
Please note that all instructions given are customized for that member's computer only; the tools used may cause damage if run on a computer with different infections. Your symptoms may only appear to be similar. Do NOT run 'fixes' before helpers have analyzed the HJT log (http://forums.spybot.info/showthread.php?t=16806).